CyberWire Daily - Sandworm in Google Play. Internet sovereignty. Bogus accounts on LinkedIn. Pupil becomes teacher. Six-year sentence for DDoS. Big bug bounty at Google. Ransomware updates. Pegasus inquest.

Episode Date: November 22, 2019

Google researchers provide a Sandworm update. Internet sovereignty considered: an aid to law enforcement or a means of social control. LinkedIn reports on the 21-million bogus accounts it closed over the past year. Teacher becomes pupil as marketing learns from information operators. Ohio man gets six years in Akron DDoS case. Ransomware case updates. A Parliamentary inquiry in India will look into the deployment of Pegasus against WhatsApp users. Craig Williams from Cisco Talos on the Panda cryptominer. Guest is Keenan Skelly from Circadence on getting the younger generation excited about cyber. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/November/CyberWire_2019_11_22.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Google researchers provide a Sandworm update. Internet sovereignty is considered: an aid to law enforcement or a means of social control. LinkedIn reports on the 21 million bogus accounts it closed over the past year.
Starting point is 00:02:09 Teacher becomes pupil as marketing learns from information operators. An Ohio man gets six years in an Akron DDoS case. Ransomware case updates. A parliamentary inquiry in India will look into the deployment of Pegasus against WhatsApp users. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 22, 2019. Google security researchers revealed that the Russian threat actor Sandworm uploaded malicious apps to the Google Play Store in an attempt to infect Android devices with malware, Wired reports.
Starting point is 00:02:50 Google discovered malicious versions of legitimate Korean language apps in the Play Store in December of 2017, which were apparently part of Russia's efforts to disrupt the 2018 Winter Olympics. That discovery led the researchers to another malicious app that had been in the Play Store for two months, this one targeting Ukrainians. Sandworm also launched phishing attacks against Ukrainian Android application developers in an attempt to compromise their apps. The Sandworm team is probably best known for its deployment of BlackEnergy malware
Starting point is 00:03:21 against sections of the Ukrainian power grid in 2015. If you're like us and you prefer that threat actors' names be more ursine than vermiform, call them Voodoo Bear. It's the same fine crew. Probably. As the UN continues its protracted deliberation over the Internet sovereignty measures advanced by Russia and some like-minded states, Decipher points out that Internet sovereignty will actually do little to suppress cybercrime. But of course, online gangbusting isn't really the point, and you don't have to be Eliot Ness
Starting point is 00:03:56 to figure that one out. What's of interest to the authors of the proposed international regime seems pretty clearly to be social control, not crooks spreading ransomware or engaging in carding. To see a sovereign internet in action, read Wired's account of how sovereignty is being realized in Iran. As it happens, Tehran was not one of Russia's co-sponsors, but this week it clamped down hard on internet access as it seeks to tamp out domestic unrest that flared up over economic issues. The immediate flashpoint was an increase in gas prices, but this has simply accelerated some long-guttering discontent.
Starting point is 00:04:33 As Wired points out, Iranian-American families are among those feeling the effects of Tehran's controls. It's proving difficult to the point of impossibility for them to reach and check in with relatives back in Iran. LinkedIn's first moderation report, issued yesterday, says that the business-focused social network booted some 21 million fake accounts over the past year, and the Telegraph wonders if the sock puppets, catfish, and people with non-existent job offers at companies no one's ever heard of were the work of spies.
Starting point is 00:05:06 If many or most of those accounts weren't, then all we have to say is the world's intelligence services have really been asleep at the switch. So, if information operations are really marketing in battle dress, what happens when a commercial entity decides it looks good in camouflage? State-style information operations can find, and now have found, their way into clickbait commercial marketing, as a Nisos inquiry into a U.S. news startup and its employment of writers based in Macedonia suggests. Far left or far right, as long as concocted inflammatory news stories drive traffic,
Starting point is 00:05:43 it seems to be a win, the New York Times reports. The company involved is LaCorte Media, which aspires, its co-founder Ken LaCorte says, to find middle ground and restore faith in media. Such aspirations are in tension with the profit that can be realized from clickbait. As Mr. LaCorte told the New York Times, quote, I wanted to try to find middle ground. Unfortunately, the thing that works best right now are hyperactive politics.
Starting point is 00:06:11 On one hand, that's at odds with what I want to do, but you can be more successful by playing the edgy clickbait game. End quote. The New York Times observes that the spreading of politically divisive content or even blatant disinformation and conspiracy theories by Americans is protected free speech. The Macedonians who crank out the clickbait would appear to be hired guns.
Starting point is 00:06:34 There's some evidence they were also contractors for Russian disinformation operators during the run-up to the U.S. 2016 elections. A 33-year-old man from Ohio, James Robinson, was sentenced to six years in prison for launching DDoS attacks against the websites of the city of Akron, Ohio, and the Akron Police Department, according to ZDNet. Mr. Robinson, who claimed membership in Anonymous, said he launched the attacks because he held a grudge against Akron's police force. Google will pay a $1 million bug bounty to anyone who can fully compromise the Titan M chip used in
Starting point is 00:07:13 Pixel devices, Ars Technica says. Additionally, the company is offering $500,000 for an exploit that allows data exfiltration from a Pixel device. Following up on two high-profile ransomware attacks, we see that the BBC reports that Rouen University Hospital Charles Nicolle has refused to pay the ransom and that the hospital has reverted to manual backups. We hope they succeed in keeping their patients safe. The other attack is the ransomware infestation Louisiana suffered earlier this week. The strain of ransomware involved has been identified as Ryuk. The state continues its recovery, and the National Guard has been playing a role in that response.
Starting point is 00:07:54 This will probably be the emerging model of state cyber response plans. In India, the Parliamentary Standing Committee on Information Technology has opened an inquiry into the affair of the Pegasus infestation found in WhatsApp, the Business Standard reports. At issue is whether elements within India's government deployed the spyware against journalists, activists, and other potential domestic political malcontents. Meanwhile, India Today reporters, with real gusto and shim-sharabim, tracked down some NSO Group reps who were going about their business in Paris.
Starting point is 00:08:29 NSO's people, the outlet said, were not particularly forthcoming on camera, which is really no surprise. What is surprising is the way India Today somehow makes it seem that a trip to Paris represents some kind of hardship. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:08:59 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:09:27 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies, like Atlassian and Quora, have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:09:43 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:10:50 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. aren't dead yet, documenting the voracious but simple Panda. Take us through. What are you guys tracking here? Well, basically, Panda is the name we're giving the actor behind this particular campaign. Now, like a lot of actors we've seen over the last, I don't know, let's call it 18 months, this one's decided that the way that they're going to monetize their malicious behavior is through crypto mining. Now, you know, some people may not be super familiar with crypto mining if they've lived under a rock for the last year. So in the event you've escaped from a cave or some sort of government facility, the reason malware authors turn towards crypto mining is because unlike
Starting point is 00:12:02 ransomware or other profitable means, it's relatively easy to get away with, right? Most people are never going to know if a crypto miner has been installed in their network, right? And because there's no damages, law enforcement is not going to put it anywhere near the top of their priority list. I mean, if you think about it, right, what's the actual damage caused to most networks from crypto mining? Well, it's going to be processor usage, some, I guess you could argue, power consumption. Right. So from an adversary's perspective, crypto mining, basically significantly less risk, no damages, so not really furious victims coming after you. And it's going to be a slow, steady and consistent payout. And because no one knows that they're infected, well, it's going to keep paying out for the foreseeable future.
Starting point is 00:12:59 What are some of the specifics of Panda? What's unique about it? Well, you know, there's not a ton that's unique here. It's another crypto mining malware that basically looks for crypto mining malware so that it can be the only one, which I, of course, always enjoy the bad guys when they close the door after them and kick everybody out. The opsec around Panda is not amazing. You know, similar TTPs throughout their campaign. And some of the infrastructure was even reused. But it's important to realize that even though this seems, you know, relatively low, sophistication-wise and benign, it is using relatively sophisticated means to spread,
Starting point is 00:13:39 right? It's using Mimikatz and things like that. And so it kind of goes back to some of the good old-fashioned ways to secure your Windows systems. Don't have SMB1 exposed, right? If you don't need it, don't have it on. Definitely don't have it exposed to the internet. And make sure that you're patching, right?
Starting point is 00:13:57 I mean, a lot of the issues that it's taking advantage of, you really shouldn't be vulnerable anymore, particularly with modern defensive software. Now, the fact that you all have named this Panda, is that a little tip of the hat to where you might think it'd be originating? We would never do that. That's so silly. I see. Of course. Right. How silly of me to even suggest it. Let's move on then. What sort of prevention methods should folks have beyond the basics that you just outlined? I mean, is this an easy one to detect or how stealthy is it? Well, you know, in the past we saw this use open source frameworks that were really popular in China of all places. And so it's that kind of software. It's Windows. Basically, if there are
Starting point is 00:14:48 known vulnerabilities and public exploits, it's potentially going to be a vector. Combine that with traditional brute forcing through things like Mimikatz, and it becomes very effective. And so I would make sure that people look at what boxes are talking to what, right? You know, potentially one of your boxes shouldn't be logging into all the others as administrator. Hopefully you have NetFlow or some other tool to look at. And make sure you turn on automatic patching, even in your open source software, if it's available. All right. Well, the blog post is titled, Cryptocurrency Miners Aren't Dead Yet: Documenting the Voracious but Simple Panda.
Starting point is 00:15:26 Craig Williams, thanks for joining us. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep
Starting point is 00:16:06 your company safe and compliant. My guest today is Keenan Skelly. She's Vice President of Global Partnerships at Circadence. Earlier in her career, Keenan Skelly served in the U.S. Army as an explosive ordnance disposal technician and went on to work for the Department of Homeland Security, where she served as chief for comprehensive reviews in the Office for Infrastructure Protection. Our conversation centered on the need to get a broad range of young people excited about potential careers in cybersecurity. It's not just about getting kids interested in tech. There are social and cultural issues at play as well.
Starting point is 00:16:51 I actually had a young CyberPatriot student not too long ago who was absolutely phenomenal. She could code in 16 languages and she was so smart. And when it came time for her to pick what her major was going to be, she said, well, I think I'm going to be a doctor. And I was like, why? Why would you want to do that? You're so good at this and you obviously love it. You've been in all of the clubs for, you know, four or five years.
Starting point is 00:17:17 And her response was actually, I just don't see myself as a black hoodie kind of girl. Wow. And that was really eye-opening for me about how we are doing as, you know, a cybersecurity industry, really reaching out to those more diverse groups and helping them realize that cybersecurity is everything. It's everywhere. There's so many jobs that take cybersecurity into play. And coding is one of those things that is going to help you no matter what career you have. So tech has sort of been something that young men or young boys seem to get involved in much earlier than young girls do. Now, over the last decade or so, as the community has been making a concerted push to try to identify how we can meet the cyber skills gap that we have right now, which
Starting point is 00:18:05 is 3.5 million in the next five years. That's a really big number. So when we start thinking about how to get at that number, it's really important that we look outside the sort of standard demographic and try to really get more diverse and inclusive hiring practices in place, programs in place for young diverse students who are interested in cybersecurity and interested in moving forward. And one of the challenges that we've actually faced is young women in particular are very excited about STEM. They're very excited about coding. And in my personal experience, they tend to do things like Girls Who Code,
Starting point is 00:18:43 do things like CyberPatriot or these other programs where they can really get into the process. But then when it comes time to make decisions about where they want to go in a career, a lot of times they just don't see themselves in this career. And one of my biggest pet peeves is the fact that we as an industry have not been very good about marketing to those folks. We always tend to put up that black hoodie guy who's with his Mountain Dew and working through a problem. We have some work to do still. Yeah, clearly.
Starting point is 00:19:15 Well, from a practical point of view, I mean, how do you propose that we do a better job of getting that message out there and being welcoming? So I think part of it is providing really good mentors and really good accessible people who are doing cybersecurity as a part of their everyday job, but don't necessarily fit into that title that people are looking at. Like they don't have a hacker title, right? But they might be the chief marketing officer at a very large company who uses cyber skills and coding and really pushes cybersecurity within their firm, those types of things. Or having the CISOs and the CIOs come out and talk to young people and really get them interested in all of the different facets of what cyber and cybersecurity means
Starting point is 00:20:03 today. If we just look at healthcare, for example, there's a lot of cybersecurity initiatives going on in healthcare right now. And it's really fascinating to me to see all of the jobs that are kind of coming out of that specific sector that are very focused on cyber, but not jobs that you would think. So you could be a doctor and have a lot of coding experience and security experience, helping your organization protect the data of your patients in a much more fun way and a much more sort of realistic way. So do you suppose that part of this is for those folks who are already in the industry to get out there and be ambassadors to that sort of message?
Starting point is 00:20:44 100%. I find that it's not always easy if you're trying to break into the field. It's not really easy to find somebody who necessarily fits the idea of cyber that you're trying to get into. So having mentor groups, I think, is a huge thing. I'm a big fan of Women's Society of Cyberjutsu, who really brings together local communities of women who are interested in cyber and kind of helps them identify who that right mentor, who that right person might be for them.
Starting point is 00:21:14 I think that's something that really has to be done by a lot more people. see some organizations, you know, some big tech companies really driving this initiative forward a lot more and putting out some of their greatest assets in terms of cybersecurity folks and really allowing them to be a little bit more active in the mentoring side. And Circadence, you have a new gaming platform. Can you describe to us what's going on with that? Previously, we had been focused on one of our products, which is Project Ares, which is great for bringing somebody in who's maybe new to cybersecurity, sort of intern, or somebody who's interested in learning the basics and moving forward. But one of the things that we started thinking about was, you know, that security awareness piece really is the first step. If you're looking at a, let's say, a global enterprise organization, they're probably doing something with PhishMe or KnowBe4 to really get at that general cybersecurity awareness. And that's really, those things are working very well
Starting point is 00:22:19 for phishing attacks right now. But what we kind of looked at is what about all of the other things that are out there that people need to be aware of, like ransomware or, you know, connecting to the Wi-Fi at your local coffee shop or things like that. But we wanted to present it in a way that it could also help identify maybe cybersecurity talent that's kind of latent right now. So we really wanted them to understand advanced concepts like the cyber kill chain and what it takes for a hacker to get your data and really use that to some benefit. So we created a game called Insight, which is just super fun, first of all. It can be played on a mobile device. It can be played on a desktop application. And what it does is it gives you a set of your own hackables that you have to protect and defend against other hackers.
Starting point is 00:23:27 your data and then use that in a nefarious way by weaponizing it and then really creating an event that's meant to install malware on your device or install some other nefarious means. But all of this in a very fun, kind of lighthearted way. Gamification is a huge, huge win for something like cybersecurity games, something like this. And I kind of always akin it to Angry Birds, right? Most people I know have Angry Birds on their phone. And it teaches you physics, but it teaches you those types of things in a very abstract way that you don't even understand that you're learning. So if you're thinking about Insight, for example, we're teaching you very complex ideas about how hackers are trying to get to you personally, how they're trying to get to you at an enterprise level in your job, you know, all of these things that you should be looking
Starting point is 00:24:17 out for every day to really protect yourself and your organization against some of these ideas. You have cool things within the platform, like you can earn cryptocurrency, that you can upgrade your defenses and upgrade sort of the things that you want to be able to do in the game. But every single section of the game, as you start to learn more and more types of sort of events within the cyber kill chain, you also get teaching moments regularly. And the more teaching moments that you take out of this, the more points you can earn or more, you know, sort of cryptocurrency you can earn. And with those things, you can continue to upgrade
Starting point is 00:24:56 and really, you know, protect what you have. In this case, what we're really looking to do is provide them with an area of expertise that is so fluid and easy to use that they continue to grow throughout the process. Now, on the back end of that, with the metrics that we collect, we're able to identify by individual or organization kind of how their learning curve is progressing. So you may have had someone in the accounting department start out with very low-level skills. Maybe they keep getting hacked in the game, but they're not really using currency. They're not really upgrading. They're not really doing other things. That's an easy teachable moment to go back
Starting point is 00:25:37 and say, actually, did you know you could do this? And this will kind of change your outlook. Or as they're continuing to move through on the opposite side of the spectrum, what we often find are sort of cyber gems within an organization who actually have a remarkable proclivity for cybersecurity and then can then be transitioned into sort of the next step of the training or learning pathway where they get to get more access to more technical information and see if they're a fit for cybersecurity. So this has been really good with some larger organizations who are interested in taking people they already have and upskilling them or cross-skilling them to do cybersecurity activities as well. So you can really find those folks who you may not have
Starting point is 00:26:20 otherwise known had a skill for this sort of thing within your organization. Absolutely. It's like The Last Starfighter. It kind of is. It kind of is, yes. But cooler. But pretty cooler. Oh, I don't know, Keenan.
Starting point is 00:26:35 The Last Starfighter is pretty cool. It was. It was pretty cool. That's Keenan Skelly from Circadence. For professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Thank you. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
Starting point is 00:28:03 That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
