CyberWire Daily - Fancy Bear's new moves. OceanLotus and Sowbug cyber espionage groups active. Notes from CyCon, and a look at industry news.
Episode Date: November 8, 2017
In today's podcast we hear some industry news today, briefly, before we get to the cloak-and-keyboard stuff. Fancy Bear has some new dance steps. OceanLotus and Sowbug, threat actors, not plants or... insects, as you might be forgiven for thinking, snoop on ASEAN and Latin America, respectively. Notes on international law and the future of cyberwar from CyCon. Joe Carrigan from JHU on the difficulties in reporting vulnerabilities. Robert Rodriguez from SINET on the trends he sees from the companies winning the SINET 16. And Appleby insists the Paradise Papers were not an inside job.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Fancy Bear has some new dance steps.
OceanLotus and Sowbug snoop on ASEAN and Latin America, respectively.
Notes on international law and the future of
cyberwar from CyCon, and Appleby insists the Paradise Papers were not an inside job.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, November 8, 2017.
Some industry news today, briefly, before we get to the cloak and keyboard stuff.
Fallout from NotPetya continues to descend on earnings.
The latest victim to report that the June pseudo-ransomware campaign continues to inflict financial pain is the shipping giant Maersk,
which is estimating NotPetya losses at somewhere north of $300 million.
We're likely to hear more such reports from other companies as they continue their return to normal operations.
There's less unpleasant industry news as well.
The New York Times reported in an exclusive
that Prague-based antivirus firm Avast is preparing for an IPO
that could be priced in the billions.
In other business news,
security firm Proofpoint is a buyer. It's announced its purchase of CloudMark for a reported $110
million. CloudMark isn't the only acquisition target. U.S. private equity firm Warburg Pincus
is said to have increased its 21% stake in Israeli cybersecurity shop Cyren to a controlling 75%.
Warburg Pincus invested $19.6 million in Cyren to acquire its current fraction of ownership.
And container security company NeuVector announces that it's raised $7 million,
which it intends to use to build up engineering and sales operations.
Misconfigured AWS S3 buckets continue to make trouble.
Accenture recently narrowly escaped what observers believe might have been a significant breach.
Amazon is trying to give its AWS customers easier ways of avoiding missteps in the cloud.
The cloud provider has moved to add encryption by default to customers' S3 buckets.
The SINET Showcase event is taking place in Washington, D.C. today and tomorrow,
highlighting the SINET 16 Innovation Awards,
presented to the companies SINET's panel of judges deems the most innovative and compelling.
Robert Rodriguez is the chairman and founder of SINET,
and I asked him to describe some of the trends he's seeing in
cybersecurity. We've moved from a prevention and detection environment. I mean, we still do that,
of course, but we're more into response, incident response. But the big word today, resilience.
That's what board of directors and CEOs want to know. Okay, they're in. When we get hits, what does that mean to our resiliency?
When can we be back up? How do we minimize shareholder value loss, brand reputation,
tangible and intangible? The other area that I think is interesting is the orchestration
and automation. That's an area that we need to go to, and more companies are in that space. There's also an increase of companies in the deception space that is trending.
However, when I talk to CISOs, I ask, is it nice to have or need to have?
And what I get from them is it's important, but it's nice to have.
And that doesn't mean that that's correct and accurate, but that's the feedback I've received from some of the CISOs that I know.
I think also in terms of trends, let's talk about cultural trends, right, in the marketplace.
I think this is really important because, you know, because we're in cybersecurity and there's a lot of risk out there and there's been a lot of attacks and, you know, Equifax and Target and Home Depot and OPM over the years.
The problem doesn't seem to be going away anytime soon.
I would say that the buyers, the CISOs, have been harder to get to by the companies.
And I'm getting feedback from the companies that they want to start building more purpose-driven type of events,
that they focus on building really trust-based relationships with the CISOs.
And they do an off-site that is focused on a thought leadership discussion,
not a pitch of the technology or solution that the company has,
whether it's in orchestration or whether it's incident response.
They want to start doing these kind of things
and maybe some private off-site networking and dinners
because it's really about the relationships.
And it's building not just relationships, but trust-based relationships.
That's one of the things I'm hearing from the companies.
And part of the challenge is the CISO, whether they're industry or government,
are in high demand.
And when anything's in high demand, sometimes you can be reclusive because the noise is so great.
What's out there that really makes sense? And also, everybody wants them. I mean,
the vendors want them. The venture capitalists want them to introduce the portfolio companies,
the event people want them to speak. When they go to Gartner, RSA,
a lot of people want them to go to their dinners. And so they get pulled in different directions.
It just makes it harder to get to them. I think the word that corporate uses today,
building purpose-driven companies, that needs to go down to the entrepreneur, and defining a very strong mission, a strong sense of purpose,
a strong sense of culture that is, we're all in here together, we're here to help the CISOs that are protecting the brand and reputation and critical infrastructure of their respective
entities, and really listen to what their challenges are and what their problems are and go into it as a team.
Of course, I want them to succeed with the sales,
but I think sales need to come second behind the relationship.
And if they do that, I think they'll have greater success.
That's Robert Rodriguez from SINET.
The SINET Showcase event is in Washington, D.C. today and tomorrow at the National Press Club.
We'll have more coverage of the event tomorrow.
There's more news today about cyber espionage, and we turn to three spy stories.
There wasn't much barking heard from Moscow dogs in yesterday's U.S. off-year elections,
at least not so far, but the Russian organs haven't been idle either. McAfee notes that Fancy Bear, and if you're keeping score at home unofficially,
that's Russia's GRU, the military intelligence agency, after having phished CyCon with little
evident success, continues to tune its activities. It's seeking to take advantage of a recently
demonstrated Microsoft Office vulnerability, dynamic data exchange, which can be exploited to install
malware, and it's baiting its fishhooks with fears surrounding the recent terror attack in New York City.
At least two other active espionage campaigns are in progress.
Volexity is tracking a Vietnamese threat group the company says is running an ongoing cyber espionage campaign against ASEAN neighbors.
The researchers are coy about attributing the group's activity to any
nation-state, but its interests appear to coincide with those of Vietnam's government.
The threat actors are being identified with APT32, also known as OceanLotus,
which FireEye described in May. APT32 is currently engaged in surveillance of ASEAN meetings convened in Manila.
Symantec researchers find that espionage group Sowbug, known since 2015, is still quietly active with its Felismus malware.
Sowbug's targets have principally been in Latin America, but it's recently expanded its interests to include Asia.
It looks like nation-state sponsored activity with
an interest in diplomatic intelligence, but which nation might be running Sowbug is unknown.
The targets are unusual in that Latin America is heavily overrepresented.
Most such campaigns have shown more interest in Western European and North American targets.
And while we're thinking of espionage and nation-state conflict,
it's worth turning to the CyCon conference that's meeting in Washington, D.C.
Yesterday's sessions included an interesting panel on the Tallinn Manual and international law
as it affects cyber operations. The panelists, many of whom had been involved in preparing Tallinn 2.0,
stressed a commonly overlooked fact about this
NATO publication on cyber conflict. It was developed to expound lex lata, the law as it
stands, and not lex ferenda, the law as it ought to be. They saw this as essential to the manual's
credibility. There was one significant area of dispute, and that was over sovereignty,
how it's to be interpreted,
how it informs permissible activity under international law, and how it interacts with a requirement for due diligence. This morning, an international law expert, Dentons' Peter
Stockburger, picked up some of the themes addressed by the Tallinn panel. In particular,
he was interested in the ways in which international law surrounding attribution
of cyberattacks has been evolving.
Since customary practice is one of the sources of international law,
Stockburger said it was worth keeping an eye on how formal attribution of attacks has developed over the last few years.
The test for attribution has been, since the 1990s at least, the effective control test.
That is, you could attribute a third-party attack to a nation-state only if that state could be shown to be in effective control of the third party.
Support, even funding, would be insufficient. But now, especially since the U.S. attributed
the 2014 Sony hack to North Korea, there's been a movement, in practice, away from effective control to a new, less stringent
test, control and capabilities. Thus, we now cite similar malware, IP addresses, common tactics,
and other more circumstantial matters when we attribute a cyber attack to a state.
This is a relatively new and not fully appreciated development, Stockburger argued.
New America's Peter Singer, who delivered the
morning keynote, was in fine full futurist fig, giving the symposiasts much to think about
concerning the ways in which emerging technologies like robotics, artificial intelligence, big data,
and even human enhancement are going to change the way militaries organize, recruit, train,
and fight. They're going to be bigger than the
steam engine, bigger than the airplane, bigger than the computer itself. We'll have more on his talk
and other presentations at CyCon later this week. And leaving CyCon to return to the world of crime,
in case you were wondering, Appleby, the Bermuda offshore specialist law firm, says it was hacked
and that it wasn't an inside job.
Some outsider got in to steal and leak the Paradise Papers.
There's still no word on who the hackers were or how they got in.
It's also unclear that the leaks reveal any illegal activity,
but consensus remains that the optics are bad for those mentioned in dispatches.
It's striking to see the way Appleby continues to insist that the leaks are the fruit of criminal hacking and that the law firm is the victim here.
And legally, it's hard to disagree with them.
And I'm pleased to be joined once again by Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
Joe, welcome back.
You wanted to take us through a story today about being able to report vulnerabilities when you find them.
Right. So one of my roles at the Information Security Institute at Johns Hopkins University is I am the coordinator for all of our vulnerability disclosures.
So what that means is when we find a vulnerability, we have a policy that says the first thing we're going to do is notify the person who is responsible for maintaining this product, library, thing, whatever it is, that we found this vulnerability and provide them with an opportunity to fix it
before we release it to the general public.
All right.
And I've had to report a number of vulnerabilities over the past couple of years that we found.
And one of the things I found was it's very difficult to tell a company that you found
a vulnerability in their product.
Why do you...
Go on.
I mean, do they not have an email address?
Are they just not set up to do it?
I'll talk about a specific company
which shall remain nameless.
Now, there are companies out there
that have stepped up
and they're starting to do this,
particularly big software manufacturers
like Microsoft and Google.
Sure, we hear about bug bounties
and things like that.
Exactly, and every company should have this.
But there was one company
where I would get in touch with them.
I called all over
to their offices and they were like, their engineering department was, I don't know who
you'd send that to. And I sent it, I eventually wound up using the support portal and said,
can I give this to you? We consider this vulnerability disclosed. And at one point
in time from one company, I got back a letter that said, or an email that said,
we received your vulnerability disclosure and we've notified our legal team.
Of course, they have.
I wrote them back.
You're waiting for your summons.
Right. Exactly.
And somehow you've violated the Digital Millennium Copyright Act or something.
Right. By finding a vulnerability, like a good academic research organization.
So I wrote them back and I said, I would recommend that you also send this to your engineering team.
You're free to send it to whomever you please, right? But the legal people are not going to fix
this problem for you, and we consider it disclosed, and we're going to disclose it to the public
after our non-disclosure period.
I see.
So there was this company that we had been working, I made a number of disclosures to
and a news organization contacted the professor who was the advisor to the students who found
these vulnerabilities and said, what do you do when you find these vulnerabilities?
And he says, well, you know, we try to tell the companies,
but we generally have a hard time doing that.
So then the news organization contacted the company and asked the vice president of communications at that company,
why can't Hopkins disclose these vulnerabilities to you?
And that got some attention, right?
Of course it did.
When a large news organization contacts you and says...
You just got to get to the right person, right?
You got products that have security vulnerabilities in them, and the people that find them can't report them to you.
And we got some immediate attention.
And this company – I don't want to say anything about the company.
The company actually –
Sure.
They took care of the problem.
They solved it.
And they're actually looking at starting a bug bounty now, which is great.
It's unfortunate that it takes that kind of pressure to do that.
Companies, every single company that manufactures a product that can have a security vulnerability.
So anything that is a computer or when I say is a computer, there's so much stuff that's actually a computer.
What isn't a computer these days?
Think of being a computer.
A router, right?
Your router at your house that you have. That's probably a Linux computer,
right? Inside. Your thermostat.
Your security camera. Your refrigerator.
Exactly. Your refrigerator. Your oven.
Your washing machine. They all have computers
now and they're connected to the internet. This all goes
back to the surface area problem,
the attack surface problem. But
these manufacturers
all need to have a public way for people to put data into their realm of knowledge that somebody has found a vulnerability.
So it needs to be beyond the general contact us form on the website so that it properly gets routed and gets the proper attention that it deserves.
It does.
And you need to have a way for security
researchers to reach out and get in touch with you. Okay. Joe Carrigan, thanks for joining us.
My pleasure.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.