CyberWire Daily - Shifting techniques in cybercrime. Miscreants take note: “the aperture” will henceforth be wider for US Cyber Command and offensive ops. What Radiohead did.

Episode Date: June 12, 2019

TA505 and FIN8 are both up to their old ways, with some new tricks in their criminal bag. A reminder about social engineering and Google Calendar. A new assertiveness is promised in US cyber operations, as the Administration “widens the aperture.” Updates on the security concerns that surround Huawei and ZTE. And Radiohead takes a different approach to online extortion--just render what they’re holding for ransom valueless. Craig Williams from Cisco Talos on JasperLoader. Guest is Lisa Sotto from Hunton Andrews Kurth LLP on the report Seeking Solutions: Aligning Data Breach Notification Rules Across Borders. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_12.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. TA505 and FIN8 are both up to their old ways with some new tricks in their criminal bag. A reminder about social engineering and Google Calendar. A new assertiveness is promised in U.S. cyber operations as the administration widens the aperture, updates on the security concerns that surround Huawei and ZTE, and Radiohead takes a different approach to online extortion.
Starting point is 00:02:19 Just render what they're holding for ransom valueless. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 12, 2019. We'll begin today with some news from gangland. According to Trend Micro, TA505, the criminal group best known for its association with credential-stealing financial malware Dridex, may be shifting tactics, but it remains recognizable. The possibility of misattribution can't yet be ruled out, but there's enough overlap between old and new campaigns to suggest evolution and not the emergence of a distinct gang.
Starting point is 00:03:03 Another criminal outfit, FIN8, is showing renewed activity. Researchers at security firm Morphisec say FIN8, which had been a bit quieter than usual, is back with a new version of the ShellTea backdoor. The gang is currently focused on targets in the hospitality industry. The U.S. signaled a new willingness to undertake offensive operations in cyberspace to counter hostile nation-state economic espionage. During annual meetings of the Wall Street Journal's CFO Network, National Security Advisor John Bolton alluded to the policy shift. He noted that much of the U.S. action in cyberspace had been devoted to dealing with and deterring election interference.
Starting point is 00:03:46 That's changing. We're now opening the aperture, he said, broadening the areas we're prepared to act in. That newly broadened aperture is, in particular, wide enough to encompass foreign industrial espionage. In general, it's an evolution of the American strategy to impose costs on adversaries. As Bolton pointed out, the U.S. has decided, quote, to say to Russia or anybody else that's engaged in cyber operations against us, you will pay a price. If we find that you're doing this, we will impose costs on you
Starting point is 00:04:18 until you get the point that it's not worth your while to use cyber against us, end quote. Thus, widening the aperture seems to be a decent metaphor. It's not a shift of direction, but rather a more active and assertive version of existing strategy. Up till now, the costs imposed for theft of IP have been a mix of naming and shaming, indictments and sanctions. Action in cyberspace proper has not figured prominently in the U.S. response to economically motivated espionage, although it has been used, most recently during the 2018 midterm elections against Russian troll farmers. The Washington Post did some quick consultation with various security industry figures and found that their general sentiment was cautiously in favor of the policy.
Starting point is 00:05:05 They acknowledge that U.S. cyber counteroffensives will probably generate blowback from the opposition, Russia and China for the most part, and that U.S. companies should be prepared. On the other hand, when you've named, shamed, sanctioned, and indicted, it does seem important to have an option that's tougher, but not so tough as, say, delivering a brace of Tomahawks or the vertical insertion of a Ranger regiment. Huawei told the UK's Parliament Monday that the company wasn't bound by Chinese laws requiring cooperation with Beijing's intelligence services. In fact, the company's representatives went so far as to deny that there were any such laws. Most observers think that this claim is disingenuous at best,
Starting point is 00:05:49 and that at the very least, the National Intelligence Law of 2017 enjoins exactly such cooperation, as do at least ten other related laws enacted over the past decade. And the government does tend to regard the law as the servant of the state and the state's policies, not a constraint upon them. U.S. Commerce Secretary Wilbur Ross reiterated the administration's view, shared by Congress, which has recently been in a pretty hawkish mood in this respect, that big Chinese firms like Huawei pose a security threat. Secretary Ross pointed out that both Huawei and ZTE have been problems. They've been treated differently, he said, because of the different nature of their offenses. ZTE was sanctioned last year in what amounted to a corporate near-death experience because, Secretary Ross explained, the company was in violation of court-ordered agreements to
Starting point is 00:06:41 respect sanctions on Iran and North Korea. The U.S. let ZTE off the hook after the company agreed to extensive controls on its behavior, including embedding a U.S. compliance team with ZTE. Huawei, the larger of the two companies, presents a more comprehensive threat to the global supply chain. Chinese retaliation for U.S. blacklisting of Huawei is widely expected as the Sino-American trade and security war escalates. Companies in both countries have apparently been thinking for some time about how they might weather this particular storm. Huawei, already feeling the pinch of sanctions in the form of lower sales and delayed product launches, has for several years been working on its own operating system.
Starting point is 00:07:24 In the U.S., Apple has been looking to its supply chain. One of its bigger suppliers, Foxconn, says it can shift its iPhone-related production out of China should Sino-American relations deteriorate to a point where continuing to supply Apple from Chinese plants became impossible. Let's suppose your organization suffers a data breach. Who are you obligated to notify? The answer varies from state to state, and then, of course, there's GDPR. The U.S. Chamber of Commerce recently partnered with law firm Hunton Andrews Kurth to publish a report titled Seeking Solutions, Aligning Data Breach Notification Rules Across Borders.
Starting point is 00:08:05 Lisa Sotto is partner and chair of the Global Privacy and Cybersecurity Practice at Hunton Andrews Kurth LLP. It's a little bit of a cacophony. So we have in the United States 54 data breach notification laws among the states and other jurisdictions. We have 50 state breach notification laws, plus Guam, U.S. Virgin Islands, Puerto Rico, and D.C. We have a couple of breach notification requirements at the federal level
Starting point is 00:08:30 that are sectoral. So in the healthcare space, in the financial services space, it is a fragmented approach at best and really quite messy. And then globally, we have one pan-European rule for data breach notification. That's in the General Data Protection Regulation that came into effect in 2018. The problem, of course, with this sort of global melange is that when a business or entity suffers a data breach, breaches are not confined by country. So it's very unusual to have a data breach that affects only people in New York or Arkansas or North Dakota or California. Instead, a data breach will impact people not only all over the country, but all over the world. So we have to, as counsel, interpret what could be 78 different
Starting point is 00:09:27 country regimes to figure out what the breach notification obligations are. From a practical point of view, I'm a company doing business over state lines and maybe around the world. How much of a burden is this? It's a huge burden. It requires significant expertise. It requires significant resources. So not only are you trying, when you suffer a data breach or a cybersecurity event, not only are you working to remediate the event to either kick the intruder out of your system if you have a live intruder or figure out what happened if it's a historical event and you've just discovered it. You don't know what the nature of the event is in many cases or what the scope of the impact is. We're setting in motion a fairly significant forensic investigation using third-party forensic investigation firms, and at the same time looking to do a legal analysis based on facts that are unclear.
Starting point is 00:10:24 There's a significant amount of work that goes into just figuring out what happened and then taking that information and trying to apply many, many different laws to the facts as we know them and as they keep evolving. Because when you're doing a forensic investigation, the facts tend to not be static. They'll change over the course of the investigation. It's a significant amount of work. One of the things that you're recommending in this report is the establishment of a framework that would handle data breach notification worldwide. It would be very helpful if there were a king of the world who could pose a single breach notification framework globally. That's not going to happen. So instead, you know,
Starting point is 00:11:07 what would be useful is for companies to pick up a set of best practice principles and embed those principles into their legal regimes so that there's a consistent framework globally. Because a single breach that might occur, for example, in Pennsylvania might impact people in 150 different countries with 150 different requirements and 150 different types of notifications going out to the affected individuals. And that's not good for consumers. That's not good for businesses. Resources get waylaid trying to manage this fragmented legal approach. Who's most likely to take the lead on something like this? If we were to see a global framework be proposed, who has the most traction to see something like this through? Unfortunately, there's no sort of international body that can
Starting point is 00:12:03 take this and run with it and impose this kind of framework. But what we can do is, with various jurisdictions, to embed these principles into their local laws so that there's more uniformity globally and less of this patchwork quilt approach globally. So I think it's really just a question of getting out there and starting to inculcate these types of best practices with various governments so that there is a possibility of more uniform adoption globally. That's Lisa Sotto from Hunton Andrews Kurth. The report is titled Seeking Solutions, Aligning Data Breach Notification Rules Across Borders. Yesterday was Patch Tuesday. Microsoft patched 88 vulnerabilities, 21 of them classified as crucial.
Starting point is 00:12:54 Four of the vulnerabilities fixed, BleepingComputer notes, seem to be the ones disclosed by SandboxEscaper. Adobe also patched, as expected, addressing issues in its Flash, ColdFusion, and Campaign products. And finally, here's one way of responding to online extortion. Make the asset being held for ransom worthless to the extortionist. That's what the band Radiohead did when some guy hacked a band member's files and gained access to unreleased recordings and alternative takes they made while working on their OK Computer album, released in 1997. The band decided not to pay the hood the $150,000 he demanded in exchange for a promise not to release the material. They went ahead and released it themselves.
Starting point is 00:13:38 It's not very good, the band said, but if you want it, you can now buy it all for cheap. Proceeds go to Radiohead's favorite charity, Extinction Rebellion. So, OK Computer. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was
Starting point is 00:14:12 meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires
Starting point is 00:15:06 done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Starting point is 00:16:07 Learn more at blackcloak.io. And joining me once again is Craig Williams. He's the director of Talos Outreach at Cisco. Craig, it's always great to have you back. You and your team have taken another look at an updated issue here with something called JasperLoader. First of all, give us a little of the history here, and then what's the new stuff you've discovered? You know, the way that malware is distributed,
Starting point is 00:16:36 or at least commodity malware, these days on the internet is often through a loader, and the loader can be something like JasperLoader or Smoke Loader, or, you know, any of the other ones that we blogged about. But in this particular case, we took a look at JasperLoader. But JasperLoader was basically the loader that was taking advantage of this newly required invoicing system in Italy and a couple other countries around the world. And so for those of you who don't remember this interesting scenario, there was a law passed in Europe basically stating that if a business is invoicing a person, they have to use this online invoicing system, right? I mean, doesn't that sound like a great idea? Why not? It makes things easier for some people, I suppose. Yeah. Why not provide a seemingly trusted source for PDFs and other
Starting point is 00:17:25 types of documents that definitely couldn't be malware? And so you can see where this was going. You know, in our first blog, we talked about how people are abusing it, how even though it's got some security properties on the messages, it's really not secure and it's being abused in a pretty significant way. But the actual malware itself was not super evasive. It was a little obfuscated, but nothing super fancy, nothing that really raised our eyebrows and made us go, whoa. And then I guess our blog post went out and our podcast went out, and they decided to, you know, do some flexing.
Starting point is 00:17:59 And so I said, oh, yeah, watch this. Yes. So the new version is quite a bit more evasive. You know, we go over all the details in the blog post. It's got some significant obfuscation added. It's got some interesting functionality changes. You know, they even added just layers of obfuscation just to try and make automated analysis more difficult. You know, there's a couple of different ways you can look at a malware sample. And depending on the way that you pursue investigating that malware sample, certain types of obfuscation are more effective
Starting point is 00:18:28 than others. You know, for example, if you're looking at, you know, a piece of malware, like say, you know, looking at PowerShell obfuscated, it's kind of hard, right? You might have to write something to simplify it, right? But on the other hand, if you're willing just to fire up a sandbox and just run the obfuscated shell, then you can get a report out pretty quickly. You don't really have to spend a lot of time obfuscating it. And as long as your, you know, your sandbox is set up properly, you've got a report on what it does with minimal effort. And so this is one of those, you know, like time-honored complexity problems, how can the attacker make this as difficult
Starting point is 00:19:05 to sort through as possible, but at the same time, really not waste a lot of extra time that's easily bypassed? And so we see a lot of really clever things. And so it's amazing to me that even years into this, I've been doing this for 15 years, we're still seeing kind of the same tricks being applied in new scenarios, right? You know, breaking the malware apart in different stages, for example, just obfuscating simple shell scripts and using the scripts to inject basically garbage. So when you look at it, it's hard to visually identify what they're doing. And it's interesting to me that we just still continue to see this and it still continues to be effective despite the fact that, you know, sophisticated researchers should have the tools able to defeat this relatively
Starting point is 00:19:49 easily. Is it that it's so much of a numbers game that, you know, they may not have to be able to get by the sophisticated researchers if enough of it's getting by those who might not be so sophisticated? And that might absolutely be it, right? You know, you've got to realize that, you know, it's like the ransomware problem, right? You know, I love it when I'm out of the conference or something and somebody is talking about how their network was super secure and then all of a sudden they had ransomware on it, right? And every time I hear that, I'm just like,
Starting point is 00:20:21 oh, so you mean you didn't notice you were owned? You know, like that's the one thing that ransomware does is it makes it obvious that you've been compromised. Otherwise, these, you know, victims can be compromised for months, if not years, and simply never notice it. You may lose access to all your files, but you now have an idea when the compromise ended effectively, or when your data leak potentially ended. You know, you have to go looking for something. Exactly. How to get in.
Starting point is 00:20:49 Yeah. Yeah. Interesting. All right. Well, as always, it's an interesting blog post on JasperLoader. Craig Williams, thanks for joining us. Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the CyberWire.
Starting point is 00:21:57 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you
Starting point is 00:22:36 back here tomorrow. Thank you. hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
