CyberWire Daily - Influence operations and cyber probes of presidential campaigns. TrickBot’s recovery. Remote learning woes. Port facilities in Iran reported to have been targeted in cyberattacks.
Episode Date: October 19, 2020

Updates on influence ops and campaign hacking show that the opposition has its troubles, too. TrickBot operators seem to have returned to business. Schools' remote learning programs are providing attractive targets for cybercriminals. Iranian news outlets say ports were the targets of last week's cyberattacks. David Dufour explains how phishing campaigns capitalized on a global crisis. And Charlie Tibor says, "hello world" (we paraphrase). For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/202
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Updates on influence ops and campaign hacking show that the opposition has its troubles, too. TrickBot operators seem to have returned to business. Schools' remote learning programs are providing attractive targets for cybercriminals. Iranian news outlets say ports were the target of last week's cyberattacks. David Dufour explains how phishing campaigns capitalized on a global crisis. And Charlie Tibor says, hello world. We paraphrase.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 19, 2020.
In news that just broke this afternoon, the U.S. Justice Department announced the unsealing of an indictment against six Russian GRU officers belonging to Unit 74455, a group known as Sandworm. In the present indictment, the Justice Department notes that while it indicted members of the Sandworm unit for election-related attacks, in this case they're being called out for actions related to the disruption of Ukraine's power grid and the subsequent NotPetya destructive attack that spilled far beyond Ukraine. NotPetya had worldwide effects, shutting down companies and causing immense harm. The Justice announcement points out that for three U.S. victims, damages exceeded a billion dollars, and that globally, the transportation and healthcare sectors were especially targeted.

Justice is particularly hard on the Sandworm team and describes the conspirators' actions on behalf of the Russian government as irresponsible, more like the activities of a petulant child than a responsible government. The indictment, Justice says, lays bare Russia's activities to disrupt the internal politics of other countries. Cisco's Talos Group, Facebook, Twitter, and Google were thanked, as were Five Eyes partners, for their cooperation in the investigation. The indictments were issued by a federal grand jury in Pittsburgh, where the U.S. Attorney for the Western District of Pennsylvania and the FBI's Pittsburgh field office led the investigation. This is a developing story. We'll follow up on it as more news emerges.

There are a number of follow-ups to earlier stories today. Late Friday, Google published an update on what it's observed of foreign intelligence services' activities against U.S. political campaigns.
Over the summer, Google's Threat Analysis Group monitored attempts by Iran's APT35, also known as Charming Kitten, and Iran's APT31, or Judgment Panda, to compromise email accounts belonging to staffers at both the Trump and Biden presidential campaigns. The attacks were carried out by phishing. Google says it saw no signs that the attacks were successful.

The Threat Analysis Group also observed spammy, clumsily executed attempts at influence operations directed against U.S. audiences by inauthentic networks run from China. Quote, "This network has a presence across multiple platforms and acts by primarily acquiring or hijacking existing accounts and posting spammy content." There's that word spammy. And Google adds that the content was in Mandarin and featured the usual internet gigas of such clickbait as videos of animals, music, food, plants, sports, and games. Google went on to say that, quote, "a small fraction of these spam channels will then post videos about current events. Such videos frequently feature clumsy translations and computer-generated voices. Researchers at Graphika and FireEye have detailed how this network behaves, including its shift from posting content in Mandarin about issues related to Hong Kong and China's response to COVID-19 to include a small subset of content in English and Mandarin about current events in the U.S., such as protests about racial justice, the wildfires on the West Coast, and the U.S. response to COVID-19," end quote. Most of these were carried out over YouTube, marred by clumsy machine translation and ineffectual execution.

It's worth remembering that the opposition isn't always 10 feet tall. That's three meters and a few baker's dozens of millimeters for those living in, well, basically anywhere but here in the U.S. of A. That's not a counsel of relaxed vigilance, just a realistic appraisal that the opposition has its problems, too.
CrowdStrike has a dispiriting follow-up to the recent public-private interference with the TrickBot gang. The disruption that interference caused seemed to have been quick and sharp, but unfortunately, the TrickBot gang, Wizard Spider in CrowdStrike's threat menagerie, seems to have recovered faster than anyone would have wished. Their BazarLoader Trojan's distribution is rising, and the rates of Conti and Ryuk infestations seem to have returned to their normal levels. No one expected the takedowns to amount to more than a temporary disruption, but unfortunately, that disruption has proved more temporary than hoped.

Bleeping Computer reports that TrickBot operators have begun using the legitimate project management solution Basecamp to host the BazarLoader Trojan with the ultimate goal of installing Ryuk ransomware. Researchers at the security firm Cyjax made the point that insinuating a loader into a legitimate service increases the likelihood that defenses will interpret the malicious code as benign and pass it through to its targets.
Schools, forced by the COVID-19 pandemic to operate online with large, often poorly protected attack surfaces, continue to attract the attention of cybercriminals, the Wall Street Journal says. For many individual schools and school districts, the general shift to online virtual learning has itself represented an improvisation. It's terra incognita for students, faculty, administrators, and, we might add, parents. Under these circumstances, attacks have ranged from prank-level denial-of-service escapades by students interested in doing even less to full-scale ransomware attacks. The criminal extortion is at once more serious and more widespread; where availability is at a premium, as it is with schools, the ransomware threat bites harder.
Iran's Ports and Maritime Organization reported that last week's cyberattacks against the country targeted ports but were unsuccessful. Port Strategy reports that no other details have been forthcoming.

And finally, in a CyberWire exclusive, we're authorized to disclose the arrival on or about 9 o'clock Friday morning of Charlie Tibor Komoromi, the new son of our colleague, producer Kelsey Bond. The tale of the tape puts Charlie at 6 pounds, 1 ounce, and 20.6 inches long. The pictures of him look great, and our maternity desk tells us that the hat he's wearing was a gift, that he did not arrive with it on his head. So congratulations to Kelsey and Steve. Looking ahead, listeners, please block out some internship opportunities in your organization for Charlie in about 2036. We think he's going to be precocious. And share the young family's joy. All of us at the CyberWire do.
And I am joined once again by Rick Howard.
He is the chief security officer and chief analyst here at the Cyber Wire.
Rick, I got to say, I'm a little jealous.
You recently had the opportunity to sit down with one of our favorite authors.
What can you tell us about that?
Yes, I got to interview David Sanger again.
Okay, he is the noted New York Times journalist, three-peat Pulitzer Prize winner.
And doesn't that make you—
But who's counting?
Yeah.
I'm feeling a little bit inadequate at this point.
Right.
Right, he's got a shelf full.
I can barely tie my shoes in the morning.
He is an author, and now he's a producer of an HBO documentary about his most recent book, The Perfect Weapon: How the Cyber Arms Race Set the World Afire.
The documentary starts streaming on 16 October at 8 p.m. on HBO and HBO Max.
And I highly recommend it.
I've seen it twice now.
Now, my recollection is that you and I are on the same page here.
We both really enjoyed that book.
Where does it fit into your collection of the great cybersecurity books?
Yeah, you're right.
You and I love talking about that.
And you know for years that if anybody ever asked me
about what is the one book they should read
to get a sense of the cybersecurity community,
I would always recommend an old favorite,
The Cuckoo's Egg by Dr. Clifford Stoll,
favorite by everybody.
He published it in the late 80s.
That book convinced a lot of people
to pursue cybersecurity as a career in the early days,
including me.
All right.
But if there is any book that could potentially knock The Cuckoo's Egg off that lofty perch, it is Sanger's Perfect Weapon.
Wow.
All right.
Well, it doesn't get much more of praise than that.
Well, for you, what are the takeaways?
I mean, we have the book and now also the documentary.
What were the take-homes for you?
Well, Sanger has captured completely, all right, the seminal paradigm shift in thinking by nation states around the world in the last decade, from cyber just being a novelty item with limited capability and use to cyber being a strategic tentpole lever as an instrument of political power and influence.
Before 2010, most nation states, including the U.S., thought about cyber as a novel tool for a subset of cyber espionage requirements. But today, though, cyber has become the political lever to pull for nation states like China, Russia, and the U.S. that are just short of actual warfare. These nations can do extreme damage to each other in the cyber arena without the fear that the action will escalate to a shooting war. And then for smaller nations like North Korea and Iran, cyber has become the great playing field leveler. These smaller nations can exact the same kinds of damage as the big boys now at a fraction of the cost compared to trying to match, you know, U.S. numbers of tanks, aircraft carriers, and jets. Sanger's book, and now his documentary, captures this paradigm shift perfectly. Here's David, after I interviewed him, explaining the book and the documentary.

Well, Rick, the concept behind the book was that
we went through years in which, in the national security
world, people viewed cyber as this sort of
interesting side, irregular warfare kind of thing
that was sort of a nice thing to
spend a half an hour learning about while you were
spending the year or two years or your career learning about traditional national security.
And what have we discovered in the time since? That it's not the sideshow, it is the show.
That in a world in which no one wants to take on the U.S. military directly for all the understandable reasons,
it is suddenly possible to undercut American power or another adversary's power by using a short-of-war cyber-related weapon, whether you are hacking into infrastructure,
dams, voting machines, electric power grids, a financial system, or whether you're hacking
into minds, the information wars that we've seen surrounding the 2016 election and begun
to see in 2020, although here in the 2020 elections,
we'll discuss, we've got some new concerns that go beyond what the Russians did four years ago.
So we brought it sort of up to date. You'll see a lot of different people talking about what it's
like to have been on the receiving end of this and the sort of fog of war. You've got everyone in this documentary from Hillary Clinton and John Podesta,
who sat down to talk about the 2016 election, to Seth Rogen, who was the star of, of course,
The Interview. And he is very funny, I do have to say. And you'll see people like Eric Rosenbach,
co-director of Harvard's Belfer Center,
but was the chief of staff to Ash Carter at the Pentagon
when he was secretary of defense,
talking about the calculus that you make as you're under cyber attack
or as you're trying to think about what the U.S. can go do.
So the idea is to bring
you in at a very human level to the kind of decisions that have to be made when you're on
the receiving end and when you're on the offensive end.

You know, Rick, one thing about the book,
I mean, obviously extremely well written by David Sanger, but one of the things that I remember as
I was going through it was this is one of those books where I had to pause every now and then and go back and reread a paragraph.
And part of that is that this book is so packed with information. How do you convert that to a
documentary? How do you distill it down to something when you don't have the amount of
time that you have in a book? And also, I mean, it's a different medium.
Yeah, you know, I took, I don't know, I had maybe 20 pages of notes
when I went through that book the first time.
That's how much information is in it.
But I would say that the documentary finds a nice through line of the book's material.
They don't go through everything, of course, but they pick the highlights.
They start off with Stuxnet in 2010,
which is arguably the beginning of this new kind of thinking when the U.S. and Israel decided to use cyber as a way
to delay the Iranian nuclear program. They moved to the Iranians' attack on the Sands Casino in 2014,
demonstrating that a small nation can devastate a mini city. Because most people don't realize
that casinos are mini cities. Besides the gambling, they have all that, you know, admin stuff they
got to do. And then from there, they covered the North Korean attacks on Sony, showing that a small
country could prevent a major U.S. corporation from doing what they wanted to do, namely showing
a crappy movie in theaters. They pretty much stopped that. All right.
And then finally, they switched to the Russians, one of the big boys, and their cyber attacks against the Democratic National Committee and their subsequent influence operations
on the U.S. election.
They talked a lot about how the Russians used Ukraine as a petri dish to test their operations
with the big malware operation of NotPetya.
Yeah.
Well, I'm on board with you here.
This is definitely one to check out.
The documentary starts streaming on October 16th.
That's 8 p.m. Eastern time on HBO and HBO Max.
You can listen to Rick's full interview with David Sanger
about the book and the documentary.
That'll be up later this week on CyberWire Pro.
Rick Howard, thanks for joining us.
Thank you, sir.
And joining me once again is David Dufour.
He's the VP of Engineering at Webroot.
David, it's always great to have you back.
I know you and your team recently published a report that was about phishing and how things have changed during our global pandemic.
What can you share with us today?
Hey, David. Great to be back, as always.
Yeah, we typically do an annual threat report,
but this year, with everything going on in the world,
we decided we might want to do a mid-year temperature check
just to see how things are going.
And phishing came to the top. We were focused on COVID and working from home, and it was all about phishing.
So what sort of things did you find here?
Well, if you can believe it or not, and I'm not talking about malicious email,
I'm talking about email in general. We saw a 34% increase in the amount of email people were getting.
And I thought a year ago I was getting a lot of email,
but a third more now, it's just crazy how we're getting inundated.
And so, of course, inside of that increase,
we're seeing a huge uptick in the phishing campaigns that are being put on through COVID,
people wanting to get their stimulus check
and telling you how you
can get it quicker. You know, these types of things, we're really starting to see a lot of
threats around that. Well, with the increase in email, what kind of stuff are we seeing hitting
our inbox? Well, I think none of this will be surprising, but it's just kind of critical to
bring up so people are keeping it top of mind. A lot of things are, hey, make a donation or,
you know, click here, click this link to be able to donate to help, you know, COVID survivors or
things of that nature. Or maybe, hey, you want to get your stimulus check quicker, click this link
and give us your account information and we'll get your stimulus check deposited in, you know,
a few minutes. None of
that is true. You know how that works, David. They're just trying to get you to click that link.
Is the educational message getting around? I mean, are people knowing to not click on these things?
Well, absolutely they are. And that actually impressed us quite a bit that people are aware
that they shouldn't be clicking phishing links. People are very knowledgeable about what phishing is. The problem that we're seeing is kind of twofold.
One, people are getting inundated with emails from colleagues or, you know, customers even,
where it may be coming from their personal account. It may be coming from their business
account because everyone's working at home. So they're getting a lot of email from unfamiliar places, and some of it's legitimate for them to do their job. And the other big issue is you're at home with little Susie or little Johnny from school, and you're trying to make them lunch, and you're trying to answer emails, and you're trying to respond to your boss. And so there's also a distraction factor where people aren't as focused on what they're reading, and they're more apt to click as well.

So what are the take-homes here? I mean, are there technical solutions? Is this a training issue, or is it a little mix of both?

Well, I think it's a little mix of both. I think
everyone has fully accepted that every employee is now frontline IT support because we're not
sitting in an office. So there is an education component.
And the refreshing thing, and you and I have talked about this many times on the show,
the security industry has realized that the user's not as dumb as we want to make them out to be.
People really want to do the right thing. If we can educate them, like I said, most people know
what phishing is. We just got to keep it top of mind and in their brain to be aware of it.
But on top of that, the thing that people really need to be doing is slowing down and
taking the time to read what's going on.
And if you're in a busy spot, maybe don't answer your email.
Set aside some time when you can do it thoughtfully.
Hmm.
I guess part of that's a leadership thing too,
making sure that your team knows
that you want them to take time looking at those emails,
you know, deciding whether they're legit or not.
Slow down, don't rush.
We're going to give you, provide you with the time to do this.
That's exactly right.
And this also, to take a, you know,
example out of the government playbook,
the IRS is never going to send you an email saying, click this link and give me your bank
account information. So to your point, David, management of the company and people working
from home should be like, look, if it's urgent, I'll give you a call. If it's in an email,
get to it when you can. Just stay focused on the work you're doing. And if there's a little bit of a distraction, that's okay. And to your point, we need to make that
clear to our employees that, you know, we'll get ahold of you some other way. Still, don't click the link. The email is not going to be the urgent "everything's on fire, drop everything you're doing and tell me your bank account information."
Right. Right. All right. Interesting information. David Dufour, thanks for joining us.
Great being here, David.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
You deserve a break today.
Listen for us on your Alexa smart speaker, too.
Don't forget to check out the Grumpy Old Geeks
podcast, where I contribute to a regular segment
called Security Ha.
I join Jason and Brian on their show for
a lively discussion of the latest security
news every week. You can find
Grumpy Old Geeks where all the fine podcasts
are listed. And check out the Recorded
Future podcast, which I also host.
The subject there is threat intelligence,
and every week we talk to interesting people
about timely cybersecurity topics.
That's at RecordedFuture.com
slash podcast.
The CyberWire podcast
is proudly produced in Maryland out of the
startup studios of DataTribe, where they're
co-building the next generation of
cybersecurity teams and technologies.
Our amazing CyberWire team is
Elliot Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick Volecki,
Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer
Ivan, Rick Howard, Peter Kilby,
and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.