CyberWire Daily - Evil Corp versus newspapers. Trolling for unprotected MongoDB. Taurus in the criminal souks. Law and security. Loot boxes as gambling items.

Episode Date: July 2, 2020

Evil Corp seems to have been shuffling through some newspaper sites. Don’t take the gangs’ communiqués at face value, but some appear to be trolling for unprotected MongoDB databases. A look at Taurus, an information-stealer being sold in criminal-to-criminal markets. Chinese law and online security. The EARN-IT Act is being debated. Justin Harvey on “Smishing”. Our guest is Jeff Styles from FireMon on COVID-19 increasing misconfiguration risks. And there’s trouble in Tilted Towers. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/128 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Evil Corp seems to have been shuffling through some newspaper sites. Don't take the gangs' communiqués at face value, but some appear to be trolling for unprotected MongoDB databases. A look at Taurus, an information stealer being sold in criminal-to-criminal markets.
Starting point is 00:02:10 Chinese law and online security. The EARN IT Act is being debated. Justin Harvey on smishing. Our guest is Jeff Styles from FireMon on COVID-19 increasing misconfiguration risks. And there's trouble in Tilted Towers. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 2nd, 2020. Evil Corp's recent actions against a range of U.S. corporations in the recent WastedLocker campaign are said, by Bleeping Computer and others, to have affected a large number of newspaper sites run by a single parent corporation.
Starting point is 00:02:54 The reports are based on a tweeted update to research Symantec published last week. Neither the news outlets nor their corporate parent are named. These attempts don't appear to have been particularly successful. A CISA official and an IBM researcher have given CyberScoop an appreciation of ransomware gangs' growing sophistication. It's been common knowledge for the better part of a year that a ransomware attack should also be treated as a data breach. The gangs have for months adopted data theft as a core tactic, both for additional leverage against the victim and as an additional revenue stream. What's relatively new is the
Starting point is 00:03:31 amount of effort expended in reconnaissance of the victims' networks. The criminals want to know what the victims have, where it's kept, and who has access. Krebs on Security warns that some news organizations have been overly willing to retail ransomware gangs' claims. He thinks simply transmitting the criminals' woofing only aids their marketing, and who wants that? So, good advice: don't take the hoods uncritically at their word. So on that note, we'll observe that this next story, reported by ZDNet, is sourced to the GDI Foundation, a group devoted to finding and responsibly disclosing vulnerabilities, and hardly ones to swallow internet nonsense whole. They've noticed a problem afflicting MongoDB instances left exposed and unprotected online.
Starting point is 00:04:19 Hackers have been using an automated script to scan for unsecured MongoDB databases, and they found some 22,900, which by ZDNet's count amounts to about 47% of all such databases accessible online. Once an unprotected database is found, two things happen. First, the criminal backs up the data, and second, they wipe the original. That deletion was in some initial cases fumbled or overlooked, but the hoods seem now to have fixed their problem and become more adept at deleting information from their victims. Then they leave a ransom note. The ransom isn't particularly high, coming in at just 15 thousandths of a bitcoin. That's about $140. It is interesting,
Starting point is 00:05:04 however, to see the extortionists use both a carrot and a stick to induce compliance with their chicken feed demand the carrot is the promise that the wiped data will be restored from the crook's own backup the stick is that the stolen data will be referred to european authorities to get the victim prosecuted under gdpr there's also a deadline The victim has 48 hours to decide, at which point it's Adios Data and Ola Information Commissioner. Or so the crooks claim. Researchers at security firm Zscaler describe an information stealer Taurus
Starting point is 00:05:39 currently sold in criminal-to-criminal markets. It's offered by the tastelessly self-named Predator the Thief, and it's carefully coded not to execute in 12 former Soviet republics. That's understandable, since accommodation to the organs has long been the better part of criminal valor. One might expect more unrestrained bravery from someone calling themselves Predator the Thief. Maybe Bottom Feeder the Scavenger would
Starting point is 00:06:05 be better. Anywho, since we've never cooled our heels in an Orenberg slammer, maybe we shouldn't cast stones. Taurus concentrates on system information, passwords, cookies, browser history, autofill values, and cryptocurrency wallets. The payload is delivered by phishing. Predator the Thief's criminal clients can keep track of where their fish bait is being swallowed on a snazzy dashboard with a heat map of the whole world. Not every former Soviet republic is immune, by the way. The map shows infections in the three Baltic states, none of which are particularly Moscow-friendly. China's national security law has effectively ended Hong Kong's former autonomy,
Starting point is 00:06:48 the Register reports. The Wall Street Journal says this marks an end to business as usual in the city. The law is cast as a measure against secession, subversion, terrorism, and collusion with foreign forces. Those who run afoul of it are subject to removal to the mainland and long prison sentences, in principle extending to life. China's full online surveillance apparatus can henceforth be expected to be used against Hong Kong. But of course, the online cyber aspects of the national security law are not the most important of its effects. As far as extradition to the mainland is concerned, Foreign Affairs published an elegy for Hong Kong autonomy today under the title, Hong Kong is part of the mainland now. Jeff Stiles is Vice President of Global
Starting point is 00:07:35 Field Engineering at Firemon. Among the many security issues he and his team have been tracking during COVID-19 are a dramatic increase in misconfigurations. He joins us with these insights. So misconfigurations, think of it as human error, right? And this can happen on any form of technology, right? From overly permissive access to incorrect zone access, fat fingering a subnet, putting the wrong toggle in place, anything that's unintended, right? Whenever we're configuring a software, platform, hardware, you name it, you know, we make a mistake and then that mistake can be exploited. Now, mistakes are going to happen and, you know, people make mistakes. From your point of view, what are the most effective ways to
Starting point is 00:08:25 mitigate them? You're right. So mistakes are going to happen. You know, we look at solving that from two aspects. There's the alerting mechanisms, right, which are typically reactive, meaning somebody makes the mistake, we catch that mistake and then alert on it. Unfortunately, with the reactive state, you're typically, the damage is already done or could be done. Right. So we have to kind of evolve and look at more of a proactive approach. So we want to be able to catch a change before it goes live. So there's almost an element of staging in there. But the proactive place is really what we want to do. And we do this
Starting point is 00:09:05 through a form of automation, right? We take the guesswork out of it. What is done by humans, we evaluate it before it goes live. And then every other step after that, we try to automate it to remove that human error. Now, how do you put something like that in place while balancing the need to not introduce unnecessary or frustrating friction of slowing people down? Yeah, it's funny. Whenever we talk about security, there's always that balancing act, right? You go to one level, security becomes null and void. You go to the other side, it becomes so intrusive that nobody can get anything done because there's just too many hurdles. There's too many layers. So you do have to find that balancing point. What about looking at all this through the lens
Starting point is 00:09:58 of the COVID crisis that we find ourselves in today? How does that affect the likelihood of these misconfiguration errors? Yeah, that's a great question. The COVID-19 thing is really, it's really done a change in the way we do business and the way we look at things. So the spike in bad activity happening right now is all capitalizing on the shift to remote work. They're all trying to exploit all these people moving at a very fast pace with very little
Starting point is 00:10:31 security understanding. This becomes the breeding ground for misconfigurations. So we're seeing this across the board. Everybody's trying to go from zero to 60 in, you know, three seconds so they can go to work the next day and everybody's remote. They're making a lot of errors, and these things are what everybody is capitalizing on. A lot of interesting change happening during the COVID-19. That's Jeff Stiles from Firemon. Huawei has made its statement to the media concerning the U.S. Federal Communications Commission's designation of the company as a threat to national security. It wants a reprieve, denouncing the designation as based on selective information, innuendo, and mistaken assumptions. The company is canny enough to appeal to concerns about telecommunications for rural areas and underserved regions generally.
Starting point is 00:11:24 These constitute a natural market for the company's equipment. The U.S. Congress is taking up the EARN IT Act in earnest today. Encryption fireworks, the Washington Post calls the discussion. The measure represents an anti-encryption shot in the crypto wars. We'll know more about how the debate proceeded after Independence Day weekend. wars. We'll know more about how the debate proceeded after Independence Day weekend. And finally, Professor Hill, call your office because, oh, there's trouble, my friends, in Tilted Towers. And there's a difference between a commoner and a lord or a lady with a capital L,
Starting point is 00:12:02 and that stands for loot. Your young'uns have been frittering away their days and nights in Tilted Towers or Retail Row. CDNet sounds the alarm. Britain's House of Lords wants to regulate loot boxes as a form of gambling. So do your Fortnite Charleston while you still can, kids, before my lord gets his hands on it, because frittering may be on the skids in Westminster. But if things like online poker, dog tracks, and loot boxes all cater to an addictive pursuit of the rainbow's end,
Starting point is 00:12:25 then maybe my lord's got a point. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:13:12 but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:14:13 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Justin Harvey. He is the Global Incident Response Leader at Accenture.
Starting point is 00:14:57 Justin, always great to have you back. You know, we hear a lot about phishing. We hear about We hear a lot about phishing. We hear about vishing, which is using video for phishing. You wanted to touch today on smishing, which you and your team have been tracking as a growing problem. What are we talking about here? Well, smishing is when you receive a phish or a scam via an SMS text. And I don't mean your safe and secure blue eye messaging. We're just talking about straight off SMS, green text coming through your phone.
Starting point is 00:15:33 We have seen an uptick in criminals that are utilizing SMS to distribute phishing attacks. And we have been training the internet community for years now to really question emails coming through. I mean, like, okay, this is the domain. Is it a real one? Is it too good to be true? But we've been kind of ignoring that we use our mobile devices so much and there's text, there's iMessages, there's apps.
Starting point is 00:15:59 And on a daily basis, we receive texts that are really important to us, like our Amazon delivery. Oh, it's around the corner. Okay, great. Our food delivery and even our bank accounts alerting us to questionable behavior with our bank accounts. And then we're even receiving some six-digit codes if we use SMS for two-factor. And what's happening is we are seeing criminals that are preying upon this because when you receive an unsolicited email and it hits your box, you're thinking, it looks a little weird. It seems too good to be true. Maybe the graphics are off, but you'll be
Starting point is 00:16:35 able to look at the domain name and say, that doesn't look right. When it comes from a phone number, phone numbers are numeric. So if, even if, let's say the president of the United States sends you a text, it would come through as text because you don't have the president's number or cell phone. I'm hoping that the majority of our listeners don't have. I always pick up when the White House is texting. So when you receive this text, it looks very benign. And given that it's in plain text, it's easy to be fooled and say, click this link to know more. And then, of course, that link also is typically shortened with a shortening service like Bitly or Google. So when you get that text and it says, let's say, Bank of America has told you that you have a fraudulent transaction,
Starting point is 00:17:35 please click this shortened link to go review it, a lot of people are being fooled by that. So it's important to remember to really question not only the source of the SMS message, but also the content and just be extra careful when you click that link and it opens up your browser, that that also might not be an official source for that information. You know, I wonder too how much of this, there's a generational factor here as well, because I think about my children and the amount that they use text messaging versus email compared to what I do, it's probably the exact opposite. You know, to them, using email is something that only old
Starting point is 00:18:13 people do, and they do pretty much everything through their texting. So it makes me wonder if they would be, just by virtue of the volume of messaging that they get, would that make them more susceptible to this or being natives, are they more careful? I think the jury is still out, but I think that this could probably be more associated with technology evolving to be more of a hybrid situation where people are using their browsers, but then they also have to use SMS to get multi-factors and communicate. So I think it's just a sign of our times. And it's not like there can be a very easy fix for this.
Starting point is 00:18:53 Given that they come from numeric numbers, it's very hard to whitelist or even blacklist. or even blacklists, because you don't know if, let's say the next time that you go to do your multi-factor authentication, some services change their number that they text you from every time, or they have a bank of numbers, and there'd be no way to really whitelist or blacklist it. But I think that the good rule of thumb here is really scrutinize the source and the message. And if you do think that this is from your bank
Starting point is 00:19:27 or it's legitimate, copy and paste the URL out of that, put it into, let's say, a secure browser in secure mode or in privacy mode. I know that there are multiple modes out there for Safari and Edge and Chrome and Opera and Firefox. Everyone has that private browsing mode. And if you really do suspect that you need to see what's on there, utilizing that,
Starting point is 00:19:52 or even what I do a lot of times is actually take the source phone number and plug that into Google and try to do a reverse search. And what you find is that there's a lot of websites out there that catalog scamming phone numbers. So a lot of websites out there that catalog scamming phone numbers. So a lot of times you can just plug in the phone number and you're like, hmm, there were five reports in the past seven days that I've won. And then the final thing I would want to say here, Dave, is that no matter how important things are, if your bank or someone is sending you something that is critical via an SMS, go to the website or go to your bank or call them and say, hey, is this legitimate? I've got this message from you and it says it's important, but I want to verify it. are signing up for text notifications on things, be very wary in being able to tell the difference between when you're getting a shipment notification or an ad from your favorite online retailer
Starting point is 00:20:52 versus someone offering something that's too good to be true. Yeah. All right. Well, Justin Harvey, thanks for joining us. Thank you. Thank you. businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Starting point is 00:21:54 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
Starting point is 00:22:36 and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
