CyberWire Daily - Regin in Yandex? Golang is out and busy. So is the ShadowGate crew. The ICO wants an explanation from the Metropolitan Police. Trackers in news sites. Phishing those who seek “Verification.”

Episode Date: June 28, 2019

Yandex says it was hacked with Regin spyware. The Golang cryptominer is spreading, again. And the ShadowGate ransomware crew is newly active with a dangerous drive-by. Three data exposures are reported. London's Metropolitan Police are in trouble with the Information Commissioner's Office. A look at tracker behavior. The Verified Badge as a phishing lure. And congratulations to a Loeb Award winner. Michael Sechrist from BAH on deep fakes and data integrity. Deloitte's new head of cyber Deborah Golden shares her leadership philosophy. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_28.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Yandex says it was hacked with Regin spyware. The Golang crypto miner is spreading again. And the ShadowGate ransomware crew is newly active with a dangerous drive-by. Three data exposures are reported.
Starting point is 00:02:09 London's Metropolitan Police are in trouble with the Information Commissioner's office. A look at tracker behavior. The verified badge as a phishing lure. My conversation with the new head of Deloitte Cyber, Deborah Golden. And congratulations to a Loeb Award winner. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 28, 2019. Russian online services giant Yandex,
Starting point is 00:02:41 the Russian Google, says it detected and remediated a Regin spyware infestation late in 2018, Reuters reports in an exclusive. Regin, a tool named after the dwarf smith of Norse mythology, has been publicly associated by Edward Snowden with the Five Eyes. In this case, the malware appears to have been active in October and November of last year. Yandex says its security teams detected the infection and contained it quickly. A company spokesman told Reuters, quote, It was fully neutralized before any damage was done, end quote.
Starting point is 00:03:17 Although one wonders how they could be so certain of this. Kaspersky was called in to help with the remediation, and the security company said that the infection's goal was espionage and that its immediate targets were developers. Kaspersky and the U.S. government both declined to comment when contacted by Reuters. The Russian government did comment, saying that they hadn't heard about anything like this going on at Yandex, but that they're not surprised because, as they put it,
Starting point is 00:03:44 Russian companies are attacked every day, and a lot of those attacks come from the West. Regin tends to get pretty good reviews as a technical piece of work. Symantec's Vikram Thakur told Reuters that, quote, Regin is the crown jewel of attack frameworks used for espionage. Its architecture, complexity, and capability sits in a ballpark of its own. Trend Micro is tracking a campaign using a spreader to scan for vulnerable machines it can infect with the Golang coin miner. The scanning is interesting, as are some of Golang's more assertive features. It scans and mines, to be sure, but according to Trend Micro's researchers, it also disables security
Starting point is 00:04:25 tools, clears logs and histories, and also finds and kills any competing crypto mining activities that may have been present on the victim machine. The ShadowGate ransomware gang, also being tracked by Trend Micro, is back with what Ars Technica calls the worst drive-by attacks in recent memory. The campaign, which uses compromised websites as its infection vector, employs the GreenFlash Sundown exploit kit. It actually accomplishes three things. It installs Seon ransomware, a dangerous strain,
Starting point is 00:05:02 Pony botnet malware, and a cryptojacker. The gang's activities had previously been confined largely to South Korea, but it's broken into the European and North American markets in a big way. The best protection is patching, because the usual route into a machine is through an old unpatched instance of Adobe Flash, and antivirus software usually detects the exploits and payloads. Several data exposures have come to light late this week. Krebs on Security writes that PCM, the California-based cloud solutions provider, was compromised in May by attackers who stole administrative credentials PCM used to manage clients' Office 365 accounts.
Starting point is 00:05:41 The hackers' goal appears to have been obtaining information useful in gift card fraud. Researchers at security firm UpGuard discovered exposed AWS S3 buckets belonging to data management firm Attunity on May 13. They confirmed the exposure and notified Attunity on May 16. It's unknown which of Attunity's clients were affected, but UpGuard says it found data apparently belonging to Netflix, TD Bank, and Ford. The data have since been secured. Comparitech found and disclosed an exposed MongoDB database belonging to MedicareSupplement.com. The database appears to be a marketing leads tool, but it's said to have included some personal medical information as well. MedicareSupplement.com isn't an insurance company, but rather a firm that enables users to find such supplemental coverage as may be available to them. users includes personal information and a range of what Comparitech describes as marketing-related information. That would include lead duration, clicks, landing pages, and so forth.
Starting point is 00:06:51 Comparitech says that MedicareSupplement.com has apparently secured the database. They add that the New Jersey-based company has a good Better Business Bureau rating and that there's no sign it's experienced other data incidents. The UK's Information Commissioner's Office has imposed two enforcement orders on London's Metropolitan Police. At issue is the Metropolitan Police's failure to respond to Subject Access Requests, or SARs, in which people inquire about certain data the police might hold about them. This seems more a matter of backlog than deliberate resistance on the part of the Metropolitan Police. Under the applicable law, failure to respond to an SAR is a violation of data protection responsibilities,
Starting point is 00:07:35 not merely blowing off some citizen's random curiosity. A study by Firut looks at the hidden behaviors and concealed activities of third- and fourth-party tools and scripts on the user side of websites and web apps, with a view to coming to grips with the risks these present. What the study found was basically an expansive attack surface. News sites are especially rife with trackers. Most of the major news sites in North America, Germany, and the UK use ad trackers that automatically transfer data across borders, and they consistently send information about user behavior to Russia, among other places.
Starting point is 00:08:15 Vanity has a new name, and Vanity, thy name, is apparently Instagram. Sucuri researchers say that social engineers are using an application for the swanky and evidently highly coveted verified badge as phish bait while trolling for vain Instagrammers' credentials. The hoods have set up a plausible-looking application page, but the information they're soliciting should raise red flags of warning for the properly wary user. First, they ask you for your Instagram credentials, which no reputable and thinking service would do. And second, they ask you to confirm that you are in fact you
Starting point is 00:08:51 by asking for your email address and email service login password, which no reputable and thinking service would really and truly ever do. Why do they want your email? For lots of reasons of opportunity for fraud, but in particular because it will allow them to reset your Instagram credentials should they find themselves locked out of the account formerly known as yours. The information they ask for amounts to two big red flags. A smaller but still significant one is their domain name. It's instagramforbusiness.info, which, needless to say, ain't Instagram.
Starting point is 00:09:30 Why would you want that badge of authenticity? Well, do your friends have one? Probably not. Be the first one on your virtual block to get yourself badged, or alternatively, forswear worldly vanity and devote yourself to better things. No, we thought not. And finally, congratulations to Andy Greenberg, who won the Loeb Award yesterday for his reporting on NotPetya.
Starting point is 00:09:53 His piece in Wired last year, The Untold Story of NotPetya, the most devastating cyber attack in history, is well worth reading. Congratulations, and well done. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:10:18 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:10:46 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done
Starting point is 00:11:20 five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Thank you. Learn more at blackcloak.io. stories about deep fakes and the growing technology that's enabling that sort of thing. And I'm curious what you're seeing and what your team is tracking when it comes to this stuff. Yeah, thanks a lot for having me back. I mean, so one of the things that we're seeing is a little bit of how can attackers or those with a kind of strategic interest, you know, ice out truth.
Starting point is 00:13:06 And what I mean by that is, you know, we're seeing kind of the rise in the public space about who has access to the actual truth of the matter. This could be in the pro or anti vaccination debate, it could be in the fake news and real news debate, it can bleed over, obviously, to the deepfake world where we're talking about whether an image or a video is created and is purported to be from the actual organization or individual itself or not. It could be from also when we're talking about just whether the data that you might get back that you see in your environment is being tampered with. And we're seeing that potential with ransomware payments and what you get back and determining whether that is really your data as it existed before it left the environment. So all these things are kind of, you know, assaulting kind of previous notions or kind of challenging kind of the overall how we kind of arrive at ground truth. And one of the sort of functions that we see is
Starting point is 00:14:06 very important to countering this trend is to build an intelligence function within organizations. And necessarily doesn't have to just be around cyber threat intelligence, but one that kind of builds in a level of confidence and a surety in the data that you work with in your enterprise and how to have kind of a better trust that what you're arriving at is really your known ground truth. You know, like I said, this could be with, you know, data that resides even in a business application. How do you arrive at that without having some sort of baseline of what that known data or good sort of data looks like in your environment? So that's when I'm talking about your ground truth. That's what I mean is that there are sort of ways that, you know, arrive at a known good and a known bad in an organization.
Starting point is 00:15:00 And that really is a function of having, you know, a good level of confidence and integrity in the data itself. Yeah, and I imagine with things like deep fakes, when we're dealing with imagery, how much are we relying on a chain of custody of being able to track what changes have been made internally and perhaps externally with third parties, with partners along the way? So, you know, one of the things organizations have built is a certain repository with, you know, certain values or hash functions that are associated with certain files and data that you've kind of correlated to be the true or the authentic version of that data to some sort of high degree of confidence. Obviously, you know, nothing's perfect and there's no 100% assurity and security or in confidence level itself.
Starting point is 00:15:51 But you want to have kind of certain best practices and implementations built in that can arrive at a high degree of that confidence and high authentication of that data internally. And that is really, you know, working closely with a team that can validate this data and kind of how the mechanisms arrive at it being your data. All right. Well, it's certainly an interesting development and one to track. Michael Sechrist, thanks for joining us. Thank you so much. Thank you so much. worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:16:51 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker Golden. She's recently been named the head of Deloitte Cyber, an organization with over 4,200 employees here in the U.S. In an industry where only 5% of executive positions are held by women, she's a champion for diversity, but not just for diversity's sake. You know, I've been in the field in some capacity or another for about 25 plus years, always been intrigued by technology and computers. I grew up in a household where my father was heavily dedicated to the IT profession from his collegiate career all the way through to working for an organization for 35 years focused
Starting point is 00:17:46 in their CIO shop. And so grew up with trinkets in the house. And one of the things that my father always did was he never brought home a manual for how things worked. And I was always intrigued with how to put them together and how to make them work and how to think through the process of enabling them through technology or ultimately, you know, what you're trying to achieve and kind of traverse through my career. And so after I graduated, I have both an undergraduate and a master's degree. I actually came into Deloitte. I worked for another company for two years, but basically I've spent the predominance of my industrial career here at Deloitte. And one of the things that I think differentiates me and how I kind
Starting point is 00:18:24 of look at how my career has evolved, I've always looked at it from a business side. So what is the business trying to do? What are we trying to solve for? What is the outcome we're looking for? And how do we talk about these things in a business sense, while at the same time trying to solve for the cyber piece of it? And if you think back, you know, again, to my childhood, as I said, I was trying to solve for without having the manual. And so it makes complete sense to me when I think about how my journey has gotten me to where I am of really always wanting to solve for that problem and understand the complexities associated with it, while at the same time, trying to achieve and help clients ultimately achieve their mission or their goals without necessarily making it a
Starting point is 00:19:06 cyber front. Because I think cyber has historically been a technology issue. And so instead, and where we need to and continue to evolve to is having cyber really be built into the cornerstone of all business aspects and how we approach the world, how we approach our industry, how we approach our problems. Now, as you were making your way around the organization and taking on new challenges, was leadership something that was always front and center for you? No, actually, it wasn't. I'm a heads down, work hard kind of person. And, you know, my work ethic and work attitude and collaboration really is front and center for me. And so I always say, you know, I'm a partner's partner.
Starting point is 00:19:51 And I don't mean that by title or by action. I mean it by the sense of I'm here for everyone, right? I'm here to help better if it's a client, whatever my client's looking to achieve, if it's my team, if it's whether that's leading up or leading down, right? And so to be in the trenches and working and having everyone else's back, while at the same time, of course, you always aspire to do something different. I didn't set out to say, you know, this is going to be what I am tomorrow. I just said, I know we've got to work together and try and collaborate to get there. And I think over time, I have realized that obviously, if you want to continue to evolve yourself, leadership obviously becomes, you know, front and center to that. And I think one of the things that I pride myself on is not only am I an authentic leader, I really do try to be an inspirational
Starting point is 00:20:36 leader as well. So how do you create leaders amongst leaders is one of the things that over time has become really important to me as I've been put into a variety of different leadership positions. You know, as you look across the industry, looking at cybersecurity, there's the statistics that you see are that between, depending on who you ask, I've seen between 13 and 20 percent of folks in the field are women. Deloitte does much better than that. Around a third of the folks at Deloitte are female. First of all, what do you think is behind that? What do you have going on there at Deloitte that encourages that? And why is that important? I'm incredibly proud by the fact that we promote a diverse workforce and we're really deliberate about it. It's not something
Starting point is 00:21:23 that we look at as an afterthought. I myself, obviously, am incredibly deliberate and purposeful about creating and sustaining a diverse workforce. But it's not just me. It's the culture we've built. If you think about how Deloitte has evolved their initiatives associated with diversity, it's candidly been going on since the day I joined Deloitte. We've got a lot of time and energy, as you think about, as we should, all levels of the firm really looking to create that authentic workforce that is purposeful in its diversity. And I think that's very different than looking at and saying, we need to hit a statistic. We need to make sure we do better. We need to make sure that we have X number of Y types of people. You have to be passionate about wanting to do it. And you also have to be passionate about how do you retain these types of individuals. So it's not just about getting them in the door. It's about how do you actually retain people. And I think the retention programs, you know, we are a place that people want to be. Do you see that diversity as being a competitive advantage?
Starting point is 00:22:24 Do you see that diversity as being a competitive advantage? 100%. I'm also a firm believer that you need to have diversity of thought to solve problems. If you create everything in a linear manner where everyone's thinking the same way, I guess it's easier. I guess maybe you come to conclusions quicker because everybody agrees. And by the way, there's good things to have about healthy tension. And that doesn't mean that diversity is always causing tension. It means that diversity is always bringing different types of thought to solving problems. And it is absolutely a differentiator. And it's also something that helps me learn, right? Every one of us should always want to learn. I constantly am wanting to try and understand, like I said, how trinkets work.
Starting point is 00:23:03 And that includes people. And so when you think about how people think, when you think about what drives individuals, how we solve problems, the more diversity we can bring to solving some of our clients' most complex problems, we are going to get there in much more unique ways. What advice do you have for that youngster who is considering a career in cybersecurity, and maybe they're one of the underrepresented groups, a member of one of those groups. What words of wisdom do you have for them? You know, start early. As we all know, STEM programs are going more and more K through 12, and you've got so many different options so that when you think about, you know,
Starting point is 00:23:40 where are you in a cyber? It's not I want to be just cyber. It's, you've got individuals. I have kids or friends of mine who have children who come up to me and say, you know, my daughter, my son, my niece, nephew, whomever, they want to go build missiles and they want to go build rockets and they want to go be doctors. And when you talk to them a little bit more about that, then they're like, well, what happens if someone gets into the missile or what happens if someone gets into the application? And so they're already thinking about it. We know the younger generation, again, K through 12, they're on computers, they're on, you know, phones, they're on devices. The world that we live in is changing. We know we're going to have autonomous vehicles. We've got refrigerators that can order food for us. I think what we need to encourage people to do is, again, as they're doing, how do you think about the impact of those
Starting point is 00:24:30 things on your lives? And I think also the dynamic of the individuals are changing too. We know younger professionals, younger individuals are looking to put more and more data out there, right? There's more people, whether it's chat messages, whether it's photos. And so there's also a changing dynamic, which is interesting to me around privacy of data. And I think when you start talking about all these things, getting interested about those types of concepts at a very young age, so that when you come into the workforce, you're not thinking about it like privacy or security is some technology component. You're thinking about it, I want to go build a missile,
Starting point is 00:25:05 and it's going to be really important for me to make sure I understand cyber and privacy or data in order to do that, not just the components of how to actually build the missile. Cyber becomes that component equally as important as the materials to build that missile. That's Deborah Golden. She's the new head of Deloitte Cyber. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:26:00 Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:27:03 Learn more at ai.domo.com. That's ai.domo.com.
