CyberWire Daily - EU suspects Russia of disinformation. TrickBot’s latest module is a brute. Parallax RAT and the MaaS black market. Pandemic hacking trends. What to do with time on your hands.
Episode Date: March 19, 2020
The EU suggests that Russia's mounting an ongoing disinformation campaign concerning COVID-19. Russia says they didn't do nuthin'. TrickBot is back with a new module, still under development, and it seems most interested in Hong Kong and the US. The Parallax RAT is the latest offering in the malware-as-a-service market. Food delivery services are now targets of opportunity for cybercriminals. Zoom-bombing is now a thing. And some advice from an astronaut. Andrea Little Limbago from Virtru with insights into her career path; guest is Tom Creedon from LookingGlass Cyber on the Asia-Pacific cyber conflict. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_19.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The EU suggests that Russia's mounting an ongoing disinformation campaign concerning COVID-19.
Russia says they didn't do nothing. TrickBot is back with
a new module still under development, and it seems most interested in Hong Kong and the U.S.
The Parallax RAT is the latest offering in the malware-as-a-service market. Food delivery
services are now targets of opportunity for cybercriminals. Zoom bombing is now a thing.
And some advice from an astronaut.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 19, 2020.
The EU's foreign policy body, the European External Action Service,
has called out Russia for systematically pushing disinformation about the coronavirus.
Quote, A significant disinformation campaign by Russian state media and pro-Kremlin outlets regarding COVID-19 is ongoing.
The overarching aim of Kremlin disinformation is to aggravate the public health crisis in Western countries.
That's from a document dated March 16th and obtained by Reuters.
The document said that there had been more than 80 cases of disinformation about coronavirus emanating from Russian sources since the 22nd of January.
Among the more noxious themes is Russian amplification of debunked Iranian charges that COVID-19 is really a U.S. biowar project,
and charges that U.S. military personnel in what Moscow refers to as the near abroad,
the non-Russian former Soviet republics, have been carrying the coronavirus.
The general consensus on the origins of COVID-19 is that this strain of coronavirus is a zoonotic
disease that jumped from bats to humans in China.
Russia's foreign ministry has harrumphed that the EU's charges are unfounded and lack
common sense.
Spokesman Dmitry Peskov thinks the examples aren't specific enough
and that, as usual, Moscow is more sinned against than sinning.
Quote,
We're talking again about some unfounded allegations
which in the current situations are probably the result of anti-Russian obsession.
Mr. Peskov complained.
This global pandemic has nudged many of us toward a
greater appreciation for the interconnectedness of this big blue marble in space we all inhabit.
Global supply chains, economies, healthcare systems, nation-states, and yes, cyber security.
Thomas Creedon is the cyber threat intelligence leader and senior managing director
for the Asia Pacific region at LookingGlass Cyber Solutions. We caught up with him at the RSA
conference. That's kind of the double-edged sword with regard to public threat intelligence
coming out of the commercial side, or even some of the stuff that's coming out of the DOJ, is that
while it does give people visibility into the fact that there is a threat there, many times a lot of
the stuff that we're putting out there is also helping them get better at their OPSEC and
avoiding detection. And that's the case both in crime and in cyber espionage. In terms of the
sophistication of these groups and the types of operations that they do, comparing them to what we're doing here in the United States, for example. Are we on equal footing? Do they go toe-to-toe with us?
Where do they rank, as adversaries go? What's the level of sophistication?
Traditionally, we see the term advanced persistent threat. The majority of attacks are not very advanced.
As far as their capabilities,
what would you compare,
what would you say our capabilities are?
That's a good point.
We all assume that, of course,
Stuxnet was conducted by UK, US, and Israel.
A very interesting operation, interesting tools,
but I don't have a lot of visibility into the tool sets that are being used in U.S. law enforcement, in U.S. intelligence agencies. So
probably stay away from that. Yeah, that's actually a really interesting insight.
Is there anything when it comes to the Asia-Pacific region that you feel is not getting the attention
it deserves? We've seen a lot of the discussion of the Russian influence operations. We've seen some discussion
of the Chinese influence operations. And I don't want to overhype them because in many ways,
we haven't found them to be successful in any way, shape or form, whether they're targeting Taiwan,
whether they're targeting Hong Kong, which actually might be a good thing that we're not over-hyping it. Whereas with Russia, well,
we could have the argument whether it's being over-hyped or not. And that's a longer discussion
over beers, I guess. But there's really not too much. The business email compromise is still a
significant issue over there. The cyber espionage, it never went away.
There's a lot of talk that, you know, after the Xi-Obama summit, that things quieted down.
And for the case of East Asia, it never did quiet down.
It's actually quite a colorful region.
And you can't really just base on the country itself because of people operating in those countries.
That's Thomas Creedon from LookingGlass Cyber Solutions.
We turn from COVID-19 for the moment.
You do know, of course, that COVID-19 is currently the most popular fish bait in the cyber sea, right?
We're going to look at a few other interesting developments.
Researchers at security firm Bitdefender report that TrickBot has a new module
designed to brute force remote desktop protocol for selected victims.
It's designated RDP Scan DLL, and it's apparently still under development.
The RDP attack tool seems intended for use against targets in Hong Kong and the U.S.
TrickBot began its career in 2016 as a credential stealer focused mostly on financial targets,
but its modular design has lent it steadily increasing levels of sophistication
as criminals plug in new capabilities.
This most recent enhancement, RDP Scan DLL,
is being used mostly against telecommunications targets,
with the other most targeted verticals being education and research,
and then financial
services, including banks. The criminal campaign is being run from a dynamic set of command and
control servers, most of them located in Russia. Morphisec Labs have released more technical
information on the Parallax remote access trojan. Parallax has recently figured in coronavirus-themed attacks. Morphisec sees the
more recent Parallax RAT campaigns as representative of a trend toward malware-as-a-service, which has
made effective attack tools available to criminals who don't need to have the skills necessary to
develop their own malware. Here are a few new bits of criminality we confess we hadn't particularly expected.
Retrospectively, however, they seem fairly obvious, especially in these challenging times.
First, SpyCloud warns that hoods are sharing instructions in their chat rooms on how to hijack food delivery services.
The objective being, of course, free food.
Free for them, not for the homebound who pay for and actually need the deliveries.
Second, with video conferencing seeing heavy use as people work remotely,
TechCrunch reports that Zoom bombing is now a thing.
That is, Iago-like skids are trolling Zoom virtual meetings
and sharing unusually repellent, violent, or pornographic content as your screen.
The objective being, of course, the lulz.
They're like Iago in terms of motiveless malice, not in terms of invention or cleverness.
Losers with time on their hands.
And BleepingComputer reports that high-minded criminals say they won't use ransomware against hospitals during the present pandemic.
So say the gangs, but The Register and The Telegraph seem reluctantly moved to skepticism.
Remember what we just said about food-stealing skids?
Sure, sure, technically, of course, it's not ransomware, but it's a fair representation of the criminal mindset.
Security firm Emsisoft,
which specializes in developing decryptors for ransomware and which is offering its services for free
during the pandemic,
has appealed to the extortionists as fellow human beings,
people who themselves have families and loved ones,
and asked them to tone it down
while everyone's dealing with COVID-19.
We hope they reach the criminals' ears,
but we have to admit there's not a lot of reason to expect altruism, public spirit, or even fellow feeling from the hoods.
Finally, we've seen lots of advice about how to work remotely effectively and securely during
the present pandemic, and you'll find plenty of links to such advice in this week's worth of the
CyberWire's
daily news briefing. Check it out. Some of it includes various offers of free services.
But there's also some general advice, call it lifestyle advice, from an unexpected source.
Dr. Rendezvous himself explains how to get through the lockdown, quarantine, and confinement.
Buzz Aldrin, Apollo 11 Lunar Module pilot and alumnus of that
Andromeda-strain-style quarantine the astronauts endured at the Lunar Receiving Laboratory in
Houston, has offered us all not to take so much advice as an example. Ars Technica asked Dr.
Aldrin what he was doing to protect himself from the coronavirus. The second man on the moon
immediately replied, lying on my backside and locking the door.
He used a different word than backside.
The astronaut also suggested that one might pass the time
the way he did back in the day,
watching ants crawl around
and filling out government travel vouchers.
For government travel vouchers,
fill in whatever company forms you may have been putting off
or even heaven forfend.
Income tax documents.
There may be some lessons here for telework, or at least for phoning it in.
Ars calls Dr. Rendezvous a national treasure, and what can one do but agree?
Let's stay safe out there.
And I am pleased to welcome back to the show Andrea Little-Limbago.
She is the chief social scientist at Virtru.
Andrea, you've been a guest on the show before, but this is my opportunity to welcome you to our partner segments.
So welcome to the Cyber Wire.
Oh, thanks so much.
I'm thrilled to be a partner with you. I've always loved the podcast. This is an exciting opportunity for me.
Well, let's get to know you a little bit. First of all, your title, Chief Social Scientist,
what goes into that role? And that's also one of the most frequently asked questions I get because
there are so few social scientists actually in cybersecurity. And quickly, I'll start off by explaining what it is with an anecdote:
about five years ago, I was asked almost everywhere I went, why is there a social
scientist in cybersecurity? And I now no longer get asked that question at all. And it's more so,
what different areas are you focusing on? And so the position and just the applications of
social science have evolved a ton over the last five years.
And so really my job now and in the past has – it covers several different areas.
One can focus on the human-computer interaction.
And so we hear a lot about usable security and usable privacy and making it more user-friendly.
And so looking at how different applications enable various kinds of security settings and data integration and analysis
and those kind of things is one component of it.
Another core component of it is looking at the geopolitics of cybersecurity,
so really looking at the behavior of nation states, criminals, terrorist groups,
the whole range of attackers, as well as what kind of tactics and techniques and procedures they're using,
what are the motivations, how the groups interact.
And then also along those lines on the defensive side,
how are defenders adjusting to those kind of attacks,
both on the technical side but also on the legal and policy side is another component.
And then I would add probably a third one that I try and integrate
is really just within the industry itself, focusing on within companies,
helping professional development and growth of our technical folks and helping guide and
sort of serving as an editor-in-chief of the technical content so that when it is distributed,
it's more consumer-friendly for a broader audience, but then also looking at growing
companies and helping within the industry in the areas of diversity, equity, and inclusion. Yeah, it's really interesting to me, as you mentioned, this evolution, this
recognition that the human side, the social side of this technical industry is more important than
ever. Right. And it's one of the things where, as a social scientist, it has always driven me nuts that I always hear the human is the weakest link in security.
And while absolutely, we see the data on spear phishing and so forth, but at the same time, it's really, I've always seen it as a cop-out for explaining why technology isn't doing what it should be doing.
And one of my favorite quotes by Martin Groton is along the lines of, humans are features, not bugs.
And that's how we really need to start looking at it, is making the technology work for humans, understanding the
kind of human behavior that drives why they're clicking on links. I mean, the fact that we're
still focused on not clicking on links is one of the top lines of defense is a little bit baffling,
given human behavior and given what the business needs are. And so the industry is evolving now.
And, you know, it's interesting: as you just saw at RSA, the human element was the core theme.
And so I do see the industry changing a fair amount, starting to look at all the different implications and how it's really a sociotechnical system of the humans interacting with the technology and then building the tools to address those. And also keeping in mind sort of the unintended consequences that may happen,
especially when you think about AI models that you're building, but also along the lines of just
visualization and human interaction and so forth. Can you give us some insights into your career
path? What led you to this line? It so far has been really circuitous, I would say.
I started off very much so in the national security space and really interested in international relations and earned my Ph.D. in political science with a focus on international relations and conflict and cooperation amongst nation states.
But also along those lines with a focus as well on democracy and building
democracies and also how democracies decline. And so that took me to teaching in academia for a short
period of time before I got recruited into the Department of Defense and worked at an
analytics center called the Joint Warfare Analysis Center. And that's actually where I really started
getting more into the realm of working with
engineers and other kinds of data sources, as you can imagine, in that area, in conjunction with
a broad range of computational social scientists. And so I was a technical lead of a team there
that focused more so on the counterterrorism effort. And this was, you know, in the, you know,
late aughts, I guess we can call the decade that. So that's when the DOD was realizing that the human element really did matter.
And it's interesting, when I first got into cybersecurity,
I wrote something that was very similar along the lines of how in the counterterrorism realm,
there was an evolution for first trying to focus on kinetic
and then starting to realize that humans matter,
and then how to try to adjust behavior, anything from economic governance
and democracy and development to just influence operations and so forth as far as the whole
winning the hearts and minds notion.
And cybersecurity, I feel like, has gone under a very similar evolution as far as focusing
mainly on the technical and then starting to now look at how the humans interact.
And so that was the DoD.
I was there for about five years leading a team there and then have since then gone to a couple of different smaller startups
working across those various realms that I described earlier.
First at Berico Technologies, then at Endgame for about five years,
which is in endpoint security,
and now at Virtru focusing on data protection and privacy and security.
Well, we're glad to have you join us.
Andrea Little-Limbago, thanks for joining us.
Oh, thank you so much.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.