CyberWire Daily - Online fraud, some targeting shoppers and investors, others going after e-commerce retailers. Updates on the cyber phases of Russia’s hybrid war.

Episode Date: December 22, 2022

The FBI warns of malicious advertising. A new gang makes an unwelcome appearance in the holiday season. Ukraine will receive more Starlink terminals after all. Cyber phases of the hybrid war: a view from Kyiv–the bears and their adjuncts are opportunistic agents of chaos. Caleb Barlow thinks boards of directors need to up their cyber security game. Our guest is AJ Nash from ZeroFox with a look at legislative restrictions on TikTok. And reports say that US National Cyber Director Chris Inglis is preparing to retire. We wish him the best of luck. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/244

Selected reading.
Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users (FBI)
A sophisticated fraud ring is waging war on commerce, using rapidly changing tactics (Signifyd)
Ukraine to Get Thousands More Starlink Antennas, Minister Says (Bloomberg)
Ukraine’s Cyber Units Aim to Retain Staff, Keep Services Stable as War Enters Year Two (Wall Street Journal)
Top Biden cybersecurity adviser to step down (CNN)
Chris Inglis to resign as national cyber director (CyberScoop)
First-ever national cyber director Chris Inglis set to retire in coming months: sources (Axios)
White House cyber adviser to resign (The Hill)
Chris Inglis, Biden's top cyber adviser, plans to leave government in coming months (POLITICO)
White House Cyber Director Chris Inglis to Step Down (Bank Info Security)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The FBI warns of malicious advertising. A new gang makes an unwelcome appearance in the holiday season. Ukraine will receive more Starlink terminals after all. Cyber phases of the hybrid war:
Starting point is 00:02:13 A view from Kyiv. The bears and their adjuncts are opportunistic agents of chaos. Caleb Barlow thinks boards of directors need to up their cybersecurity game. Our guest is A.J. Nash from ZeroFox with a look at legislative restrictions on TikTok. And reports say that U.S. National Cyber Director Chris Inglis is preparing to retire. We wish him the best of luck.
Starting point is 00:02:51 From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Thursday, December 22nd, 2022. The FBI has issued a warning that cyber criminals are actively pursuing victims by dangling malicious ads in front of them. The Bureau says cyber criminals are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information. The Bureau points out that, of course, advertising isn't necessarily or inherently nefarious, but that internet users should approach the ads their search engines deliver with the same informed skepticism they would bring to any other occasion for social engineering. Malvertising can appear in any number of contexts, of course, but the Bureau points out that the recently observed bad behavior has been connected with
Starting point is 00:03:57 financial services and often with financial services of a very particular kind. The FBI says in its warning, these advertisements have also been used to impersonate websites involved in finances, particularly cryptocurrency exchange platforms. These malicious sites appear to be real exchange platforms and prompt users to enter login credentials and financial information, giving criminal actors access to steal funds.
Starting point is 00:04:27 So there you go. The Bureau doesn't say so, but we will. There's nothing inherently nefarious about cryptocurrencies, nor is there in principle anything dicey, shady, or loosey-goosey about the exchanges on which such currencies are traded. Whatever the mistakes allegedly made, for example, in the FTX affair, you know, the ones that cut Mr. Bankman-Fried's stay in the Bahamas short, that doesn't mean that all such exchanges and speculation are necessarily crooked or foolhardy. But don't get caught up in the mania. There was nothing inherently nefarious about tulip bulbs in the 1630s either, but that didn't keep a lot of good Dutch burghers from losing their shirts speculating on flowers. The FBI offers advice for individuals. Check URLs, consider using an ad blocker,
Starting point is 00:05:16 and if you know a firm's URL, consider typing that instead of searching for the company by name. The Bureau also has some tips for businesses. Use domain protection services and educate your users. So as the madmen of Madison Avenue used to say back in the day, it pays to advertise, and the criminals know this too. Recognizing fraud gets easier when you know that the crooks are buying search engine ads to push their schemes. The fraud the FBI's warning against threatens individuals seeking to make online trades or purchases. There are also threats to businesses engaged in e-commerce.
Starting point is 00:05:56 Security firm Signifyd reported this morning that a new cybercriminal gang has made an appearance during the holiday season. The firm's research indicates that the gang, which appears to be based in Southeast Asia, made a tentative appearance almost a year ago, but hit with full force last month. So the earlier attempts at fraud were self-consciously trial runs and reconnaissance, Signifyd thinks. It seems to be a patient, confident, and well-organized retail fraud operation established to bilk online retailers. The unnamed group made off with an estimated $660 million in stolen laptops, cell phones, computer chips, gaming devices,
Starting point is 00:06:39 and other goods in the month of November alone. The threat is immediately to e-commerce retailers, only secondarily to consumers. So, as the holidays have a couple of weeks, more or less, to run, keep your guard up, online merchants. Potential difficulties now resolved. Ukraine says, according to Bloomberg, that it will receive more than 10,000 additional Starlink terminals from SpaceX over the next few months. SpaceX founder Elon Musk had said some things at the end of October that suggested Starlink's service to Ukraine might prove too expensive to continue. But those issues have now apparently been addressed.
Starting point is 00:07:25 Starlink has been important in restoring and maintaining Ukraine's internet connectivity, briefly disrupted during the opening days of Russia's war. The resilience the satellite-based communications system offers has been of significant value to Ukraine under wartime conditions. Victor Zhora, Deputy Chief of Ukraine's State Service of Special Communications and Information Protection, spoke at length with the Wall Street Journal about the state of cyber operations in the present war. Zhora said, We are facing tens of cyber incidents daily. That means that they have a lot of resources, that they are seeking opportunities every day.
Starting point is 00:08:03 Their strategy is seeking vulnerabilities, is providing attempts to gain persistence in networks, attempts to exfiltrate data, attempts to disrupt services in Ukrainian government entities, the telecom sector, critical information infrastructure, and seeking impact that they can bring to all the infrastructure. It's a strategy of opportunistic attacks seeking to induce chaos in the target. Zhora says, that's the strategy, an opportunistic strategy, a chaotic strategy,
Starting point is 00:08:33 but a strategy that is focused on harming Ukraine, on bringing impact to our economy, to our infrastructures, to our everyday life, and to our resilience. And finally, CNN reports that Chris Inglis, who since July of 2021 has served as U.S. National Cyber Director, will leave his post in the next few months. He's the first to hold the position, which the administration created last year,
Starting point is 00:09:01 and his intention is to retire. We wish him all the best in his final weeks on the job, hope he enjoys a long and happy retirement, and we thank him for his service, not only in the White House, but in the years he spent at NSA before that. Coming up after the break, Caleb Barlow thinks boards of directors need to up their cybersecurity game. Our guest is A.J. Nash from ZeroFox with a look at legislative restrictions on TikTok. Stick around.
Starting point is 00:09:51 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:10:32 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover
Starting point is 00:11:22 they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. The popular social media platform TikTok continues to draw scrutiny from U.S. legislators primarily over concerns of Chinese ownership of the platform and the potential security implications that come from that. Several U.S. states have banned the TikTok app from government devices, and it looks like the feds are following suit. For more on this story, I checked in with A.J. Nash, vice president and distinguished fellow of intelligence at ZeroFox. There are 19 states now that have at least partially blocked access to TikTok on government endpoints, government computers.
Starting point is 00:12:18 I think there's actually 20 states. I think Indiana has a lawsuit. West Virginia and Louisiana were the last two to just join. I saw Washington might be next up, so it's going to continue, I think, on the state sides. From the federal standpoint, as you said, the federal government has a ban. In fact, they just shoved that into the $1.7 trillion omnibus funding bill. So it's pretty well accepted as a bipartisan challenge. So I think that's going to pass through because certainly the funding will anyway. And I don't see this getting cut out or argued about.
Starting point is 00:12:46 This has been brewing for a while. You have a company that's based in China that owns this technology. And there really isn't, Chinese private enterprise isn't like U.S. or Western private enterprise. The separation between business and government isn't the same. Chinese companies can be compelled to cooperate with the government, assuming they don't do it of their own free will anyway. So the risk is pretty high, and this is a massive platform with a lot of content that is almost certainly available to Beijing,
Starting point is 00:13:23 to the Chinese government. From your perspective there with your colleagues at ZeroFox, what are the legitimate concerns about TikTok in terms of the information it gathers, both overtly and behind the scenes? Yeah, it's probably the biggest question, you know, I get asked right now, or we all, I think, in the industry are being asked is, why does this matter? What is TikTok's threat? What does it do? And there's a subtle piece to this that people don't necessarily gather. TikTok can be used as a massive collection platform for personal information, for interests, for pattern of life analysis. It gets into
Starting point is 00:14:00 all sorts of sentiment analysis. The Chinese government has invested a lot of time, energy, and money in big data processing, and this is another big data capability. So if you can bring all of that content in, you're able to analyze that and understand what's popular, what's trending, or what is likely to trend, for instance. That can be used for sentiment manipulation. Popular opinion can be changed through social media. Also, again, you can collect against just understanding what are the trends in marketing? What are the trends in brand? What might be readiness for
Starting point is 00:14:39 military? We have military folks that have been in TikTok. There's so many aspects of collection that come into play with a platform like this. When you think of it in the macro scale, most of us think of us the way we think of ourselves. Well, I'm not doing anything very interesting. I'm just posting a video here or I want to just put my art there. And not necessarily understanding the larger scale impact as it relates to your workplace, as it relates to your institution of education, or any of those other factors. But to me, the biggest piece comes down to two pieces, I guess. It comes down to the ability
Starting point is 00:15:12 to collect just a vast amount of content, again, about trends, about personal information, about perhaps business information, and the ability to influence, which I happen to think is incredibly concerning right now, and I think the government does as well. We've seen a lot of influence campaigns over the last, boy, I don't know, at least six years or so publicly talked about, influencing how people think about vaccines, how people think about elections, how people think about, geez, just about anything, right? So the ability to have a platform, to control a platform that can control the message in subtle ways that may not be noticed is remarkably concerning.
Starting point is 00:15:50 Now, the folks who run TikTok are saying that there's a lot of misinformation about what they do and how they do it, and that they've put up their own firewalls to prevent China from demanding this information. Do those arguments hold any water? Well, I don't have a great deal of faith in those arguments personally, and neither does our government apparently based on what we're going forth with. I think the challenge we have, and this isn't about trying to demonize anybody, and this is one of the concerns we have in this country whenever we talk about foreign countries and their governments and how they do things, is this demonization. That's not the point. China just does things differently. Their government is structured differently. Their culture is structured differently, and they have different sets of standards. Whether that's
Starting point is 00:16:33 right or wrong is a totally different discussion, but in China the understanding has been for a long time that there really are no abilities to create firewalls. Companies who decide they want to go against the Chinese government, those leaders don't end up running those companies much longer. So I appreciate what the leadership for this company is saying, and I understand the position. It's certainly a strong business position to take. But no, I don't happen to believe that there's the ability
Starting point is 00:17:01 to withstand government intervention. In fact, it's written directly into the laws in China that the Chinese government can demand this content. So my assumption, and I think our government's assumption, is that this information goes to Beijing. How much do you think this is going to matter, the banning of TikTok on the devices of folks in the government, at the state level, at the federal level?
Starting point is 00:17:23 It's still presumably going to be as popular as ever for consumers. Yeah, I think that's true. I think, you know, this is a good symbolic gesture. I think it's important. But frankly, TikTok probably shouldn't have been on any of these devices to begin with. You know, there would be few, if any, people within government agencies who would have an official need to be using TikTok. And if you don't have an official need for anything, any technology, it shouldn't be on the device when
Starting point is 00:17:49 you're talking about government, state or federal government. So I would imagine in most cases, these already didn't exist. For those who've had TikTok on their endpoints, on their phones or on their computers, chances are they were doing it in violation of some policy anyway, and they'll just be rooted out. So I don't think it's going to have a massive impact in that regard. I think you're right. I think hundreds of millions of people use this platform in private lives and will continue to. I do think this can create the next step, though. If you see governments start taking these actions, then you could be looking at private companies say, well, we should probably follow suit. There's a reason to believe there's a risk. So you'll see private companies start to take this action. And then the question becomes, how far do you project that out? Can a
Starting point is 00:18:28 private company have a policy about how their employees interact or work within social media, which I think we've proven that is absolutely possible to do. So I think we're going to see this continue to grow. And that's where I believe the impact will come, is when we see the government, if we see private enterprise, start having policies about how their own employees are able to interact on social media in places like TikTok. And they may well be banned from having any reference to the company within TikTok. And that could open up all sorts of other discussions. That's A.J. Nash from ZeroFox. And I'm pleased to be joined once again by Caleb Barlow. He is the founder and CEO at Cylete.
Starting point is 00:19:19 Caleb, it's always great to welcome you back to the show. Something you and I have talked about in the past is the positions of boards of directors and the degree to which they have expertise in cybersecurity. Where do you suppose we stand now? Well, let's talk about this in the context of a public company, Dave. And this topic comes up about every six months. The Securities and Exchange Commission weighed on this issue earlier in the year by proposing new rules for public companies and how they oversee cybersecurity. There's even a bill in Congress that's proposed a similar rule.
Starting point is 00:19:54 And the idea being that various regulators are saying, hey, boards of directors need to have someone on the board with cybersecurity expertise. And at first blush, this sounds like a really good idea. And I think it is. But we as the cybersecurity industry have probably got to start stepping up our game to both be prepared for this, but also to help define what is an acceptable skill as cybersecurity expertise. And what's interesting, when you talk with boards, you hear all kinds of crazy stuff about how somebody had, oh, well, we had a breach in my past company, so I have cybersecurity expertise. Oh, I see. Really? You have expertise as a victim. That's probably not ideal, right? Right. It's like saying, I was in a plane crash, so I can fly the plane.
Starting point is 00:20:46 Right, right. Yeah. So there is an analog here, which is really how financial expertise, which is also required on a board of directors, is structured and the structure of the audit committee. So the basic idea is that a board needs to have independent board members. So key word here, independent, meaning that they're not part of the company's management, that has financial expertise. So this would typically be somebody that's maybe a CFO or a retired CFO at another company. In addition to that, there's an audit committee. And, you know, so that is, again, a committee of the independent board, typically with more than one person that has financial expertise that is supplemented with, you know, a company
Starting point is 00:21:31 that's doing the audit. Well, think of the analog in a cybersecurity company. You probably have a third-party assessor that is kind of equivalent to that audit that is evaluating the company and providing advice and guidance. And they're probably now reporting that in and are hired by the board versus hired by the CISO. But that individual with cybersecurity expertise is probably a CISO in another company and or a retired CISO or maybe somebody with prior law enforcement experience or investigative experience.
Starting point is 00:22:07 We've got to start seeing that those skills step up, but it's going to mean that we've got to do some things as a community to up our skills. Well, so what does the vetting process look like then, ideally? Well, the first thing to understand about corporate boards is there's definitely a demographic. And unfortunately, cybersecurity is going to break this demographic, right? If we look at who's on boards, it's typically people 50 plus that are either retired or near retirement and have lots of expertise. That's why you want them on your board, right? Well, guess what? Anybody over 50 didn't grow up. Nobody over 50 went to school and studied cybersecurity. This is too new of a field.
Starting point is 00:22:47 So now, granted, there's plenty of 50-year-olds that have migrated into it. But I think the reality here is the first thing we have to recognize is boards are going to have to start getting comfortable bringing some talent onto the board that's probably significantly younger than a lot of the board members, which also probably means they're still in the middle of their career, which is also very different than what you have on boards. But as a community, we're going to need to start stepping up our skills because the language and discussion at a board level and the expectations of someone at a board is totally different than what you would see in a management meeting, right? You're there to guide and advise, not to run the company.
Starting point is 00:23:31 And that's a very different set of skills than, you know, a lot of CISOs out there have today. Well, help me understand. So should we be looking for board members for whom their primary role is to be the cyber person? Or are we looking for board members who we bring in for other reasons, but who have a certain degree of cyber knowledge as well? Well, let's think of it in terms of how the governance flows. Now, governance is a key word here because that's what a board does, is provides governance. So when the CFO prepares the financial statement for the company, they prepare it. It's evaluated by a third-party auditor. They present it to the
Starting point is 00:24:12 audit committee. The audit committee asks questions. And more often than not, the audit committee may have directions that they want the CFO to take in terms of how specific costs may be evaluated, moving specific funds around, what level of cash we maintain at the company. Those discussions are going to occur at the board level. They're collaborative, but at the end of the day, they're a top-down discussion from the board where the board is ultimately deciding on the strategy and the CFO is an instrumental part of defining that as well, but the CFO is executing it, right? Now let's contrast that with the discussion that occurs today with your average CISO walking into a board meeting. The CISO walks into the board meeting and explains the cybersecurity posture of the company and is educating the board.
Starting point is 00:25:03 The board, without the cybersecurity expertise, has no idea, more often than not, what in the world the CISO is talking about, and they're getting educated by the CISO. So the board is making really a decision of, do I trust this individual in their judgment or not? Which is fine, but they're not able to approach the question, they're not able to approach the data that they're being fed inquisitively, ask questions from their own experience, and give maybe unique and different direction. And that's where we have a governance breakdown more often than not on corporate boards. Now, it doesn't mean the CISO is not doing a great job. What it means is that the board doesn't know whether the CISO is doing a great job or not.
Starting point is 00:25:50 So what's the solution then, ideally? How do we handle this? It's really simple, right? I think we've got to do a couple of things. One, if you're a CEO at a public company, you need to be bringing your CISO into more board meetings than you do. And look, people like to keep those conversations tight to a limited audience. But the fact of the matter is that CISO has got to start to learn the language of the board, how that conversation occurs, what the expectations are, what board members want to see. And the only way that's going to occur is by being in the room. What that also means is the CISO has got to start to listen to those conversations and leverage every opportunity they get to sit on boards. And then, you know, as board chairmen,
Starting point is 00:26:36 you've got to kind of put aside the past demographics of who you typically have on your board and start reaching out and bringing in CISOs from other companies, from other industries, from law enforcement, et cetera, onto your boards and expecting them to have an integral interaction in those board conversations. Yeah. All right. Well, Caleb Barlow, thanks for joining us. Thank you. thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Starting point is 00:27:59 And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Jennifer Iben, Rick Howard, Peter Kilpie, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. AI, and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:29:31 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's
