CyberWire Daily - Gamaredon Group is phishing ahead of Ukraine’s independence day. North Korea blamed for BLINDINGCAN RAT. Google patches Gmail flaw.

Episode Date: August 20, 2020

Ukraine warns that Russia’s Gamaredon Group is running a phishing campaign ahead of Ukraine’s independence day. CISA and the FBI publish details on a North Korean remote access Trojan. Google patches a serious Gmail flaw. Marriott faces another lawsuit over its 2018 data breach. The WannaRen ransomware operators have released a decryption key. Rob Lee from Dragos with lessons learned from recent virtual conferences. Our guest is Rachel Tobac from SocialProof with her insights on social engineering and the Twitter hack.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/162 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Ukraine warns that Russia's Gamaredon group is running a phishing campaign ahead of Ukraine's Independence Day. CISA and the FBI publish details on a North Korean remote-access Trojan. Google patches a serious Gmail flaw. Marriott faces another lawsuit over its 2018 data breach.
Starting point is 00:02:17 The WannaRen ransomware operators have released a decryption key. Rob Lee from Dragos with lessons learned from recent virtual conferences. Our guest is Rachel Tobac from SocialProof with her insights on social engineering and the Twitter hack. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 20th, 2020.
Starting point is 00:03:06 Center warns that the Gamaredon group, also known as Primitive Bear, a Russian threat group run by the GRU and presenting itself as a Ukrainian separatist organization, is newly active with phishing. The attackers are using malicious attachments that pose as official government documents, often spoofing the Security Service of Ukraine. The effort appears to be battle space preparations for a campaign against Ukrainian infrastructure, believed to be timed for Monday, August 24, which is Ukraine's Independence Day. The center's press service stated, specialists of the NCCC within the National Security and Defense Council of Ukraine have identified a trend towards the modernization of cyber attack software in order
Starting point is 00:03:45 to increase the effectiveness of overcoming protection means and concealment of their activities in compromised systems. The analysis of malicious programs revealed signs of preparation for a large coordinated attack on government agencies and critical infrastructure, aimed at destabilizing the situation in Ukraine before the Independence Day and during preparations for the next local elections, end quote. Ukraine's SBU security service also says that accounts of its involvement with Russian Wagner Group paramilitaries allegedly active in Belarus are Russian disinformation. Ukraine's SZR Foreign Intelligence Service yesterday said the Wagner Group is operating in Belarus under Russian control.
Starting point is 00:04:32 The U.S. Cybersecurity and Infrastructure Agency and the FBI have issued a joint malware analysis report describing a North Korean remote-access Trojan, BLINDINGCAN, which Hidden Cobra is deploying in an attempt to establish persistence in networks of interest to Pyongyang. The report says, A threat group with a nexus to North Korea targeted government contractors earlier this year to gather intelligence surrounding key military and energy technologies. The campaign represents another use of bogus job offers, targeting workers in the defense sector to induce them into installing malware via malicious Word documents. In the
Starting point is 00:05:12 example provided in the report, the attackers used documents that purported to come from Boeing's HR department. Google yesterday patched a security flaw that could have enabled attackers to spoof emails from any Gmail or G Suite user while bypassing DMARC and SPF policies, ZDNet reports. The vulnerability was reported by security researcher Allison Husain in April, and Google fast-tracked its patching process after Husain published details of the flaw yesterday. The bug could be exploited via the G Suite administrator console by setting up custom mail routing rules and configuring an inbound gateway. Husain explained in a blog post, quote, by chaining together both the broken recipient validation in G Suite's mail validation rules and an inbound gateway, I was able to cause Google's backend to resend mail for any domain which was clearly spoofed when it was received.
Starting point is 00:06:10 This is advantageous for an attacker if the victim they intend to impersonate also uses Gmail or G Suite because it means the message sent by Google's backend will pass both SPF and DMARC as their domain will, by nature of using G Suite, be configured to allow Google's backend to send mail from their domain. Additionally, since the message is originating from Google's backend, it is also likely that the message will have a lower spam score and so should be filtered less often, end quote. Google fixed the issue within seven hours of the details being published,
Starting point is 00:06:47 and Husain praised them for their quick response. Marriott International is facing a class-action lawsuit in the High Court of England and Wales over the hotel group's massive data breach that came to light in 2018. According to Reuters, the lawsuit seeks unspecified damages and represents anyone living in England or Wales whose data was stolen in the breach. Based on the number of potential claimants, Verdict estimates that Marriott could be forced to pay tens of millions of dollars in compensation if it loses the suit. Operators of the WannaRen ransomware, which was responsible for a widespread indiscriminate wave of ransomware attacks in China this past April, have given a master decryption key to a Chinese cybersecurity firm, ZDNet reports. ZDNet speculates that the attackers, thought to be a small-time criminal group, realized they were in over their heads and provided the keys to avoid excessive attention from Chinese authorities.
Starting point is 00:07:46 A report from Claroty notes that more than 70% of industrial control system vulnerabilities disclosed in the first half of 2020 are remotely exploitable via a network attack. Computer Business Review notes that the energy, critical manufacturing, and water sectors were the most affected by the vulnerabilities, although this could be due to those sectors receiving increased attention from security researchers. And finally, Palantir has quietly decamped from its Palo Alto headquarters, forsaking Silicon Valley for real estate more to its liking in Denver, as both the Denver and Silicon Valley Business Journals report. CNBC notes CEO Karp's view that Silicon Valley's increasing intolerance
Starting point is 00:08:32 and monoculture and high cost of living have made it a less desirable place from which to do business. Thank you. with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:09:35 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:10:09 That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already
Starting point is 00:10:52 been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Rachel Tobac is well-known in security circles for her expertise in social engineering, bolstered by her multiple wins in the DEF CON Social Engineering Capture the Flag competitions. She's CEO and co-founder at Social Proof Security, and I recently interviewed her for our Hacking Humans podcast to get her insights on the recent hack of Twitter. Here's a segment of that interview. It came to my attention maybe an hour into the attack.
Starting point is 00:11:46 I checked out my Twitter and I saw former President Barack Obama tweeted out a link to a Bitcoin opportunity is the way that he positioned it, where he said that he would double your money. And I'm thinking to myself, that's unlikely. I don't think that that's, I don't think former President Barack Obama is going to double my money. And then I saw that Elon Musk had tweeted it out too. And I was like, okay, that's really strange. So using Occam's razor, I deduced a couple of predictions. And where did you begin? I mean, what were your first suppositions of what might be going on? Well, I started from my position. So I started thinking, what would I have done as an attacker?
Starting point is 00:12:19 And what I would have done as an attacker is I probably would have just tried to gain access to their accounts by leveraging some sort of like internal access panel, an admin panel or God mode, we sometimes call it at a company. And a lot of times I do that when I'm hacking just by calling customer support. So I might call customer support, gain access to their credentials, and just log in and then change the things that I want to change on the back end myself. So that was a prediction that I made. And folks were like, eh, I don't know. I think it was probably an API thing. And I was like, maybe? But I don't know.
Starting point is 00:12:46 The simplest explanation is sometimes the easiest, and it's just what the attacker does. I think it's a really important point that you bring up here. And you've said it a couple times, and that's the willingness to say, I don't know. And I think that's something that, particularly online, that impulse is not often rewarded. Yeah. I think we saw a lot of people try and say like, oh, I think I know what happened, or we know what happened. And they really don't. Even now, we only can go off of what Twitter admits happened. And even that might not be correct. And so we have to say that Twitter claims this happened. It's just like that type of language is really important to be clear on.
Starting point is 00:13:23 A lot of times we just don't know the answer. We can make hypotheses, we have reporting, but we are only reading those claims. We don't know for sure. I wonder sometimes if we've got a little bit of that boy crying wolf situation here in InfoSec in general, where, you know, we see it play out so many times. A breach occurs and the PR folks from whatever company got breached say, we're convinced that this was a sophisticated actor who, you know, there was nothing that could be done due to the sophistication of this actor. Yeah, we hear that a lot. That's like a knee-jerk first reaction is the word sophisticated is used in almost every press release.
Starting point is 00:14:01 A sophisticated actor. I think we saw that in the case of the Twitter announcement as well. A coordinated, sophisticated social engineering attack. And while it was coordinated, they did likely coordinate on Discord from what we're seeing. It doesn't necessarily mean it's sophisticated. Social engineering somebody and calling to gain access to credentials while pretexting or pretending to be IT support, I wouldn't call that sophisticated. The things that I do are interesting, but I wouldn't say they're so hard that the average person couldn't do them.
Starting point is 00:14:30 We do know that it's possible to defend against this stuff too. We need to have least privilege. That means limited admin access. We need to have software to detect aberrant behavior. You know, if you're changing 15 plus emails on an admin panel in two minutes when you're really supposed to be doing that maybe once a day, then that's probably going to raise some red flags and it probably should have sooner.
Starting point is 00:14:52 We need to audit who has access. We need, you know, four eyes or two person sign off. We have to treat people well and fairly. So while a lot of times we say it's a sophisticated actor and there's nothing that could have been done, many times it's less sophisticated than we think, and there's probably something that could have been done. That's Rachel Tobac from Social Proof Security. Be sure to check out our complete interview on the Hacking Humans podcast. Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos.
Starting point is 00:16:19 Rob, it's always great to have you back. Your team at Dragos recently teamed up with the folks over at SANS, and you had a virtual conference, and you had a blog post about this. You said you had seven most meaningful lessons learned during that conference. Can you take us through what are some of the takeaways that you all left with? Yeah, absolutely. So every year we put on the DISC, which is the Dragos Industrial Security Conference at our headquarters in Maryland. It's a free conference for the ICS security community, the asset owners and operators to come in and get to see the latest in research and really just have a conference for them, not sort of the
Starting point is 00:16:55 trade show-like feel that can sometimes happen. And especially with COVID and all the things going on, I went to the team at SANS. Obviously I'm a SANS instructor and have worked there and have good relationships over the years. I said, look, why don't we actually just partner on some things and some various initiatives, and let's kick off that partnership with a conference. And so we hosted the SANS ICS DISC.
Starting point is 00:17:19 So it's like SANS and the Dragos Industrial Security Conference. But we did it virtually, and we did it mid-summer, right? Or so I got, what? No, that was April. So that we could have it available for folks. So when we kicked it off, we were like, oh, maybe we'll have like 200 or 300 people to show up.
Starting point is 00:17:35 We had close to 10,000, and it was pretty wild. We had like 4,000 or 5,000 that were consistently on throughout the whole day, no matter at any given point you could dial in and see that. And that's crazy in terms of response. My number one takeaway was just the amount of interest and passion people have for ICS security. And so we saw tons of people from outside
Starting point is 00:17:58 the ICS security community coming in to take part in these presentations and understand what was going on. So it was a bunch of SANS people and a bunch of Dragos people that gave these presentations. The other one, though, is we pulled together and hosted a CTF. And for the CTF, it's really hard to get access to industrial control equipment. A lot of it's sensitive, more of it's super expensive. So most people in the community usually have a version machine or two, maybe they have a couple protocols they play around with. Getting access to
Starting point is 00:18:23 data off a full range is hard. There's only two or three places that have historically done that in our community. And it's been very limited data sets anyways. And we put it out to the community, part of the CTF. So NetWars is the engine that SANS uses. It caps out at a thousand people.
Starting point is 00:18:40 We've not ever had that problem, how we did here. We actually capped it out at a thousand people, I think, within the first three days of registrations being open, and everybody actually showed up. I think 890 of them were active during the actual CTF window. It was a six-hour CTF. I was going to say, did you effectively have to worry about the system being DDoSed with that many?
Starting point is 00:19:03 We were very concerned. Also, just over a six or seven hour period, we put so much data together. I mean this with no exaggeration. It was by far the largest ICS data set available to the community to date. Teams tore through it.
Starting point is 00:19:27 And there was a couple of people in teams that finished, and it was right down to the wire. Most didn't finish, which is what was expected, but they scored a ton of points and learned new things. The feedback was just exceptional. People were in love with it. And that's the thing that, again, the bigger lesson learned, the bigger thing that I've been advocating for years anyways, is I see that security is cool. And given the opportunity, people will get involved. Did your team come
Starting point is 00:19:54 away with any things that they learned seeing the system get hammered in that kind of way with creative people from all over the world? Were there any surprises? Yeah. So so I mean, we focused it on the defense, first of all. So we didn't see them like hammering it that way. Like we did the attacks and then they were doing the CTF in terms of like forensics and defense. I didn't want to give an environment to be like, hey, some country's APT, do you want to come train? I don't want to go down that route.
Starting point is 00:20:24 So instead it was like, here's packet capture and memory images, that kind of stuff. And I think what the big takeaway was, and I've seen this anecdotally through teaching at SANS anyways in my ICS class, but it's good to get a non-selection bias kind of view into this, where most of the people felt, hey, a lot of my IT security skill sets do translate well into ICS security,
Starting point is 00:20:51 but many of them don't, and there are unique skills, and hey, this is actually this interesting, unique thing. And you'll hear me talk a lot about how ICS security is different, and different mission, and different threats, and you talk about that. But to get a reminder from a wide selection of highly skilled people
Starting point is 00:21:11 of, no, yeah, we see the same thing. This is actually different, and it's cool, and it's unique, and it's fun. That's good feedback into the process. All right, well, congratulations on the event. It sounds like it was a good experience for everybody. It's available for people still, by the way. If people go to the SANS site, if they missed out, all of the presentations are online, both on the Dragos site and on the SANS site. All the slides, all the recordings, and that data set is also available for folks.
Starting point is 00:21:41 Once they register for the event over at SANS, they get that data set. Now, the CTF engine isn't active to go and score points, but all of the answers and the data set is there. And our hope is it's just this continuing education tool for a lot of people to get interested in ICS. All right. Well, Robert M. Lee, thanks for joining us. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who
Starting point is 00:22:25 want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
Starting point is 00:23:26 That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
