CyberWire Daily - Hurricane Panda and Charming Kitten paw at, respectively, the campaigns of Mr. Biden and Mr. Trump. Lies' bodyguard of truth. Information warfare in the Gulf.
Episode Date: June 5, 2020
It's mostly cyberespionage today, with an admixture of influence operations. Google has warned both major US Presidential campaigns that Chinese and Iranian intelligence services are after their staffers' email accounts, so far apparently without much success. Russia, China, and Iran devote some purposive media attention to US civil unrest. Johannes Ullrich from SANS on malicious PowerPoint add-ins. Our guest is Bil Harmer from SecureAuth on credential carelessness. And Qatar's rivals in the Gulf continue their information campaign against Doha: this time it's bogus news of a coup. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/109
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
It's mostly cyber espionage today with an admixture of influence operations.
Google has warned both major U.S. presidential campaigns that Chinese and Iranian intelligence services are after their staffers' email accounts, so far apparently without much success.
Russia, China, and Iran devote some purposive media attention to U.S. civil unrest.
Johannes Ullrich from SANS on malicious PowerPoint add-ins. Our guest is Bil Harmer from SecureAuth on credential carelessness.
And Qatar's rivals in the Gulf continue their information campaign against Doha.
This time, it's bogus news of a coup.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Friday, June 5th, 2020.
Google's Threat Analysis Group has warned the U.S. presidential campaigns of both major parties' presumptive nominees that Chinese and Iranian threat groups are targeting campaign staffers' personal emails.
Google's Shane Huntley tweeted the findings yesterday and subsequently clarified that the threat groups in question are China's APT31, Hurricane Panda, and Iran's APT35, Charming Kitten.
The Wall Street Journal reports that Hurricane Panda is interested in the Biden campaign. Charming Kitten has targeted the Trump campaign.
Both efforts are believed to have been unsuccessful. The Washington Post says the two groups have
different interests. Hurricane Panda is collecting intelligence on former Vice President Biden's views and those of his staffers,
while Charming Kitten is interested in undermining President Trump's re-election.
Russia is also engaged with the election, but neither Iran nor China appear to be following Russia's playbook, the Post observes.
So, to summarize, Chinese intelligence services want to find out what's on candidate Biden's mind,
and Iranian intelligence services would very much like to see President Trump's re-election campaign fail.
The drone strike that killed General Soleimani is offense enough,
and the increasingly tight U.S.-led sanctions make Tehran's dislike for the president
overdetermined. The Chinese interest in collection is, as usual, thorough and extensive.
As the Foreign Policy Research Institute's Clint Watts told the Washington Post, quote, China doesn't just want to know Biden's opinion about China. They want to know all of Biden's staff's opinions about every part of the world, end quote.
So, not only thorough and comprehensive, but also very much along the lines of traditional collection. Iran's collecting too, but Tehran's collection seems more focused.
Iran is interested in obtaining and then releasing damaging material. That would indeed be a page from Moscow's 2016 playbook
when Cozy Bear successfully and quietly penetrated campaigns
and when Fancy Bear doxed the U.S. Democratic National Committee
and the Clinton campaign, releasing emails that embarrassed the victims.
Should Tehran obtain comparable dirt on this year's Republican presidential campaign,
they can be expected to engage in the same sort of malign, involuntary, enforced transparency to which Fancy Bear
subjected the Clinton campaign in 2016. Of course, as the Post and others routinely observe,
it's also possible that foreign espionage services could use access to hacked email
accounts and other resources to mount disinformation in the
form of spoofs and fakes. The fakes could either be deep or shallow. As long as they find takers,
it doesn't matter because this is information warfare, not art. That sort of fakery didn't
happen with the email compromise of 2016, but it's certainly a possibility in 2020.
U.S. Attorney General Barr yesterday said in brief remarks about ongoing civil unrest that,
quote, we are also seeing foreign actors playing all sides to exacerbate the violence, end quote.
The social media study group Graphika independently described influence campaigns by Russia, China, and Iran, all of which seek to further their agenda by, respectively, drawing attention to fissures in American society, discrediting U.S. criticism of human rights violations, and undermining the legitimacy of U.S.-led sanctions.
This particular influence campaign doesn't seem to be marked, at least not yet, by the
characteristic troll-farming inauthenticities that became the distinctive stigmata of earlier Russian influence campaigns.
One aspect of influence operations has been the interplay between state-run news outlets,
troll farms, and useful marks who more or less uncritically accept and amplify
the lines the state's operators are pushing.
Facebook has for some time enjoyed success in identifying and blocking what Menlo Park calls coordinated inauthenticity.
The social network is now beginning to address authentic media,
whose viewpoint might be determined by their government controllers.
Facebook announced some months ago that it would begin labeling accounts run by state-controlled media. This long-anticipated labeling began yesterday. The labels appear
in the Ad Library page view on pages and in the page transparency section. Facebook is looking
specifically for outlets that are wholly or partially under the editorial control of their
government. So Sputnik and RT would get the Russia State Controlled Media label,
and China Daily gets the Controlled by You-Know-Who label.
The Verge explains Facebook's new policy as one of, quote, including information about their ownership and funding, the level of transparency around their sources, and the existence of accountability systems like a corrections policy, end quote.
So simply being government-funded doesn't make you state-controlled.
Therefore, the BBC presumably would get a pass for editorial independence, as would Radio Free Europe/Radio Liberty.
AFP outlines the ongoing disinformation campaign against Qatar.
It's the latest round in a regional dispute that goes back to 2017,
when Saudi Arabia, the United Arab Emirates, Bahrain, and Egypt cut ties with Qatar over that country's alleged closeness to Iran,
and thus to Tehran-backed Islamist groups.
The recent disinformation includes social media posts that claim a violent coup d'etat was in progress in Doha,
complete with grainy video of machine gun fire, and so on.
Some of this stuff came from social media accounts that just popped up, no followers, no nothing.
None of the corroborative detail one expects would lend verisimilitude to an otherwise bald and unconvincing narrative.
It's interesting that AFP calls their story a fact-check.
It seems to be just straight-up good reporting, but fact-checking now seems to have a cachet
among those who struggle with disinformation and fake news.
Perhaps that's fair enough, since it's meta-reporting, that is, reporting about reporting.
My guest today is Bil Harmer, Chief Evangelist and CISO at SecureAuth, where, as the name implies, they specialize in identity security. He joins us with insights on credential carelessness.
One of the things that was really interesting that stood out was the convenience factor, where we look at things like biometrics. If you talk to people about biometrics and ask
them, are you comfortable with sharing your biometrics with a company so that you can have
access? They say no. A lot of them say, no, I'm not comfortable with that. I don't trust them
because they keep hearing about the hacks. But then you ask how many of them use it, and it is,
you know, well, if you
look at an iPhone, you have to use it. Well, you don't have to. You can go to a PIN number. But
everybody does it because they want the convenience. And I've been saying this for years.
Security is a balance of convenience and risk. That's really all it is. If it's too inconvenient
to use the security tools, users find a way around it. That's what drove Shadow IT.
That's what drove entire industries.
It was interesting to see that.
And when you start to see it at things like the director versus the non-management level, we were seeing that directors were reusing passwords more than regular employees.
And, you know, I'd love to try and dig into that deeper to find out, is that, again,
is that convenience? Gosh, I'm a director, I'm so busy. Or is it just, it doesn't apply to me,
right? Is there a level above sort of the applicability?
So based on the data that you collected here, what are the take-homes for you? What are some of the things we can learn from this?
We need to get rid of passwords. We really, really have to start to drive towards a passwordless
environment because probably for, I guess, five years now, we've heard about digital transformation.
Five years ago, it was kind of a buzzword. Last year, it's sort of the norm. Everybody's talking
about digital transformation. COVID, it effectively base jumped everybody into digital
transfer. You had no choice, right? Friday, everybody's working in the office. Monday,
everybody's working from home. So digital transformation is part of what we are now,
and it will be the new norm, right? We're seeing this already with Shopify, Twitter. They're all
saying work from home, work remote. We're going to shut down offices. We don't need to have our offices. You don't have to come back in.
So it is the new norm.
But in doing that, in setting up your Zscalers, your Palo Altos, your Cisco Umbrellas and stuff like that, and creating good, secure communication channels for security everywhere, every one of them looks at it and says, get us an authentication.
Authenticate the user and send us a SAML token.
And then, you know, the zero trust world kicks in. And to me, I mean, the key to this, you can
build all the great infrastructure you want, but the key right there is the identity, right? And
in that identity, it's all hinged on these poorly crafted, reused garbage passwords, and they are dispersed across the world.
And that's something nobody's really had to deal with before.
What do you suppose it's going to take for these sorts of changes to make, for people
to finally jettison passwords for us to move on to whatever that next thing may be?
Is it possible to imagine an event where we turn that page or is it going to be more of a slow evolutionary kind of thing?
Honestly, I think we might be in that event right now. I think because companies, people aren't going to do anything just
for the sake of doing it, right? There's got to be some sort of impending or critical event that
happens. And right now, as companies are sending people home to work and realizing, okay, they can
do it. And they know there's ones that have said, no, you can't do your job from home. And they're
going, nope, I can see it's being done. There's others that are going, hey, I don't have to pay
for expensive downtown property in San Francisco and New York.
Real estate, commercial real estate is going to take a beating after this.
But all of these things are happening.
And what they're realizing is, OK, I'm going to have to have VPNs.
And some people were out buying extra licenses for the VPNs.
But it's around that identity.
How can I be sure that it is them?
So I think we're going to see a push in identity.
I think it was on Cramer's Mad Money or something like that.
They said that this is now a $16 billion industry and climbing.
I think so that is part of it.
But the other part of it is as you start to see things like digital voting, taxes, all these other things, our social security number is an utter joke as a method of
identifying ourselves, right? This is 100% compromised for everybody in the country.
It's out there. So what do you do? How do you fix that? And I think this is where we're going to see
a drive or a request from the citizens for a sovereign identity,
something that is theirs, that is digitally managed,
that is compartmentalized.
So that way when I have to maybe go buy a car
and I need to have a credit check done,
I share part of it.
I'll share the whole thing.
Because right now you just write down
your social security number, your name,
your home address, stuff like that.
And if they lose that bit of paper, you're done, right?
So it's going to be something...
And they photocopy your driver's license, right?
They photocopy your driver's license, photocopy your passport when you check into the hotel.
So how is it that we can find a digital way,
like an Apple Pay or a Samsung Pay
or one of those things where I can send a token,
I can send an authentication token,
it's vetted by third party.
And we're seeing that.
We're starting to see that in the identity space where we're seeing this convergence of things like identity proofing along with identity and access management and authentication starting to become more of a ubiquitous tool.
That's Bil Harmer from SecureAuth.
Subscribers to CyberWire Pro can find an extended version of my interview with Bil in the interview selects.
And joining me once again is Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast. Johannes, it's always great to have you
back. You've got some interesting information to share about some stuff that's going on within
PowerPoint. What's going on here?
Yeah, PowerPoint is sort of an interesting format as far as Microsoft Office formats go. We are all aware that there are tons of malicious Word and Excel documents because they contain macros, and then the macros are being used to install malicious software. Now, PowerPoint was a little
bit the oddball here in that PowerPoint doesn't really support macros. But what we have seen now
is that PowerPoint templates are actually being used. And with PowerPoint templates,
you have a feature called add-ins. Well, I guess it's macro by another name, but it has a similar
functionality where as you open, as you close a PowerPoint document, you can run code,
you can download malware, you can start it and do pretty much everything that sort of matters from a malware point of view that macros in Excel and Word allow you to do.
Wow.
So what specifically are you tracking here?
What have you seen?
Well, we have seen some documents that are being used to install malicious software.
What was sort of interesting here is also the two hooks that are available. One, that's triggered whenever you open a document. And that's by far sort of the more common thing that's being used in Word and Excel macros. The other hook that you have available is when you
close the document. And interestingly, in the PowerPoint documents, or I should say PowerPoint
templates, we have seen that hook is being used, the close hook.
And the PowerPoint, of course, is empty.
So the user opens it, closes it immediately because nothing to see.
And that's sort of when it triggers.
The assumption here is that maybe more signatures are looking for the open call, not so much for the close call. Or maybe some sandboxes will not detect the close, but only the open.
Not really sure why they do it, but I assume it's a little bit of additional obfuscation here.
Now, what sort of options are available to protect against this?
Because with Excel, you can disable macros.
Do you have that sort of capability within PowerPoint?
In PowerPoint, not so much.
But in general, if you lock down your Windows system, prevent unwanted software from running,
so essentially any kind of whitelisting will help.
That's what you should anyway do.
That protects you against so many other attacks.
And I think there's just another example that the attackers are getting and have always been really creative in how they trick users into installing software. And I think the thing to remember here is that
most software, I would say 90% of any hard numbers of software that infects workstations
is willingly launched by the user. Under a wrong pretext, of course, where I tell them it's something useful,
way back to the fake antivirus and such. So it's not so much about preventing the particular
method that's being used to launch the software, but really more about preventing the user from
launching software they're not supposed to launch. So there's a user education component here as well.
User education is a good part of this, but from a technical point of view, just to prevent the user from launching random software.
Yeah. All right, Johannes Ullrich, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett. Thanks for listening.
We'll see you back here tomorrow.