CyberWire Daily - Facebook faces anti-trust suit. COVID-19 vaccine cyberespionage. Emissary Panda spotting. SQL databases for sale. Notes on the FireEye breach, the end of Flash, and the Mirai botnet.

Episode Date: December 10, 2020

Facebook faces a US antitrust suit. Cyberespionage hits the European Medicines Agency, apparently looking for COVID-19 vaccine information. Emissary Panda is out and about. A simple ransomware campaign goes for success through volume. Stolen SQL databases are offered for sale back to their owners. React to the FireEye breach, but don’t over-react. We welcome Kevin McGee from Microsoft Canada to the show. Our guest is Liviu Arsene from Bitdefender with insights on their Business Threat Landscape report for 2020. Flash nears its end-of-life. Predictions for 2020, and another guilty plea in the Mirai case. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/237

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Facebook faces a U.S. antitrust suit. Cyber espionage hits the European Medicines Agency, apparently looking for COVID-19 vaccine information. Emissary Panda is out and about.
Starting point is 00:02:13 A simple ransomware campaign goes for success through volume. Stolen SQL databases are offered for sale back to their owners. React to the FireEye breach, but don't overreact. We welcome Kevin McGee from Microsoft Canada to the show. Our guest is Liviu Arsene from Bitdefender with insights on their business threat landscape report. Flash nears its end of life. Predictions for 2020.
Starting point is 00:02:36 And another guilty plea in the Mirai case. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 10th, 2020. We begin by mentioning, briefly, a major legal development that broke yesterday. The U.S. Federal Trade Commission has filed an antitrust suit against Facebook, alleging years of anti-competitive behavior that could ultimately warrant breaking up the company. The FTC has been joined in the suit by 26 state attorneys general and the AGs of the District of Columbia and the Territory of Guam. We'll have more details on the suit in this afternoon's Pro Privacy and Pro Policy briefings, but for now we'll characterize the action this way. If data represent the new oil, then Facebook looks to the FTC like the new Standard Oil.
Starting point is 00:03:48 BioNTech has disclosed, according to The Guardian, that information related to the COVID-19 vaccine the German firm has been developing with Pfizer was accessed in a cyber attack against the European Medicines Agency. The agency simply says that it was attacked without offering so far any information on targets, losses, or attribution, SecurityWeek reports. Dutch National Police are investigating. Avast yesterday reported sighting Emissary Panda, also known as APT27 or LuckyMouse. The campaign, whose first interest seems to be the government of Mongolia, is phishing with a weaponized document exploiting CVE-2017-11882. The Prague-headquartered security firm said, in part, quote, the APT group planted back doors and key loggers to gain long-term access to government networks and then uploaded a variety of tools that they used to perform additional activities on the compromised network, such as scanning of
Starting point is 00:05:08 A number of the tools are from Emissary Panda's familiar kit, but Avast has found some new ones, and it highlights those in its report. Much about the cyber espionage campaign remains unclear. For example, an unknown company that provides contract services to government agencies in East Asian countries has apparently been under attack, but who that company is and what the pandas were after is still murky. But the entry point into the government organizations successfully penetrated was gained by pivoting from a compromised third party. Guardicore says that a relatively simple ransomware campaign they're calling Please Read Me
Starting point is 00:05:41 has been attacking SQL databases since this past January. It's an untargeted campaign, the security firm's researchers say. The attackers aren't interested in the size or identity of the victims. Their secret to success is volume. Guardicore calls it factory ransomware, and they characterize it as untargeted, transient, and simple. ZDNet reports that criminals are ransoming stolen databases for roughly $550 per database, prices fluctuating with Bitcoin exchange rates.
Starting point is 00:06:16 More than 85,000 SQL databases are for sale back to their owners in what appears to be a secondary ransomware market. The market also seems largely automated. And there's no particular reason to think that the databases won't also be sold to third parties in the criminal-to-criminal market. There's considerable breathlessness in reactions to the FireEye breach, but both Qualys and Hurricane Labs offer more measured, less alarmist advice. Qualys observes that some of the stolen tools may appear in commodity attacks.
Starting point is 00:06:51 Hurricane Labs sensibly points out that organizations should pay attention to the vulnerabilities FireEye has said the tools incorporate and apply the available patches and mitigations. Both note that FireEye has shared details useful for protection in its GitHub repository. So the incident should serve as an impetus to more careful patching and practicing better cyber hygiene in general. We note that plenty of vendors are interested in helping you do both. Speaking of patching and updates, the requiem for Flash has been sounded so often that one almost hesitates to put on mourning, but this time it seems to be for real.
Starting point is 00:07:33 ZDNet reminds all that Adobe has issued its last-ever Flash patch and warns users in very direct language that Flash will reach its end of life on January 12th of the new year. If you use Flash, plan accordingly. Looking ahead to the new year, as we've been doing lately, we can sum up most of the predictions by saying that 2020's criminal momentum is expected to carry into 2021, and it's clearly doing so. COVID-19-driven social engineering, for one thing, is here and likely to remain for the foreseeable future. KnowBe4, for example, announces the appearance of COVID-19 vaccine phish bait. It's unlikely to go away soon. Expect this chum to be scattered across inboxes well into
Starting point is 00:08:18 2021. And Armorblox this morning released updates on some representative COVID-19 scams. Reuters sees the same sort of thing. One trend, surprising at first blush, but which on reflection seems right, is that COVID-19 concerns appear to have driven a rise in romance scams. Under lockdown, apparently, people are looking for love in all the wrong places. G DATA summarizes the coming evolution of ransomware by noting that the extortionists will become smarter, more focused, and above all, faster. The increased speed, ZDNet points out, is worrisome. The hoods will be likelier to pivot
Starting point is 00:08:59 and encrypt before they're detected, getting inside the defender's OODA loop. The phish bait is getting better designed, too. Bitdefender sees scammers upping their game in impersonating financial services. The language and the logos, for example, are much cleaner and more convincing than they've historically been. Other things to worry about? Well, there's stalkerware, which has drawn attention with reports that lawful intercept tools are proliferating into the hands of unlawful users. And of course, there are North Korean cyber attack units, which The National Interest thinks aren't receiving the attention their level of threat warrants.
Starting point is 00:09:37 It's not all mom and kimchi in Pyongyang, whatever the dear successor may be woofing nowadays. And finally, remember Mirai, the botnet that took out the Internet over most of the U.S. eastern seaboard back in 2016? It was widely believed when the IoT botnet worked its DDoS that Mirai was a shot across the American bow, probably fired by Russia. Within less than a month, it was determined that this wasn't so. The Professor Moriarty of the affair turned out to be a student at Rutgers University in New Jersey, and not exactly the pride of the Scarlet Knights either. He was interested in driving traffic away from
Starting point is 00:10:16 competing offerers of Minecraft in-game purchases, and thought that DDoSing them would be a good idea. It's just that, well, one thing led to another and things got out of hand. Anywho, besides providing a useful cautionary tale about premature attribution and the attendant difficulty of recognizing a digital Pearl Harbor, the incident resulted in three federal guilty pleas. There's now been a fourth. An unnamed defendant had taken a guilty plea before the U.S. Court for the District of New Hampshire. The defendant is unnamed
Starting point is 00:10:50 because of the defendant's tender years at the time of the offense. The U.S. Department of Justice said yesterday that, according to the plea agreement, the individual conspired to commit computer fraud and abuse by operating a botnet and by intentionally damaging a computer. Because the individual was a juvenile
Starting point is 00:11:07 at the time of the commission of the offense, the individual's identity is being withheld pursuant to the Juvenile Delinquency Act. May the individual set his or her feet on a better path. Calling all sellers. ...with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security,
Starting point is 00:12:06 but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:12:49 That's vanta.com slash cyber for $1,000 off. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
Starting point is 00:13:34 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Researchers at Bitdefender recently published their Business Threat Landscape Report for 2020. Joining us with key takeaways from the report is Liviu Arsene, Senior E-Threat Analyst at Bitdefender. This has been a very
Starting point is 00:14:26 interesting year, to say the least. So basically, the entire report focuses on how the pandemic has affected both the threat landscape and, you know, the overall infrastructure for organizations as well as their employees. Well, let's go through it together. What are some of the key findings here? Right. So I guess one of the biggest key findings is that half of organizations weren't prepared for a pandemic-type situation. So that means they literally had to redesign
Starting point is 00:14:56 their entire infrastructures overnight to accommodate all their employees working remotely. And when you do these types of things without proper preparation, misconfigurations and blunders will happen. It's likely that most of these misconfigurations and on-the-go infrastructure realignments will probably be exploited by attackers in the next 12 to 18 months by using very simple techniques, everything from brute forcing to credential
Starting point is 00:15:25 stuffing or simply exploiting unpatched systems. So what are some of the takeaways here? With the information you gathered in the report, what sort of lessons can you share with our listeners? So I guess some of the biggest are that one of the policies that seems to be less enforced, let's say, is the fact that companies don't have a policy for making employees or for preventing employees from reusing old passwords. Actually, I think over 93% of employees actually reuse old passwords for their accounts. There's also the fact that I think in the first half from January up until June, we've seen a spike in suspicious IoT incidents in households. And CIOs and CISOs
Starting point is 00:16:14 actually do believe that the fact that employees are now working remotely from their own homes, their networks could actually be prone to more attacks, to a more diverse attack surface, if you will, that could potentially compromise their work endpoints, laptops, or computers, and subsequently move those threats to the enterprise environment. Yeah. Do you suppose that the organizations that went into this better prepared, but also have been able to be nimble throughout, are they going to have a competitive advantage when we get to the other side? Well, security is, you can look at it as something organic. It's never something that you deploy once and you forget about it. It's something that you constantly have to evaluate. So those that had a plan were probably a little bit better prepared to face the new threats.
Starting point is 00:17:08 But these are not the only threats, the only things that have changed. Even those companies that were prepared for this scenario are now facing threats that they previously didn't face. For instance, we found evidence, if you will, although circumstantial evidence, that there is such a thing as APT hackers for hire, which is a bad thing because APT groups are mostly associated with governments, you know, and state-sponsored actors. But recent investigations found out, revealed that some of these APT groups may actually be offering their services to the highest bidder.
Starting point is 00:17:41 For example, instead of targeting financial institutions or government institutions, they've started targeting completely different verticals. They went after a real estate company and a video production company. So they had absolutely nothing to do with financial gain. I mean, the attack is not financially motivated or politically motivated. So the only plausible explanation
Starting point is 00:18:04 in light of the sophistication of the attack was that they were probably hired by one of their competitors to do a little bit of industrial espionage. And this completely changes the game a little bit, especially for these SMBs that traditionally didn't face these types of threats. And this is all in the report. There's a lot more detail in that. That's Liviu Arsene from Bitdefender. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:18:50 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And it is my pleasure to welcome to the show Kevin McGee.
Starting point is 00:19:28 He is the Chief Security and Compliance Officer with Microsoft Canada. Kevin, welcome to the Cyber Wire. Hi, Dave. Pleasure to be here. So before we dig into some of the topics that you're going to share with us along the way, I thought it'd be nice to get to know you a little bit about your own professional journey and the sorts of things that keep you busy day to day at Microsoft. Where did you get your start and what led you to where you are today at Microsoft? Well, I often joke that I'm actually educated as a historian and then went into business, had a startup in the IT space in the 90s and then came to sort of my security career indirectly later in life,
Starting point is 00:20:06 much like the career path of Jack Ryan. So I like to consider myself the Canadian Jack Ryan. And I think that interesting sort of background, sort of an arts degree with an education based on presenting a hypothesis, defending your hypothesis, building evidence, looking at sources critically and whatnot, building communication skills in a different way. Long form writing has given me a different perspective and a really interesting take on my work that other folks that maybe came up the more technical route haven't had. And then just joining sort of the startup community in the 90s, which was sort of a crazy time, was an amazing time to be in technology. Yeah. And then so what was the path that led you to Microsoft?
Starting point is 00:20:48 Ultimately, I never really saw myself, again, working for a large company, but Microsoft in the last number of years has really shifted to a different style under Satya Nadella, where we take a very growth mindset, learn-it-all approach to our work. And a lot of the innovations I was seeing, it was very interesting, started coming out of Microsoft. So when the recruiter called and connected me to a vice president who was hiring, he wanted me to look at the business
Starting point is 00:21:14 and growing the business like a startup person would. It was very refreshing. And I thought maybe when I joined, it wouldn't be like that, but it truly is. We're trying to build a culture that looks at diversity of opinions, innovation, and whatnot as what makes you successful in your career, not just delivering numbers or shipping product. You know, I think about Microsoft as a global company
Starting point is 00:21:38 and certainly one with a lot of history. Can you give us some insights? What is it like to be in a leadership position there in Canada? What are the interactions with the rest of the global community of Microsoft? Well, the cool thing is I actually started reporting into corporate, so into sort of the mothership.
Starting point is 00:21:59 Often you folks describe it as... And so that gave me a view of how sort of the global company works and introduced me to folks around the world. And then shifted to a Canada-specific career when I took this role a couple years in. And having both experiences has been fantastic because the Canadian subsidiary really operates like a small team. We all know each other. We all work together. You know, it's a really sort of esprit de corps type of relationship we have. But I can also reach out to my counterparts and really see what's going on around the world. So I can call my counterpart in Australia or Germany or whatnot and get a really global feel on topics or an understanding of how things work in different cultures, or maybe they're seeing a different threat in a different environment. And I'm just beginning to see it now where they've experienced
Starting point is 00:22:49 it for a number of months because of some aspect of their geography. And often the smaller regions really can't relate to sort of larger markets like the US or whatnot. So having those folks that I can rely on as part of my intelligence network is fantastic. And what is your day-to-day like these days? What sort of things keep you busy? Well, it's interesting today because we're growing a team and I'm interviewing and hiring and onboarding folks in a pandemic that I've never met. So it's a full new dynamic for not only myself, but for my team really evolving and responding to the current needs just like everyone else. And obviously, cybersecurity is moving very quickly now. So we're having to adapt even quicker. So I spent a lot of time not necessarily on the technology, but really
Starting point is 00:23:34 understanding the needs of customers, the needs of my people, and making sure that my folks aren't burning out or really have what they need to do their jobs. So you would think that a chief security officer is really focused on more of the technology and sort of the digging into the code or whatnot, but the business really is becoming more and more about people and understanding people. Well, Kevin McGee, chief security and compliance officer with Microsoft Canada, welcome to the Cyber Wire. You can say thank you.
Starting point is 00:24:04 Thank you. I wasn't sure what the protocol was there. Yeah. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
Starting point is 00:24:37 sign up for Cyber Wire Pro. It'll save you time and keep you informed. Between love and madness lies obsession. Listen for us on your Alexa smart speaker, too. Thanks for listening. We'll see you back here tomorrow. ...and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:26:09 That's ai.domo.com.
