CyberWire Daily - Hacking attends international conflicts and disputes in India, Australia, and Ethiopia. US designates four Chinese media outlets foreign missions. Sodinokibi evolves; Evil Corps rises from its virtual grave.

Episode Date: June 23, 2020

International conflicts and disputes are attended by hacking in South Asia, Australia, and Africa. The US designates four Chinese media outlets as foreign missions, that is, propaganda outfits. Sodinokibi ransomware sniffs at paycard and point-of-sale systems. Ben Yelin on TSA's facial recognition program. Cybersecurity Canon Week continues with our guest Bill Bonney, co-author of the CISO Desk Reference Guide. And Evil Corp is back, apparently because you just can't keep a bad man down. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/121

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first
Starting point is 00:00:30 future together. Head to salesforce.com slash careers to learn more. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
Starting point is 00:00:49 With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. International conflicts and disputes are attended by hacking in South Asia, Australia, and Africa. Ben Yelin on TSA's facial recognition program. Cybersecurity Canon Week continues with our guest Bill Bonney, co-author of the CISO Desk Reference Guide. And Evil Corp is back, apparently because you just can't keep a bad man down.
Starting point is 00:01:58 From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 23, 2020. International conflict continues to breed attendant cyber-offensive operations and apparent hacktivism. India, which has seen minor but lethal skirmishes with China along their disputed border, continues to warn its businesses, organizations, and government agencies to be alert for continued Chinese cyberattacks. The Outlook reports that New Delhi's security agencies are distributing an alert from CERT-IN that many such attacks can be expected to take
Starting point is 00:02:35 the form of COVID-19-themed phishing. Inc. 42 says that researchers at Cypherma have been monitoring dark web chatter that appears to confirm such warnings. Zscaler has taken a look at last week's warning from the Australian Cyber Security Centre about copy-paste compromises used against Australian networks. None of the reported exploits involve zero days. All take advantage of known and patchable vulnerabilities. These and several other recent campaigns against Australian targets have been widely attributed to China, as the Sydney Morning Herald summarizes. Prime Minister Scott Morrison didn't name the attacker beyond
Starting point is 00:03:14 calling it a state-backed actor with significant capability, but plenty of other sources, publicly outside the government and privately within it, haven't been shy in saying that, straight up, it's China. The U.S. State Department, in voicing support for Australia, hasn't been coy about naming names either. As has been the case for the last few years, Huawei and its market penetration have provided the occasion of and flashpoint for such conflict. Former Prime Minister Malcolm Turnbull said the recent increase in cyberattacks Australia has seen fully justifies excluding Huawei from the country's infrastructure. Huawei, the Australian Financial Review reported, has tut-tutted that Mr. Turnbull's remarks were
Starting point is 00:03:56 inaccurate and inappropriate. And one case of possible hacktivism, or possibly state-directed hacktivism, has appeared in Ethiopia. Addis Ababa says, according to Borkena, that unspecified Ethiopian government organizations have been hit by Egyptians working under the hacker name Cyber Horus Group, Anubis Hacker, and Security By Past. Their evident intent is to pressure the Ethiopian government over the Grand Ethiopian Renaissance Dam, known by its acronym GERD, on the Blue Nile, which has prompted an international dispute among Egypt, Ethiopia, and Sudan over water rights. The dam's reservoir is scheduled to begin filling next month, the beginning of a process that could take 10 to 15 years.
Starting point is 00:04:43 The dam will, in addition to serving as a water storage source, also protect people downstream from flooding, even as it would interfere with traditional flood recession agriculture. Egypt has voiced concerns that GERD could interfere with its own water supply. Sudan's government has generally been more favorably disposed toward the project, seeing it as a regional water reserve that could redress shortages during times of drought. The U.S. Treasury Department, with the technical assistance of the World Bank, has sought to broker an agreement on regional control of the dam but with mixed results, in part because GERD has become something of a patriotic issue in Ethiopia. You can see online expressions of such sentiment under hashtag
Starting point is 00:05:25 It's My Damn. The U.S. State Department has designated China Central Television, China News Service, The People's Daily, and The Global Times as foreign missions, that is, Chinese government propaganda outlets. The Wall Street Journal quotes David Stilwell, Assistant Secretary of State for East Asia and the Pacific, to the effect that, quote, these aren't journalists. These are members of the propaganda apparatus, end quote. Beijing says it's a lot of arbitrary Yankee hooey that the news outlets are firmly grounded in objectivity, impartiality, truthfulness, and accuracy, which is the PRC's story, and they're sticking to it.
Starting point is 00:06:07 The Chinese government went on, this is totally unjustified and unacceptable, and once again exposes its double standards and hypocrisy of the so-called freedom of press. So take that, Foggy Bottom, and tell it to Pravda while you're at it. Anywho, the State Department's designation won't shut down the force services operation in the U.S., but it will prove to be, at the very least, an irritant. Designation under the Foreign Missions Act will require the news operations to report all their personnel to the State Department
Starting point is 00:06:37 and to register any property they hold, whether they own it or lease it. Researchers at Symantec's Critical Attack Discovery and Intelligence team this morning reported a couple of new wrinkles in the Sodinokibi ransomware. First, the gang is using the commodity malware Cobalt Strike to deliver its payload. Second, they're also scanning some of the victims' networks for point-of-sale or paycard management software. This second activity is ambiguous but suggestive of a further direction in the malware's evolution. They could be attempting to encrypt point-of-sale data, or they could be interested in diversifying their revenue stream through some
Starting point is 00:07:16 carding on the side. That would be consistent with the recent tendency of ransomware to steal data for either leverage or resale, in addition to simply encrypting it. It's worth noting that even confined to traditional extortion by encryption, Sodinokibi is asking a lot from its victims. Symantec says that their current demands are $50,000, in Monero, of course, if the victim pays up within the first three hours of infection. After that, the ransom goes up to a hundred grand. And hey, everybody.
Starting point is 00:07:49 Remember the group that calls itself Evil Corp, the gang behind the Dridex Trojan that went into occultation last year after two of their numeros, Maxim Yakubets and Igor Turashev, got clobbered with U.S. federal indictments and some attendant sanctions against their collaborator back in December.
Starting point is 00:08:07 Well, Evil Corp is back in business, ZDNet reports. A study released today by Fox IT describes Wasted Locker, a new ransomware strain that's designed to bypass many of the endpoint protections that frustrate other forms of malware. It also demands a very high ransom. Fox IT says they've seen demands as high as $10 million, which makes the hoods behind Sodinokibi look like cheap grifters.
Starting point is 00:08:38 Mr. Yakubets and Turashev, both still at large, are Russian nationals. The U.S. Justice Department says that it asked Moscow for help during the investigation that resulted in the indictments unsealed in December, and that Moscow was sort of helpful, to a point. But both men remain at large, and justice suspects that Mr. Yakubets, at least, is cooperating with the Russian organs. So, FBI, Britain's National Crime Agency, Interpol? Good hunting, friends. We continue Cybersecurity Canon Week, celebrating the books and authors the Cybersecurity Canon Committee has determined are well worth your time. Our own Rick Howard heads up the effort here at the Cyber Wire,
Starting point is 00:09:25 and today he speaks with Bill Bonney, co-author of the CISO Desk Reference Guide. So Bill, why did you write this book? Well, this actually came from a panel discussion that Matt and Gary and I had back in 2015. We were talking about the evolving role of the CISO and what new CISOs had to be prepared to do that was different than the expectations of the CISOs of the past. The panel discussion was supposed to run about an hour or so, and about an hour and 45 minutes into the discussion, they started kicking us out of the room, and then people started kind of following us down the hall because the conversation was so kind of resonating with everybody trying to figure out, you know, how do I evolve what I'm doing to meet the needs of today?
Starting point is 00:10:14 So we started by writing a few articles for LinkedIn back in 2015, and we would kind of trade off and kind of edit each other's work. And then, you know, after we did about four of those articles, we said, you know, this material and the way that we're going about this, this might be better suited to put down in a book. And the point really was to try to set something up that would be consumed by the mid-tier CISO, either wannabe CISO or CISO who's, you know, in a situation where they're trying to learn the business. They haven't done it before. They're working for a mid-tier company. The reason why we had mid-tier in mind is because San Diego is very much a mid-tier town. I think we have the lowest per capita S&P 500 headquarters in the country. For us, the audience was really kind of that built-in set of our peers that needed to have that kind of, you know, the wisdom, so to speak, collected from people who had kind of been there and done that.
Starting point is 00:11:10 What we then realized as we got the first volume out and started working on the second volume was that our way of putting this book together, which was to have each of us talk about each one of the topics, kind of recreated that panel discussion. And then the book actually became consumed by a much larger audience, which was very gratifying to us and, you know, really kind of nailed home that point for us that, you know, being able to kind of write down what we all kind of collectively knew in a way that people could explore from different angles really kind of, you know, hit a sweet spot for us. That's really what was the impetus was trying to write something that would capture the wisdom, really, for those mid-tier players that didn't have the ability to learn from S&P 500 peers.
Starting point is 00:11:54 That's The Cyber Wire's Rick Howard speaking with Bill Bonney, co-author of the CISO Desk Reference Guide. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024, these traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps
Starting point is 00:12:46 and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation,
Starting point is 00:13:02 and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
Starting point is 00:13:44 I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners. Today, get 20% off your Delete.me plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindelete.me.com slash N2K and enter code N2K at checkout.
Starting point is 00:14:28 That's joindelete.me.com slash N2K, code N2K. And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security. Also my co-host over on the Caveat podcast. Hello, Ben. Hello, Dave. How are you? Doing well, thanks. Interesting story came by.
Starting point is 00:14:54 The TSA has released a privacy impact assessment report that updates their plans on integrating facial recognition into everyone's experience at the airport. What's going on here? So prior to these past couple of weeks, the TSA has engaged in a pilot program where attached to the stations where they scan your boarding pass, there's also a camera that takes a picture of each boarding passenger and sort of cross-references that person's face against government databases to ensure that the person
Starting point is 00:15:31 is, quote, safe to get on an airplane, that they're not a security risk. This announcement leads us to believe that this practice is going to become more widespread. There has been a notice of proposed rulemaking at the federal level to make this universal as it applies to international travelers. And at least this article seems to think that that's going to be extended to domestic travelers as well. So the TSA says, you know, and there are ways to sort of limit the invasion of privacy as it relates to these types of mugshots. The first is that at least as it relates to domestic flights, theoretically, this is all going to be voluntary. So you can opt out, although some customers have reported that TSA agents have not let them opt out of taking these photographs at security checkpoints.
Starting point is 00:16:25 And even thinking practically, sort of all of the security we go through at TSA checkpoints, a lot of it is opt-out. But by opting out, you're really making your life more difficult. If you choose not to go through those scanning machines, they're going to patch you down. So it's not really the ability to opt out in any meaningful sense of the word. So that's sort of one way that they will try to protect your personal privacy.
Starting point is 00:16:53 They also say that these photographs are going to be deleted after 24 hours, after they have cross-referenced them against federal databases. So this is not a photo that they're going to keep in their system. But they are collecting, at least for a temporary period, your biometric data. And that can always be a little bit dangerous in terms of protecting your privacy. The other thing that's mentioned in this article, which I think is very interesting, is the TSA is asking people who are flying to take their masks off in this age of the COVID-19 pandemic. And, you know, that presents a potential danger for a passenger.
Starting point is 00:17:35 You're exposing yourself to airborne pathogens, or really you're exposing other people to your own potential germs or disease related to the coronavirus. So, you know, that adds certainly another level of risk that perhaps the TSA did not anticipate when they wanted to put this policy into practice. So, you know, there are a couple of things privacy advocates can do here. This is in the federal rulemaking process right now. You can find this privacy impact analysis and publicly comment on it. Sometimes they read the comments, sometimes they don't, but it's always worth, you know, having your voice heard on that, especially as it relates to domestic air travel. And for the time being, you know, you do have the option of opting out. And, you know, that's something that the article really harps on, is that this is voluntary right now. You can still fly even if you choose not to be photographed. So just things to keep
Starting point is 00:18:34 in mind for people who are going to be traveling on airplanes in the next couple of months. A couple of things caught my eye here. One was evidently there are requirements that the TSA is supposed to follow when it comes to notification. This article points out, it says, required notices are dictated by the Paperwork Reduction Act and the Privacy Act, but the TSA has ignored both of these federal laws in its facial recognition plans. Yeah, so... There it is. Yeah, I'm not sure that they've necessarily ignored it.
Starting point is 00:19:09 I mean, without having full details on it, both the Paperwork Reduction Act and the Privacy Act are complex pieces of legislation with a lot of exceptions. So, you know, I don't know if what the TSA is doing falls under that exception. It's certainly worth doing more research on it. So I wouldn't necessarily allege anything nefarious on the part of the TSA, but generally they are required to provide proper notice.
Starting point is 00:19:36 For the most part, the TSA has been pretty good about that. They do put signs up, for example, saying that use of enhanced screening technology going through those little machines is voluntary. You can opt out. And it seems like, at least going forward, there are going to be those types of warnings as it relates to these supposed mugshots. So without knowing the details of whether they've complied completely with those statutes in the past, I think they will try to do their best going forward. Yeah, yeah. It's also interesting to me, and I'm just speculating here,
Starting point is 00:20:11 but they say that the images won't be retained for more than 24 hours. But I wonder if the metadata, the fact that you pass through this place gets logged somewhere. In that cross-referencing of information across those databases that they're checking, does the fact that a ping was made from this data point, does that get logged somewhere? I don't know the answer to that, but it's a question I would ask
Starting point is 00:20:40 if I were interested in digging into some of the details of this. Absolutely. And the metadata, even if they don't get the photograph itself, the metadata could be useful information. It could be private information. If you didn't want people to know that you were photographed at an airport at a certain point, that you weren't taking a particular flight, maybe that was something that you were doing as part of your personal life and you didn't want it public that you were participating in air travel,
Starting point is 00:21:08 then yeah, I would guess that that metadata is going to be stored somewhere, even if they delete the photograph itself. And that certainly presents privacy concerns. Yeah, interesting. All right, well, Ben Yelin, as always, thanks for joining us. Thank you, Dave. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
Starting point is 00:21:59 across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
Starting point is 00:22:55 It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:23:51 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.