CyberWire Daily - Nuisance-level hacktivism. Ongoing cyberespionage and cybercriminal campaigns. EU unhappy with Russia’s hacking the Bundestag. CISA has a new cybersecurity resource.
Episode Date: June 4, 2020

Nuisance-level hacktivism continues to surround US protests. The Higaisa APT is active in Southeast Asia. Goblin Panda is back, with USB-borne malware. A new strain of ransomware is described: "Tycoon." The EU considers whether to sanction Russia over the GRU's hack of Germany's Bundestag. CISA launches a new public resource for cybersecurity. Zulfikar Ramzan from RSA on cybersecurity and digital risk in the context of pandemics. Our guest is Grant Goodes from GuardSquare on security of mobile app voting. And a Texas man pleads guilty to conspiracy to commit money-laundering in the course of a BEC scam. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/108
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Nuisance-level hacktivism continues to surround U.S. protests.
The Higaisa APT is active in Southeast Asia.
Goblin Panda is back with USB-borne malware.
A new strain of ransomware is described, Tycoon.
The EU considers whether to sanction Russia over the GRU's hack of Germany's Bundestag.
CISA launches a new public resource for cybersecurity.
Zulfikar Ramzan from RSA on cybersecurity and digital risk in the context of pandemics.
Our guest is Grant Goodes from GuardSquare on security of mobile app voting. I'm Dave Bittner with your CyberWire summary for Thursday, June 4th, 2020.
Episodic nuisance-level hacktivism continues to accompany protests in the U.S.
According to KXAN, Anonymous has claimed responsibility for taking down an Austin, Texas, public website in an anti-police gesture,
and Variety reports that K-pop fans remain an odd
force in social media hashtag jamming. Anonymous, as we've had occasion to remark, is now probably
better regarded as a lifestyle brand than as an identifiable group, and in that respect,
come to think of it, it's a lot like K-pop, more style than conspiracy.
This morning, Malwarebytes published an update to their research into the Higaisa group,
an advanced persistent threat first described by Tencent early last year.
Malwarebytes says, with circumspection and ambiguity,
that Higaisa is believed to be tied to the Korean Peninsula
and is thought to have been active at least since 2016.
It's used Gh0st and PlugX Trojans in the past.
In its current campaign, Higaisa is using what Malwarebytes describes as a malicious shortcut file that stages a multistage attack.
Higaisa establishes its initial presence through spear phishing,
with the messages carrying a malicious LNK file bundled within an archive file.
Kaspersky reports finding a new strain of USB-based malware, USB Culprit,
that's being run by Chinese-speaking threat actors Cycldek or Goblin Panda,
the two operational entities that are active under a mutual quartermaster.
USB Culprit is intended for use against air-gapped systems.
Its targets have been in Southeast Asia, primarily Vietnam, but also Laos and Thailand.
It's worth noting that when people talk about malware or stolen information being able to cross an air gap,
that's less exotic and magical than it sounds.
In general, as in this case, it refers to malware being loaded
onto some removable medium. This isn't a new technique. It's generally believed that Stuxnet,
for example, infested the Iranian uranium centrifuges via baited USB drives. So,
important safety tip, don't stick that thing in your computer. You don't know where it's been.
Another bit of research published this morning comes from BlackBerry, which describes a new
strain of ransomware the researchers are calling Tycoon. They describe it as a multi-platform Java
ransomware targeting Windows and Linux that has been observed in the wild since at least December
2019. The operators deploy it as a trojanized Java runtime environment
and use an obscure Java image format to, as BlackBerry puts it, fly under the radar.
Tycoon attacks have been highly targeted,
hitting small and medium-sized companies in the education and software sectors.
The attackers establish themselves on the network
by working through a compromised remote desktop protocol server,
that is, an RDP server.
Similarities in naming conventions, as well as some overlap in the language of the ransom notes themselves,
suggest that Tycoon might be related to the Dharma/CrySIS gang.
So far, only a relatively small number of victims has been affected, but the campaign is still young.
Akamai has warned that its honeypots have shown that Stealthworker botnet remains an active threat. Affecting Windows and Linux systems, Stealthworker was discovered in February 2019
by Malwarebytes and further examined last October by Fortinet. Stealthworker is known for its ability to brute force popular platforms and
services, including Drupal, WordPress, Joomla, OpenCart, Magento, and MySQL. As Akamai points out,
botnets like these prey on weak authentication measures and automation in order to infiltrate
servers and infect them with malware. The company sees Stealthworker as an illustration of why multi-factor authentication and sound password policies, like using difficult-to-guess passwords
and never reusing them, are important security steps. Politico sees the German intention to
prosecute a Russian GRU operator, Dmitry Badin, for hacking the Bundestag as indicating hardening European attitudes toward Russian cyber operations.
Even TASS is authorized to take notice of the indictment.
EU diplomats met yesterday in Brussels to begin consideration of whether or not to impose sanctions against those involved in the cyber incident.
This would be the EU's first use of its sanction authority against cyber operators.
There is a national election coming up here in the U.S. this November, which will be here before you know it.
Grant Goodes is chief scientist at GuardSquare, a mobile application security firm. He shares his insights on the security of mobile app voting.
In general, there's two overlapping security concerns here.
One is the whole field of mobile application security in general.
And the second is the security of any form of non-in-person, not paper voting.
The second category is, I would say, an academic research topic.
It is not a solved problem.
The whole question of verifiability of the votes, secrecy of a vote, and we're talking individual votes here, they are
tough problems to solve without the classic paper ballot approach. However, putting that aside,
I think the big challenge here is to provide the best possible security, because clearly
nation-state actors might be interested in influencing the outcome of an
election. We need to make sure that we're putting our best security foot forward with these types
of applications.
Yeah, it's an interesting thing to think about, and I can't help wondering about the whole issue of timing.
You know, to me, it seems like it would be one thing if we had the benefit of time, if we had a few years to work through this and to test it and that sort of thing.
But as we come up on this election this year, this sort of, I guess, double whammy of the possibility that people won't be able to vote in person,
and then also knowing that there could be some outside influences who are trying to affect our election,
that really presents interesting challenges.
I fully agree.
I think that this has been a problem, as I mentioned,
for a number of decades,
the consideration of how to do an electronic vote,
whether it be in person with
a voting machine or remotely over the internet. But it's now, due to our current situation,
this is going to have to be addressed. And effectively, I think this may accelerate the
entire field. We're probably going to make some missteps, I'm almost certain of that,
but I think we can avoid the most obvious ones. And I think I would stress that the key to almost any mobile application security problem is not to rush.
In this case, we know this is coming.
We have, in the US, until November.
That should be adequate time to create a design.
It will not be perfect.
We will be academic.
So we'll say you have this and this and that flaw, but we will get a good design.
Then we need to make sure the vendor producing the software is
reliable and trustworthy themselves. Then we must, in my opinion,
institute some form of oversight on that software. It needn't be
the entire world. It can be, again, a limited subset.
We need people that are not associated
with the people in the election who can give oversight. And if we combine all of that and then
apply standard software design principles, use good cryptography, and then harden the app properly,
I think the result will be immune or largely immune to the sorts of concerns we have.
That's Grant Goodes from GuardSquare.
The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, CISA,
yesterday announced the launch of a new public resource for information about cybersecurity and the other areas in the agency's portfolio.
CISA Director Krebs said yesterday in
an interview on Intelligence Matters that as a matter of course nations would collect COVID-19
information. He said, quote, we do expect every intelligence service to be in the mix here,
end quote. China has been the most brazen in its pursuit of information about the pandemic and
research into treatments, but COVID-19 is an obvious intelligence target.
NATO yesterday issued a statement of solidarity with all health care
and research organizations that have been affected by cyberattacks.
And finally, a 64-year-old Texas man has taken a guilty plea
in the U.S. District Court for the Southern District of Texas, Houston Division,
to a charge of conspiracy to commit money laundering.
Kennedy Kim acknowledged his role in a business email compromise scam
in which he impersonated corporate persona to either intercept or initiate electronic funds transfers,
the money being diverted into accounts he controlled.
He faces up to 20 years in prison when he's sentenced later this year,
and he's agreed to provide victims with full restitution.
That will amount to, as the plea agreement says,
at least $745,540.70.
And joining me once again is Zulfikar Ramzan.
He is the Chief Technology Officer at RSA.
Zulfi, it's always great to have you back.
I wanted to talk to you today about kind of where we find ourselves with the pandemic
and how cybersecurity folks are sort of sizing this up when it comes to digital risk
in this context of being in a pandemic.
What can you share with us? So I think, you know, Dave, when I look at what's happened in the world,
I mean, nobody could have predicted the situation we're in today. We sort of saw some aspects of it
coming. But if you just think about it, a few weeks ago or a couple of months ago, you and I
were together at the RSA conference and the world was still feeling relatively normal. And a few
weeks after that, everything shut down really rapidly.
And when I talked to a lot of our customers,
they were all focused on how they could, number one,
enable and get through this change.
So they were thinking about what it meant for their workforce
and how to enable a remote workforce.
Many of them today are grappling and continue to grapple
with basic questions around
what does the Security Operations Center look like
in this new world.
I should be thinking about risk at a more fundamental level,
and really changing what risk means and what acceptable risk entails, given the overall crisis.
What sort of rebalancing are you seeing going on as people are turning those knobs?
What sort of things are they looking at?
Well, I think one of the first things that a lot of our customers are looking at is,
number one, how to rethink their security strategy
at a fundamental level.
Before, there were a certain set of assumptions
they would make about what was acceptable risk,
what they could account for, and so on and so forth.
And so the first thing is,
what does their security operations center look like?
The traditional security operations center has been this physical entity, right?
People get together when there's a big incident, there's a war room, and different parts of
the organization get together in that war room.
We now have to rethink what that means in a virtual context.
Can you have a virtual war room and run it effectively?
Now, this is easier said than done because in a massive security incident,
it's truly an all-hands-on-deck effort. You tend to have participation from every single
line of the business. So your legal team is involved if there are legal implications
associated with the incident. If there is a customer-facing impact, you might have your
sales team involved because they may have to talk to customers. If your sales team is talking to
your customers, your marketing team is involved to figure out
what messages have to be relayed
and how to package that appropriately.
And you also have certainly your IT team,
your IT security teams that are always involved
in these incidents.
And then your finance team may be involved
because all of a sudden you've got to write all these checks
and potentially hire people or bring in
third-party incident response expertise
and someone's got to fund all that. And so when you think about it, every aspect of an incident is
truly an all-hands-on-deck effort. And to make that successful, you have to find new ways to
collaborate, but now in a virtual environment. Yeah, I want to touch on incident response in
particular. I mean, you know, to me, that would often involve, you know, folks getting on
planes and traveling to where the incident was and having to deal with things, you know,
putting boots on the ground to try to work through something. Has that equation changed?
Yeah, so I think all of a sudden, there's no expectation of being able to get boots on the
ground anymore. Many organizations certainly have closed their front offices, they're trying to
minimize visitors. Even if somebody showed up to the office itself, there's no guarantee that anybody would be
there to let them in, or in that case, to a data center. And so in that regard, a lot more is
happening remotely. But what's also happening now remotely is before when you want to search for an
incident or investigate an incident, you would typically look for anomalous behaviors, right? Do I see
behaviors different from what I typically expect? Our understanding of what to expect has also
shifted in the context of a pandemic. All of a sudden, everybody's remote. It's not like you
have only one person being remote or a handful of people being remote. Everyone's remote all of a
sudden. Their behaviors are very different. Now, the way that I behave is maybe there's a handful
of IP addresses to which I connect or from which I connect. I'm using a lot more cloud applications probably if I'm a remote
worker. And so that means that being able to investigate what's occurring becomes even more
challenging. And so I think that gives rise to two kind of fundamental questions. One thing I think
is that how do we sort of evaluate what normal looks like in this new world? I think, by the way,
there's a glimmer of hope here,
because in many ways, normal is a lot easier to measure,
and it's a lot easier to get a baseline when everybody's essentially in one place,
even if it's their homes.
And so all of a sudden, before when I used to connect to my work systems,
I might be connecting from different locations.
If I'm on a plane somewhere, I might be in different countries.
Now there's, again, two or three IP addresses.
They can pretty much nail down, it's me, my behaviors are much more easy to predict,
which means that deviations from those behaviors are easier to identify.
So I think that's one glimmer of hope, quite frankly.
The second element, I think, is that we've also got this new challenge
in that all of a sudden, if I was using, let's say,
and focused on maybe network visibility to understand what was going on,
if individuals are now using more cloud services, if they're at home, they may not be on the enterprise network directly as much anymore. cloud, as well as your network core, and being able to amalgamate data across all three elements and bring them together so you can effectively build a proper cybersecurity program that looks
at all aspects of what's going on in your digital infrastructure.
All right. Well, Zulfikar Ramzan, thanks for joining us.
Absolutely. Always a pleasure, Dave.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.