CyberWire Daily - Phishing for COVID-19 vaccine data. Bandook is back, and mercenaries have it. School’s out for ransomware. Skepticism about foreign election manipulation. The forever sales.
Episode Date: November 30, 2020
North Korean operators phish a major pharma company. The Bandook backdoor is back, and probably being distributed by mercenaries. A school district cancels classes after a ransomware attack. Man U continues to work on recovering its systems. Former CISA Director says there are no signs of foreign manipulation of US elections. Rick Howard wonders what exactly all those CISOs do. Betsy Carmelite from Booz Allen with insights from their 2021 Cyber Threat Trends Report. And Cyber shopping and the forever sales. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/229
Transcript
North Korean operators phish a major pharma company.
The Bandook backdoor is back and probably being distributed by mercenaries.
A school district cancels classes after a ransomware attack.
Man U continues to work on recovering its systems.
The former CISA director says there are no signs of foreign manipulation of U.S. elections.
Rick Howard wonders what exactly all those CISOs do.
Betsy Carmelite from Booz Allen with insights
from their 2021 Cyber Threat Trends Report
and Cyber Shopping and the Forever Sales.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 30th, 2020.
Reuters reported over the weekend that AstraZeneca, a leader in research toward a COVID-19 vaccine,
had been prospected by North Korean intelligence operators.
The attackers worked a social engineering angle against the pharma company's personnel,
using LinkedIn and WhatsApp to dangle bogus job offers as phish bait before AstraZeneca employees.
The attempts are thought to have been unsuccessful.
South Korean Pyongyang watchers see the Kim regime as under increasing stress from both
COVID-19 directly and from the pandemic's effects on the DPRK's already strained economy.
Some of that stress is being turned inward, the Washington Post reports.
Check Point researchers have noticed renewed attacks using a signed strain of the 13-year-old Bandook backdoor.
The malware had previously been associated with the Lebanese and Kazakh governments.
The Dark Caracal threat group has been Bandook's best-known user, but it hasn't been seen recently.
Check Point thinks the target distribution, this time around at least,
suggests the activity of an unidentified third-party mercenary group selling its attack services to governments.
The infection chain has a familiar three-step structure.
It begins with phishing, the phish hook being a malicious Microsoft Word attachment, arriving in a zip file.
Once opened, macros drop and execute an embedded PowerShell script, which in turn installs the Bandook backdoor.
Many, but not all, of the executables have been signed with valid certificates issued by Certum.
Check Point says this suggests a connection to Dark Caracal, which itself had been attributed to Lebanon's General Security Directorate. Check Point, however, thinks the range
of activity suggests an offensive infrastructure is being sold by a third party to governments
and threat actors worldwide. Sectors targeted include government agencies, financial services, energy, the food industry, health care,
education, IT, and legal organizations. And Bandook attacks have affected Singapore, Cyprus, Chile,
Italy, the United States, Turkey, Switzerland, Indonesia, and Germany.
Baltimore County hasn't resolved the effects of the pre-Thanksgiving ransomware attack it sustained.
WJZ reports that the school district will continue to suspend instruction on Monday and Tuesday of this week, at least.
Details on the attack remain sparse as the schools concentrate on recovery.
According to WJZ, the Baltimore CBS affiliate,
the Baltimore County Public Schools have told faculty, staff, and students that it's safe to use Chromebooks issued by the school district and to use Baltimore County Public Schools' Google accounts.
They should not use school-issued Windows devices until further notice.
A Maryland state audit of the Baltimore County Schools' cybersecurity posture, released the day before ransomware shut down classes last Wednesday, found significant risk in the system.
The Baltimore Sun quotes the Office of Legislative Audits as concluding, quote,
significant risks existed within BCPS's computer network.
For example, monitoring of security activities over critical systems was not sufficient and its computer network was not
properly secured, end quote. Schools generally have found it difficult to cope with the remote
learning needs the COVID-19 pandemic has imposed. The Washington Post last week reported that the
Fairfax, Virginia schools were seeing a significant increase in failing academic progress, and that's
without any malicious intervention in distance
learning. Nor is this a problem confined to the United States. The Wall Street Journal has an
account of the difficulties schools in India are having delivering remote learning. So schools'
adaptation to new methods of instruction has often proven fragile, and like any online operation,
it's also been distinctly vulnerable to disruption
by ransomware attack. The analogy with criminal attacks on healthcare providers is obvious.
Conscienceless hoods will hit organizations when they're under stress and most vulnerable.
Premier League football club Manchester United has continued to play its matches,
but its recent ransomware incident remains under investigation.
Some internal systems remain unavailable, according to InfoSecurity magazine.
Britain's National Cyber Security Centre is investigating. There's no word yet on any ransom demands.
Appearing on CBS's 60 Minutes yesterday, former CISA director Krebs was particularly concerned to debunk claims of foreign manipulation of U.S. voting systems and vote counting.
So we spent something on the order of three and a half years of gaming out every possible scenario
for how a foreign actor could interfere with an election.
Countless, countless scenarios.
There's a theory in circulation, for example,
that software used in Dominion voting systems was developed in Venezuela
under the direction of the late strongman Hugo Chavez,
and that such software is designed to corrupt and manipulate U.S. vote tallies.
Krebs says it's all hooey.
Votes aren't being counted offshore,
and there's no evidence in either initial counts or recounts
that the U.S. election was stolen by any combination of foreign intelligence services
or transnational groups.
There's no evidence that any machine that I'm aware of
has been manipulated by a foreign power.
Period.
That's former CISA director Christopher Krebs on CBS's 60 Minutes.
Imperva's monthly Cyber Threat Index extrapolates from the recent attack trends
and sees bad bots as a major problem during the online holiday shopping season.
This represents a general trend toward threat automation.
HelpNet Security reports that WatchGuard expects that trend
to mark threat activity in the coming year as a whole.
If it's occurred to you that Black Friday and Cyber Monday
no longer seem as distinctive as they once did, you're not alone.
The Shreveport Times notes anecdotal evidence that the online
shopping season, particularly as marked by sales, has now spread beyond the two days that formerly
served as hotspots of online consumption. Sales and shopping have been running for some time,
and they're not stopping tomorrow. The usual cautions and counsels that apply to all online
shopping, of course, apply
now. Don't fall for dodgy retail sites. Be suspicious of requests for more personal information
than seems reasonable for the transaction you're trying to make. Keep your software up to date and
use a credit card or gift card for purchases, not a debit card or, heaven forfend, a direct transfer
from your bank account. Be aware that scammers will send you emails telling you that some online account needs updating, restoration, or verification.
Usually, the sender's domain will tip you off to a scam.
Amazon, to take one big online brand, is unlikely to be contacting you via a Gmail address.
Not everyone is advocating a shopping frenzy. Some upscale retailers, according to The Drum,
have moved to the next stage of the marketing dialectic,
encouraging their clientele to reject consumerism.
Planet-friendly accessory and footwear brand Allbirds, for example,
is actually touting a seasonal price hike
as it exhorts its followers to break tradition, not the planet. Buy less,
demand more is Patagonia's slogan as it would move its customers toward the mediated immediacy
of globally conscious consumption.
And it's my pleasure to welcome back to the show Rick Howard.
He is the CyberWire's chief analyst and also our chief security officer.
Rick, always great to have you back.
Hey, Dave.
So this week on CSO Perspectives, you were talking about the actual CISO job and where it fits into the corporate hierarchy. Now, I'm sure I am not
alone, and I'm sure you got this a lot when you were back at Palo Alto, where people would
pass you by in the hallway and they'd go, what the heck does that guy do?
My whole career.
Yeah, right, exactly. So you've been able to keep that mysterious.
But seriously, I mean, who does the CISO work for?
Well, there are many schools of thought about that today.
And really, there's no correct answer.
And it's really dependent on the organization's culture.
But to understand why that is the case, you've got to be very clear that the title CSO, in most cases, does not have the same weight
and authority as other officers in the organization that have both the C and the O in their title,
you know, like the chief executive officer, the chief technology officer, and the chief legal
officer. Now, according to Chalon David over at Smart Business, shareholders elect board directors to oversee the business,
and then these directors choose officers to run the company day to day. Because of their officer
role, I got that in air quotes, right? These people assume a fiduciary responsibility to
their shareholders. The rest of the organization's people are just employees. So, and typically,
CSOs and CIOs, for that matter, are not corporate officers. They are employees with kind of fancy
titles. So, they're C-suite in name only? Yeah, that's really the case, right? Because they needed
some authority, but boards and the higher-ups didn't think they needed the full weight of a
corporate officer.
So what's interesting is that the corporate structure has been the same for like 80 years. It started back in the early 1930s and didn't really change until the mid-1980s.
And then CEOs started to realize that these newfangled personal computers,
they might be more than just data processing machines,
that they might be the nucleus of a business strategy
that could give them a competitive edge.
Imagine that.
Amazing about how they came to that, right?
So around 1985, American Airlines hires this guy
by the name of Max Hopper
and gave him this lofty title of Vice President
of Information Technology.
And according to CIO Magazine, this made Max the first ever CIO. Now, it was so important that
Harvard Business School's James Cash said that Hopper legitimized the role by making it clear
that there was a unique contribution to be made by the executive who understood technology and could
help influence strategy.
Just a year after that, Businessweek magazine declared that the CIO was management's newest
star.
So that's great for them, but the bad news is we didn't get the first CISO until 10 years
later.
In 1995, in the wake of a very public Russian malware incident, Citicorp
hired a guy by the name of Steve Katz as the first ever chief information security officer.
And Steve is and was a great avatar for what a CISO should be.
He was cut out of the same cloth as Hopper, a technician who could talk to business leaders.
But unfortunately, other CISOs hired after him didn't quite meet that
standard. And now this is a gross generalization, all right? Because as I'm wont to do.
Yeah. Brace for it. Hang on, everybody. But most new CISOs that came after Steve grew up on the
technical side, myself included. And we had difficulty
expressing technical risk in terms that business leaders can understand. We couldn't convert
technical risk into business risk. Yeah. You know, I remember those early days and it would seem like
everything on the technical side was always a crisis and it was sort of mysterious to the
folks in the boardroom. Yeah. Oh, man, that was so true back in those days. And we thought everything that happened, you know, was going to burn the house
down. And CISOs got their reputation quickly for being the Dr. No of the organization. Right,
right, right. They said no to a lot of internet projects, and they got their reputation
for being so hard to work with that the corporate officers decided they didn't want to deal with them on a daily basis. So it wasn't long before senior management started to stuff CISOs
underneath the CIO within the organization. So, I mean, is that where we are these days?
Is that where most CISOs land or they're working for the CIO? Yeah, in most cases, that's true.
The bulk of the CISOs out there work for the CIO. But there are other organizations where the CISO and the CIO are peers
and both work for either the same executive or different executives.
And that's what we're talking about in this week's CSO Perspectives.
All right.
Well, be sure to check that out.
That is CSO Perspectives.
It is part of CyberWire Pro.
You can find out all about it over on our website, thecyberwire.com.
Rick Howard, thanks for joining us.
Thank you, sir.
And I'm pleased to be joined once again by Betsy Carmelite. She's a senior associate at Booz Allen Hamilton.
Betsy, you and your team there at Booz Allen have recently published the 2021
Cyber Threat Trends Report, and one of the things I wanted to highlight there was work that
you all have been doing on contact tracing and some of the potential cyber attacks that could
be associated with that. What can you share with us today? Sure, sure. In relation to that report,
this is really the new lens through which we're seeing the realities of the pandemic and we're
seeing the world, you know, moving forward with advances in technology, such as these contact tracing apps. So what we're seeing is that these COVID-19
contact tracing apps and their ecosystems, we believe, have created opportunity and made it
appealing for threat actors, possibly state-aligned or for-profit criminals and trolls to target these apps.
And because the apps are being developed on a country-by-country basis to track nationwide data,
some of that is mandatory tracing in countries.
We've seen this in Singapore in recent weeks, for example.
As of July 2020, Qatar, for example, has achieved a 91% adoption rate through its installation mandate.
There's really a large potential for large-scale targeted operations against the apps and the data that they hold.
You know, just in the past few days, I saw my phone pop up here in Maryland and said, you know, would you like to take part in contact tracing here locally? So it was interesting to me that we're continuing to
see this rollout, I suppose in this case, better late than never. I'm curious, you know, what are
you all thinking in terms of mitigations for this? Sure. Well, to answer that, let me outline a
couple of the risks that we're seeing here. To your point, Dave, in the U.S., we do have a little
bit of security here in the sense that large U.S. databases of COVID app tracking or nationwide tracking through these
apps do not exist. So that could be considered a weakness of COVID tracing, but it's a boon to
our privacy here in the U.S. But a few of these risks, we're looking at the contact tracing apps
being developed with minimal regard for privacy and security,
sometimes resulting in insecure apps, centralized databases of population-wide personally identifiable information.
Secondly, adversaries may attempt to surveil these users or install data stealing and surveillance backdoors,
leading to theft of large PII databases.
They could create fake outbreaks and blackmail and harass users.
And finally, risk of these threats will be the highest in the countries with high adoption
rates, which are typically undemocratic countries that mandate these installations with steep
civil and criminal penalties.
Yeah. So again, I mean, what do you recommend then in terms of mitigations?
Sure. Much of the burden for securing these contact tracing apps will fall on the companies
contracted to develop and deploy them. So there's some accountability there for sure.
This is a process that should include security testing of the app, the use of robust authentication and access controls for communications
with back-end databases. However, organizations concerned with the potential risks to mobile
devices in their environment, they should consider exploring the use of mobile device management,
MDM platforms that can centralize the control
and enable remote management of data security, the configuration, software deployment, other
admin functions of their devices. Companies should also explore the use of application
containerization solutions that may be used to isolate enterprise applications or data on
employees' personal devices.
And finally, it all really goes back to general security best practices to enterprise mobile devices.
What are the access controls?
They should be fairly strict.
Data encryption is a must.
And always training users to recognize potential threats.
All right.
Interesting information for sure.
Betsy Carmelite, thanks for joining us.
Thank you.
That's Betsy Carmelite from Booz Allen.
We're going to be making our way through their 2021 Cyber Threat Trends Report over the next
few Mondays. And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
It's Australian for beer.
Listen for us on your Alexa smart speaker, too.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security Ha.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed.
And check out the Recorded Future podcast,
which I also host.
The subject there is threat intelligence,
and every week we talk to interesting people
about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe. Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.