CyberWire Daily - OceanLotus tracked. Threats to K-12 distance education. Adrozek is credential-harvesting adware. MountLocker gains criminal affiliates. FCC acts against Chinese companies. CISA internships.
Episode Date: December 11, 2020
Tracking OceanLotus. US advisory warns of cyberthreats active against schools trying to deliver distance learning. Adrozek joins credential harvesting and adware. MountLocker's criminal affiliate program. The FCC takes action against Chinese companies deemed security risks. Predictions, and holiday advice. Johannes Ullrich from the SANS Technology Institute wonders what's in your clipboard. Our guest is Nina Jankowicz from the Wilson Center on her new book, How to Lose the Information War: Russia, Fake News, and the Future of Conflict. And internship opportunities at CISA. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/238
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Tracking OceanLotus.
U.S. advisory warns of cyber threats active against schools trying to deliver distance learning.
Adrozek joins credential harvesting and adware.
MountLocker's criminal affiliate program.
The FCC takes action against Chinese companies deemed security risks.
Predictions and holiday advice.
Johannes Ullrich from the SANS Technology Institute wonders what's in your clipboard.
Our guest is Nina Jankowicz from the Wilson Center on her new book, How to Lose the Information War: Russia, Fake News, and the Future of Conflict.
And internship opportunities at CISA.
From the CyberWire Studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, December 11, 2020.
Reuters reports that Facebook has associated the Vietnamese threat actor OceanLotus, APT32,
with a company in Ho Chi Minh City, CyberOne Group.
CyberOne Group said on their now suspended Facebook page,
"We are not OceanLotus, it's a mistake."
Vietnam's foreign ministry hasn't responded to inquiries from Reuters,
but Hanoi has in the past denied any connection with or responsibility for OceanLotus.
The attribution is unusual in its unambiguous association of a cyber espionage group with a contractor.
Facebook, which has been squabbling with the government of Vietnam over content control,
declined to give a detailed account of its evidence,
saying that doing so would impair its ability to track OceanLotus in the future.
A joint cybersecurity advisory from the U.S. Cybersecurity and Infrastructure Security Agency,
the FBI, and the Multi-State ISAC yesterday warned that cyberattacks on schools have become increasingly
widespread as kindergarten-through-12 systems attempt remote instruction during the pandemic.
The advisory singles out ransomware, with Ryuk, Maze, Nefilim, AKO, and Sodinokibi being among
the most commonly observed strains; Trojans, especially ZeuS and Shlayer; distributed denial-of-service attacks, often by
DDoS-for-hire gangs; and video conference disruptions as the most prevalent threats.
The agencies urge schools to follow a familiar set of best practices to help secure themselves
as the pandemic continues to stress their systems, their teachers and staff, their students, and the families of all of these.
Microsoft 365 Defender Research Team has released a study of Adrozek,
browser-modifying malware that affects most, if not all, major browsers.
The researchers say that Microsoft Edge, Google Chrome, Yandex Browser,
and Mozilla Firefox are all subject to modification.
It's adware.
Quote, Adrozek adds browser extensions,
modifies a specific DLL per target browser,
and changes browser settings to insert additional unauthorized ads into webpages,
often on top of legitimate ads from certain engines.
Microsoft 365 says, adding that
the intended effect is for users searching for certain keywords
to inadvertently click on these malware-inserted ads,
which lead to affiliate pages.
The attackers earn through affiliate advertising programs,
which pay by the amount of traffic referred to sponsored affiliate pages.
End quote.
Adrozek is usually distributed as a drive-by download.
It modifies browser settings, including security settings.
Like most forms of adware, Adrozek gets revenue from the referrals it generates.
That's normally considered a fairly low-grade threat, obnoxious and profligate of resources,
but not really a high-end, high-risk threat. But in Adrozek's case, the adware also steals credentials, and that's a
serious matter indeed. So it seems that adware is following the path ransomware took: the original
crime continues and is then joined by additional malignant functionality. If this becomes a trend, and there's no reason to think it won't,
adware may increasingly be accompanied by credential harvesting,
in the way the ransomware is now routinely accompanied by information theft,
as well as data encryption.
Researchers at BlackBerry are describing the latest ransomware-as-a-service development, MountLocker.
The ransomware combines traditional encryption with data theft
to add more heft to the extortion and is being run in an affiliate campaign.
The researchers describe it as simple, lightweight, and efficient ransomware.
The operators work quickly against their targets,
and they appear to be gaining more criminal market share.
The U.S. Federal Communications Commission yesterday took two actions against Chinese
companies. The first requires carriers receiving federal funds to remove and replace equipment
that poses a security risk. The second begins the process of revoking China Telecom's authorization
to operate in the U.S.
As you might expect, we've been receiving a lot of notes on the pandemic's opportunities for bad actors,
common sense about shopping securely during the holidays,
and some CISA internship opportunities.
And to summarize what the social engineers are going to do, it's like this.
They'll take you to a high place, show you all the kingdoms
of the earth, and so on. That's the kind of FOMO that's been tried before. Don't let it work on you
either. That unbelievable offer of a stupendous deal if you work as a secret shopper? It may look
like a beacon of light, but trust us, it's coming from a very dark place. So beyond being taken to a high place,
expect more COVID-19 vaccine scams and more criminal collaboration.
Check Point finds that malign activity
keyed to the pandemic is assuming three general forms.
Cyber espionage directed at researchers
and pharmaceutical companies engaged in vaccine development.
Phishing and waterholing domains with a COVID-19 theme,
and finally, bare-faced scams hawking bogus treatments.
Proofpoint, for its part,
foresees more ransomware hitting cloud repositories,
the continuing threat of social engineering,
a relative abatement but not disappearance
of business email compromise,
and growing collaboration among criminal groups.
The winter holidays are upon us. Hanukkah began yesterday evening and will end next Friday evening.
Christmas is just two weeks away, so last-minute shoppers are finding time closing in on them.
RiskIQ has published its holiday e-commerce blacklist threat report for 2020.
The size of the opportunity would seem to explain why the threat is so active this time of year.
RiskIQ says that 30% of all retail sales occur between Black Friday and Christmas,
that there's a 35% rise predicted in U.S. e-commerce sales compared to last year,
probably reinforced by pandemic-driven social isolation,
and that 83% of shoppers will spend 50% of their budget online.
Finally, it's neither a trend nor a holiday security story,
but since applications close in early January, this is a seasonal story.
Students interested in an internship at the U.S. Cybersecurity and Infrastructure Security Agency may wish to explore some recently announced opportunities. The agency is offering student
trainee positions in IT management in several pay ranges. You'll find links to the job announcements,
which are too long to speak here, in today's CyberWire Daily News Briefing. You can find that
on our website, thecyberwire.com.
The jobs are open to high school students, undergraduates, and grad students.
And a tip of the hat to the folks over at Cat's Eye who tipped us off to the opportunity.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
My guest today is Nina Jankowicz, Disinformation Fellow and former Fulbright-Clinton Public Policy Fellow from the Wilson Center.
Her new book is titled How to Lose the Information War: Russia, Fake News, and the Future of Conflict.
I was living in Ukraine in 2016 and 2017 when the U.S. election was happening and all the
revelations about Russian interference in the election came to light. And I was working as a
strategic communications advisor to the foreign ministry of Ukraine under the auspices of a
Fulbright fellowship. And being there basically on the front lines of the information war, you know, Ukraine has been dealing with this stuff more
in a concentrated way since 2014 and 2013 when the Euromaidan revolution began and Russia
illegally annexed the Crimean Peninsula and invaded eastern Ukraine, the Donbass. So they're
very familiar with these tactics, as are a lot of other Central
and Eastern European nations in the Baltic states, places like Poland, the Czech Republic.
And I just felt that, you know, watching the U.S. response, which was really categorized by a lot of
hubris, you know, it was a lot of how could this have happened to us when things like this had
been happening in Central and Eastern Europe for the past 10 to 15 years, I really felt that there was a lot that we, the United States, could learn from our allies in
Central and Eastern Europe. And that's what the book looks at. Five different Central and Eastern
European countries, Estonia, the Republic of Georgia, Ukraine, Czech Republic, and Poland,
and how they responded to the threat of Russian disinformation and increasingly to the threat of domestic disinformation as well.
Well, take us through what you've outlined here.
I mean, what were some of the key ways that these nations dealt with this issue of Russian information operations?
So one of the most important things is that they all recognize that it's a problem, which I don't think that we can say for the United States, frankly. I mean, I did a hearing a couple of weeks ago for the House
Intelligence Committee and only the Democrats showed up. It was a hearing on disinformation
and conspiracy theories ahead of the election. And the Republicans just did not deign to make
an appearance. And that's very saddening to me because I've briefed Republicans on the Hill before. They care about these issues, but it has become so politicized to even talk
about disinformation, particularly in the context of Russia. And that leaves us vulnerable, frankly.
Over the past four years, we've done very little to raise the costs for actors like Russia who are
using disinformation to achieve their policy goals, to affect and
influence our political conversations. And the fact that we're allowing it to be politicized
and not even addressing the lowest hanging fruit in terms of dealing with the problem,
like transparency around political ads and mandating that through Congress, just shows
how difficult this problem is to solve when you don't recognize that it's a problem.
Are you optimistic? Do you think we have a chance at getting control over this to the point where it's, you know, not the issue that it is today?
It would be hard for me to get out of bed in the
morning if I didn't think we could do something about it. I do think that, you know, there are a
lot of things that we haven't even
entertained yet. Over the past four years, we really have not seen a good faith effort by the
U.S. government to tackle this problem. We have seen parts of the U.S. government dealing with it,
in particular, you know, the folks at the Department of Homeland Security, Cyber and
Infrastructure Security Agency have done some really valiant work, but they're a small team
and they're underfunded. There are other similar teams across the government. If we had a united strategy that
was bringing together the best brains and, you know, Russia policy, cyber policy, strategic
communications in a node in the federal government, I'd feel a lot better. But as it is right now,
we don't have that sort of joined up policy. That's a problem. The politicization of this issue, as I mentioned before, remains an impediment to creating
policy at the congressional level. And we've not seen really any sort of consensus building in the
cross-sector environment. So either between public-private partnership with the social
media platforms or bringing in civil society organizations as well who are looking out for things like rights to free speech and human rights online.
I think there are so many smart people who are working on these issues in the United States that, yes, we can absolutely make a dent.
But the reality is that we have been tardy and our responses have been, in the international realm, tertiary to a lot of what our allies are doing.
We are absolutely falling behind
and in some cases abdicating our responsibility
to the rest of the world
as the place that hosts these platforms
where so much disinformation spreads
to do something about this.
So I think the clock is ticking
and hopefully we don't tarry too much longer
because this is an issue
that is getting more concerning by the day.
Our thanks to Nina Jankowicz for joining us.
The book is titled How to Lose the Information War,
Russia, Fake News, and the Future of Conflict.
Don't forget we have extended versions of many of our CyberWire interviews
as part of CyberWire Pro.
You can find out more about that on our website, thecyberwire.com.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast.
Johannes, it's great to have you back.
Today we are talking about clipboards,
and I have to admit that I am a bit of a clipboard nerd
in that I use a clipboard manager and it has greatly enhanced my lifestyle.
So I'm very interested to hear that you have set your sights on some issues with clipboards.
What are you going to teach me today?
Yeah, that's really something our handler Rob VandenBrink has researched in detail. And that's, well, malware is actually going after your clipboard
because you have a lot of interesting things in your clipboard.
It may be passwords that you copy-paste from a password manager.
It may be an account number.
For example, there is malware that goes after crypto coin addresses and such
that you may copy-paste because they're way too long to type them directly.
And there are now a couple of ways how software is trying to prevent some of these attacks.
For example, some password managers, they'll try to clear the clipboard after you copy the password.
So you copy the password, you paste in your browser,
then the password manager deletes or erases that password from the clipboard,
which may or may not work, actually.
You're a clipboard nerd.
I'm not sure if you enabled that clipboard history feature,
which sort of gets a little bit in the way there.
Because clipboard history means, well, that cleared password is now just being added
instead of overriding the password that you have.
So it's a handy database of all the keys to my kingdom.
Exactly. And malware has certainly figured it out.
Now, from a defensive point of view, you can, of course, monitor what software is
accessing the clipboard. And iOS, Apple's operating system, has taken a little bit of the lead here.
I'm not sure if you noticed this, but in iOS 14, the latest version of iOS, you'll get a little
alert whenever some software is accessing your clipboard. Actually, I think it was LinkedIn or a couple other pieces of software
that sort of got into trouble for doing just that. They call it sort of monitoring your
clipboard, just like malware does.
Now, on other platforms like Windows and such,
of course, we don't have it in the operating system like this, but
Microsoft's Sysmon tool
actually just recently added a feature that will also monitor what software is using your clipboard.
And the nice thing with Sysmon is Sysmon is a tool that you can install on your Windows systems,
and you can tell it to report back to your security monitoring console and such, what's
happening on the system. Now, you better set up some decent rules
so you're not getting flooded with alerts. But you can
basically have it alert you centrally at the security operations
center. Hey, this is a workstation where some software is doing weird
stuff at the clipboard.
I see. That's interesting.
The clipboard manager I use in macOS,
for example,
you can disallow certain things
from being put in the history.
So you can say,
anything that comes from my password manager,
let's leave that be.
Yeah, that's a real neat feature.
Actually, I was just the other day
getting annoyed at that feature
on the MySQL database.
It does not save any command
that contains the word password in the history.
And as a Unix nerd,
always doing your cursor up,
you'd rather go 20 lines back in your history
than typing LS.
But all of the lines that contain the word password,
and this was like a database where I tracked some SSH passwords
that we had from our honeypots, so that term came up a lot.
It was a little bit annoying, but yes, that's the feature you're looking for.
You want to kind of limit what data is being sent to your clipboard.
I don't say avoid it.
You can't really avoid it because you want to have these complex passwords.
So you often do have to copy-paste it.
Right, right.
And yeah, isn't it fascinating how it's that balance, you know,
between convenience and security, right?
I mean, that's the age-old problem we've got here.
I can just have a simple password, put it on a post-it,
and you don't have that problem.
Just stick it to the bottom of your keyboard.
I don't understand what the problem is.
Yeah.
All right.
Johannes Ullrich, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast
of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
Be sure to check out
our Research Saturday program
this weekend, my interview with Craig Williams and Matt Olney from Cisco Talos
on their NotPetya and Olympic Destroyer research.
It's a good one.
That's Research Saturday.
Check it out.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Bond,
Tim Nodar,
Joe Carrigan,
Carole Theriault,
Ben Yelin,
Nick Veliky,
Gina Johnson,
Bennett Moe,
Chris Russell,
John Petrik,
Jennifer Eiben,
Rick Howard,
Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening.
See you here next week. Thank you.