CyberWire Daily - Ransomware or wiper? Emotet’s resurgence. Updates on Services NSW breach. COVID-19 cyberespionage. BTS replaces Guy Fawkes?
Episode Date: September 8, 2020

Thanos is back, but as ransomware or a wiper? Cyber agencies in France, Japan, and New Zealand warn of a spike in Emotet infections. Australian authorities say 186,000 were affected by the breach at Services NSW. Georgia decries cyberespionage at its Lugar Lab. COVID-19 cyberespionage efforts have been intense, as have counterintelligence efforts designed to defend labs and supply chains. Rick Howard looks at identity management. Ben Yelin covers tightened surveillance of political advisors. And Anonymous may have a successor: K-pop stans. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/174
Transcript
You're listening to the CyberWire Network, powered by N2K.
Cyber agencies in France, Japan, and New Zealand warn of a spike in Emotet infections.
Australian authorities say 186,000 were affected by the breach at Services NSW.
Georgia decries cyber espionage at its Lugar lab.
COVID-19 cyber espionage efforts have been intense, as have counterintelligence efforts designed to defend labs and supply chains.
Rick Howard looks at identity management.
Ben Yelin covers tightened surveillance of political advisors.
And Anonymous may have a successor.
K-pop stans.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, September 8th, 2020.
And we're back from the Labor Day weekend. Did you miss us?
We missed you and hope you enjoyed the holiday, if holiday it was,
in your neck of the woods. Here are some stories that broke over the long weekend.
Early Friday, Palo Alto Networks' Unit 42 reported a Thanos campaign against two government
organizations not identified in the report in the Middle East and North Africa regions.
This variant overwrites the master boot record to deliver its demand for $20,000 in Bitcoin,
but this is both unusual and, from the attacker's perspective at least, counterproductive.
Cyberscoop quotes Recorded Future as observing that the attack may be a destructive wiper posing as ransomware.
The good news, such as it is, seems to be that the attempt to overwrite
the master boot record was bungled, unsuccessful. Bleeping Computer notes that Thanos affiliates
were less than fully successful in more traditional June attacks against European targets.
French, Japanese, and New Zealand authorities have issued warnings of an increase in email-borne Emotet campaigns
actively working against targets in their countries.
Many of the payloads are carried in malicious PDF or, more recently, .doc attachments.
Some government agencies have themselves been the victims of the botnet-driven campaign,
and ZDNet reports that France's cybersecurity agency ANSSI yesterday issued a warning that government officers should avoid opening emails with attached .doc files.
The Sydney Morning Herald has an update on the data breach at Service NSW.
47 compromised employee email accounts were used to obtain personal data of 186,000 customers and staffers.
At-risk customers are being notified by mail. The opposition Labor Party has expressed its dissatisfaction with the way the government's
handled the affair. Labor's shadow minister for public services, Sophie Cotsis, says that minister
for customer service, Victor Dominello, needs to face the public and face the music for the breach.
Quote, under Mr. Dominello's watch, cyber criminals have broken into Service NSW
and may have stolen people's birth certificates, credit card details, medical records,
financial information, and even sensitive legal enforcement information, Ms. Cotsis said,
enumerating the kind of PII believed to have been compromised.
Georgian authorities confirmed that a cyberattack on the Lugar Lab Biomedical Research Center in Tbilisi took files related to research into the COVID-19 pandemic.
The cyberespionage is not yet attributed to anyone, but Georgia's foreign ministry says
it's investigating and won't hesitate to name the perpetrator once they've determined who's responsible.
Georgian authorities haven't said so,
but the country has long been the subject of Moscow's attentions.
The Lugar Laboratory, named after former U.S. Senator Richard Lugar,
represents a joint attempt by the governments of the United States and Georgia
to provide safe and even positive uses
for the talents of Soviet-era biowar researchers, a significant number of whom had worked in Georgia.
Its origins lie essentially in that non-proliferation effort. Work on the lab,
which falls under Georgia's National Center for Disease Control and Public Health,
began after a 2004 agreement between Washington and Tbilisi.
Constructed with the support of U.S. funding, the Lugar Lab became fully operational in 2013.
Any American cooperation with a former Soviet republic, indeed with any former Warsaw Pact
country, amounts to a burr under Russian saddles, and so it's not surprising that the Lugar Lab should have done so.
With Moscow disposed to read the worst intentions in anything Washington does,
that's understandable.
Less understandable, and even less forgivable,
are the Russian disinformation campaigns that have imputed a Georgian-American conspiracy
to deliberately spread infectious diseases.
In any case, the Lugar Lab is the
sort of organization that would quickly draw the attention of Russian intelligence services.
But do remember, it's worth noting that Russian intelligence services amount to the usual suspects,
and that Georgia's government hasn't yet called them out. While Russia's SVR foreign intelligence
service has displayed a close interest in pandemic-related biomedical research,
Chinese and Iranian intelligence services have also undertaken
considerable efforts to collect intelligence on COVID-19 work. So, the incident at the Lugar Lab
isn't a one-off. The New York Times reports that COVID-19 research has become a common target for collection
by espionage agencies. In this, Chinese services have been particularly active. Their targets have
tended to be U.S. research universities. The Times' story makes particular mention of the
University of North Carolina, with some effort also made to penetrate biomedical companies.
It appears they've had limited success with the companies they've targeted,
Gilead Sciences, Novavax, and Moderna,
but universities seem to offer a relatively softer target than government or corporate labs.
And according to The Times,
Beijing has sought to make use of its influence with the World Health Organization
to facilitate collection of biomedical intelligence.
Russian efforts to steal COVID-19 research have been more focused on the United Kingdom,
where Oxford University and its pharmaceutical corporate partner AstraZeneca have been targeted by the espionage services.
CyberScoop has an account of U.S. efforts to secure vaccine research.
Operation Warp Speed is the name that's been given to the American crash effort to produce a vaccine by January, and the program has a significant security component.
Formerly known as Security and Assurance, this sub-program represents a joint effort among the Defense Digital Service, National Security Agency, FBI, the Department of Homeland Security, and the Department of Health and Human Services.
The program provides security advice and assistance to the companies developing the vaccine
and to the companies establishing the supply chain that will deliver the 300 million doses Warp Speed intends to produce by the beginning of 2021.
And finally, remember Anonymous? Sure, the Guy Fawkes mask and anarcho-syndicalist collective tended to overpromise and underdeliver, especially after some of its more prominent
members were arrested. Anyway, there may be a successor movement, K-pop stans, devoted followers
of one or more K-pop bands. This phenomenon appears to be a large and loose aggregation,
more collection than collective, of K-pop hotheads.
The K-pop stans have apparently undertaken spontaneous hacktivism
a few times during the past few months of lockdown and disquiet.
Forbes points with alarm to what it calls
a 100 million strong crowd of hackers and hacktivists,
the BTS ARMY.
BTS is a popular K-pop boy band, BTS standing at least sometimes for Burn the Stage, as we remember from the TV and YouTube commercials, and ARMY representing an acronym for Adorable Representative
MC for Youths. BTS' hit Dynamite continues at the top of the Hot 100,
but whether this represents a serious movement
or simply another reason to wish for middle schools everywhere
to reopen as soon as possible is unclear.
Still, arguably, better than Rickrolling.
And it is always my pleasure to welcome back to the show Rick Howard.
He is our chief analyst, also our chief security officer here at the CyberWire,
doing his best to keep us all out of trouble.
Rick, always great to have you back.
Oh, man, don't put that pressure on me.
I know, right? Who needs that?
Well, listen, this week on CSO Perspectives,
you have gathered up members of the hash table,
and you are tackling identity management.
Now, to me, that is one of those things that sounds simple on the surface,
but the devil is in the details, right?
It's absolutely true.
And after spending a couple of weeks on this and talked to a bunch of experts about this,
it turns out there's like four things that any identity management program should have.
And I'll just kind of go through the list, right?
So the first one is you should have a way to federate with your partners, all right?
And we talked about that before but it's basically
trusting another organization if they trust you and you trust this user then they trust that user
so a way to automate that that's been around for many many years now so federation the second one
is you need an ability to give your employees to escalate their privilege it's kind of like the old
sudo command if you're a Unix guy from back in the day, right?
But on a grander scale, we need to build,
Rick doesn't run as an administrator all day long.
He runs as a normal user,
but he needs a way to get permission
to do administrator type things.
So that's another key factor to it.
And then the third one is to automatic extra authentication. Okay, this is
the typical one where the, you know, the CEO needs to get access to the M&A database, right? And maybe
for that particular data set, we want to make extra, we want to take extra care that the CEO
is actually who she says she is. So we might throw an additional authentication layer on that like two factor or something, right?
And then finally, the fourth thing
that all identity management programs should have
is a way to manage the identities of all your employees
throughout their life cycle, all right?
Because many companies, you take on different jobs,
you get promoted, you move laterally, right?
And I was talking to the Finning CISO,
Susie Smibert, old friend of mine, out of Canada, and she has a perfect way to describe this. She
calls it entitlement accumulation. You have someone that starts a front desk, and then they
move into a support role, and then accounting, and HR, and they move around, but they retain and accumulate
entitlement as they move through the organization with their tenure. And that is especially prevalent
with senior leaders because to develop senior leaders, generally they get moved around
organization. So you have senior leaders with access across a slew of business functions just because they've been
you know developed and grown through the organization and that's a high risk if that
identity was to be compromised. So there is entitlement accumulation where we don't want
to see it happen at times if employees move roles, but we do regular certification of entitlement,
and then we remove a lot of access every single time we go through those exercises.
What we've been doing is integrating our IDE platform
or other tools that manage identity with the system of records for HR.
So as a role or anything is changed in our HRIS systems,
there are automated workflows that trigger entitlement review
or change of entitlement in a suite of systems.
Not the entirety of our organization,
but there's a lot of automation to help us not have hands-on keyboard.
Okay, so interesting stuff for sure from Susie.
You know, one of the things that strikes me here, Rick,
is that all this stuff that we've been talking about with identity management,
how does that interact, how does that cross over with zero trust?
Is that something that you and the hash table talked about?
We did talk about that.
And what's interesting is that those two concepts
in our network defender space really evolved in parallel.
You know, if our listeners listened
to the last week's episode,
I kind of went through a history of identity management.
And we really had the tools came into focus
where we were using them sometimes in the early 2000s,
but they were stable by 2014.
Now, the idea of zero trust,
they were kind of bopping around in the early 2000s too,
but really didn't get formalized
until John Kindervag wrote the white paper in 2010.
But today, even today, all right,
most people struggle with their zero trust program.
So it wasn't like we said we needed zero trust, so we needed identity management. That's not what happened.
In the early days, we used identity management as an HR tool, you know, to track employees as
they moved around the organization. It wasn't here lately that we realized that identity management
is essential to do zero trust. So, but all of us are struggling to get there because they weren't
built together in the first place.
Now we're trying to kind of scoot them together.
Yeah.
All right.
Well, do check it out.
It's CSO Perspectives.
It is part of CyberWire Pro.
You can find out all about that on our website, thecyberwire.com.
Rick Howard, thanks for joining us.
Thank you.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and
Homeland Security.
Also my co-host over on the Caveat podcast. Ben, always great to check in with you.
Good to be with you, Dave.
Interesting story from the Washington Post. This is written by Devlin Barrett.
It's titled, Barr Tightens Rules on Surveillance of Political Candidates and Advisors.
Some news here from Bill Barr, our attorney general.
What's going on here, Ben?
So this goes back to the Carter Page scandal
or the so-called Russiagate scandal
emanating out of the 2016 election.
In that election, the FBI made an application
to the Foreign Intelligence Surveillance Court
to track some of the communications of Carter Page,
who had been an advisor to the Donald Trump presidential campaign. When the FISA warrant
was granted, he was no longer on that campaign. But obviously, this raised concerns about using
the FISA process to initiate political investigations against presidential campaigns.
This controversy grew, particularly when we learned that part of those applications were
falsified. They didn't dot their I's and cross their T's. There was a lot of missing information
and missing context. So what Attorney General Barr is trying to do here is to make sure that that does not happen again.
In order for there to be an investigation of a presidential campaign or any advisors formal or informal to that campaign,
officials have to consider warning that person that foreign governments may be targeting them.
If the federal government does not do that, the FBI director has to spell
out in writing the reasons for not doing so. So these are new checks on the FBI's ability to
initiate these investigations without informing those campaigns. So the way, at least this
theoretically would have worked in 2016, is the FBI would have had to have gone to the Trump campaign
and said,
hey, we have a little bit of information on one of your advisors, Carter Page. He might have connections to the Russian government. We wanted to give you a heads up. Why don't you tell us
about it? Give us an explanation. We don't want to start a political investigation if this is
not merited, if this is based on false information. So this goes into effect immediately. It is going
to be in effect for the 2020 presidential campaign. And I think, at least in the view
of Attorney General Barr, will stop the FBI from pursuing surveillance efforts if it doesn't have
all of its ducks in a row. So what's your take on this? Will this make a difference? How much of this is good faith,
practical stuff? How much of it is rhetoric and political theater? Some of it certainly is
political theater. I mean, for one, Carter Page had left the Donald Trump campaign by the time
the FBI obtained the warrant. So this memo, it's not clear whether this memo would have actually,
or the rules put
in place here by Attorney General Barr would have stopped that surveillance. Because at that point,
Carter Page was a private citizen. It's also unclear, based on these new regulations,
who is potentially defined as an informal advisor to a political candidate. Political candidates
have probably hundreds of informal advisors,
hundreds if not thousands. So is it somebody who's had a discreet communication with that campaign?
You know, if, for example, former Vice President Joe Biden called up, you know, President Obama for an informal conversation on campaign advice, would that make, under this new policy,
President Obama an official informal advisor to the campaign and therefore not eligible for the type of surveillance practices that took place in 2016?
So I don't think this has been a perfectly considered new set of regulations.
I generally think it's important to avoid either actual political investigations during a presidential
campaign or even the appearance of political investigations. I will note, you know, that
nothing about the investigation to the Trump campaign had actually been released when people
were voting in 2016. That's certainly in contrast to the information that was released about the
investigation into former Secretary of State Hillary Clinton's email servers.
But, you know, I think this is a valid effort to try and stop our law enforcement agencies from being overzealous
and for starting political investigations during, well, we're supposed to be engaged in a small d democratic process.
All right. Yeah. Interesting development as we certainly wade deep into election season here,
right, Ben? Absolutely. Yeah. Something that we'll follow going forward.
Yeah. All right. Well, Ben Yelin, thanks for joining us. Thank you. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
Save you time, keep you informed,
and it's too cool for school.
Listen for us on your Alexa smart speaker, too.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment called Security, ha!
I join Jason and Brian on their show
for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed,
and check out the Recorded Future podcast,
which I also host.
The subject there is threat intelligence,
and every week we talk to interesting people
about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.