CyberWire Daily - Phishing, cryptojacking, and commodity malware. New supply chain security measures. And have you heard about this Black Friday thing?
Episode Date: November 27, 2019
A Fullz House for Thanksgiving. Google finds that nation-state phishing continues at its customary high levels. DeathRansom, the low-end ransomware that didn't actually encrypt files, has now begun to do so. The Stantinko botnet adds cryptomining functionality. Microsoft reflects on Dexphot, and the sophistication it brings to ordinary malware. Supply chain security rules are coming to the US. A lawsuit in Tel Aviv. And some final notes on Black Friday. Daniel Prince from Lancaster University on business innovation and cyber security. Guest is Francesca Spidalieri from Salve Regina University on the importance of collaboration from all sectors. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/November/CyberWire_2019_11_27.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A Fullz House for Thanksgiving.
Google finds that nation-state phishing continues at its customary high levels.
Death Ransom, the low-end ransomware that didn't actually encrypt files, has now begun to do so.
The Stantinko botnet adds crypto mining functionality.
Microsoft reflects on Dexphot and the sophistication it brings to ordinary malware.
Supply chain security rules are coming to the U.S.
A lawsuit in Tel Aviv.
And some final notes on Black Friday.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 27, 2019.
Security firm RiskIQ has offered an updated warning about a recently discovered cyber criminal outfit they've called Fullz House. The gang operates in two ways: credential and private information phishing, and then skimming, or phishing, pay cards during e-commerce checkouts. Their goal is fullz,
that is, pay card information plus extensive associated PII. Phishing is a common nation-state tactic as well. Google, which tracks
more than 270 government-run groups operating on behalf of about 50 countries, reports that
between July and September it issued more than 12,000 warnings to victims in 149 countries,
as close to everywhere as makes little difference. Google notes that this is about the same warning rate, give or take 10%, they observed during the same period in 2017 and 2018.
So the interests and levels of activity displayed
by the world's intelligence services seem to be holding steady,
at least insofar as this snapshot indicates.
Bleeping Computer offers an account of a new strain of ransomware,
Death Ransom, that's upped its game.
When it first started out, Death Ransom wasn't an encrypting strain of ransomware at all.
The earlier infestations, researchers observed, didn't really encrypt a victim's data,
but merely appended a .wctc extension to affected files.
If you simply stripped out the extension, the files became usable again.
But Death Ransom last week began actually encrypting the files. Researchers see a possible
connection, at least in terms of infection vectors, to STOP ransomware, which has used
adware as its way in. Researchers at the security firm ESET have found a cryptojacking campaign that operates through YouTube videos' descriptive texts.
The operators behind the Stantinko botnet have added some Monero mining functionality to their malware.
Most of the victims of this cryptojacking have been in Russia, Belarus, and Kazakhstan.
Microsoft reflects on lessons learned from a year tracking the polymorphic Dexphot threat.
In sum, ordinary threats are showing increased sophistication.
The goal of Dexphot may not be particularly sophisticated,
since one of its more characteristic bits of functionality is crypto mining,
but it's evasive, persistent, and hard to expel,
and it's the kind of criminal threat that one sees on the digital main street.
Francesca Spidalieri is a cybersecurity consultant at Hathaway Global Strategies and senior fellow of cyber leadership at the Pell Center from Salve Regina University in Rhode Island.
We spoke recently about the challenges universities face keeping up with the pace of rapid advances in cybersecurity,
as well as the role they play supporting their local community.
A lot of the large data breaches we hear regularly on the headlines. Usually we hear
the big corporations, but it's really the small and medium businesses that have the most to lose
in the aftermath of a breach. So we decided to dedicate our time and research and effort in helping
the community of small and medium-sized businesses and smaller organizations to better understand the
cyber threats inherent to their organization and the context in which they operate. And we launched
a series of programs from lectures and seminars and tabletop exercise. We do more in-depth research. We provide
policy recommendations to both of those businesses that come and engage during our events, but also
our congressional delegation has been part of the Rhode Island Governor Cybersecurity Commission.
So as a think tank, we engage on a variety of fora to provide expert information,
thought leadership, policy recommendations, research.
So it's really important to have that outreach that extends not only to the broader cybersecurity
community, but to your local community as well.
Absolutely. In fact, our local community is all welcome to attend our event.
We try to raise awareness among senior leaders and decision makers, as well as other senior level
people across society about not just the technical issues of cybersecurity, but also about the
economic, political, regulatory challenges of operating in a digital age. I know you're involved with some of the graduate programs there and some of the coursework and so
on. What is the challenge that you face in keeping that work current in an area that's changing as
rapidly as cybersecurity is? Well, thank you for that great question. First of all, I have to say
that I'm very proud to work for a university that was among the first in the United States and certainly in the New England region to recognize that addressing cybersecurity required not just IT experts with computer science and software security skills,
but also professionals with an understanding of the political context, institutional theory, behavioral psychology, ethics, law, economics, and other sciences.
So when we started including courses and seminars in the curriculum at Salve,
we thought about the issues as a multidisciplinary subject.
And so we started adding courses in the Administration of Justice and Homeland Security Department. We added courses in the Business Department, more recently in the Healthcare Administration Department.
And we try to keep those courses constantly up to date by engaging with those companies that need the professionals that often cannot find in the broader community.
You also work on the Rhode Island Joint Cyber Task Force.
Can you give us an overview?
What does that team set out to accomplish?
Yes, so the Rhode Island State Police
has a very capable computer crime unit
that responds and investigates cybersecurity incidents
and help companies and organizations
defend from cyber threats as much as they can.
A few years back, they also established a joint cyber task force.
This task force brings together members of the Rhode Island State Police Crime Unit that I just mentioned
with individuals representing higher education, hospital, finance, utility, Defense, the Rhode Island National Guard. And it provides a forum, similarly to what we do at the Pell Center, to share information,
provide analysis and update on cyber threats.
But it's also a way for the organization to meet the first responders, the law enforcement
officials that would be coming in if there was a major incident.
The group also oversees
educational initiatives, a tabletop exercise, they have a great cyber range. So there is a lot of
different ways for the community to engage through these joint cyber task force. Yeah, it's interesting
to me how you mentioned sort of the breadth of programs at the university that you have extended knowledge of cybersecurity into. And I think it really speaks to this need for a variety of viewpoints and perspectives within the field.
What sort of recommendations do you have for folks who are looking to expand their level of education,
either starting out in school or looking for a
graduate program, what sort of mindset should they have coming into a program like yours?
They have to understand that cybersecurity affects all of our organization. Every business
today is a digital business, but not everybody needs to become a computer scientist or engineer.
There needs to be a cyber component to most disciplines,
and that's what we have been trying to do at Salve Regina University. So I understand it's
very difficult sometimes to navigate the field because there is almost a not clear career path
or compensation structure when we say we want to work in cybersecurity. There are not generally
accepted qualifications. There is really a lack of clarity about job description.
So I first try to help students or mid-level career professionals
that want to now pursue a career in cybersecurity
to understand what is it they actually like to do.
If they're more technical people, then I might recommend certain certification,
whether it's to become a pen tester, a network analyst.
But there are also a need for business professionals, legal professionals,
law enforcement officials to understand the cyber context in which they operate.
So Salve, for example, was the first university in the United States
to make it a core requirement for all of our MBA students to take a cybersecurity course.
When I designed that course, it's called Management of
Cyber Opportunities and Threats. What we had in mind was to train that mid-level professional
that needs to be able to talk to both the server room, the IT professional, but also the boardroom,
the senior leaders that were not training computer science and engineering, but nonetheless need to make the most important decision within their organization
about risk management, incident response, whether to fund or not certain projects
that will affect the cybersecurity posture of their organization.
That's Francesca Spidalieri from Salve Regina University.
Following the direction provided this spring by Executive Order 13873, the U.S. Commerce
Department has proposed rules for securing the IT and communications supply chain.
That executive order gave the Secretary of Commerce a leading role in supply chain security
with authority to prohibit or mitigate transactions that involve technology that was designed, developed, manufactured or supplied by some person or entity
owned by, controlled by or subject to the direction of any foreign adversary.
The goal of such restrictions and mitigations is to reduce the risk of sabotage or subversion,
of catastrophic effects on critical infrastructure,
or of risks to security or safety.
A public comment period on the new procedures will open shortly.
You will recall Facebook's recent filing of a lawsuit against lawful intercept vendor,
spyware vendor if you prefer, NSO Group.
Facebook alleges that NSO Group used some of Facebook's properties to distribute its surveillance tools.
As it filed a lawsuit on behalf of its subsidiary WhatsApp,
Facebook also suspended a number of NSO Group employees' individual personal Facebook and Instagram accounts.
Those employees have now filed a countersuit against Facebook in Tel Aviv District Court,
asking that the social network unblock them. They call the suspension collective punishment.
It is, they say, a hurtful and unjust move by Facebook.
Their resort to legal action, the employees say,
comes only after Facebook ignored repeated requests they made directly to the company.
Of course, it's the beginning of the big shopping season this Friday, Black Friday, as we've oddly come to call it.
Yesterday we shared some of the online safety tips the U.S. Cybersecurity and Infrastructure Security Agency is offering.
Security companies are also offering suggestions, and they come down to many of the same reminders.
Keep your software up to date, don't buy from dodgy sites, beware of clicking links and email messages, and use multi-factor authentication.
What kinds of purchases are likely to get you in trouble this time of year?
Researchers at Kaspersky have been looking at what the crooks are up to and are paying particular attention to the botnets that distribute Trojans.
There's a great deal of spoofing going on,
and the spoofing seems concentrated on clothing, jewelry, and toys.
Close behind are brands associated with travel, hotels, ticket booking sites,
even taxi cab companies.
So keep a sharp and skeptical eye out.
And of course, a happy Thanksgiving to you all.
We're taking the rest of the week off to spend with our friends and family.
We'll see you back here next week.
And joining me once again is Daniel Prince.
He's a senior lecturer in cybersecurity at Lancaster University.
Daniel, it's always great to have you back.
We wanted to touch today on business innovation and cybersecurity.
What do you have to share with us today?
It's great to be back. So at Lancaster, I'm running a project which is really looking at how businesses can innovate their business practice through cyber innovation.
And I borrowed a concept that we have here in the UK around from cybercrime, looking at
two sides of that. So cyber enabled and cyber dependent cyber crime. And what we've got here is what I'm calling cyber enabled and cyber dependent cyber innovation. Because what for me, cybersecurity is one of the most innovative kind of IT disciplines out there at the moment, constantly having to try and reinvent the way that we defend, coming up with new technologies, both to actually stop attackers but also to try and
actually build the best protection we can. The attackers are certainly
evolving and so are we on our side. So what I'm doing is with a group of people
here at Lancaster and with three other universities in the northwest based around Manchester,
Manchester Metropolitan University, the University of Manchester and the University of Salford,
is where we're running a program of support working with companies to really instill cyber innovation at the core, looking at how they can use
cyber
enabled innovation, so increased protection means that they can do things better
and faster, or cyber-dependent innovation. So, can they use new cryptographic techniques to provide
tracking services for goods and products? Can they come up with new authentication mechanisms
for smart door locks? Things like this. So really putting cyber innovation at the heart of
the business rather than having it as something that sits kind of almost alongside. And for me,
that's one of the key things with just dealing with cybersecurity. And hopefully this will be
part of the answer of putting cybersecurity at the core of the business. So really getting to
the point where cybersecurity can even be a differentiator for businesses?
Well that's one of the key things that we talk to businesses about.
How can you take the fact that you're doing all of this good work in cybersecurity and
make that a market differentiator for your product, for your service, for your company?
Because it's a crowded marketplace and if we can use cybersecurity to really help that company to stand out from the crowd, that's certainly one area that we can push on. But
what we talk about within the project, which we call the Cyber Foundry, is defend, innovate,
and grow. So the first step has got to be about defense, so making sure the company's got the
right kind of protections in place. Then how do we innovate using cybersecurity? And then how do we grow that company? So those are kind of our three mantra keywords, if you like.
And for the companies themselves, what kind of messaging do you imagine them putting out
to their customers to put the word out that this is how they're doing things?
So again, it really depends on what the company's trying to achieve. So yeah, we can work with them to think about how that cybersecurity defense message is
a key part of their sales technique, but also thinking about how the defense is a key part
of their business strategy going forward.
Yes, it's a lot about marketing messages and making sure that everybody is aware of what
they're doing, but also for some of the larger companies, it's about clear market signaling that they're taking cyber innovation seriously.
So for some companies where they've got cyber innovation as a core part of their business strategy and being able to say that, it goes beyond marketing messages and actually tells people that they've got cybersecurity instilled in the core of their business.
All right. Well, Daniel Prince, thanks for joining us.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.