CyberWire Daily - Facebook takes down Myanmar military page. Chinese cyberespionage and cloned Equation Group tools. Supply chain compromises. Threat trends.

Episode Date: February 22, 2021

Facebook takes down Myanmar junta’s main page. APT31 clones Equation Group tools. Silver Sparrow’s up to...something or other. Bogus Flash Player update serves fake news and malware. Effects of supply chain compromises spread. Clubhouse’s privacy issues. VC firm breached. CrowdStrike releases its annual threat report. We welcome Josh Ray from Accenture Security to our show. Rick Howard examines Google’s cloud services. And a Maryland school concludes its annual cyber challenge. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/34

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Facebook takes down Myanmar junta's main page. APT31 clones Equation Group tools. Silver Sparrow's up to something. Bogus Flash Player update serves fake news and malware.
Starting point is 00:02:13 Effects of supply chain compromises spread. Clubhouse has some privacy issues. A VC firm has been breached. CrowdStrike releases its annual threat report. We welcome Josh Ray from Accenture Security to our show. Rick Howard examines Google's cloud services. And a Maryland school continues its annual cyber challenge. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 22, 2021.
Starting point is 00:02:59 Facebook yesterday took down the main page belonging to Myanmar's military, according to Reuters. The social network explained its decision in terms of its policy against incitement of violence. Quote, in line with our global policies, we've removed the Tatmadaw True News Information Team page from Facebook for repeated violations of our community standards, prohibiting incitement of violence and coordinating harm. Check Point reports that a Chinese threat group, APT31, cloned a leaked U.S. Equation Group tool and has now used it for several years. APT31 is also known as Zirconium in Microsoft's metallic taxonomy of threat actors, or as Judgment Panda to other scorekeepers.
Starting point is 00:03:49 This isn't the first time a Chinese threat actor has used what appear to be NSA tools. They had found their way earlier into Beijing's cyber arsenal, and apparently at some point before the Shadow Brokers committed their big Equation Group leak to the internet. Silver Sparrow, described last week by researchers at Red Canary, infesting devices with Apple's new M1 chips, as well as some using Intel processors, remains baffling. Although Malwarebytes researchers found the malware on some 30,000 endpoints, Ars Technica says Silver Sparrow has no apparent payload. The binaries don't seem to do anything.
Starting point is 00:04:29 They're being called bystander binaries and may simply be placeholders. Silver Sparrow also has a self-destruction mechanism designed to expunge traces of itself from infected systems. Whoever's operating Silver Sparrow hasn't yet used that functionality, and as Computing reports, researchers are still in the dark about what might trigger self-destruction. Silver Sparrow will bear watching, especially if it proves to be a staging mechanism for further cyber campaigns. A fake Adobe Flash Player updater is in circulation, BleepingComputer reported yesterday. It's a relatively complicated scam.
Starting point is 00:05:11 Javvad Malik, security awareness advocate at KnowBe4, summarized the activity as follows. Quote, threat actors are using Google Alerts to promote a fake Adobe Flash Player updater that installs other unwanted programs on unsuspecting users' computers. The threat actors create fake stories with titles containing popular keywords that Google Search then indexes. Once indexed, Google Alerts will alert people who are following those keywords. When visiting the fake stories using a Google redirect link, the visitor will be redirected to the threat actor's malicious site. However, if you visit the fake story's URL directly, the website will state that the page does not exist.
Starting point is 00:05:54 Adobe Flash Player has reached the end of its life, but many users, habituated by years of updates, may not know this, and may not recognize the bogus update for the imposture it is. The unwanted program being served is one updater, and it will, from time to time, offer other phony updates that themselves carry other unwanted programs. So here's a direct risk from fake news stories being indexed by search engines, in this case by Google. Not only do they cloud your mind with misinformation, but they also serve as the entering wedge of a malware distribution campaign. Breaches of vendors in the software supply chain continue to flow through third parties. The Accellion FTA compromise has now affected the Kroger supermarket chain,
Starting point is 00:06:43 and the Wall Street Journal describes the ways Accellion's troubles have afflicted its customers. StateScoop has an account of how a ransomware attack by Cuba Ransomware, a gang having the poor taste to illustrate its dump site with heroic images of political mass murderers, has affected customers of Automatic Funds Transfer Services. Many AFTS customers are U.S. state and
Starting point is 00:07:06 local governments, and they've been in the process of warning individuals whose data may have been compromised. Emergent social media platform Clubhouse appears to be experiencing the sorts of security issues that accompany rapid growth, especially when the growing company has strong business links to companies in China. Bloomberg reports that the app's chats have been breached. A Guardian op-ed summarizes causes for concern. You're telling the app that you're connected with various people and they're connected with you, for example, and that's something you
Starting point is 00:07:40 and your contacts may not want to share. And then there's the business of Clubhouse making unencrypted copies of the chit-chat going on in its various rooms. As the Guardian's essayist puts it, Clubhouse says it deletes these once it determines nothing untoward is going on, but still, that's not particularly reassuring, especially when your back-end services are provided by a Shanghai outfit. Nothing wrong with Shanghai, necessarily. Lots of nice, hard-working people, but still, after all, Beijing's writ runs there. Axios reports that Sequoia Capital has disclosed a data breach that may have affected some of the personal and financial data the venture capital firm holds. Sequoia says it's notified affected individuals and has so far found no
Starting point is 00:08:31 signs of the data's abuse. CrowdStrike this morning published their annual global threat report. They see an intensification of now familiar trends with supply chain attacks, ransomware, extortion, and nation-state espionage all on the rise. They also see increasing sophistication on the part of cyber criminals. Remote work will continue to expand attack surfaces, and health care will, unfortunately, remain a priority target. They think dedicated leak sites will make it easier for criminals to carry out data extortion attacks. Looking at the state actors, CrowdStrike sees China focusing on supply chain compromises, with an emphasis on industrial espionage against verticals that could yield IP useful to the goals of the 14th Five-Year Plan. And North Korea will be more motivated than ever to shore up its failed economy through direct
Starting point is 00:09:26 cyber theft. And finally, it's good amid the ice storms and the data breaches to share some local good news. This past weekend, Loyola-Blakefield, just up the road from us in Baltimore County, held its fourth annual Loyola-Blakefield Cyber Challenge virtually this year, and they sent us a note this morning to give us the results. The challenge categories this year included web exploitation, cryptology, forensics, programming, and network analysis, and the 51 teams that competed came from as far away as Illinois. This is a student-run challenge, and we're happy to share the congratulations Loyola-Blakefield sent to the winners. They wrote, on behalf of LBSCI,
Starting point is 00:10:12 congratulations to Audrey Wheeler from Rolling Meadows High School, Robbie Hoff and Mark Gattas from John Carroll School, Ryan Elkocha from Damascus High School, Daniel Matthew from Poolesville High School, and Jason Walter from Calvert Hall College. Special congratulations to Daniel Matthew and Ryan Elkocha and their teams for winning the beginner and advanced divisions respectively. If you're interested in how Loyola-Blakefield put the challenge together, check out their website and drop them a line. We're sure they'll be happy to hear from you.
Starting point is 00:10:53 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:11:03 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:11:33 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:12:10 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform protects your executives and their families 24-7, 365. Learn more at blackcloak.io. And joining me once again is Rick Howard. He is the CyberWire's chief analyst and also our chief security officer.
Starting point is 00:13:22 Rick, it's always great to have you back. Thanks, Dave. This week on CSO Perspectives, you are launching a two-part series on securing the Google Cloud Platform. Now, I know that we have just recently done similar things for Amazon AWS and Microsoft Azure. Is this, you know, lather, rinse, repeat, or does Google have a different approach here? That's a good way to put it. Well, you will be pleasantly surprised, David. Google's plan for cloud services is fundamentally different from the other two, right? And their
Starting point is 00:14:01 official name for the service is Google Cloud Platform or GCP. And I have to tell you, I can never remember what that acronym stands for. I have to look it up every single time, right? Yeah, yeah. And they didn't roll it out until 2012. This is a good six years after Amazon released AWS and two years after Microsoft released Azure. And now looking at all three of them, it's pretty clear to me that Google studied their two competitors and made some design changes.
Starting point is 00:14:30 And the most obvious is how they placed zero trust as a cornerstone to the entire experience. Yeah, I mean, that's interesting because in the previous two series, you made the solid point that both AWS and Azure, they provide means to implement zero trust concepts. What makes GCP different? So Google took the design concept, this thing called software defined perimeter, or SDP. It came from the US government way back in the early 2000s, you know, from the Defense Information Systems Agency, or DISA, of all places, right? And then they built it, you know, and in our last Hash Table episode on AWS security, the chief security officer for Sallie Mae, Jerry Archer, said he uses a third
Starting point is 00:15:17 party tool to implement SDP for his AWS deployments. But in the Google Cloud platform, SDP is how the system works out of the box, right? So we spend some time in this episode talking about what that means for our first principle approach to securing cloud environments. All right, well, it is CSO Perspectives and it is part of CyberWire Pro.
Starting point is 00:15:39 You can find out all about that on our website, thecyberwire.com. Rick Howard, always a pleasure. Thank you, sir. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:16:15 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And it is my pleasure to welcome to the Cyber Wire, Josh Ray. He is the Managing Director and Global Lead of Accenture's Cyber Defense Business. Josh, welcome to the show.
Starting point is 00:16:56 Thanks, Dave. Pleasure to be here. Looking forward to talking about some really interesting topics today. Well, before we jump in with some of the technical things, I'd like to introduce you to our audience. Can you give us some notion of what is your day-to-day like? What are the types of things that you're doing for Accenture? Yeah, Dave, within our cyber defense business, my team and I, we really focus on looking at threat activity, but really primarily looking at it in very highly customized ways. So a lot of the things that we do are helping our clients on their darkest day, but also
Starting point is 00:17:31 helping them prepare for the most advanced cyber adversaries that they're going to face. And really, it's about us being able to provide our clients with a level of confidence to kind of chart that journey through not just that worst day, but hopefully improving their overall security posture and capability when they come into contact with some of these advanced adversaries. So we do things like incident response and threat hunting, cyber threat intelligence. We do a lot of intelligence-driven red teaming and advanced adversary simulations. We also help our clients with application security, as well as helping them transform their third operations capability
Starting point is 00:18:12 to really, in many cases, make use of investments that they've made in technologies so they're able to properly operationalize it within their environment. Can you give us some insights on your own background? What led you to this particular position? Now, it's actually, I've been very fortunate and blessed to kind of grow up within the mission. Started my career in the Navy and then went back to school when I got out and found myself at Naval Intelligence, actually doing an internship, and focused really right away on some advanced nation-state adversaries, went on to do some work within the DOD and the Defense Industrial Base,
Starting point is 00:18:54 which we were very much kind of the tip of the spear, and focused on a lot of the same types of threats that most folks know today as the APT. And then from there, went on to work for VeriSign, where I helped protect .com and .net and was fortunate to run the iDefense business. And then I led that acquisition from VeriSign into Accenture in 2017. So again, very, very focused on a specific mission and really threat operations throughout my whole career and, you know, couldn't find myself in a better place now. Yeah, it's interesting. You mentioned incident response, which I suppose is the, you know, the part of your business that you hope for your customers,
Starting point is 00:19:44 they never have to engage with you on. But I mean, how much of that is sort of dialing in ahead of time to try to have all the proper things in place for them to try to put off that need for incident response as long as possible? Yeah, breach readiness is a huge part of what we do for our clients. And it's really about actually taking not only the lessons learned from all of the incidents that we help our clients work through, but also taking an offensive mindset.
Starting point is 00:20:12 So having that full offensive portfolio, whether it be pen testing or red team or doing things like an advanced adversary simulation, it really helps our clients be able to anticipate and gain those breach learnings without actually having to experience those types of breaches or the pain of that breach. And then we can transform them and kind of tune their security programs and their threat operations programs to really kind of drive that kind of end-to-end threat-focused approach. And again, core to that obviously is having the ability to know the threat at that tactical, operational, and strategic level through high confidence threat intelligence. Can you give us some insights as to how organizations go about dialing in, how much they interact with a company like yours, like Accenture, how much they do in-house, and how they choose how they're going to turn those knobs? That's a great question. And I think it really depends on the business, I would say, requirements of each one of the individual clients.
Starting point is 00:21:22 And it varies by industry as well, too. So we see some clients that really want to in-house as much as they can, and they use us for some of the higher-end testing. And then there's other clients on the other end of the spectrum that really just want to focus primarily on running their business and leverage us to run much of their security operations for them as well. And then there's some in the middle that kind of take that hybrid approach, right? Realizing what they can do or are able to do internally and then augment their capability with some of the things that we do within cyber defense.
Starting point is 00:21:57 All right. Well, Josh Ray, Managing Director and Global Lead of Accenture's Cyber Defense Business. Great to have you on board. Thanks for joining us. Thank you, Dave. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed.
Starting point is 00:22:43 Listen for us on your Alexa smart speaker, too. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people
Starting point is 00:23:09 about timely cybersecurity topics. That's at recordedfuture.com slash podcast. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault,
Starting point is 00:23:40 Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Pure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
