CyberWire Daily - Fancy Bear paws at anti-doping agencies. Johannesburg says no to the Shadow Kill Hackers. Adwind jRAT’s new misdirection. US FCC versus Huawei, ZTE. Georgia hacked.

Episode Date: October 29, 2019

Fancy Bear is pawing at anti-doping agencies, again, suggesting more to come for the 2020 Tokyo Olympics. Johannesburg has declined to pay the Shadow Kill Hackers the money they demanded. Adwind jRAT has gotten a bit harder to detect. The US FCC is considering a measure that would prevent certain funds from being used to purchase Huawei or ZTE gear. Pwn2Own goes ICS. Georgia is hit by unknown hackers, and Magecart appears in an American Cancer Society website. Daniel Prince from Lancaster University on risk management and uncertainty. Guest is Robb Reck from Ping Identity with their research, 5 Steps to Improve API Security.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Fancy Bear is pawing at anti-doping agencies, again, suggesting more to come for the 2020 Tokyo Olympics. Johannesburg has declined to pay the Shadow Kill Hackers the money they demanded. Adwind jRAT has gotten a bit harder to detect.
Starting point is 00:02:11 The US FCC is considering a measure that would prevent certain funds from being used to purchase Huawei or ZTE gear. Pwn2Own goes ICS. Georgia is hit by unknown hackers. And Magecart appears in an American Cancer Society website. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 29, 2019. Microsoft yesterday reported finding indications that Russia's GRU has resumed targeting networks of anti-doping agencies that police international sports. Microsoft refers to the GRU as Strontium; others refer to it as Fancy Bear or APT28.
Starting point is 00:02:58 Fancy Bear was active against anti-doping groups during the last Olympiad when officials disqualified Russian teams for widespread use of performance-enhancing drugs. Microsoft's notice suggests that Moscow has neither forgotten nor forgiven, and that organizations connected with what's called the Olympic Movement can expect more hostile attention in cyberspace through next summer's Tokyo Games. Japanese authorities have been aware of and preparing for cyber threats to the Games since 2015 at least. Anti-doping organizations have received the attentions of the GRU before. In October of 2018, the U.S. Department of Justice indicted seven officers of the Russian Military Intelligence Service on charges related to the hacking of such agencies. Microsoft didn't specify which organizations were the subject of this most recent round of hacking,
Starting point is 00:03:50 but it has warned them that they do figure in the attackers' plans. Fancy Bear has been generally regarded as responsible for the Olympic Destroyer malware that hit the 2018 Winter Olympics in South Korea. That particular campaign was false-flagged in ways designed to lead to the conclusion that North Korea was responsible for the attacks. The imposture worked for a while but was debunked within a matter of weeks. In South Africa, the city of Johannesburg has declined to pay the ransom the Shadow Kill Hackers demanded and has called upon international support to help with recovery.
Starting point is 00:04:26 The deadline for payment expired last night, and there are no signs that the attackers have so far made good on their threats. Authorities say they've restored some 80% of the online services used by the city of 5 million. Researchers at Menlo Security say the Adwind jRAT has grown more difficult to detect. The malware is an information stealer that, for the most part, has been used to collect passwords from infected systems. The newest version, which, in a departure from Adwind jRAT's earlier platform-agnostic manifestations, seems to be targeting Windows machines, usually arrives as a Java archive file attached to a phishing email or downloaded from an old WordPress-based watering hole.
Starting point is 00:05:10 The initial Java archive file is obfuscated in ways that make behavioral or signature-based detection difficult. In effect, Menlo Security says, the malware is hiding in plain sight. Eventually, of course, it has to reveal itself by sending stolen credentials to a remote server. And that, Menlo says, is what will blow the gaff to alert defenders. We've been checking in with Robb Reck from Ping Identity on his CISO Advisory Council's research for 2019.
Starting point is 00:05:40 Their final report is titled Five Steps to Improve API Security. The API kind of behind-the-scenes movement has really changed the way IT and development teams work. Instead of all, you know, the majority of user interaction or, excuse me, system interaction happening like through a web page where a system, you know, goes to a browser and accesses it, the vast majority of transactions, the vast majority of business being done is behind the scenes.
Starting point is 00:06:05 And APIs are where systems talk to each other. And so what are the practical implications of that? Well, we've built these security teams and development teams that are really better at, especially from a security perspective, we're better at securing web apps. We're better at doing vulnerability scans for systems. We don't necessarily understand how does an API work. And even our pen testers, they're much better at focusing on those web application systems. And so we really need to start thinking about what's the impact, what's the implications of
Starting point is 00:06:35 having these APIs that we're not quite as skilled at dealing with. Well, let's go through the steps together here. Walk us through what you recommend. Yeah. So I'd say these are five steps to get started, right? We're certainly not expecting that you finish these five steps and you're done. But I know there's a lot of departments out there that just don't know even where to begin. So step one is you got to know what APIs are in use. And this is no different than any other kind of part of security. But knowing your systems, knowing your infrastructure, generally, I'd
Starting point is 00:07:05 imagine that if you ask a security team how many APIs they have, they, number one, don't have the answer. And number two, if they take a guess, they would guess way too few. And the only way you start to know this is by really teaming up with other departments. Number one is you have to talk to your development folks. That's the folks who are creating APIs and putting out new ones all the time. Work with them, work with your IT, maybe your information systems teams
Starting point is 00:07:29 that manage those different systems and start to put together that single inventory of systems. Hmm. Well, what's number two on your list? Gain visibility into the activity. So it's not just what APIs are there, it's like, what do they do? What are the purposes of these things?
Starting point is 00:07:43 And that's not so easy, especially in this kind of DevOps, continuous integration, continuous deployment world we live in, where an API that existed today doing one thing very well tomorrow may do a lot of additional things. So we really need to start seeing what does normal behavior look like on those APIs, so we can understand where's the biggest risk. We probably don't have the resources to go look into every single API, but as we know which ones do high value transactions, maybe financial transactions, maybe health transactions, we can start to focus our attention on those higher risk APIs. Well, speaking of resources, your third tip here is to assemble the right resources. Yeah. So this is not just, you know, put your security, you know, your network firewall admins on your APIs and expect them to be able to be effective, right?
Starting point is 00:08:31 We really need to figure out who can be effective. And it's kind of a hybrid position where someone who has a security mindset, but has the skills of a developer who understands how APIs work, what do they do? And this is, you know, one of the big challenges we have. And, you know, you talk about it on CyberWire all the time, the skills gap, right? The security skills gap that we run into. This is a place where I think it's probably most obvious is finding an experienced security focused API person. That's just about impossible. What we need to do instead is let's find someone in the organization who has either a strong development background and has some interest in security or a security person who's willing to put in the time to learn how APIs work.
Starting point is 00:09:13 Let's get some of those resources together. Whether they're located in security or in development doesn't matter that much as long as both teams are kind of part of that process. Yeah, and that goes right to your number four, which is assign ownership of API security. Yeah, you got it. And I'd say, once again, it doesn't matter to me who owns it. My problem is what I see too much of is, is they say, well, we both are a part of the solution. No one really specifically owns it.
Starting point is 00:09:37 And, you know, I firmly believe if nobody owns something, then, or excuse me, if everybody owns something, then nobody owns it. You have to have an individual department, individual person who's going to be held accountable for that. And then, of course, they'll partner up with the others. So if security is going to own it, then they're going to depend a ton on development to be effective. And if development owns it, you know, that means that they have to be the ones to answer for, you know, why were your APIs not secure versus asking the CISO to come, you know, be the one to answer if development was the one doing it. And then your fifth item on the list is address API security by design.
Starting point is 00:10:08 Yeah, this is, I mean, this is clear for any kind of development, but I think it's especially important in APIs because of the nature that generally API development comes along in this much more agile, much, you know, more DevOps-y type of environment. When you start to see these quick changes, they really can have big impacts. APIs have been notoriously abused in a number of big breaches. I guess the Cambridge Analytica scandal, not so much a breach, but an abuse of APIs. And we've had lots of other examples of that. The only way you address that is by starting to get the threat model for APIs considered and developed in much earlier in the process.
Starting point is 00:10:45 When I say the threat model, I mean, well, who would be interested in going after this data that the API protects? How could they do it? Where are they coming from? And make sure we're developing around that threat model. And then one other element there is all development of APIs
Starting point is 00:11:02 should probably be done considering as though this API were going to be externally exposed, versus kind of trusting that it's behind a firewall and we're not going to worry about having to be as security focused there. Over time, you know, exposure changes; these things have to change. And in this, this world we're living in, where borders and firewalls aren't necessarily going to be there for very long, really focusing on making sure we have a resilient API is one of the keys. That's Robb Reck from Ping Identity. The U.S. Federal Communications Commission has proposed rules that would prevent recipients
Starting point is 00:11:34 of universal service funds from using that money to purchase equipment or services from companies that threaten national security. The measure, which the FCC will vote on this November 19th, isn't restricted to any particular companies or countries, but the Commission specifically calls out Huawei and ZTE as examples of the companies it has in mind. USF money is designed to support rural telecommunications infrastructure. So, should the measure pass in November, it won't amount to a ban, but it will be a powerful disincentive to using products and services from the two Chinese companies.
Starting point is 00:12:10 The selection of the USF as a tool to use against Huawei and ZTE is significant. The companies' reputation for low cost has made them attractive to carriers serving rural areas and closing gaps in the proverbial last mile. The loss of USF money would change the economic calculation. Pwn2Own will add industrial control systems to its bug-hunting target list this January, according to Dark Reading. They point out that they're not going to ship, obviously, pump controls or centrifuges to the conference venue,
Starting point is 00:12:43 but Trend Micro, which is running the program, believes it's found suitable software-based products to make the exercise interesting. An unattributed cyber attack against Georgian targets has taken down some 2,000 websites and the national television station, according to the BBC. The website attacks were for the most part defacements. There's no attribution yet,
Starting point is 00:13:06 but as is usually the case in the former Soviet republics that make up the independent states of the near abroad, the speculation in the country of Georgia is that the hackers were Russian. That's of course premature and merely a priori. There could be any number of other threat actors responsible. The story is developing. Whoever is behind the attack, they seem to have a taste for 1980s American science fiction, assuming that I'll Be Back is in fact the homage to The Terminator it appears to be. And finally, creeps using the Magecart card-scraping malware that's afflicted many e-commerce sites over the past year have turned to a new target, the American Cancer Society's online store. The code was injected last week, was removed at some
Starting point is 00:13:51 point after researchers at Sanguine Security found and disclosed it, and now seems to be gone. But if you've used a card recently on the American Cancer Society site, do check with your card company. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents,
Starting point is 00:14:26 winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:14:53 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
Starting point is 00:15:06 across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:16:10 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, welcome back. We wanted to touch today on risk management and uncertainty. What do you have to share with us today?
Starting point is 00:16:44 Well, thank you for having me back on. So I've been doing quite a lot of work looking at risk management and thinking about actually what do we mean by risk. And when you start to look at some of the formal definitions, risk is really looking at a system where we can know all the specific outputs and we can assign probabilities to those possible outputs. The problem with, I'm finding with digital systems, is that the ability to be able to enumerate all the possible outcomes, all the possible problems that that system has, is nearly impossible because of the complexities of the system. And that leads us into the really the concepts of uncertainty, where we can, we know some of the possible outcomes, but we just don't know all of the possible outcomes. And therefore, it becomes much more complicated to have a quantitative based system to understand where all the probabilities of all different outcomes
Starting point is 00:17:42 happen. And so for me, this is really important when we start to talk about things like systemic risk within systems. So systemic risk is this concept that there is an underlying big problem that could actually change the way that people behave. But that assumes that, one, we can identify all the possible outcomes and assign probabilities, and two, that we know the whole system. My point here at thinking is that we can't know all the possible outcomes, so we have to start thinking about systemic uncertainty. And that leads you on to, instead of doing really a lot of planning,
Starting point is 00:18:21 a lot of more thinking about how do we respond to incidents, which is one of the reasons why when I'm teaching and thinking about risk management, I'm actually thinking more about how do we prepare people to be able to respond effectively to the materialization of unintended or bad events within a particular system, including the people and the technology. Now, do you find that people approach this in a logical way? Do people come at it thinking that they can eliminate all risk? Do they have unrealistic expectations?
Starting point is 00:19:01 I think the unrealistic expectation starts with believing they can know all the possible outcomes that a computer system could generate. And that's, in some ways, a little bit of a naive position to take. And I think if you talk to a lot of technologists, they wouldn't take that position. But a lot of other people who are not completely aware of the complexities of computer systems do take that position and believe that you can know all the outputs. But there is often, sort of, I find, a bit of a bias, an overconfidence bias within some technical people within risk management, that they assume that they can know all the possible outcomes and quantify them, and then they're dealt with. The reality is,
Starting point is 00:19:41 I think it's much more important for a whole organization to be really prepared to face an incident. And that's just not the technical people, but that's also all of the business people all across the whole organization. And thinking about how the organization really responds as a collective of people to support the organization to deal with a specific threat. It strikes me that it's not unlike how we deal with ourselves, our human bodies and our frailties and our ability to get sick. You can do everything. You can wash your hands. You can not sneeze on your co-workers. But still, people are going to get colds, people are going to get the flu. And as an organization, you have to be prepared for that, that sometimes people aren't going to be able to show up for work.
Starting point is 00:20:32 Yeah, that's it. And it's one of the really interesting things about, you know, in our day-to-day lives, we're quite happy with uncertainty, most of us. We're quite happy to be able to deal with, um, the unintended outcome, the things we didn't think about. We are capable of doing that, and we accept that we have that in our daily lives. But what's interesting when it comes to computer systems, because it is technology, because it's engineered, there is this kind of, well, why can't we know everything? That's the question that sort of comes out. But if you take a standard computer system, you've got some hardware that we don't know what's in it.
Starting point is 00:21:10 We don't know where there's vulnerabilities. So things like Meltdown and Spectre are key examples of that. Then we put an operating system on top of that, which could have some problems. And then we install a wide variety of applications on top of that. And we don't know one installation is exactly the same as the other. So every single system we have and all the systems that interconnect us can be considered as unique
Starting point is 00:21:33 as every single person on the planet. So when you start to think about it like that, then it's, you know, we really need to start to think about doing the best defense we can, but also be able to respond as effectively as we can as well. All right, Daniel Prince, thanks for joining us. Cyber threats are evolving every second,
Starting point is 00:22:00 and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
Starting point is 00:22:27 deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
Starting point is 00:23:08 of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:24:07 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
