CyberWire Daily - Patch Exchange already, will ya? GoldenSpy lurks in tax software Chinese banks prefer their foreign clients to use. Magecart gets cleverer. Another unsecured AWS S3 bucket, and this one’s not funny.
Episode Date: June 26, 2020
Microsoft urges Exchange server patching. Sure it does your taxes, but it's got another agenda, too: the GoldenSpy backdoor may be in your tax software if you do business in China. Magecart ups its game. DDoSecrets says they're not going to roll over for Twitter's "Nixonian" schtick. Camille Stewart from Google and Lauren Zabierek from Harvard's Belfer Center on the #Sharethemicincyber event and why systemic racism is a threat to cybersecurity. Rick Howard wraps up cybersecurity canon week with guests Richard Clarke and Robert Knake, authors of The Fifth Domain. And there's another unsecured Amazon S3 bucket, and this exposure could present a serious risk to some people who already have trouble enough. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/124 - More info on the #Sharethemicincyber event. - Camille Stewart's essay on systemic racism in cyber.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Microsoft urges exchange server patching.
Sure, it does your taxes, but it's got another agenda, too.
The GoldenSpy backdoor may be in your tax software if you do business in China.
Magecart ups its game.
DDoSecrets says they're not going to roll over for Twitter's Nixonian shtick.
Camille Stewart from Google and Lauren Zabierek from Harvard's Belfer Center
on the Share the Mic in Cyber event
and why systemic racism is a threat to cybersecurity.
Rick Howard wraps up Cybersecurity Canon Week
with guests Richard Clarke and Robert Knake,
authors of The Fifth Domain.
And there's another unsecured Amazon S3 bucket,
and this exposure could present a serious risk
to some people who've already had trouble
enough. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Friday, June 26, 2020. Microsoft continues to urge users of its Exchange email servers to patch and bring them up to date.
A known, and it's worth emphasizing, patched vulnerability, CVE-2020-0688,
has been under active exploitation by nation-state intelligence services since April.
As ZDNet asks, why would any intelligence service worthy of its trench coats,
we paraphrase and mix many
metaphors, burn a zero day when they could just waltz in through a known hole? Here's a rundown
of what you might be in for if you use Exchange and figure, hey, patch, smatch, I've got other
things to do. First, the older versions of Exchange didn't create a unique crypto key for
the control panel,
which means that those versions used identical validation and decryption keys in their control panel's backend.
Malformed requests to the Exchange control panel containing malicious serialized data can be unserialized,
enabling the malicious code to run on a server's backend,
and that code runs with system privileges,
which lets attackers do pretty much whatever they want.
So take a minute, spend a buck, and patch Exchange.
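The chain the briefing describes (a key shared across installs, a forged message that passes the integrity check, and a deserializer that instantiates whatever the message names) can be seen in miniature in the following Python. This is an added example, not Exchange code, Microsoft code or anything from the episode: HMAC over a pickle stands in for the ASP.NET ViewState MAC, the key value and the Gadget class are invented, and the "attacker code" does nothing but record that it ran.

```python
import hmac
import hashlib
import json
import os
import pickle

# Added example: a Python stand-in for the mechanism described in the briefing.
# This is NOT Exchange or Microsoft code; the key value, class names and the
# "gadget" below are invented for illustration.

TAG_LEN = hashlib.sha256().digest_size

# Pre-patch situation in miniature: every install shares the same MAC key, so an
# attacker who has studied one install knows the key for all of them.
SHARED_INSTALL_KEY = b"identical-on-every-install"

EXECUTED = []  # records whether the "malicious" object's code ran


def sign(key, payload):
    """Append an HMAC over the payload, as a ViewState MAC would."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify(key, blob):
    """Return the payload if the MAC checks out; otherwise refuse it."""
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad MAC")
    return payload


def record_execution(marker):
    """Stands in for arbitrary attacker code; only records that it ran."""
    EXECUTED.append(marker)
    return marker


class Gadget:
    """Serialized object whose deserialization calls a function of our choosing."""
    def __reduce__(self):
        return (record_execution, ("gadget ran",))


def server_unpatched(key, blob):
    """MAC check, then unserialize arbitrary types (pickle here, a type-carrying
    serializer in the real case). A valid MAC is taken as proof of trust."""
    return pickle.loads(verify(key, blob))


def server_hardened(key, blob):
    """MAC check, then a data-only format that cannot instantiate types."""
    return json.loads(verify(key, blob))


def attacker_forge(known_key):
    """With the key in hand, the attacker signs a malicious payload himself."""
    return sign(known_key, pickle.dumps(Gadget()))


def run_demo():
    results = {}
    forged = attacker_forge(SHARED_INSTALL_KEY)

    # 1. Shared key + type-carrying deserialization: the forged blob passes
    #    the MAC check and the gadget runs on the server.
    EXECUTED.clear()
    server_unpatched(SHARED_INSTALL_KEY, forged)
    results["shared_key_unpatched"] = "gadget ran" if EXECUTED else "no execution"

    # 2. Same server, but this install generated its own random key (what the
    #    patch supplies): the attacker's MAC no longer verifies, nothing is unserialized.
    EXECUTED.clear()
    unique_key = os.urandom(32)
    try:
        server_unpatched(unique_key, forged)
        results["unique_key_unpatched"] = "gadget ran"
    except ValueError:
        results["unique_key_unpatched"] = "rejected: bad MAC"

    # 3. Defence in depth: even if the attacker somehow knows the key, a
    #    data-only format cannot carry a gadget (json rejects the pickle bytes).
    EXECUTED.clear()
    try:
        server_hardened(unique_key, attacker_forge(unique_key))
        results["known_key_hardened"] = "gadget ran"
    except ValueError:
        results["known_key_hardened"] = "gadget ran" if EXECUTED else "rejected: not valid data"
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:24s} {outcome}")
```

Cases 2 and 3 correspond to the two fixes a practitioner should want: a per-install random key is what the patch provides, and refusing to unserialize type-carrying data is the defence that still holds if a key ever leaks.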
Security firm Trustwave says it's found a new malware family, GoldenSpy,
embedded in tax software that companies doing business in China
have been required by their Chinese bank to install.
It does the taxes. It also opens a system-level backdoor.
Trustwave found the malware in the course of doing some threat hunting for a client that had recently opened some offices in China.
Their local bank had required them to install a software package, Intelligent Tax, produced by the Golden Tax Department of Aisino Corporation.
Here's some of the suspicious behavior that led Trustwave to classify GoldenSpy as malware.
First, it installs two identical versions of itself, both as persistent autostart systems.
If one stops running, its twin starts, and if one is deleted, the twin promptly downloads another copy.
Second, while there's an uninstall option for Intelligent Tax that actually does uninstall Intelligent Tax,
that option leaves GoldenSpy untouched, even after Intelligent Tax is nothing more than a memory.
Third, GoldenSpy isn't downloaded and installed at the same time as Intelligent Tax.
It waits two hours and then quietly downloads and installs itself without presenting any
notification on the affected system. There's no obvious purpose for such a delayed, no-notice
installation other than a desire to escape the target's attention to fly under the radar.
Fourth, when GoldenSpy talks, it doesn't talk
to the Intelligent Tax network infrastructure. Instead, it chatters to a domain that hosts
other variants of GoldenSpy. It makes three attempts to contact its command and control
server and then randomizes its beaconing times. As Trustwave points out, that's a known way of
steering clear of detection by security technologies installed to detect beaconing malware.
Finally, and most damningly, GoldenSpy operates with system-level privileges, which means it could be used to do, well, practically anything.
Install new malware, prepare reconnaissance, escalate privileges, create new users, and so on.
So sure, Intelligent Tax will do your taxes,
but GoldenSpy is the kind of gravy you probably don't want slathered over your enterprise.
Ask your bank exactly why they insist on this particular software.
We note in passing that tax preparation software has carried some bad mojo in the past.
It's an unrelated incident, but do recall that M.E.Doc, a tax prep solution widely used in Ukraine, was compromised to serve as the vector of NotPetya. Accountants, look to your tools.
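The detection point Trustwave makes about GoldenSpy's randomized beaconing can be shown with a small Python script. It is an added example, not from the episode or from Trustwave's report; the connection log is constructed (one host, one day, documentation-range IP addresses), and the thresholds are assumptions a real deployment would tune. A check that looks only for near-constant intervals catches the fixed-interval beacon and misses the jittered one, while a check on how persistently a destination is contacted, combined with a bounded spread of gaps, catches both and leaves the bursty user traffic alone.

```python
import math
import random
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Added example, not from the episode or Trustwave's report. All log lines are
# constructed; the IP addresses are documentation ranges, not real infrastructure.
# Thresholds (max_cv, min_persistence, max_spread) are assumptions to be tuned.

WINDOW_START = datetime(2020, 6, 25, 0, 0, tzinfo=timezone.utc)
WINDOW_HOURS = 24


def make_log():
    """Build one day of outbound-connection records for a single host."""
    rng = random.Random(7)  # fixed seed so the output is reproducible
    rows = []

    def emit(t, dst):
        rows.append(f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} 10.0.0.5 {dst} 443")

    # Beacon A: fixed 300-second interval, the textbook case.
    t = WINDOW_START
    while t < WINDOW_START + timedelta(hours=WINDOW_HOURS):
        emit(t, "203.0.113.10")
        t += timedelta(seconds=300)

    # Beacon B: same order of magnitude, but each sleep is jittered by up to 40%.
    t = WINDOW_START + timedelta(seconds=17)
    while t < WINDOW_START + timedelta(hours=WINDOW_HOURS):
        emit(t, "198.51.100.20")
        t += timedelta(seconds=rng.uniform(180, 420))

    # Ordinary user traffic: a few bursts during the working day, nothing at night.
    for hour, minute in [(9, 0), (9, 1), (9, 3), (13, 0), (13, 2), (16, 30)]:
        emit(WINDOW_START + timedelta(hours=hour, minutes=minute), "192.0.2.80")
    return rows


def parse(rows):
    """Group timestamps by (src, dst). Record format: ISO time, src, dst, dst port."""
    flows = defaultdict(list)
    for line in rows:
        ts, src, dst, _port = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows[(src, dst)].append(when)
    for times in flows.values():
        times.sort()
    return flows


def intervals(times):
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def naive_regular_beacon(times, max_cv=0.1):
    """Flag only if inter-arrival times are nearly constant (std/mean < max_cv)."""
    gaps = intervals(times)
    if len(gaps) < 5:
        return False
    mean = sum(gaps) / len(gaps)
    std = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
    return std / mean < max_cv


def persistent_beacon(times, min_persistence=0.9, max_spread=3.0):
    """Flag if the destination is contacted in nearly every hourly bucket of the
    window and the gaps stay within a bounded band (max gap / min gap <= max_spread).
    Jitter changes neither property; bursty human browsing fails both."""
    gaps = intervals(times)
    if len(gaps) < 5:
        return False
    buckets = {int((t - WINDOW_START).total_seconds() // 3600) for t in times}
    persistence = len(buckets) / WINDOW_HOURS
    return persistence >= min_persistence and max(gaps) / min(gaps) <= max_spread


def analyse(rows):
    """Return {dst: (naive_flag, persistent_flag)} for every destination seen."""
    return {dst: (naive_regular_beacon(times), persistent_beacon(times))
            for (_src, dst), times in parse(rows).items()}


if __name__ == "__main__":
    for dst, (naive, persistent) in analyse(make_log()).items():
        print(f"{dst:16s} naive={naive!s:5s} persistent={persistent}")
```

The persistence check works because jitter moves individual connections around but never stops the implant from checking in every hour; the spread bound keeps a destination that is visited in nearly every hour but at wildly varying gaps (a busy CDN, say) from being flagged on persistence alone.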
A Malwarebytes report describes how Magecart operators have improved their game.
the paycard skimming malware is now being hidden in EXIF metadata of image files.
There are several criminal gangs known to use Magecart. This particular upgrade appears to be the work of Magecart Group 9.
The extortionists who compromised Indiabulls have made good on their threat
to begin releasing data if the company didn't pay the ransom.
The Hindustan Times reports that the first tranche of company information has been leaked.
Where do vulnerabilities come from?
Mostly, according to Snyk's study of open-source software security, from indirect dependencies.
Twitter may have banned DDoSecrets after the BlueLeaks information dump,
but DDoSecrets rejects what they call the social platform's unexpectedly Nixonian move,
and the group tells Wired they'll be looking for other venues in which to post whatever they come up with in the future.
And finally, researchers at vpnMentor have discovered another unsecured database,
and this one is particularly nasty in its potential implications.
A domestic violence prevention app, Aspire News app,
built with what seemed to be intelligent good intentions
by a U.S.-Georgia-based not-for-profit
called When Georgia Smiled.
The idea was to provide emergency services
for victims of domestic abuse.
Those included not only a help section
with links to various resources,
but also a function that enabled users
to send emergency distress messages to a trusted contact person. The app looks like an ordinary news app,
presumably the better to escape the notice of an abuser, should the abuser paw through the victim's
phone. Among the ways that distress signal could be sent is a voice recording that gives the
victim's details, home address,
the nature of their emergency, and their current location. There were some 4,000 voice recordings left accessible to the internet on a misconfigured AWS S3 bucket. TechCrunch independently verified
the data exposure and noted that When Georgia Smiled, the not-for-profit behind the Aspire News app, was founded, backed, and promoted by Robin McGraw and her husband, Dr. Phil McGraw.
When Georgia Smiled secured the S3 bucket on June 24,
the same day both vpnMentor and Amazon Web Services told them about it.
Neither CBS nor the Dr. Phil Foundation responded to TechCrunch's requests for comment.
How one would disclose this data exposure to users without further endangering them is a touchy question,
because the usual forms of notification could easily place these users at risk.
TechCrunch wrote,
Given the sensitivity of the data, we did not reach out to app users for fear that it would compromise their safety.
Instead, they downloaded the app themselves, recorded a short snippet, and found that indeed
it was out there in the cloud for those who might be looking to find it. As Dr. Phil has said,
there are some sick people in this world, and let's all be careful that we don't inadvertently
abet them.
All week, our own Rick Howard has been interviewing the winners of this year's Cybersecurity Canon Awards, which recognizes the must-read books in the cybersecurity space.
This last interview is special.
Not only are the authors getting inducted, but they've also been selected as Lifetime Achievement Authors.
The book is The Fifth Domain,
and the authors are Richard Clarke and Robert Knake.
Richard Clark gets us started.
Thank you.
We wrote the two books about nine or ten years apart,
and the first book was a great success,
widely read and widely criticized at the time when it came out, criticized as being too alarmist.
And the reason we wrote the second one, 10 Years On, and I think Rob would agree with this, is that 10 years on, it doesn't seem alarmist at all.
10 years on, most of what we said would happen has happened.
Cyber war is a regular way of life. It is a regular phenomenon. Nation states have cyber commands. They attack
critical infrastructure. All of that came true. So we wrote the book to say, no, no,
no, no, no, no, we were right. That's always good to be able to do that. But also to confess that we were wrong
because we said then no company can defend itself successfully. And I think what we document in
the fifth domain is that some companies are successfully defending themselves. And we wanted
to describe what those companies were doing that other companies were not.
So Robert, let's get you in here.
You guys published a book last summer.
How's the feedback been?
What are you getting from all your peers?
I think it's been really good.
I think it's the book that many of my colleagues in government
wanted to write, that it sort of captured
a lot of the thinking.
And I try and credit as many of them
as we can both directly and in the acknowledgments.
Sort of the thinking on what we were trying
to do during the Obama years in terms of moving cybersecurity
forward and having a vision for spreading the message
that cybersecurity is actually possible,
that the defeatist attitude
that many take in the field wasn't helping, and that the ideas of active defense, of threat
hunting, of using the kill chain, that these are models that can actually defeat even the best
adversaries, even the most tenacious adversaries. And so I think it captured a lot of what many
people were saying, yes, this is the moment.
What we need now isn't necessarily to reinvent all the technologies in the stack.
We need to acknowledge that what we need is motivation, investment, incentives.
And if we can get those things right,
we can get on a cycle of perpetually improving cybersecurity
and stay one step ahead of our adversaries.
And so I think it's generally been very positively received in the peer community.
It was definitely well received by the Canon community.
We all loved it.
About half of us read it and couldn't wait to get it on the Hall of Fame list.
And I could literally spend the next seven hours talking to you guys about all the things
you mentioned in the book.
But we are here because of the pandemic,
and this interview is a proxy for your acceptance speech
of the Canon Hall of Fame Award, the Lifetime Achievement Award.
So, Dick, any last words you want to say along those lines,
and then we'll go to Robert.
Well, Lifetime Achievement Awards are usually given to somebody my age,
so I don't know why Rob's getting one.
I'll say this.
Thank you. It's meaningful for both of us. It's meaningful to get the recognition. I think what we stand for is our history, Rob's history and
mine. We both worked in the White House on policy. We both worked in the private sector,
both with cybersecurity companies and with companies that buy those products.
And what we took away from all of that experience
is it takes a partnership of all of those,
of the cybersecurity companies,
of the companies that need to be defended,
and most importantly, of the government.
And let's hope that next year,
we have a government that will get back
into the business at the policy level. Robert, how about you?
Well, I think for me, it's just a tremendous honor to be recognized along with Dick and with all the
other inductees into the Hall of Fame. It's an incredible group of experts and practitioners.
And so I'm just honored to have my name included
with them. So the two books are The Fifth Domain and Cyberwar, The Next Threat to National Security
and What to Do About It. And now these two authors are officially inducted into the Cybersecurity
Hall of Fame as lifetime achievers. So congratulations, you guys, and thanks for being on the show.
That was the CyberWire's Rick Howard speaking with authors Richard Clarke and Robert Knake.
The book is The Fifth Domain.
Be sure to check out all of the winners of this year's Cybersecurity Canon Awards.
You can find them online.
Just do a search for Cybersecurity Canon.
It's my pleasure to welcome to the show Camille Stewart from Google and Lauren Zabierek from Harvard's Belfer Center.
We're going to be talking about ways in which voices not always heard in the security community and the business sector that support it might be better heard.
They're both involved with the Share the Mic in Cyber event,
which they hope will address some of the systematic oversights that can persist undetected.
I saw the Share the Mic Now campaign on Instagram,
and Lauren saw it as well, and I sent out a tweet.
I just was excited about this movement to create space
and elevate voices in different spaces. And so I put out a tweet
asking folks if they would be interested in seeing this happen in cybersecurity and national security.
And Lauren quickly responded and said she'd been thinking of the same thing,
had actually reached out to another colleague to explore the idea. And we connected offline
and decided to bring Share the Mic in Cyber
to the cybersecurity community. And so Lauren, what are you hoping to get out of this? At the
end of the day, what do you want people to walk away with? I would love for two things to come
out of this. So first, I really want the community to come together. I'll be honest, I was not really aware of all the different practitioners within the cyber community and just reviewing everybody's profile. I've been so blown away by everyone. get those people to a different platform and, you know, perhaps even give them, you know,
more opportunities, I think would be incredible. So bring the community together and then providing
that platform for people and who knows, maybe something amazing can come out of it.
Camille, what are your thoughts on that?
So both of those things, I hope this is a catalyst. I hope that what we see from this is not
just a connection between two people for a day on Twitter or LinkedIn. I hope we see this be the
start of a relationship between the pairs, the start of our audience, everyone who's been engaged
in the campaign following new voices. I hope it yields career changes and opportunities. And I just hope it
catalyzes consciousness in our community, in our sector about race issues, about the fact that,
yes, there is a pipeline issue, but there are already a number of really talented folks,
Black folks, but of all races and walks of life and sexual orientations, etc., who are already working in this space and could benefit from platform, could benefit from, you know, connections, new job opportunities, all the things that help us all move forward in our careers.
And so I hope this yields folks being a little bit more intentional about how they engage and how they build out their networks.
So I want to switch gears here and talk about your recent article that was published by the Council on Foreign Relations, and it's titled Systemic Racism is a Cybersecurity
Threat.
Camille, what prompted you to write the article?
So in the wake of George Floyd, Ahmaud Arbery, Breonna Taylor, and all the other Black Americans being killed,
I, like many of us, had a strong emotional reaction, but also a strong intellectual reaction.
I have long talked about the intersection of race and misinformation, disinformation,
disinformation and long understood how systemic racism, overt racism, and race weave into foreign policy and national security and carry that with me in the work I do and talk to a lot of folks
about that work. But I had never quite articulated it in the cyber security space. Although I was
doing that work, I felt like it was important to make that connection for people. So for the people who felt like this was a social issue or a domestic issue separated from national security issues, or even if they understood intellectually that maybe it was a national security issue, but maybe didn't think it was a technical issue or a cybersecurity issue, I wanted to make that direct connection for folks and start to pull out areas beyond just misinformation,
disinformation, because I think that is probably one of the few places folks recognize it, that
in workforce, that cybersecurity is truly a threat to any mitigation we could put in place and how we
mobilize technology in our society. What's your hope coming out of this? if we're able to take advantage of this moment to use it as a catalyst
for positive change, how do you hope things will be different or better in the future?
The most ambitious me hopes we dismantle systemic racism. The more pragmatic me is hoping that
we have an industry and just a workforce in general that is more
conscious of how systemic racism interacts with their work and is more action-oriented
in being anti-racist.
Not just not being racist, but being anti-racist.
So being an active advocate for your peers, being thoughtful and intentional about how
you include diverse voices and build teams, about thinking about how you recruit talent and how different
experiences might yield a similar or complementary result, but may not translate in the same
way as you're used to on paper, how people ingest information and then reflect that back
to you.
Just being more open to the differences in the lived experiences of folks who are in your space and how you can be an advocate for them, how you can help amplify them,
how you can give them a platform to do the thing that they already wanted to do.
And one big thing is just because it's not something that's affecting you,
but if you hear your colleagues say this system, this program, this event, et cetera, has these
disparate outcomes or is offensive, stand with your colleague, right? It might not be happening
to you, but obviously it's important for them to bring it up. Your colleagues who are othered in some way, whether they're a minority
or have a different sexual orientation, et cetera, don't bring things up that intersect
with that lightly. So for them to say, I'm underleveled because I'm X, or this program
is offensive because of Y, that took a lot for them to say it. And you should listen to that.
Our thanks to Camille Stewart from Google
and Lauren Zabierek from Harvard's Belfer Center
for joining us.
There is much more to my conversation
with Camille Stewart and Lauren Zabierek.
We'll have a complete version of our interview
here in our CyberWire podcast feed.
If you're on Twitter, check out hashtag
share the mic in cyber.
I'm pleased to have been a part of this event today.
You can find my Twitter account at Bittner.
I shared my account with Brandon Robinson.
He's a senior sales engineer at Proofpoint.
Camille Stewart's article at the Council on Foreign Relations is titled,
Systemic Racism is a Cybersecurity Threat.
Do check it out.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.