CyberWire Daily - New nation-state actors in cyberspace. SiliVaccine AV said to incorporate pirated code. Credential stuffing and password reuse. GravityRAT evades sandboxes. GDPR approaches.
Episode Date: May 2, 2018
In today's podcast we hear that more nation-states have acquired and are using cyber capabilities. North Korea's SiliVaccine anti-virus product appears to have pirated an old version of Trend Micro's scan engine. Despite warnings of credential stuffing, people still reuse passwords. GravityRAT now takes its victims' temperature. Many firms remain unprepared for GDPR. Questions arise about possible overpreparation by two of the biggest companies out there. And some dimwit has hacked a highway sign in Arizona. (Congratulations, knucklehead.) Justin Harvey from Accenture on the uptick in credential harvesting they're seeing. Guest is Piero De Paoli from ServiceNow with results from their recently published security report.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
N2K at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
More nation-states acquire and use cyber capabilities.
North Korea's SiliVaccine antivirus product
appears to have pirated an old version of Trend Micro's scan engine.
Despite warnings of credential stuffing, people still reuse passwords.
GravityRAT now takes its victims' temperature.
Many firms remain unprepared for GDPR.
Questions arise about possible over-preparation by two of the biggest companies out there.
And some dimwit has hacked a highway sign in Arizona.
Congratulations, knucklehead.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, May 2, 2018.
It's unsurprising, but worth noting,
FireEye says more states are acquiring effective
cyber capabilities and using them for espionage and other disruptive operations.
Vietnam in particular is mentioned in dispatches.
North Korea has had its own homegrown antivirus product, SiliVaccine, for some time. Upon inspection, it seems less homegrown
than thought. Researchers at Check Point obtained a sample sent to a journalist as apparent phish bait.
They concluded that SiliVaccine is built around a decade-old version of Trend Micro's scan engine,
modified to ignore certain virus signatures, effectively whitelisting some DPRK attack tools.
The sample was also bundled with malware from North Korean threat actor JAKU.
The pirated AV product is associated with two concerns, Pyongyang Gwangmyong Information
Technology and STS Tech-Service.
Trend Micro points out, correctly, that the pirated code in no way affects their
current products' security or reliability. The producers of SiliVaccine are thought to have
obtained the old Trend Micro code from some third party. Why, one might ask, would one decide using
a North Korean antivirus product was a good bargain? For one thing, if one were among the
relatively small number of North Korean internet users,
one might have little choice.
It's unlikely that the glorious self-reliant software kiosk at the ever-victorious mall
carries ESET or Bitdefender or Cylance or Trend Micro or Webroot or Kaspersky.
If you're not one of the DPRK's residents, you might not realize it was a DPRK-associated product.
STS Tech Service, for example, is an organization of unclear provenance.
It's not to be confused, by the way, with STS Technical Services,
an honest Wisconsin business that Glassdoor says is a pretty good place to work.
Or you might be incautious enough to accept an emailed offer of
free antivirus. A lot of reputable companies offer free versions of their products to
individuals as loss leaders. Who's to say this one isn't okay? And finally, believe it or not,
we've actually seen descriptions by apparently serious and not obviously insane people who've
made the case online that North Korea might be a pretty good offshore option if you're looking for affordable
coders. To which we can only say: just say no.
Widespread concern about credential stuffing attacks has brought the problem of password reuse to the fore, but reuse
continues unabated. According to a LastPass study, people reuse passwords because they're afraid they'll forget them.
LastPass, of course, is in the business of selling password managers,
so their results align with their business, but their point is a good one and well taken.
The finding that personal passwords often get reused on business sites is particularly troubling.
We're not sure this is much better than writing them down on a sticky note under your keyboard.
In that case, at least,
you know that your big threat is an evil maid attack.
For the record, we don't recommend
using sticky notes as password managers.
But we do know it goes on.
Piero De Paoli works with ServiceNow's security group.
They recently teamed up with the Ponemon Institute
for a global
cybersecurity study, surveying over 3,000 people around the world. Piero De Paoli joins us to share the results.
Publicized data breaches are actually just the tip of the iceberg. You know, the beauty
of getting to so many people in nine different countries around the world, is we were able to really get a wide view of the market.
And what we found was that 48% of organizations who responded to our survey had had a data breach in the past two years.
So just the things we're hearing about in the news is really just the tip of the iceberg.
So one of the things that this report focuses on is patching and specifically the challenges when it comes to patching.
Can you take us through some of the information you gathered there?
Yeah, and really we came up with really three big themes around patching.
The first is that the teams are overwhelmed.
They're getting hit with so much data from so many different security tools.
And what we found is that 64% of the organizations said that they were looking at hiring more
people to go and solve the problem. And on average, those organizations are spending about 320 hours
a week on vulnerability patching. And they're looking to hire to get another 50%
more capacity in that area. So if 320 hours a week is essentially eight full-time people,
look at adding another four. The second was that a lot of the things they found around those
processes were they were using a lot of manual process to do this work. And so while they're looking at adding more people,
they may be adding them to processes that are very manual in nature.
And so this may not actually help the problem,
which is why we kind of call this the patching paradox.
Adding more people may not actually help.
And then the third is because of the big swath of people we were able to get to,
we were able to cut that data by the organizations who
were breached and organizations that were not. What we found is that of the organizations that
were not breached, they rated themselves as being 41% better at patching vulnerabilities than the
folks who were breached. And so we found that really being good at patching is one of the
things that can really help reduce the organization's breach.
And what did you discover in terms of feedback on why patching continues to be such a challenge for organizations?
A few different things.
You know, as they're looking for more people, they're struggling to hire.
There's a great study from ISACA that shows that there'll be a 2-million-person global shortage of cybersecurity
professionals by 2019. When we got into the data to understand a little bit about why it's so hard, in
many cases a security person is finding the vulnerabilities and it's somebody on the IT
side in a parallel group that's actually doing the work for patching. And 73% of the respondents
said that the security and IT teams don't have a
common view of all applications and systems. And that 57% of them said that things were slipping
through the cracks because they're using things like emails and spreadsheets to manage this whole
process versus having a more robust system for doing so. So in terms of take-homes and
recommendations, what are you suggesting people do?
First is that, you know, take an unbiased inventory of vulnerability response capabilities
and look for some areas. We've got this great survey that kind of goes into a bunch of data.
Look for places that hit home. And from there, you can move to number two, which is start to
tackle some of the low-hanging fruit, like being a little bit better at vulnerability scanning and prioritization.
The third is I mentioned that 73% of folks were not seeing a common view
of applications and systems between security and IT.
We want to break down those silos,
make sure that those teams are able to actually access the same data,
and that will solve a lot of problems.
The fourth was optimize the overall response process, document this thing end to end, and
then look for places within that process to potentially automate.
And then the fifth is that really by doing a lot of this stuff, if you're able to put
things into an easier-to-use process for employees, this may actually help retain the talent that organizations already have,
and it can create a bit of a high-performance culture within a security team.
And just given there's such a dearth of security talent,
this will help not only maybe recruit new people to the organization,
but maybe help retain folks because jobs elsewhere just won't look as exciting.
That's Piero De Paoli. He's from ServiceNow.
You can check out the results of their survey on their website.
The GravityRAT Trojan, which has troubled India for months,
has, according to Cisco's Talos Research Group, become more evasive,
using CPU temperature changes to detect virtual machines used for sandboxing.
Its origins are unknown, but some think signs point to Pakistan.
CERT India says that GravityRAT has been used to stage targeted attacks.
GDPR takes effect at the end of the month, and a CompTIA survey suggests that more than
half of U.S. businesses are unprepared for the new European privacy and data protection law.
Two companies that appear better prepared than most are Google and Facebook,
but their preparations aren't much to the liking of either European regulators
or the publishing industry.
The regulators see the two big advertising and data collection giants
as seeking ways of evading at least the spirit, if not the letter,
of GDPR, especially with respect to Facebook's new approach to privacy. And publishing concerns
like Condé Nast, Bloomberg, Hearst, and The Guardian complain that Google is effectively
trying to offload its responsibility for obtaining consent to use personal data onto the publishers,
while Google itself refuses transparency in its own use
of data obtained through the publishers' use of Google services.
This, the publishers complain, increases both their burden and their liability.
And we'll finish with the pointless crime news of the day.
Some loser in Arizona hacked a highway sign to display the words,
Hail Hitler.
We assume he meant Heil.
And we'll leave it as an exercise to speculate about why people do such things.
Talk amongst yourselves.
Keep your eyes on the road.
Because distracted driving is always dangerous.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Justin Harvey. He's the global incident response leader at Accenture.
Justin, welcome back. You all have been seeing an uptick in credential harvesting activity.
What can you share about that?
Dave, we work these complicated cases that involve thousands of machines, and it's fascinating that some of the
most simple attacks are still being perpetrated in the world. And the one that we're seeing the
most of is called credential harvesting. And the way it works is an adversary profiles an
individual within a company. And sometimes this individual is the CFO. It's someone that perhaps does accounts
payable. And I might add, it's very easy to identify these people in organizations with
tools like LinkedIn. You go in, you type in the company name, AP, accounts payable, CFO, boom,
there they are. And then there's a little bit of open source intelligence to find their email address.
You find their email address and you send them a carefully crafted email that they are going to want to click on.
Sometimes it is an association. Sometimes it looks like it's from the personal email address of something they know.
And it says, click here for a document or click here to find something out, so it tricks them
into clicking that link, a link that looks very valid, and it brings up a
login page. Now if you're doing it to a Gmail user, you'll make it look like a
Gmail login. If you're doing it to a corporate user, if you do a little bit of
investigation you can find out probably they have Office 365 Exchange, in which case you
would make the login page look like a Microsoft Office 365 login page tailored right for that
company. And many times the adversary will be able to figure out what that looks like because
they'll type owa.companyname.com or they'll type email.companyname.com. And usually what'll happen is there's your Outlook
web access page. And it tricks people into going to this page. And usually they change one or two
letters. If it's an L, they put a one. If it's an I, they'll put an L, things like that. When the
user goes to there, they will type in their valid credentials because they think that there's been a
problem with the system and they need to re-authenticate. And then there's a blank page after that. By that time, the cyber
criminal has collected their username and password, maybe even takes that fake website down,
and then they could log in as that user. The next stage of the attack is usually a little bit more
custom. We're seeing various abuses of their
username and password. Sometimes it is stealing all of their email for blackmail. Sometimes it is
rerouting all of their emails to somewhere else. Sometimes it's even masquerading as that person
and sending an instruction, like the CFO instructing someone from Accounts Payable
to pay a bill to this account number, or even looking for new invoices that are coming in,
getting the invoice, changing the account routing number to a foreign bank, and submitting it via email to accounts payable.
You might then think, well, doesn't the other person receiving that email know that the submitter is being impersonated? And oftentimes,
they don't know. In these larger companies, you might be in a completely different country than
the submitter, but the request still looks legitimate. And to cover their tracks even
further, an adversary will actually set up complicated or complex Outlook rules. If the
accounts payable person does have a question,
it gets routed to a hidden folder,
which then the adversary can say,
no, this is real, please submit for sure ASAP
and defraud these companies of funds.
So it strikes me that the bad guys do this because it works.
What are your recommendations
for people to protect themselves from this?
I believe most of the entrance of cybercrime into threats really revolves around the people.
The stock answers I always give are better user awareness, better training of the users, better simulations.
I just love those companies out there that are doing phishing simulations and they're almost gamifying it.
How many months can you go without clicking on a phishing attack?
So that's number one.
It always starts with user education and awareness.
The second thing would be two-factor authentication, Dave.
I can't stress this enough.
I am still encountering large-scale institutions that do not have two-factor enabled. And it is so
critical, at least for your email, at least for your VPN, at least for your virtual desktop,
that you enable two-factor. Now, I know that two-factor may not be the easiest thing to implement,
meaning that there are dependencies and there's software you need to do and there's rollouts. But
if I were a listener out there today and hearing this and I didn't have two-factor
and I had responsibility for this, that would be the next thing I would do.
Pick up the phone and get a two-factor solution for your critical services to begin with
and then try to proliferate it as necessary.
Good advice as always.
Justin Harvey, thanks for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.