CyberWire Daily - Implications of Solorigate’s circumspection. RBNZ cleans data sources. Gamarue in student laptops. Dodgy apps. Ransom DDoS surges. Securing the President’s Peloton.
Episode Date: January 22, 2021
Twice, it's maybe an indicator. Once, it's nuthin' at all...to the machines. The Reserve Bank of New Zealand works to clean up its data sources. Wormy student laptops. Daily Food Diary is a glut...ton for your data. Ransom DDoS. Caleb Barlow examines how we handle disinformation in our runbooks and response plans. Our guest Ron Gula from Gula Tech Adventures shares his thoughts on proper public cyber response to the SolarWinds attack. And should we worry about that White House Peloton? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/14 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Twice it's maybe an indicator, once it's nothing at all to the machines.
The Reserve Bank of New Zealand works to clean up its data sources.
Wormy student laptops.
Daily Food Diary is a glutton for your data.
Ransom DDoS.
Caleb Barlow examines how we handle disinformation in our runbooks and response plans.
Our guest Ron Gula from Gula Tech Adventures shares his thoughts on proper public cyber response to the SolarWinds attack.
And should we worry about that White House Peloton?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 22nd, 2020.
Microsoft's discussion of what they've found while looking into the Solorigate incident continues to attract attention from the security sector, and other firms' researchers are corroborating the general picture Microsoft drew of how the threat actors worked. DomainTools, for one, points out that Solorigate and the tactics its operators used conclusively demonstrate the limitations of indicator-centric defenses. The Solorigate campaign was too quiet, too cagey, too protean to betray itself by simple indicators, especially when potential indicators are used just once.
The Reserve Bank of New Zealand, afflicted by a data breach it suffered by illegal access of a third-party file-sharing service, has decided to delay its regularly scheduled release of statistical data while it continues to investigate the breach. Part of the issue is data collection, some of which was done via the compromised service. Reuters reports that the central bank says it's making progress in that investigation.
Everyone wants to help students engaged in remote learning, and several governments around the world have provided suitable devices and connectivity to students who might otherwise lack them. Of course, amid general success, not all has proceeded happily. The BBC reports that some laptops Her Majesty's Government had issued to support children being schooled at home during the pandemic have been found to come pre-equipped with malware. A school in Bradford noticed the problem when some of the devices were noticed to be quacking to a server in Russia, which is not the sort of behavior one wants to see. It wasn't all of them, only some, but the calling back to Russian servers on affected machines apparently started when the devices were unpacked and set up, which suggests that the infection preceded anything the students might have done with their new laptops.
Why would the Russians be spying on British kids?
Well, they're not. Anyway, probably not.
Computing says the malware is a version of the Gamarue worm. It's a commodity worm that's been around in the underworld for almost a decade. ESET's 2017 description of Gamarue remains informative. The worm was then and remains widely used malware traded in various criminal markets. It's been most often used for credential theft and for installation of other malicious software. Gamarue has been widely available for years.
Security researchers at Pradeo this morning released notes on a malicious app that's found its way into the not-exactly-walled-but-at-least-fenced-in garden of Google Play. It's called Daily Food Diary, and it represents itself as a tool for introspective dieters who prefer an app to a concerned friend as an aid to intake and portion control. You take pictures of your meals and set yourself various gastronomic reminders. But it's a pretty intrusive app, and it's interested in things other than what's on your plate. It asks for foreground service permission, that is, a setting that runs it automatically at startup. And it also sets itself to run in the background, arrogating this wake lock permission without so much as a by-your-leave. It also overrides attempts to exit the app. And there's more. Daily Food Diary nags its users for permission to access their contact list, whose contents it then exfiltrates to parts unknown. It will also ask, repeatedly, to manage your phone calls as well as your calories, enabling it to refuse calls that might interrupt whatever else the app was up to. Pradeo sees some code similarities to Joker malware, so stay clear of the Daily Food Diary.
Try a pad and pencil.
Dear diary, I can't believe I ate the whole thing.
There we go. Fixed it.
Researchers at Lumen report a disturbing rise in extortion by threatened distributed denial of service over the second half of 2020. Ransom DDoS, or RDDoS, it's being called. One of the more active criminal groups in the field represents itself as being a nation-state's intelligence service, using such services' familiar nicknames, including the Armada Collective, Lazarus Group, Fancy Bear, and Cozy Bear. It's none of those, but it's been successful enough to inspire imitators. So again, no bears, no pandas, no cute but malign animals whatsoever. Just grifters, hoods, and racketeers. Lumen advises against paying.
Security firm Radware is also seeing a surge in attempted RDDoS.
They began seeing letters in December sent to some of their customers
that began with a greeting, equally matey and menacing.
Quote,
Maybe you forgot us, but we didn't forget you.
We were busy working on more profitable projects, but now we are back.
End quote.
Radware thinks the correspondents are the same goons
who cumbered email boxes back in August.
Anywho, the letter continues in a darker key. Quote, we asked for 10 Bitcoin to avoid getting your whole network
DDoSed. It's a long time overdue and we did not receive payment. Why? What is wrong? Do you think
you can mitigate our attacks? Do you think that it was a prank or that we will just give up? As the threatening language heats up, the idiomatic control downshifts into a shadow brokerish gear.
Quote,
probably cost you more one day without the internet than what we are asking. So we calculated and decided to try peacefully again. And we are not doing this for cyber vandalism, but to make
money. So we are trying to be make it easier for both. End quote. Radware speculates that the bull
market in Bitcoin with its attendant price rise may have convinced the crooks that the extortion
is worth their while. That seems
corroborated by the crooks themselves, who go on to say, we will be kind and will not increase your
fee. Actually, since the Bitcoin price went up over 100% since the last time, we will temporarily
decrease the fee to 5 Bitcoin. Temporarily. Yes, pay us 5 Bitcoin and we are gone. End quote.
So there you go.
But remember, as the RDDoSers themselves might say,
there's no particular reason to take them at their word for anything.
One way in which they would never be heard from again might be if they were apprehended and given a nice sabbatical at Club Fed
or a period of reflection at Her Majesty's Pleasure
or the equivalent in Canada, Australia, New Zealand, Germany, France.
You get the picture.
Good hunting, law enforcement.
And finally, to return to personal wellness,
here's another fitness-related thing people are worrying about.
The connected Peloton stationary bicycle, which counts President Biden among its users.
Apparently, people are concerned that the Peloton's onboard camera and microphone could be compromised, revealing whatever Mr. Biden looked and sounded like while he was spinning away. Graham Cluley says it's all much ado about nothing, pointing out that the president could secure the camera with a Post-it note and maybe find the microphone and stuff it with something that would muffle its input.
And in addition to a Post-it or tape on the camera, be decently clad while on the Peloton, just in case. Then we have a better idea. Maybe just play some music at a distractingly high volume while exercising.
Secret Service, you're welcome.
And Popular Mechanics, The Times, The Guardian, Cycling Weekly.
Don't sweat the small stuff.
We're pretty sure NSA wouldn't.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
In the aftermath of the SolarWinds Orion data breach,
there's been active discussion of what kinds of steps need to be taken in response to the event from both the federal government and the private sector.
Joining me to discuss this aspect of the story is Ron Gula, co-founder of Gula Tech Adventures and former CEO and co-founder of Tenable Network Solutions.
So today we're going to be talking about some issues related to the recent SolarWinds breach.
Before we dig into some of the specifics, can I get just kind of a general sense of response from you?
I mean, we're several days out from the revelations about this.
From your point of view, where do we stand?
So I think the big winners for the SolarWinds response are FireEye. FireEye did not have to disclose this, but they did disclose it, and good for them. The losers have been folks who probably should have detected this. So perhaps it's pretty easy to armchair and criticize the intelligence community and say, hey, why didn't you stop this? Maybe they stopped 10 other SolarWinds and the 11th one got through. But what about all the companies and vendors and IT support teams who were defending the government networks that this backdoor went out of? So you've got to kind of question what's going on there. I look at this in terms of like winners and losers.
You know what the response is going to be, right?
More cyber vendors, more policy, more talking about who's in charge.
That's kind of where we're at.
What do you suppose an ideal response would be?
Well, an ideal response would be one that would be more uniformed and consistent.
It's pretty easy to kind of point to
President Trump's firing of Chris Krebs from CISA.
But even if Chris Krebs was there,
you know, if you look at just the statement
that the joint statement from the NSA and Cyber Command
and the FBI and the DJ,
I mean, the amount of people involved in the statement
were longer than the actual statement itself, right?
So unlike COVID, you know, where we have a Dr.
Fauci or we have people who are talking directly to the American people, we've got a lot of people
talking about a lot of different things at a lot of different levels. It's very difficult as a
cybersecurity expert or just being in the cybersecurity industry to kind of communicate
about what should be done. Is that something that you think perhaps the Biden
administration should address, is having a clear person at the top of that chain?
I think the operational role of coordinating within the government is a different role than
being perhaps a public figure. And, you know, if you look at some of the moves that have been made
recently, I mean, Anne Neuberger is going to be joining the National Security Council.
Brings a tremendous amount of experience.
I don't know how public that position is going to be.
We typically don't have National Security Council members, you know, going on TV and saying, you know, this is our strategy for this, this or that.
It's typically more of the White House advisor roles, kind of like Tom Bossert used to be for DHS and Rob Joyce used to be for the NSA.
But we do need this role of somebody who can speak at the national level, sort of the Fox News, CNN, and NBC level in a consistent manner that's not only going to convey the right information, but it's going to inspire people to kind of patch their systems or check if they have
SolarWinds as a vendor, that sort of thing. We don't have that equivalent as a cyber industry.
Can you give us some insights? I mean, how would you envision a more active public-private
partnership? I mean, how does the government step up to fill in some of the gaps here?
Well, there's a couple different ways.
So one is continuing erosion of what I call the equities issue.
So right now you have Cyber Command and the Cyber Directorate at the NSA.
If they find a vulnerability, rightly so, they have a process to decide, you know, is it better to protect the nation or is it better to, you know, spy on our adversaries?
And that process is done, you know, inside the Fort Meade.
And that's always been done that way and it should be done that way.
Well, now you've got issues where, well, maybe Apple would have a different decision, you know, if they had awareness of that.
Maybe Amazon would have a different view of that, you know, if they were aware of that. You know, maybe the average person,
you know, from a citizen, you know, would have a different view of that versus a seasoned,
you know, cybersecurity, you know, infosec leader. So I'd love to see a little bit more transparency
with this. Unfortunately, the general public, you know, we don't think of cybersecurity the
same way we think
of healthcare due to COVID. Buildings that burn and blow up from terrorist attacks and people who
die from COVID are always going to be more important than enhancing our cybersecurity.
But having said that, we're not that far away from where a cybersecurity incident could cause
tremendous amounts of damage, including what happened with SolarWinds. If you imagine, you know, shutting down and doing an actual attack on the economy
of the United States, this is something the Cyberspace Solarium really, really addressed.
So I could see more discussions like this occur in the Biden administration just as we get more
involved with cyber as a nation. That's Ron Gula from Gula Tech
Adventures. There is a lot more to our interview. Don't forget to go listen to extended versions of
this and many other interviews at CyberWire Pro. It's on our website, thecyberwire.com.
...a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And I'm pleased to be joined once again by Caleb Barlow. He is the CEO at CynergisTek.
Caleb, it's always great to have you back.
You know, I want to touch base with you as we,
as this new administration takes its place in Washington,
what are some of the things that are top of mind for you?
What are some of the things that you'd like to see them focus on?
Well, I think we're all kind of asking the question,
what's the Biden policy on cyber, right? And you can't use the Obama administration as a proxy because that was like cyber decades ago, right? Time flies. Right. And, you know, both in terms of the people he's going to put in and,
you know, what's his stance on China, Russia, and all of that stuff that gets into the,
you know, the intersection between political and cyber. But I thought about
this, Dave, and I think there's a couple of problems that as security professionals, putting
aside the politics for a second, have just got to be things that get solved in this next
administration. So we've got five things here, right? And the first one, Dave, privacy, right?
We've got 52 different breach disclosure laws in the U.S. We've got GDPR in
Europe, which, and let's face it, you and I have talked about this many times, you know, you can
have great security and have awful privacy, but you can't have good privacy without good security.
And, you know, there's some major problems with GDPR, particularly around, you know, the fact
they never worked out the ICANN and WHOIS issues. And in a lot of ways, and I've said this many times,
GDPR is causing more privacy problems than it's fixing because of the implications to security.
So one of the questions that's been asked for a long time is,
could we get a nationwide security policy?
And without it, we've got things going on in California,
we've got things going on in Europe, and every state is different right now. If you have a breach
right now that involves the loss of data potentially in all 50 states, you know, you
literally have 52 plus different things that you've got to do, and you've got to do them quickly.
That's kind of crazy.
Right. Do you think there's political will for that? I mean, is it something that can bubble up to the top? You know, I don't know. And I think that's the real interesting thing with
this question. I don't know if the political will is there, but I think as security professionals,
one of the things we have to do this time is we've got to start to
realize that privacy is actually part of our swim lane. So you're going to need to reach out to that
compliance officer. You're going to need to start to figure this out because we're going to have to
as security professionals because we're getting held to meeting these regulations, whether we
realize it or not. Okay, so let's go to number two, Dave. Yeah. So number two is supply chain and IoT in particular. And hey, couldn't be a better,
you know, a couple of weeks to bring this up with the whole thing going on with SolarWinds, right?
Yeah.
But, you know, also look at, and I think this is an area where we are seeing investment. I mean,
just look at, you know, what's happening there with Robert Lee, who's also on the podcast a lot in the investment in Dragos, right? There's clearly people realizing that, hey, this
is a place that we need to invest and, you know, we've got to do some things. But if we look at
what happened with SolarWinds and the fact that, you know, this isn't the first supply chain breach.
I mean, heck, you can even go all the way back to Target, but also let's not forget that NotPetya
was a supply chain breach, right?
Right.
We've got to think about how we secure a supply chain
in a new way.
And that's probably going to mean
that you can't self-attest to your security posture anymore.
We're going to have to describe a minimum acceptable defense.
And we're starting to see some progress towards that.
What's next on your list?
Okay, next on the list is kinetic impact.
So when things actually cause physical damage,
and this is happening right now in healthcare,
we've talked for years,
especially kind of in the military ranks around,
well, when does the cybersecurity incident
get to the point at which it's an act of war
or that a proportional response is bigger than just cyber?
Well, unfortunately, we're probably going to have to address that
because for the first time, we have cyber attacks that are actually causing harm to people.
And the recent incident that occurred with 12 hospitals going down
due to a targeted series of attacks. And in particular
in Vermont, where they actually had to bring in the National Guard to help them respond to this.
You know, in Germany, we saw an alleged loss of life due to a patient that had to be diverted
when the hospital was taken down. We're in it now in terms of kinetic impact. But what we haven't
figured out, what we haven't talked about
as a society yet, what's a proportional response to this? And especially since this is not coming
from a nation state actor, this is coming from what is likely an organized crime actor.
Yeah. What's next on your list?
Skills gap. 500,000 open, unfilled cybersecurity jobs
right now in the United States.
Probably more than 2 million worldwide.
We have got to figure out
how we're going to get more talent
into our own supply chain as security professionals.
That means we're going to have to start hiring younger people.
We're going to have to start growing them.
We're going to have to start educating ourselves.
And the last one here is we've got to deal with trust and broken data and to be able
changing data. Like if we saw anything in this last election cycle, we are as security professionals,
we're the ones, the sentinels standing guard on trust. And we're going to have to figure out
not only how do we make sure
that we can trust our systems,
but that people aren't manipulating
the data in those systems.
And that's a form of attack
that we just haven't dealt with yet,
but it is absolutely coming.
Yeah.
Yeah, I mean, I agree with you
that that specter is out there.
I mean, we've seen, you know,
the locking up of data,
we've seen destruction of data,
but so far alteration of data hasn't really, we haven't seen much of that. And what's
government's role when you see that someone is altering data in a critical U.S. system?
Well, where does government step in and how, and most importantly, how does government step in to
help with resiliency in that case? Yeah.
All right.
Well, Caleb Barlow, thanks for joining us.
Thanks, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Stay just a little bit longer.
Listen for us on your Alexa smart speaker, too.
Whatever you may be up to this weekend, be sure to set aside some time to check out Research Saturday.
In my conversation with Mark Arena from Intel 471, we're discussing TrickBot, whether it may be down, but not out.
That's Research Saturday. Give it a listen. Thanks for listening.
We'll see you back here next week.
...That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.