CyberWire Daily - NSA warns that Russia is actively exploiting patched VMware vulnerabilities. CISA alert also a warning to Iran. DeathStalker update. Market pressures in the Darknet. Greetings from Pyongyang.

Episode Date: December 7, 2020

NSA warns that Russian state-sponsored actors are actively exploiting patched VMware vulnerabilities in the wild. A CISA alert puts Iran on notice. DeathStalker hired guns are now active in North America. Darknet contraband markets are experiencing the sort of pressure and consolidation legitimate markets undergo. Rick Howard checks in with the hash table on CSO and CISO roles. My continued conversation with Betsy Carmelite from Booz Allen on their 2021 Cyber Threat Trends Report. And a weird shift in North Korean propaganda: is Pyongyang having a Hallmark moment? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/234

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 NSA warns that Russian state-sponsored actors are actively exploiting patched VMware vulnerabilities in the wild. A CISA alert puts Iran on notice. DeathStalker hired guns are now active in North America.
Starting point is 00:02:12 Darknet contraband markets are experiencing the sort of pressure and consolidation legitimate markets undergo. Rick Howard checks in with the hash table on CSO and CISO roles. My continued conversation with Betsy Carmelite from Booz Allen on their 2021 Cyber Threat Trends Report, and a weird shift in North Korean propaganda. Is Pyongyang having a Hallmark moment? From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 7th, 2020. NSA this morning published an alert concerning vulnerabilities VMware patched last week.
Starting point is 00:03:08 The bugs are being actively exploited by Russian intelligence services. NSA is particularly concerned to warn federal agencies and the companies that make up the defense industrial base, but the agency's advice is also intended for any users of the affected VMware products. As is so often the case, password access is required for exploitation. NSA writes, Exploiting the vulnerability requires authenticated password-based access to the management interface of the device, which is encrypted with TLS. That interface typically runs over port 8443, but it could be over any user-defined port. NSA recommends that NSS, DoD, and DIB network administrators limit the accessibility of the management interface on servers
Starting point is 00:03:55 to only a small set of known systems and block it from direct Internet access. And of course, as always, patch. CISA's alert last Thursday, in which it warned of a likely increase in Iranian cyber attacks, is seen by many observers, Nextgov reports, as aimed more at an Iranian audience than a U.S. domestic one. The U.S. government may be interested in reminding Iran that it's on the alert for them, that it knows what to look for, that it's prepared for accurate, supportable attribution, and that it will leave speculation about any possible retaliation as an exercise for the audience. The large Israeli insurance firm Shirbit, at the end of last week,
Starting point is 00:04:41 refused to pay the actors behind a ransomware attack the company sustained. The Times of Israel reports that Black Shadow, the criminal organization that claimed responsibility, on Friday began releasing some of the data it stole. Bitcoin.com says exchanges between attackers and victims include a demand for 200 Bitcoin, roughly $3.8 million, but Shirbit tells Haaretz that the motive was strategic and not financial. The data is thought by some to have been moved to Iran. Security firm Kaspersky reports that the DeathStalker hackers-for-hire are now working targets in North America.
Starting point is 00:05:23 The group is using the PowerPepper backdoor, which itself uses DNS over HTTPS as a communication channel, the better to conceal communication with the control server behind legitimate-looking traffic. PowerPepper uses a variety of evasive techniques, including steganography, to fly below the defender's radar. Kaspersky's read on the hoods behind DeathStalker is that they're hired guns. Right now, in the United States and Canada, they've apparently been hired to gun for financial and legal services.
Starting point is 00:05:57 Chainalysis looks at darknet markets and sees both consolidation and a drop in activity. The number of active markets has fallen to 37 from a high of 49. Some of the decline the researchers attribute to the same COVID-19 delivery pressures legitimate markets face, but they think the operation of market forces accounts for most consolidation. Law enforcement attention may in part be credited with the drop in transactions. Kaspersky shared some predictions with TechRepublic that the security firm thinks will have particular importance for the healthcare sector in 2021. The researchers believe attacks against developers of COVID-19 vaccines and treatments will continue, with theft of data on breakthroughs being at a premium. They see health-related cyberattacks as a probable geopolitical bargaining chip,
Starting point is 00:06:49 with attribution a matter of diplomatic contention. In an independent statement on the problem, not coordinated with or based on Kaspersky's research, but arriving at similar conclusions, CNBC quotes former CISA director Krebs to the effect that the familiar four, Russia, China, Iran, and North Korea, are actively engaged in industrial espionage aimed at developments in COVID-19 research. Krebs said yesterday on Face the Nation, quote, the big four, Russia, China, Iran, and North Korea, we have seen to some extent all four of those countries doing some kind of espionage or spying, trying to get intellectual property related to the vaccine.
Starting point is 00:07:31 So, in this respect, 2021 will witness a continuation of a trend already well-established in 2020. To return to Kaspersky's predictions, the security firm also sees cybercriminals as a growing threat to the healthcare sector. Criminals can also be expected to pursue private medical organizations. They not only hold valuable data, but they may be less able to protect it than are better-resourced public healthcare organizations. As patient data migrates to the cloud, Kaspersky expects criminals to follow. And, of course, medical topics will retain their prominence as phish bait. Writing in Help Net Security, Futurex offers its take on the near future of encryption. Like every other seer we've consulted, they foretell a greater role for the cloud,
Starting point is 00:08:23 as cloud-based encryption and key management become more important to financial services in particular. Homomorphic encryption, which encrypts data in use, will see more widespread adoption, as will bring-your-own encryption. BYOE is seen as offering a hedge against certain forms of third-party risk, especially legal and regulatory risk, and device manufacturers will increasingly move toward crypto-agility the better to be prepared for quantum computing when it eventually arrives. Looking ahead to the next U.S. administration, the Washington Post's Cyber 202 lays out the
Starting point is 00:09:01 case for significant continuity in cybersecurity policy. The discontinuities are likely to be largely organizational, such as the reappointment of a national cyber coordinator, a position the most recent National Defense Authorization Act reinstated. With respect to safety during the holidays, Specops Software emailed us their updated list of the 15 most common holiday-themed passwords, the ones most commonly exposed in breaches. They are, in order, Star, Angel, God, Elf, Jesus, Snow, Carol, Noel, Santa, Chocolate, Gift, Bells, December, Xmas, and Jolly.
Starting point is 00:09:44 Piety, affection, and happiness are all excellent, but their expression in credentials is probably a mistake. They're short, they're not random, and they're easily guessed, even by a soulless algorithm. The Wall Street Journal notices an unusual turn in North Korea's self-presentation through social media. Pyongyang's become positively cuddly, with sweet homages to mom and kimchi, not to mention low-key, friendly tours of grocery stores and parks. The goal appears to be the rendering of the
Starting point is 00:10:17 DPRK as a place where normal people can lead quiet lives. It's unsettling. We're used to seeing over-the-top accusations of how the American fascist hangmen enslaved South Korea, of how the weather was responsible for the late dear leader's moods, even of images of the dear successor hobnobbing with Dennis Rodman. But mom, we love you. And isn't it wonderful that it's kimchi season again? It's a lot to wrap your mind around.
Starting point is 00:11:03 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:11:33 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:12:16 That's vanta.com slash cyber for $1,000 off. We'll be right back. or shake up your mood with an iced brown sugar oat shake and espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:13:22 And joining me once again is Rick Howard. He is the CyberWire's chief analyst and also our chief security officer. Rick, always great to have you back. Thanks, Dave. You know, Rick, last week on your CSO Perspectives podcast, you mentioned that CISOs and CSOs were not board-designated corporate officers
Starting point is 00:13:57 like the CEO or the CFO. Wow, can you put some more alphabet in that? I know, it's like alphabet soup. And you said that their titles had been designated to give the appearance of senior weight, but legally they were not equivalent. Now, beyond everyone who listened to your show, you know, suddenly have a chip on their shoulder when it came to their interactions with the CISOs and the CSOs, right? Here's the question that came to mind for me.
Starting point is 00:14:27 Does it matter? Is it a distinction without a difference? So, that is an excellent question. In fact, so good, okay, that I dropped that little hand grenade right on top of the CyberWire's hash table to see what our experts thought. And you know what? It turns out maybe not that much. I was talking to Gary McAlum about this. He is the USAA CSO, and he's been there for like a gazillion years, so he knows where everything is. And he said that the corporate officer label might help a little, maybe,
Starting point is 00:14:59 but it wasn't essential. It can't hurt. But again, you could be designated that, and I guess it would help a little bit, but what's more important is the tone at the top, right? What level of support does that person, that position, have, regardless of what they're designated as, right? And you could even make an argument that it also depends on where they're placed in the
Starting point is 00:15:20 organization. If they're very, you know, multiple levels down, do they have the level of visibility they need on this issue? You know, does that indicate the level of support they have or they don't have from the company? So I think it's one variable among several, and I don't think it could do anything but help, but I don't think it's a critical success factor necessarily. So according to Gary, it's much more important for the CSO or the CISO to be part of the C-suite. Can we say C any more times in this thing? I know.
Starting point is 00:15:53 I mean, does this provide any shielding for them, too, to not be at that level? I mean, can that be a good thing? Is it protective for the folks who have this role? You know, I don't know. It seems like it's a legal distinction, okay, for certain regulatory requirements that's probably not important for the job that the CSO and the CISO is trying to do. It's more important to be seated at the C-suite table
Starting point is 00:16:18 as a valued contributor, all right? So I don't want to be buried three layers down working for the CIO. I want to be at the table helping the business make decisions. Right, right. So having that seat at the table is really where the rubber meets the road in this case. Exactly. Yeah.
Starting point is 00:16:34 It reminds me of, you know, the joke from The Office, you know, are you the assistant manager or assistant to the manager, right? Yeah, that's very true. Yeah. All right. Well, it is CSO Perspectives. Rick Howard talking to the hash table this week. Thanks for joining us. Thanks, Dave.
Starting point is 00:17:25 And I'm pleased to be joined once again by Betsy Carmelite. She is a senior associate at Booz Allen Hamilton. Betsy, it is always great to have you back. You and I have been talking about Booz Allen's recent 2021 Cyber Threat Trends Report. And one of the things I wanted to touch on with you is this notion about supply chain attacks, specifically via cloud-hosted development environments.
Starting point is 00:18:18 That popped up in the report. Can you share some of the details with us? Yes. Specifically, we're looking at threat actor interest in targeting platform-as-a-service solutions, where we see these cloud-hosted development environments. For a brief background on platform as a service, the customer manages some of the software but not the underlying hosts and infrastructure, so there's a shared responsibility there. Historically, threat actors have targeted shared libraries and software development kits and used them as a means to conduct widespread attacks. This is really where they can insert
Starting point is 00:18:55 malicious code into benign applications and carry out nefarious motives. And so we're seeing as cloud-hosted development environments become more popular, we think these solutions may attract the same illicit activity that other development tools and resources have seen in previous attacks. Can you go through some of the specific risks with us? Sure. With platform as a service, there's really a natural meeting point or convergence of several already tried and true paths of attack. We've seen actors generally have interests in inserting themselves in the dev environment for malicious means, and we've seen threat actors riding on cloud hosting infrastructure for a long time, for example, hosting malware payloads on cloud storage, ultimately to cause damage and compromise the places where legitimate software
Starting point is 00:19:45 tools and services are being built. So this convergence is another avenue of manipulating the supply chain. So this is where we get to impacting the products and subsequent customer deployment downstream. Well, let's go through some of the mitigations there. I mean, how do folks protect themselves against this sort of thing? Sure. So if you're the consumer, organizations can protect against software supply chain attacks by deploying EDR, endpoint detection and response, tools that may detect anomalous or suspicious behavior by applications, including those normally believed to be trustworthy. If you're the software developer, it's a good practice to make extensive use of code signing to secure software components. And those components can include configuration files or scripts, and to check the digital signatures of imported libraries or updates.
Starting point is 00:20:40 Code signing keys should be stored to prevent those rogue users of the development environment from signing malicious code. And lastly, again, if you're the developer, you should secure your development environments by using strict access controls, ensuring prompt deployment of patches. When using cloud-hosted development tools, organizations should consider private cloud deployments and those models to provide additional control over the environment. Well, it's the 2021 Cyber Threat Trends Report. Betsy Carmelite, thanks for joining us. Thanks, Dave. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
Starting point is 00:21:44 It'll save you time and keep you informed. Become legendary. Listen for us on your Alexa smart speaker, too. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security, ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks
Starting point is 00:22:04 where all the fine podcasts are listed. And check out the Recorded Future podcast, Thank you. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technologies Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri Kelsey Bond, Tim Nodar, Joe Kerrigan Carol Terrio, Ben Yellen, Nick Volecki Gina Johnson, Bennett Moe, Chris Russell
Starting point is 00:22:43 John Petrick, Jennifer Iben, Rick Howard Peter Kilpie, and I'm Dave Bittner Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. That's ai.domo.com.
