CyberWire Daily - Holiday Bear’s tricks. Phishing for security experts. Industrial cyberespionage. Human error and failure to patch. EO on breach disclosure discussed. Malware found in game cheat codes.
Episode Date: April 1, 2021. US Cyber Command and CISA plan to publish an analysis of the malware Holiday Bear used against SolarWinds. The DPRK is again phishing for security researchers. Exchange Server exploitation continues. ...Stone Panda goes after industrial data in Japan. Human error remains the principal source of cyber risk. A US Executive Order on cyber hygiene and breach disclosure nears the President’s desk. David Dufour from Webroot on the 3 types of hackers and where you’ve seen them recently. Rick Howard checks in with our guest Sharon Rosenman from Cyberbit on SOC Evolution. And gamers? Don’t cheat. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/62
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
U.S. Cyber Command and CISA plan to publish an analysis
of the malware Holiday Bear used against SolarWinds.
The DPRK is again phishing for security researchers.
Exchange server exploitation continues.
Stone Panda goes after industrial data in Japan.
Human error remains the principal source of cyber risk.
A U.S. executive order on cyber hygiene and breach disclosure nears the president's desk.
David Dufour from Webroot on the three types of hackers
and where you've seen them recently.
Rick Howard checks in with our guest Sharon Rosenman
from Cyberbit on SOC Evolution.
And gamers, don't cheat.
From the Cyber Wire studios at Data Tribe,
I'm Elliot Peltzman, filling in for Dave Bittner,
with your Cyber Wire summary for Thursday, April 1st, 2021.
And sure, we know it's April Fool's Day, but all of this is for real.
Dave really is at home having a well-earned day off.
And I can personally guarantee you that everything you're about to hear is true,
to the best of our ability to determine.
For us, it's April No-Fooling Day. CyberScoop yesterday reported that U.S. Cyber Command and CISA,
the Cybersecurity and Infrastructure Security Agency,
were soon to release a malware analysis report detailing the hacking tools used by Holiday Bear
in the Russian cyber espionage campaign that compromised the
SolarWinds software supply chain last year. The report is expected to describe 18 pieces of
malicious code the Russian operators used, and to detail how they were able to move across affected
networks. It is also expected to go beyond the reporting so far developed and published by private sector researchers. As Bank Info Security reminds everyone, patching the SolarWinds Orion platform,
while necessary, isn't sufficient to secure an organization against this form of attack.
You've also got to find the threat and expel it from any affected systems.
Google's Threat Analysis Group yesterday published an update on a North Korean campaign
that's targeting security researchers.
The researchers observed the campaign's beginning back in January,
but within the last two weeks have seen it evolve.
On March 17th, the campaign established fake accounts for fictitious personnel
represented as working for an equally bogus company, Secure Elite.
Secure Elite is presented as an offensive security company based in Turkey
that offers penetration testing, assessments, and exploits.
The fake company has a website
and is supported by at least two phony LinkedIn profiles
and two equally phony
Twitter accounts. Google didn't find malware hosted in any of the come-on sites or accounts,
but they've reported the accounts to the appropriate social media platforms
and added the website to Google's safe browsing as a precaution.
Security firm Digital Shadows has today published an overview of where we are with respect to the exploitation of the ProxyLogon vulnerabilities that threat actors have exploited against Microsoft Exchange Server.
The principal takeaway Digital Shadows offers is that, even though an estimated 92% of vulnerable Exchange Server instances have been patched,
the cyber gangs who've barged in behind
Hafnium continue to use the exploits in various crimes, for the most part cryptojacking and
ransomware attacks. This indicates, Digital Shadows says, quote, that enough damage may
already have been done, and with more to come, in the near future. End quote. Researchers at Kaspersky have outlined a campaign by APT10
directed against Japanese industrial targets.
APT10 is the Chinese government advanced persistent threat,
also known as Red Apollo, MenuPass, Potassium, and Stone Panda.
The goal is apparently industrial espionage.
The campaign is a long-running one that's been active, generally, at least since March of 2019.
The most recent surge in activity came this January. According to Kaspersky,
the actor leveraged vulnerabilities in Pulse Connect Secure in order to hijack VPN sessions,
or took advantage of system credentials that were stolen in previous operations.
The Hacker News explains,
The infection chain leverages a multi-stage attack process with the initial intrusion happening via abuse of SSL VPN
by exploiting unpatched vulnerabilities or stolen credentials.
This morning, Cyberinc, a security company that specializes in zero-trust browser isolation,
released its inaugural Cyber Insights Report.
This 2021 edition presents the results of an end-user survey on cyber threats
and the ways in which companies are trying to set themselves up
to make more informed security decisions.
Cyberinc wrote,
The report reveals that in the people-process-technology triad,
human error is the top reason for breaches,
accounting for 70% of successful attacks.
The next biggest cause is vulnerability management
through patches and upgrades, accounting for just 14% of successful attacks. End quote.
So help your people be successful, and for heaven's sake, patch while the patching's good.
But don't be too hard on your people either. Remember that for many of them, an essential
part of their job involves opening emails and following links.
Even the best-intentioned and best-informed can go astray, unfortunately.
Some mistakes are dopey ones, but not all of them are.
Nirav Shah, Cyberinc's COO, said in the company's announcement of their study,
quote,
It's simply not realistic to expect that employees can make the right judgment call on the credibility of a potentially malicious email.
We see examples all the time where individuals unknowingly click on something that looks legitimate
and cause their organization to be a victim of a costly malware attack.
But it's not their fault.
Mistakes are human nature.
End quote.
Bloomberg reports that the much-anticipated executive order
on breach disclosure has been drafted
but has yet to reach U.S. President Biden's desk.
It's expected to do so within the next few weeks.
Sources tell Bloomberg that, quote,
companies doing business with the federal government
would be required to report hacks of their computer networks
within a few days, end quote.
The executive order would also mandate
that federal contractors meet certain software standards,
including a requirement that vendors provide
a software bill of materials
when they delivered their products to federal customers.
And there are also provisions that are said to prescribe various improvements
to federal agencies' security practices,
including mandatory use of two-factor authentication and improved data encryption.
And finally, game cheat codes are a familiar part of the gaming world,
even if they're not quite the thing and not really fair.
But now there's another reason to avoid them altogether.
If you won't listen to your conscience, then at least consult your self-interest.
Cisco Talos researchers have discovered that bad actors are introducing malware
into files gamers would use to download and install cheat codes.
So who cares?
Well, if you're a gamer, you should.
Not only could the malware injected into your device compromise your privacy, but if you're
working from home and tending to mingle business with fun, you're also placing your organization
at risk.
Come on now, you know who you are.
And this is no April Fool prank either.
Stay safe out there.
The Cyber Wire's own CSO, Rick Howard, has been talking to experts about SOC operations.
Here's Rick.
I got the chance to talk to Sharon Rosenman about the current state of SOC operations. He is the chief marketing officer at
Cyberbit, an Israeli company that provides hands-on training for SOC personnel. But when he was
younger, he spent 20 years in the Israeli Air Force, and it's that experience that shapes his approach to training SOC personnel.
When I didn't fly or train for more than a month, I lost all my certifications. I wasn't allowed
to do anything. When I needed to learn how to land or take off, I didn't take a course.
I actually went into a flight sim, and I actually did that a few times before I was allowed to actually do it in real life.
In a SOC, it's a hands-on, completely practical profession.
We don't do that.
We either send people to courses or we let them learn on the job.
In a SOC, you train once every six months, but that's totally fine.
Why?
It doesn't make sense, right?
So we need to
maintain our muscle memory. We need to train much more and we need to do it by means of simulation
because that's the way that we're going to respond to an incident in real life. We're going to work
as a team. There's going to be pressure. We need to see how these things look like before we
actually experience in the real world. And today, all the SOC professionals, they've never seen an
attack before until they've experienced one on the job, which doesn't really make sense.
What Sharon is getting at is absolutely true. SOC operations is a team sport,
and you shouldn't exclusively learn how to do it on the fly.
Even before COVID, organizations have been telling us that they have to change the way that they maintain
their skill. It's something that used to be done once, twice, or three times a year. It's just not
enough anymore. Moreover, when you don't even have the option to travel to do a course twice a year,
you're basically losing your skill set. Being an incident responder or a SOC analyst is a hands-on
skill, just like sports. If you haven't done it for a while and there is an incident, you're not performing well. That's
something you need to keep maintaining. It's a muscle you need to keep working on.
We're running SOC teams in simulations. For some of them, it's the first time they've been put into
a real-world, full-scale incident. And we see that the reasons that many of them are failing is not because they
don't know how to use Splunk or their firewall and so on. It's because they don't know how to
work as a team, because it's something they've never done before. Which begs the question,
what skill sets do your SOC analysts need to be good at their jobs so that your organization can
reduce the chance of material impact due to
some future cyber attack. Clearly, they need to be a bit technical. They need to understand the
security stack that they are monitoring and the telemetry that they will get from that stack.
They also need to understand the intrusion kill chain concept and how they can use the security
stack to monitor and prevent a cyber adversary's attack sequence. But those are
table stake skills. What may be even more important are the soft skills they bring to the table during
a crisis. In other words, how do they communicate the technical risk that they have identified into
business risk that senior leaders can understand? You really don't want to start practicing those
skills during a crisis.
You might want to practice them beforehand. We need to put more focus on our people to help them build skills like critical thinking, for example, like investigation, to develop an open mind and
a type of skill set, working under pressure and so on. It's soft skills. I keep getting back to
that because this is something that organizations haven't really figured out that being a good incident respond or a good
SOC analyst, a lot of that is your soft skills. It's a combination of soft skills and technical
skills and you have to work on both and you have to develop both. We need to communicate to a CEO
or a CFO, for example, during a ransomware incident.
What's going on?
We need to take decisions together.
Are we paying the ransom?
What are the risks currently?
What areas of the organization are at risk?
Identifying the specific point of communicating technical information to non-technical staff,
that is the bottleneck in the incident response process.
Ties directly into teamwork, communication skills,
and communicating technical information to non-technical.
It's obviously having the understanding of the tools.
They need the understanding of the technologies.
They need the understanding of basic IT fundamentals.
And they need to understand what the attacker techniques look like.
In terms of the soft skills, I would look primarily at teamwork and communication skills,
which are the most important ones.
Anybody that has been in the military, like Sharon in the Israeli Air Force,
knows the value of realistic training.
In the U.S. Army, where I came from, they have an entire desert base
dedicated to force-on-force training called the National Training Center.
The idea that we might train SOC personnel in a similar force-on-force simulated environment seems like a no-brainer.
In that way, we can train our analysts not only on the technology they will use in a crisis,
but also how they will communicate with their peers and leadership.
That's the Cyber Wire's own Rick Howard.
And joining me once again is David Dufour.
He is the Vice President of Engineering and Cybersecurity at Webroot.
David, great to have you back.
I want to touch base on something I know you've been tracking,
and that is this notion that you've got three types of hackers that you're dealing with,
and where we may have seen them recently.
What do you want to share with us today?
Well, yeah.
You know, David, we're always talking about
what's available career-wise in the cybersecurity industry.
And we never seem to talk about, if you wanted to go the hacker route,
you know, malicious actor, what those job opportunities look like for you.
So we've kind of...
You know, there's a reason why we don't talk about that, but go on.
Go on.
Well, no, seriously.
You know, as we're teeing up our adversaries and wanting to make sure we understand what the motivation behind malicious actors are, it's kind of good to really put them in some buckets.
And these aren't the definitive buckets, but they really help.
And there's really three types.
There's the impersonator, the opportunist, and then the infiltrator.
And most hacking techniques fall into one of these three buckets.
All right.
Well, go on.
All right.
So the impersonator, that's someone who's usually using social media or they're trying to get your bank account.
So they're trying to act like you to get you to give them
information. And so maybe they're acting like your bank or they're acting like your friend on social
media. And really their goal and the tools they use, the software they implement is trying to
make them look like someone other than who they are. Again, because most hackers are trying to
do something for a purpose,
they're trying to get your banking information or your social media information for some nefarious
purpose. Then we have the opportunist. And this is a hacker that typically in a lot of,
we're seeing a lot of this with ransomware in small governments, entities, and things like that, where someone is not particularly concerned about who they're hacking,
but they've written software that takes advantage of exploits,
of problems in software,
and they're just blasting the stuff out there
to see who they can get to click on something
or to see who hasn't patched a computer.
And their goal is to take advantage of opportunities on scale.
They're not so much worried about who they hack
as much as they're seeing how many people they can hack
and then from that, you know, cause problems or steal or things like that.
And then finally is the infiltrator.
And this is someone who you might get confused between the opportunist and the infiltrator.
The infiltrator is specifically targeting an industry or a specific company or individual
because there's some value they have for getting the information that that industry or that person
may have.
And that's typically where espionage would fall into, yes?
Yes. So a lot of times, if you had me put kind of who's doing what,
the impersonator is someone trying to get your bank account information, make some money.
The opportunist is that more sophisticated hacker who has the ability to make tools to put out there
so that they can run massive campaigns.
This is a lot of times organized crime.
And the infiltrator is the one that is typically government
or very large entity backed.
So what are your recommendations for folks to kind of dial in
where they best aim their resources at protecting themselves here?
Yeah, I think that's a great question.
And if I'm a consumer, let's say, I care about the impersonator most, and then I care about the opportunist.
Unless you're Dave Bittner, you don't really care about the infiltrator because no one's really
trying to, there's no massive government out there trying to hack you. But seriously, consumers,
they care about the impersonator and the opportunist. And what you got to do there is patch your systems. You got to make sure you've
got good antivirus and you're backing up. That's the basics. Now, the infiltrator,
they're targeting organizations. And there, you probably are big and have deep pockets.
And you really do need to put in some money behind your cybersecurity posture where you're
doing monitoring. So you're doing real-time detection, things like that.
Yeah. So the folks who are likely to be the target of the infiltrators, chances are they know it.
That's exactly right. You know, if you're the welding shop down the road fixing, you know,
Jeep Wranglers, you're probably not having the infiltrator
come after you. But if you're the
U.S. government building warships
or something, people are going to try to
hack your systems.
Alright, good information.
David Dufour, thanks for joining us.
Hey, great being here, David. And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your
Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup
studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is
And I'm Elliot Peltzman, filling in for Dave Bittner.
Thanks for listening.
Thank you.