CyberWire Daily - Nobelium is back. A signed driver is gamer-focused malware. Idle hands. Third-party cloud risk. Bad practices. A net assessment of national cyber power.
Episode Date: June 28, 2021
The SVR's Nobelium appears to be back, this time with a less-than-fully successful cyberespionage campaign. The Netfilter driver is assessed as malware. Idle hands seem to make for more attacks against online gaming. Mercedes-Benz USA reports a data exposure incident. CISA starts to keep track of bad practices. The International Institute for Strategic Studies publishes a net assessment of national cyber power. Carole Theriault looks at the security implications of frictionless online commerce. Our guest is Clar Rosso from (ISC)2 with insights on Building Resilient Cybersecurity Teams. And Loki is a trickster, and his name is a lousy password. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/123
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code n2k.
The SVR's Nobelium appears to be back,
this time with a less than fully successful cyber espionage campaign.
The NetFilter driver is assessed as malware.
Idle hands seem to make for more attacks against online gaming.
Mercedes-Benz USA reports a data exposure incident.
CISA starts to keep track of bad practices.
The International Institute for Strategic Studies publishes a net assessment
on national cyber power. Carole Theriault looks at the security implications of frictionless
online commerce. Our guest is Clar Rosso from (ISC)2 with insights on building
resilient cybersecurity teams. And Loki is a trickster, and his name is a lousy password.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 28th, 2021. Microsoft has found a new cyber espionage campaign by Nobelium,
a threat actor associated with Russian intelligence services.
The campaign has featured password spraying and brute force attacks,
and while assessed as having been largely unsuccessful, will bear watching.
As Microsoft points out, this type of activity is not new.
The attempts were highly targeted, broken down into primarily IT companies, followed by government and smaller percentages for non-governmental organizations and think tanks,
as well as financial services.
The activity was largely focused on U.S. interests, about 45%, followed by 10% in the U.K. and smaller numbers from Germany and Canada.
In all, 36 countries were targeted.
Much of the reporting on the activity connects it to the SolarWinds supply
chain compromise, but the connection lies only in a common attribution to Nobelium,
a group associated with Russia's SVR. Microsoft recommends enabling multi-factor authentication
as one prudent step to take in protecting an organization against threats of this kind.
G-Data on Friday announced that it had found a malicious rootkit inadvertently signed by Microsoft.
The company notified Microsoft, who, as G-Data puts it, promptly added malware signatures
to Windows Defender and are now conducting an internal investigation.
G-Data noticed that a Microsoft-signed driver called
NetFilter was communicating with Chinese command and control IPs that contributed no obvious
legitimate functionality, and that raised their suspicions. Their investigation led them to
conclude that NetFilter was malware. Microsoft's Security Response Center said, quote,
Microsoft is investigating a malicious
actor distributing malicious drivers within gaming environments. The actor submitted drivers for
certification through the Windows Hardware Compatibility Program. The drivers were built
by a third party. We have suspended the account and reviewed their submissions for additional
signs of malware, end quote. The problems seem confined to the gaming sector,
and specifically to the gaming sector in China.
Redmond also says the risk is a post-exploitation one.
Quote,
An attacker must either have already gained administrative privileges
in order to be able to run the installer to update the registry
and install the malicious driver the next time the system
boots, or convince the user to do it on their behalf. Microsoft thinks the hackers' goal was
to spoof geolocation and thus enable themselves to play from anywhere. The hackers also seem likely
to be able to gain an advantage in certain games over other players and may be interested in compromising their
competitors' accounts by using commodity hacking tools like widely available keyloggers.
And in the interest of full disclosure, we mention that Microsoft is a CyberWire sponsor.
The discovery comes as attacks against online gaming have been trending upwards.
Some of the motivation for such attacks is obvious, like the coin mining the
Crackonosh cryptojacker Avast discovered in pirated copies of popular games like NBA 2K19,
Grand Theft Auto 5, Far Cry 5, The Sims 4, and Jurassic World Evolution.
But overall, there seems to be no single overarching reason for the spike.
SC Magazine suggests that it may, in part, be explicable as opportunistic.
People have been relatively inactive during the pandemic,
and, well, idle hands are the devil's workshop, and so on.
Mercedes-Benz USA disclosed Thursday that almost 1,000 customers or potentially interested buyers' personal data were exposed in an unsecured cloud database.
Self-reported credit scores, driver's license and social security numbers and credit card information were among the compromised information.
Mercedes-Benz says there's no evidence of malicious use and that the responsible vendor has fixed the problem.
We're accustomed to hearing about best practices and to security experts sharing lists of such recommended practices.
But in some respects, failure can be more instructive than success.
And so, the U.S. Cybersecurity and Infrastructure Security Agency, CISA, has begun cataloging bad practices.
CISA will add to its catalog over time, but its first two entries are unlikely to be controversial.
They are, first, use of unsupported or end-of-life software in service of critical infrastructure and national critical functions is dangerous and significantly
elevates risk to national security, national economic security, and national public health
and safety. This dangerous practice is especially egregious in internet-accessible technologies.
And, second, use of known fixed default passwords and credentials in service of critical infrastructure
and national critical functions is dangerous and significantly elevates risk to national security.
There's an emphasis on critical infrastructure throughout, although CISA notes that the bad practices are
pretty bad no matter where people commit them. Note, too, the emphasis on how egregious it is
to do this stuff on internet-accessible technologies.
The International Institute for Strategic Studies has published a long research paper ranking the world's major cyber powers.
Cyber Capabilities and National Power, a Net Assessment, says the U.S. is number one.
The report says, What sets the U.S. apart on offensive cyber is its ability to employ a sophisticated surgical capability at scale.
It didn't consider all the states it might have.
Four of the Five Eyes are in the assessment,
but they left out New Zealand, which seems a curious omission.
Three states IISS calls close cyber allies of the Five Eyes were included,
France, Israel, and Japan,
whereas others, notably Germany, the Netherlands, the Nordic countries, and former Warsaw Pact members now aligned with NATO were left out.
The familiar four adversaries, China, Russia, Iran, and North Korea, are in the study,
and they include four developing cyber states, namely India, Indonesia, Malaysia, and Vietnam.
But the omissions may be redressed in the future.
IISS regards its study as a first in assessing relative national power in cyberspace,
and they see their present work as laying out a whole-of-society approach to the issue that can be used more broadly.
The methodology used to compile the rankings is principally qualitative
and analyzes the wider cyber ecosystem for each country.
They looked at strategy and doctrine, governance, command and control, core cyber intelligence capability, cyber empowerment
and dependence, cybersecurity and resilience, global leadership in cyberspace affairs,
and offensive cyber capability. One of the distinctive advantages the study saw the Americans enjoying
is their large base of cybersecurity companies. The obstacles the U.S. faces in employing cyber
power are principally, the IISS writes, of a legal or political nature.
Finally, to return to passwords, especially ones that are frequently used and really not particularly good in the first place,
people are still using lame passwords derived from the Marvel and DC superhero universes.
Specops Software has published a list of the 40 most common super passwords.
The list as a whole is too long and discouraging to repeat here, but we'll favor you with the top ten.
Loki comes in first, followed by his Asgardian nemesis Thor. Number three is Robin, maybe because
Batman is too obvious, so choosing Robin displays a certain gesture in the direction of low cunning.
Then Joker, followed by Flash, and finally at number six, Batman.
Superman is number seven, and Vision, Falcon, and Penguin round out the top ten.
Not that you'd be using any of these, but if you are, well, shame on you.
Report yourself to CISA at once.
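The Nobelium story above describes password spraying and brute forcing, and Microsoft's advice is MFA. The following is an added example, not code from the CyberWire episode or from Microsoft, showing what those two patterns look like in authentication logs and how a detector can tell them apart: a spray touches many accounts a few times each from one source, brute force hammers one account from one source. The log lines, IP addresses, account names and thresholds are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real telemetry).
# Format per line: "<ISO timestamp> <source IP> <account> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2021-06-25T10:00:01 198.51.100.7 alice FAIL
2021-06-25T10:00:04 198.51.100.7 bob FAIL
2021-06-25T10:00:07 198.51.100.7 carol FAIL
2021-06-25T10:00:10 198.51.100.7 dave FAIL
2021-06-25T10:00:13 198.51.100.7 erin FAIL
2021-06-25T10:00:16 198.51.100.7 frank FAIL
2021-06-25T10:00:19 198.51.100.7 frank SUCCESS
2021-06-25T10:01:00 203.0.113.9 carol FAIL
2021-06-25T10:01:05 203.0.113.9 carol FAIL
2021-06-25T10:01:10 203.0.113.9 carol FAIL
2021-06-25T10:01:15 203.0.113.9 carol FAIL
2021-06-25T10:01:20 203.0.113.9 carol FAIL
2021-06-25T10:01:25 203.0.113.9 carol FAIL
2021-06-25T10:01:30 203.0.113.9 carol FAIL
2021-06-25T10:01:35 203.0.113.9 carol FAIL
2021-06-25T10:01:40 203.0.113.9 carol FAIL
2021-06-25T10:01:45 203.0.113.9 carol FAIL
2021-06-25T10:05:00 192.0.2.5 alice FAIL
2021-06-25T10:05:20 192.0.2.5 alice SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def classify_source(events, window, spray_min_users, spray_max_per_user, brute_min_attempts):
    """Classify one source IP's events.

    A sliding window over failed attempts is evaluated from every failure:
      spray       -> many distinct accounts, few attempts per account
      brute_force -> one account hit at least brute_min_attempts times
    Accounts that succeed after failing from an attacking source are reported
    as suspect (a spray that "landed").
    """
    events = sorted(events)
    fails = [(ts, user) for ts, user, res in events if res == "FAIL"]
    spray = brute = False
    max_distinct = max_per_user = 0
    for i, (t0, _) in enumerate(fails):
        j = i
        while j < len(fails) and fails[j][0] - t0 <= window:
            j += 1
        counts = Counter(user for _, user in fails[i:j])
        distinct, peak = len(counts), max(counts.values())
        max_distinct, max_per_user = max(max_distinct, distinct), max(max_per_user, peak)
        if distinct >= spray_min_users and peak <= spray_max_per_user:
            spray = True
        if peak >= brute_min_attempts:
            brute = True
    suspect = []
    if spray or brute:
        failed_users = set()
        for _, user, res in events:
            if res == "FAIL":
                failed_users.add(user)
            elif user in failed_users and user not in suspect:
                suspect.append(user)
    verdict = "brute_force" if brute else "spray" if spray else "benign"
    return {"verdict": verdict, "max_distinct_users": max_distinct,
            "max_per_user": max_per_user, "suspect_accounts": suspect}


def detect(log_text, window=timedelta(minutes=10), spray_min_users=5,
           spray_max_per_user=3, brute_min_attempts=8):
    """Group events by source IP and classify each source. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for ts, ip, user, res in parse_log(log_text):
        by_ip[ip].append((ts, user, res))
    return {ip: classify_source(evs, window, spray_min_users, spray_max_per_user,
                                brute_min_attempts)
            for ip, evs in by_ip.items()}


if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG).items():
        print(ip, finding)
```

Note that the third source (one failure followed by a success) stays benign: a success-after-failure on its own is just a typo, and only becomes interesting when the same source also shows spray or brute-force volume. Real deployments key on the identity provider's sign-in events rather than this toy format, and a spray from a large proxy pool will spread across many source IPs, which is one reason MFA, not detection alone, is the recommended control.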
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The gap between the number of open positions and the number of qualified candidates in cybersecurity is an ongoing concern.
The team at (ISC)2 recently surveyed over 2,000 employers and job seekers to try to get a handle on what can be done to help close that gap.
Clar Rosso is CEO at (ISC)2.
…cybersecurity professionals. That's globally, I think, about 79% more cybersecurity professionals we need than what we have. And so what prompted the team to do this survey was really to start
thinking about how do we close that gap and what are we going to need to close that gap?
And that led us down the road of, well, let's talk to people who are in the field, as well as people who are pursuing careers in cybersecurity, and see what we come up with and what kind of tips maybe we could give
employers. Well, let's go through the report together. What are some of the highlights?
Well, I think one of the highlights is that organizations really need to take a new approach to hiring cybersecurity
professionals. If I were to use a baseball analogy, I would say currently organizations
are trying to build their team by using exclusively all-stars via free agency,
when in effect what organizations need to be doing is developing a farm system
and looking for utility players who can give their programs depth and longevity. It's the
difference between the quick win, bringing in that all-star, and playing the long game where you
develop team members over time. More specifically, one of the things that we've been finding in the survey that
supports the idea of playing the long game and investing in your people is that an increasing
number of people who want to enter cybersecurity are actually not coming from an IT or cybersecurity
background. Was there anything in the responses that you got throughout the process of this survey
that surprised you?
Any feedback that you got that was unexpected?
Well, unexpected or quite interesting, what I would say is in addition to what I already
mentioned about the increasing number of professionals without IT
experience that are interested in pursuing cybersecurity careers, we also are seeing that
women and younger women are increasingly interested in cybersecurity careers. I would say for several
years now, we've been stuck between 20 and 25 percent of the cybersecurity workforce globally as women.
And when we look at young women with less than three years of experience, that's 37 percent.
So that's a significant increase. We also saw in the study that women who didn't come from IT backgrounds were more likely to want to pursue careers in cybersecurity.
That's Clar Rosso from (ISC)2.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
When considering online transactions, is it better in general to slow things down or speed things up?
I suppose to some extent it depends on which side of the transaction you're on.
That said, the security considerations of transactional velocity are worth pondering.
Our UK correspondent Carole Theriault has been doing just that,
and she shares this commentary.
Have you heard of this term frictionless? I see it everywhere these days, though let's be honest, I am in a particularly technological echo chamber. But for
those that are uninitiated, it basically means removing any friction between you, the customer,
or the consumer, and the item that the company wants you to use or the thing that you want to buy.
So if I were a waffle maker and I wanted to sell you waffles online, my pages would have pictures
of very yummy, tasty waffles. And when you clicked on it, I wouldn't want to have five different
things that you need to do before you've
purchased the waffles. Indeed, what I really want is a one-click solution because that helps my sales.
And if you think about it for a second, it also suits the consumer or you and me because we don't
have to go through many hoops to get from A to B. Saves us time. Now, the issue with
frictionless online services is it takes the thinking out of the process so that you can do
it automagically, all with muscle memory, without even giving it a second thought. And the question
is whether these kind of one-click frictionless systems
are leaving us more open to attack. Imagine we're so used to clicking through via email to a specific
merchant to make purchases that it could easily be duped without us actually paying attention.
And if we the consumer are duped, then it's our responsibility. The onus is
on us, the consumer, not the company that has been spoofed by the scammer. I don't think there's any
stopping the frictionless world. It saves everyone time. But as smaller, less security savvy
companies offer frictionless experiences, they may actually be putting their customers
inadvertently at risk. For frictionless environment companies, they need to have your payment details
and your personal details already in the system. So if that gets cracked because their security is not up to scratch, what do you do then? So my advice is this,
be careful with whom you allow to store your personal information and your credit card details.
Use a complex, unique password. Another tip here is to use a trusted password manager, because if
you are phished and you accidentally click on a dodgy URL and go to a
spoofed website, your password will not be automatically entered. Stay safe out there.
This was Carole Theriault for the CyberWire.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Justin Sabie, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious… Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.