CyberWire Daily - Militia said to be target of US cyberattack. Myanmar shuts down networks. Spam campaign. Supply chain issues for Huawei gear. Election security. Recovering from ransomware by paying up?
Episode Date: June 26, 2019
Sources name a Shi'ite militia aligned with Iran as one target of last week's US cyberattacks. Myanmar shuts down mobile networks in its Rakhine province, where the Buddhist insurgents of the Arakan Army have been using Facebook for coordination and inspiration. A major spam campaign is distributing LokiBot and NanoCore. Finite State finds bugs in Huawei gear. Election security notes. And paying the ransom to ransomware extortionists. David Dufour from Webroot on the different trends they are tracking in Europe vs. the US. Guest is David Politis from BetterCloud with a warning about information sprawl. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_26.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Sources name a Shiite militia aligned with Iran as one target of last week's U.S. cyber attacks.
Myanmar shuts down mobile networks in its Rakhine province,
where the Buddhist insurgents of the Arakan Army
have been using Facebook for coordination and inspiration.
A major spam campaign is distributing LokiBot and NanoCore.
Finite State finds bugs in Huawei gear.
Election security notes and paying the ransom to ransomware extortionists.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 26, 2019.
Last week's U.S. cyber attacks against Iranian targets haven't been officially acknowledged by the U.S., but a number of current and former U.S. officials are talking about them on background.
Exactly which Iranian targets the U.S. hit hasn't been discussed with great specificity,
reports having characterized the attacks as directed against a Revolutionary Guard
Associated Intelligence Group said to be involved in tracking shipping in the region
and as interfering with missile launch or command systems. Reports are now identifying at least one
of the groups affected. CNN says U.S. cyber strikes interfered with the operations of
Kata'ib Hezbollah, a Shi'ite militia active in the region that's widely held to be an Iranian military proxy.
Kata'ib Hezbollah is believed to have access to Iranian missiles, which suggests why it may have been singled out for neutralization.
Warnings have been circulating to U.S. businesses since CISA's heads-up this Saturday that
enterprises should expect a continuing uptick in cyberattacks emanating from Iran.
Vice rather breathlessly attributes this to Iranian retaliation,
saying that the U.S. cyber operations, quote,
just put a target on American businesses, end quote.
In truth, the target's been there for some time,
as recent reports of increased Iranian attention to U.S. infrastructure appeared before last week's cyberattacks in the Gulf region.
Most of the warnings urge organizations to arm themselves against phishing attacks
with destructive wiper malware as the payload.
Myanmar has shut down mobile networks in substantial sections of the Rakhine province, CNN reports.
The blackout was imposed in conjunction with a military sweep. A regional
news outlet, the Irrawaddy, says the government intends to keep the networks down until the
situation in the troubled province stabilizes. Locals are believed to phone insurgents information
on government operations. UN observers have expressed concern that closing down the networks
increases the risk of human rights violations, encouraged by the prospect that they'll go unreported.
Most of the international attention to ongoing violence in Myanmar has focused on the government's aggressive repression of the country's Rohingya Muslim minority.
But the current blackout and security sweep isn't directed principally at the Rohingya.
Instead, the government is seeking to shut down armed groups operating in the province.
First among those insurgent groups is the Arakan Army,
which, Foreign Policy notes, claims to represent ethnic Rakhine Buddhists.
The Arakan Army has for some time used Facebook for coordination and inspiration,
despite Facebook's attempts to deny violent
groups the use of its platform. The widespread adoption of software as a service provides both
benefits and challenges to users and security teams. David Politis is CEO of BetterCloud,
a SaaS operations management and security platform, and he makes the case that security
pros should be on the lookout for information sprawl.
You know, if you look at over the last five to ten years, the adoption of SaaS applications has really gone through the roof. And what's driving that is this move towards best-in-breed applications, best-in-breed infrastructure, best-in-breed environments. And compared to the legacy environments where it would be very homogeneous, you would say,
I'm a Microsoft shop, I'm an IBM shop, and you would have everything in the stack,
Active Directory, Exchange, SharePoint, Lync. You'd have the entire stack, and that was your
environment. And in today's world, we've moved to this place where there's so many applications
available for the different use cases and the different types of productivity use cases that
you have in your environment that people are moving to this best in breed world. Maybe they
have Exchange for mail, maybe they're using Office 365, but then they'll have Slack for chat instead
of Teams, and they'll have Zoom for video calls, and they'll have Box instead of OneDrive or SharePoint.
So you're starting to see these environments that are best in breed, and I think that's been honestly
amazing for the worker, the end user. It's changed the way that people work. The way
people collaborate today in the workplace is unlike it's ever been before. And all of this has
only happened in the last five years. I mean, if you look at it, Zoom wasn't around 10 years ago.
Slack wasn't around 10 years ago. Office 365 wasn't around 10 years ago. And so really,
in the last five to 10 years, we've seen this massive adoption and the rise of SaaS.
The challenge is the sprawl. The challenge is that it's not all in one system. It's not all
in one application. It's not all in one platform. And so the biggest challenge is centralizing all
the information so that there's actually a clear view of where all your data lives, how that data
is being accessed, how that data is being shared. That is the number one challenge that people have.
When you solve that, that already gives you the visibility. At least you can see what's there.
Now, there's a whole separate set of challenges around how do you control the access to those
applications or the data objects. But the number one thing we see where people are successful
is when they start bringing all of this data from these disparate systems into a single place where they
can at least see it, audit it, and dig into what's happening.
I'm imagining, too, that having everything in view like that allows you to handle things like, for
example, encryption, where you can make sure that whatever level of encryption
you think is appropriate to have dialed in, by having that high-level view of all your stuff, it makes it easier to make sure that
that's actually happening.
Definitely. And really, actually, where encryption
comes in is what we're seeing, and this is, again, this is new in the last couple of years,
is we're seeing that the native SaaS applications themselves are starting to offer different types of encryption choices to their
customers. And it's all built in natively inside of these SaaS applications. And so part of our
view is we want to let customers control those native encryption choices that are given to them,
those options that are given to them by a Salesforce, for example, who has a native
encryption offering.
We want to give our customers the ability to leverage that.
It's not just encryption.
I mean, encryption is a piece of it, but it's also, for example, let's say you're looking
at all your files and you see some sensitive files that may be shared inappropriately in
Box, you want to be able to go and use the native security controls in Box to say, I
want to lock this file. I want to tag this file with confidential, and I want to send a message.
So we want to use the native controls that are available from the
SaaS applications so that you're not changing the behavior of your users.
When you start changing the behavior of your users in those SaaS applications, when you
force them to change how they interact, it kind of defeats the purpose of using the SaaS
applications in the first place.
We've seen customers who have come in and said, you know what, I'm going to go.
Companies come in. They say, I'm going to go to platform XYZ, let's call it G Suite, for example. But I'm going to go there and I'm going to lock down all sharing, all collaboration,
anything, I'm going to lock it all down. Well, in that case, you might as well not move to
a cloud-based productivity application. And so I think the key is how do you let users do what they want
to do every day, but control it, to at least kind of have this invisible hand, if you will, that's
making sure that they're doing it in the most secure way. It's hard to describe exactly, but
that's how I envision. I envision security's job to be that invisible hand, to be there while users
are doing what they want to do every day, being productive, sharing their files, but just making sure that they're doing it the right way and in a secure way.
That's David Politis from BetterCloud.
Researchers at Netskope are tracking a spam campaign that's been distributing
LokiBot and NanoCore since April. The phish bait is a notice about an overdue invoice with an ISO file,
specifically a disk image,
which is unusual in this sort of criminal campaign.
LokiBot, whose use in phishing attacks Netskope says is increasing,
steals browsing information, checks for web and email servers,
locates email and file transfer credentials,
and detects popular remote administration tools.
NanoCore is a remote access trojan, a RAT.
Finite State studied the supply chain and found
Huawei gear unusually buggy. It doesn't say the bugs were deliberately introduced by Huawei,
the Chinese government, or anyone else, but it does say that they amount to troubling
vulnerabilities. The report casts doubt on whether undeniably low-priced Huawei equipment
in fact represents best value.
U.S. authorities have suggested that it doesn't
and that there are better alternatives from both a security and an economic perspective.
As the next U.S. election cycle approaches,
the Global Cyber Alliance and the Center for Internet Security
offer an election security toolkit for the use of authorities who actually run the voting.
A survey by NormShield finds, surprisingly and encouragingly,
that declared presidential candidates appear to be taking their campaign cybersecurity more seriously
than has been the case in the recent past.
The U.S. federal government is also publicly committing to work with state and local officials to secure the election.
Administration officials at a press call organized by the National Security Council yesterday
said they were focused on two main problems,
potential interference, that is, ensuring that votes can be cast and counted properly,
and potential influence, that is, disinformation and other information operations.
The administration is expanding free support services to all 50 states and to all presidential campaigns.
That support includes, among other things,
sharing classified information with affected parties when it's relevant and necessary.
with affected parties when it's relevant and necessary.
A PwC study of leading cybersecurity practitioners,
trailblazers, as the study calls them,
finds, again, that what sets the successful apart is their ability to align cybersecurity
with business objectives and practices.
ProPublica reports that Emsisoft,
in an investigatory sting,
found that the Scotland-based ransomware recovery service Red Mosquito would pay the ransom and then charge the customer four times that amount for its services.
Here's how the sting went.
Emsisoft researcher Fabian Wosar made up some phony ransomware, called it Gotcha, and sent Red Mosquito an email with a request to help under the assumed
name of Joe Mess. He also set up contact info for the pretended attackers. Within minutes,
he said, Red Mosquito contacted the faux hackers and began negotiating over the ransom. Wosar's
Mr. Mess identity had said he didn't want to pay the ransom, and he asked Red Mosquito to confirm
that they wouldn't do so on his behalf.
He received a non-committal,
We are still investigating and will get back to you as soon as possible.
But the correspondence between the ransomware recovery company
and the pretended masters of gotcha went something like this.
How much for decrypt?
$1,200 in Bitcoin.
You pay, we provide key and decrypter to recover data.
Can you do for 500 USD?
$900.
Take it or kiss data bye-bye.
We don't run charity here.
Shortly thereafter, Red Mosquito contacted Joe Mess with the good news.
They were pleased to confirm that we can recover your encrypted files.
The price?
$3,950.
Emsisoft objects mostly to the lack of transparency.
There might be times you'd pay ransom, Emsisoft says,
but you should be clear that that's what you're doing.
Some victims of ransomware are concluding it might be better to pay up.
We're not convinced this is generally a good idea, but another Florida town
has decided to pony up. Lake City became the second municipality in the Sunshine State to pay
ransom in as many weeks. On Monday, the city council voted to pay $460,000 to recover its
files. Of course, there's no guarantee the criminals will keep their word. They sometimes do and sometimes don't.
Lake City's nearly half a million is steep,
but if you've fumbled your defenses, it could cost you a lot more.
After all, the price tag for recovery in Baltimore is now $18 million and counting.
And I'm pleased to be joined once again by David Dufour.
He's the Vice President of Engineering and Cybersecurity at Webroot.
David, it's always great to have you back.
You recently spent some time over at InfoSec Europe,
and you brought back some interesting things to compare, Europe versus the U.S., and what you're seeing when it comes to threats and collaboration.
That's exactly right. Great to be back, David.
Always love to talk
about these topics. And I think you know, maybe some of your listeners don't, we have a very big
presence in Europe as well as the United States. And I think those of us in the U.S. always just
presume that everyone thinks about the same type of issues or think about things in the same way
that we do here in the States. But Europe has some different things that are concerning them,
none of which will be a surprise. I just think that the level of concern that maybe isn't here
in the States anymore that they have for certain things is pretty interesting.
Take us through what some of the things you learned.
We're going to sing the same old song of ransomware and phishing. But here in the US,
I don't want to say ransomware is under control,
but people are more familiar with it. We know how it works. We spend a lot of time understanding how
to prevent it, how to get rid of it. And we've all had the debate. Should you pay? Should you not pay?
I think that debate and those discussions are just now really coming to the forefront in Europe. And
I don't know if, you know, credit card scams were, you know, predominantly U.S.-based for a while,
and now they're becoming global.
I don't know if you take advantage of the U.S. first because that's where the money is, and then you start propagating elsewhere.
That could be happening.
But there's a lot of discussion, and you see a lot of concern about ransomware.
Yeah, it's interesting to me that it seems like there are some basic cultural differences that inform these things.
I think the big one is privacy, where we have GDPR,
and Europeans seem to have a different approach to privacy than we do here in the U.S.
That is a fact. And again, I'm going to bring that jump to GDPR. You know, that is number one in their minds, has been for several years. And to be fair, they had this huge regulation coming down
from the EU. Depending on whether you think it's good or bad, I'm not going to make that
discussion, but they have had to focus so much of their energy on the GDPR
efforts over the last several years, they haven't been paying as much attention to
ransomware, phishing, machine learning.
So what are your recommendations for folks
who are looking to do business in Europe?
Any sensitivities they should have when they're reaching out?
Well, for sure, the number one thing is GDPR.
It's still top of mind.
Everyone really focuses on that.
Data protection is key because people are worried about getting sued or things of that nature.
But in general, I think it's the same idea of how are you protecting the
endpoints? How are you protecting the customers? Focusing on phishing and ransomware right now is
something that they really are looking at. It's kind of what we talk about here, but just to get
the bundle in GDPR. I mean, it sounds like we've got more in common than we don't, but there are
some important nuances to take note of as well. That's exactly right. And, you know, the cycles are a little bit different over there.
I think we all end up at the same place.
We just might take different trains to get there.
All right. Well, David Dufour, thanks for joining us.
Great being here, David.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. Thank you.