CyberWire Daily - Prime Minister Johnson tells Parliament about the National Cyber Force. Vietnam squeezes Facebook. Chinese cyberespionage. SEO poisoning. Printing ransom notes. CISA leadership.
Episode Date: November 20, 2020
Her Majesty's Government discloses the existence of a National Cyber Force. Hanoi tells Facebook to crack down on posts critical of Vietnam's government. Chinese cyberespionage campaign targets Japanese companies. Egregor ransomware prints its extortion notes in hard copy. SEO poisoning with bad reviews. Mike Benjamin from Lumen on credential stuffing and password spraying. Our guest is Mark Forman from SAIC with a look at government agencies' COVID-19 response. And CISA may have a permanent director inbound. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/225
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Her Majesty's government discloses the existence of a National Cyber Force.
Hanoi tells Facebook to crack down on posts critical of Vietnam's government.
Chinese cyberespionage campaign targets Japanese companies.
Egregor ransomware prints its extortion notes in hard copy.
SEO poisoning with bad reviews.
Mike Benjamin from Lumen on credential stuffing and password spraying.
Our guest is Mark Forman from SAIC
with a look at government agencies' COVID-19 response.
And CISA may have a permanent director inbound.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 20th, 2020.
Prime Minister Johnson has informed Britain's Parliament of the existence of the National Cyber Force,
a new joint command that's been in operation since April. The National Cyber Force contains elements from MI6 and GCHQ,
and from serving members of the military and personnel from the Defence Science and Technology Laboratory.
The force's planned end strength is placed at some 3,000,
a goal it is expected to reach by 2030. Its charter, according to the BBC, includes both
disruption of hostile communications networks and the conduct of information operations.
The National Cyber Force is what in the U.S. would be called a combat support organization.
Its mission includes tactical support of kinetic military operations.
It might, for example, be called upon to protect British combat aircraft by disrupting enemy air defense command and control.
So it would play a tactical role analogous to that filled by traditional electronic warfare operations. ZDNet points out that the Secret Intelligence Service,
also known as MI6,
which we suppose we must point out is the home of spy fiction's 007,
will contribute its expertise in recruiting and running agents
alongside its unique ability to deliver clandestine operational technology.
Thus, the National Cyber Force seems likely to have some
multi-domain capabilities. But the National Cyber Force also has an everyday mission.
It may be called upon to interfere with hostile systems being used to conduct or prepare cyber
attacks against the United Kingdom. And it may also be called upon to conduct influence and
counter-influence operations against adversaries.
It will operate separately from the longer-established and better-known National Cybersecurity Center.
A combination of increased regulation and tougher industry content moderation
is increasingly seen by many as the right direction for the future of online platforms in general
and social media in particular.
Hanoi might be providing a picture of how that future may look once it's realized.
According to Reuters, Vietnam is threatening to block Facebook
if the social network doesn't knuckle under to Hanoi's demands for censorship of local political content.
A senior Facebook official told Reuters,
quote,
We made an agreement in April.
Facebook has upheld our end of the agreement and we expect the government of Vietnam to do the same.
They have come back to us and sought to get us to increase the volume of content that we're restricting in Vietnam. We've told them no. That request came with some threats about what might
happen if we didn't, end quote. The government in
Hanoi responded to a Reuters follow-up with the simple statement that social networks should not
expect to be able to continue, quote, spreading information that violates traditional Vietnamese
customs and infringes upon state interests, end quote, which is one way of looking at it.
Many reports at week's end elaborate on Symantec's account
of the way in which the Chinese threat group Cicada,
also known as APT10, Cloudhopper, or Stone Panda,
is leveraging the Zerologon vulnerability
and using DLL side-loading attacks to collect intelligence on Japanese targets.
Those targets have been drawn from multiple sectors,
including managed service providers,
engineering, and pharmaceutical firms.
The effects are international,
since they extend to overseas subsidiaries
of the affected Japanese companies.
Egregor Ransomware, the strain that's been heralded
as most likely to take the place of the, for now,
retired Maze, has adopted a particularly irritating method of delivering its ransom notes.
It spits them out in hard copy from compromised printers.
The security company Tripwire's State of Security blog has a report,
and they include a link to a video of a representative print run.
It amounts to a self-proving method of demonstrating compromise. It's one thing to
tell someone that you totally pwned them. It's a lot more convincing if you can cause that
notification to be printed on the victim's office inkjet. When the hoods put it that way,
it seems a lot less likely to be easily ignorable scareware, doesn't it?
A new report from the cybersecurity and cloud delivery firm Akamai
describes a relatively unfamiliar form of extortion
with a low barrier for entry.
Criminals are poisoning companies' search engine optimization results
and demanding a payoff in exchange for stopping the virtual bad-mouthing.
The SEO poisoning typically takes the form of injecting bad reviews
and negative comments into various online fora,
and then linking those comments back to search results.
This sort of extortion has surfaced periodically over the last few years.
It has, as Akamai points out, a fairly low barrier to entry.
And finally, the Cybersecurity and Infrastructure Security Agency's Executive Director, Brandon Wales,
has been leading the agency on an interim basis since the dismissal of former Director Christopher Krebs earlier this week,
but a permanent successor may be coming.
CyberScoop reports that Sean Plankey, currently a senior official at the Department of Energy,
is in line for the top job at CISA.
My guest today is Mark Forman,
Vice President for Digital Government Strategy at SAIC.
He joins us with results from their research
of government agencies' COVID-19 response
when it comes to cybersecurity. Basically, I think for so many of us, the same thing for
federal employees, you were told to go home and let's try out working virtually, and nobody ever
expected, almost overnight, that people would have to work remote.
So the situation for some employees, they had been teleworking, they were set up, but their agencies were never in some of the agencies managing especially the security
elements as well as the access to core mission apps at scale and with the security.
A lot of people had to use bring your own device, BYOD.
And of course, what that meant is getting access to things like Outlook web access
and not really access to your core mission applications. So that then presented problems.
And of course, associated with that is downloading documents onto a home PC, which violates a number
of other security concerns. So those were the kind of initial issues that had to be triaged in the early days of the pandemic.
Well, take us through some of the challenges that you all have listed here in your report.
Well, the top five really get into what does the future look like as we're managing through today.
The first two relate to keeping people safe in their work environment.
Some agencies, you have to come in to do the work.
You know, defense agencies, for example, and some of the public health laboratory examples.
In addition, some people want to return to work. Now, I think there's been reports from
the General Services Administration, and we clearly saw that come out of the survey, that return to
work doesn't mean that you're stopping working at home. What it means is the work environment shifts
and you rely on that more for collaboration. So how do you get the work environment safe so
people don't feel that they're infected when they come in, especially when they want to come in
to have meetings, maybe cross-agency meetings. And that is, I think, a key part of what we've seen as well in some of the general employee surveys
that have been made public in our area. The workforce and the decision makers want to make
sure the workplace is safe. After that, the maximum capabilities for telework and creating that systems environment that makes it secure from cyber attacks has evolved.
Social engineering has evolved with the pandemic.
And the executives and decision makers we surveyed identified that as going hand in hand with giving people access to their core systems, a lot of which are on site.
And then finally, dealing with fraud, waste, and abuse, and making sure that operations are
effective and efficient, that they're managing the taxpayers' funds well. And I think what this
relates to are a couple things. Of course, a lot of the controls that relate to fraud,
let's take it as an example. I think people are now coming to identify that some of that is a
result of information, identity information being sold on the dark web. And so there are a lot of requests for insight on how do we take this new environment, new fraud controls, and put them in place.
And, of course, we've seen that at the state government level as well.
But that's what's behind this question and the response that we got on how do you make fraud, waste, and abuse under
control in this new environment. Going forward into the future, I think the other element that
we saw from some of the anecdotes is people have to formulate new ways of working together,
new business processes. In the past, in some of the anecdotes, a manager could call down the hall to their staff
and quickly get everybody together. In the online environment, it just doesn't work that way.
So that was one of the challenges that relates to making sure the organizations can work effectively
together. Yeah, I can't help wondering if we're in for, or I guess to what
degree we're in for a real culture shift here when it comes to how people think about work,
you know, that both the worker side and the management side, that going through this together
has sort of demonstrated that people can work effectively and efficiently from home,
and they don't necessarily need to have that manager looking over their shoulder all day.
Well, that's absolutely right. And of course, the thing that goes hand in hand in our survey is that 80% felt that they found it extremely or somewhat challenging preventing the transmission of COVID-19 in their offices.
And so the reality is they didn't feel they can call people back into work and go back to normal.
They'd much rather, and I think they've accepted that the future of work
is a remote environment, and adjusting for that is what they're now doing in this, what I would call the recovery phase of the pandemic response.
Our thanks to Mark Forman from SAIC for joining us.
Don't forget that over on CyberWire Pro, we have a podcast called Interview Selects, where you can find extended versions of this and many other interviews.
You can learn more about that on our website, thecyberwire.com.
It's Cyber Wire Pro. Check it out.
And I'm pleased to be joined once again by Mike Benjamin.
He's the head of Black Lotus Labs, which is part of Lumen Technologies.
Mike, it's always great to have you back.
I wanted to touch today on one of the basics, which is credential stuffing and password spraying.
Can I get a review and insights from you, what we're dealing with here? What can you share with
us today? Yeah, so it's helpful to start with a bit of a definition. And so at its most simple
level, credential stuffing is taking passwords from previous leaks, usernames and passwords,
whether that be somebody's Gmail address with a password they used on one site,
trying to reuse it on another site,
could be business logins,
trying to reuse it in other places,
but basically credential reuse
and shove it at a massive volume
down some other service
to see how many times the credentials were reused.
So that's stuffing the credentials down into that service.
Password spraying is still
a high volume attempt to log in, but it's typically using simple passwords. So password one, two,
three, what is it? Fall 2020, whatever those passwords are that are particularly common,
and just trying them on every account that they can get their hands on. And now we can try and
break into the accounts that way. So that's credential stuffing and that's password spraying.
And so at a simple level, that's about what they are.
Now they've evolved in recent years
where now they're done through large proxy botnets.
And so what might sound relatively easy to stop,
one IP address sending a thousand logins
should be pretty easy to code to that.
Now it might be three attempts from one IP address
and then they rotate to the next proxy
server. And so the actors have become much more advanced in their attempts in order to evade
detection. They've even gone to the point where they're doing things around geolocality. So if
you are a US-based business, they may only use US proxies, or I live in Colorado, they might only
use Colorado-based proxies. So they've gotten more sophisticated in the attack methodologies
in order to hide themselves inside the noise of general login users.
And is this the kind of thing that can get around?
You hear people talking about things like rate limiting
that can help with these sorts of things.
Would the botnets allow them to circumvent that?
Absolutely.
And so two types of rate limiting.
The most simple goes back to what I just said, and they'll rate limit a single IP address
and only allow it to log in every few seconds because human beings will take that long to
type it.
In other cases, let the entire site have a relatively reasonable burst on their normal
throughput, and then stop anything that goes above that because
it must be attacked. Either way, the actors in many cases are not just trying to break into one
service. They may be targeting 10 services. So they're fine waiting a few seconds between these
logins because they'll just creatively go from service to service to service. So rate limiting
is really, for the more advanced folks, not going to slow them down in any real way.
What sort of scale are we dealing with here? How big are some of these actors?
Yeah, so on the sophisticated side, we've seen them build bot us who's going slow, rotating IP addresses, associating a login to each IP address, and doing it from the place where general users are logging in?
It in some cases can be nearly impossible to find the actor in that noise.
And so those are the folks that are hard to get your hands on and stop.
Now, on the low end of the sophistication, they'll take a password dump, buy a VPS with Bitcoin and
attack from one place. Those ones are definitely easy to stop. So what's the big picture impact
here? I mean, why should folks care about this sort of thing? Well, the most simple is that we use our online identities or businesses
use those credentials to do something, whether it be shop, sometimes store information about
themselves. And those things can be of value in underground markets. So the louder, less
sophisticated actor groups, they're going in and they're pulling out information about just raw accounts and selling
them. So I got a thousand accounts, they'll sell for five bucks and they're trying to make money
off of it. So leaking your PII, getting access to something somebody shouldn't be in on the low
sophistication side, that's concerning, but not something we should run around with their hair
on fire about. The other side, though, is what we see nation-state attackers doing,
where they want to target a company.
Well, guess what?
They'll go to every password dump they've ever found.
They'll go grab everything that contains the domain of the company they're targeting,
and they'll go try to break in with that.
It's frightening how often they are successful.
And so things like two-factor authentication in place at every perimeter access for a business, making sure that the security groups of consumer-oriented services are paying attention to credential dumps and trying them against their own service before the actors can even get to it.
Those kinds of things are really helpful.
And sort of a funny story one of my coworkers told me the other day.
He said, we're dealing with users that will set passwords forever. This is an
inevitability. And so it's up to us to either force them into multi-factor authentication mechanisms
or even on the simple side, just make sure that the password and input is of a high enough
sophistication and not one of those default credentials. But the way he drove it home to me, he said, we all saw the stories about the seeds
that were being shipped from China to people's homes. Kind of interesting news story a few weeks
ago. And I thought with the story, he was going to say, some people planted them, so people are
going to make silly mistakes. No, his story in the news article he posted to me, some people ate them.
And so we're dealing with people that at some level are going to eat random things that come in the mail. And so they're going to
make mistakes, even if they're not with a poor intention, it's going to happen. And so it's up
to us to think about how do we build the technology in a way that lets that kind of user in and lets
that kind of user not cause themselves
a problem. And so that's the burden we all bear in the security industry.
I think an old colleague of mine used to say, nothing is foolproof to a talented fool.
There you go.
All right. Well, Mike Benjamin, thanks for joining us. And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders
who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Think different.
Listen for us on your Alexa smart speaker, too.
Be sure to check out this weekend's Research Saturday episode.
I'm joined by Matt Chiodi from Palo Alto Network's Unit 42
on their Cloud threat report.
We'll be talking about how cloud misconfigurations and cryptojacking continue to plague thousands of organizations.
That's Research Saturday. Hope you'll join us.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.