CyberWire Daily - Social engineering at Twitter. Phishing kits and hackers for hire. Cyberespionage. The EU sanctions actors for Cloudhopper, WannaCry, and NotPetya. And security advice from NSA and NIST.
Episode Date: July 31, 2020. An update on social engineering at Twitter. A quick look at the phishing kit criminal market. The European Union sanctions individuals and organizations in Russia, China, and North Korea for involvement in notorious hacking campaigns. North Korea's North Star campaign is back and dangling bogus job offers in front of its marks. Deceptikons snoop into European law firms. Zully Ramzan from RSA on Digital Contact Tracing. Our guest is Tom Kellermann from VMware Carbon Black on top financial CISOs analyzing the 2020 attack landscape. And both NSA and NIST have some advice on shoring up your security. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/148 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
An update on social engineering on Twitter.
A quick look at the phishing kit criminal market.
The European Union sanctions individuals and organizations
in Russia, China, and North Korea
for involvement in notorious hacking campaigns.
North Korea's North Star campaign is back
and dangling bogus job offers in front of its marks.
Deceptikons snoop into European law firms.
Zully Ramzan from RSA on digital contact tracing.
Our guest is Tom Kellermann from VMware Carbon Black on top financial CISOs analyzing the 2020 attack landscape.
And both NSA and NIST have some advice on shoring up your security.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 31st, 2020.
According to Twitter, the social engineering that enabled attackers to compromise high-profile accounts to run a Bitcoin scam was accomplished through a phone spear phishing attack.
It's unclear exactly what that means, but Graham Cluley speculates that it involved impersonating a Twitter help desk,
possibly with a combination of SMS phishing, with a request to call a scam help site.
By Twitter's account, the social engineering that gave the hackers access to Twitter's internal support tools proceeded in at least two phases.
Twitter says that not all of the employees that were initially targeted had permissions to use account management tools, but the credentials the social engineers obtained from those personnel enabled the
attackers to sift through parts of Twitter's internal systems to collect information about
the company's processes. Then they used what they learned to find and target other employees who had
the access the attackers were after. Once they'd obtained credentials belonging to users with more extensive privileges,
the attackers were able to use them to access account support tools.
And from that point, they were able to run their lowbrow altcoin advance fee scam,
forsaking the deceptive ingenuity they'd employed in all those voice spear phishing attacks.
Twitter says it's increasing security.
As Ars Technica points out, Twitter has been criticized for the large number of people who
had access to its account support tools and for inadequate controls in place to prevent the sort
of abuse that ultimately compromised them. Twitter has represented its security improvements as
assigning a higher priority to security and in pushing forward pre-existing security work streams and improvements to our tools.
With regret, the company says customers may expect less responsive service
while it sorts out its procedures.
ZeroFox, the Baltimore-based firm known for social media security
and also for having the best-known and most active mascot in the security industry has published a guide to the current state of phishing kits.
Phishing kits involve the establishment of convincing malicious sites to which phishing victims can be directed and subsequently fleeced.
They also include letters that can be used in phishing expeditions, and they often come with a dashboard that the crooks can use to control their scams.
The researchers set the phishing kit industry,
for industry it is,
in the context of the criminal market.
They divide the participants in the market
into two classes, developers and operators.
The developers are the ones who make, market,
and support the phishing kits.
The operators are the developers'
criminal customers. The most popular sectors for which phishing kits are developed include
software-as-a-service companies, webmail providers, financial institutions, and payment-handling
firms. The European Union has issued its first sanctions against hackers, singling out individuals and institutions
in Russia, China, and North Korea. The news from Brussels is that six individuals and three groups
in total were sanctioned. The individuals under sanction are two Chinese nationals,
both for their involvement in Stone Panda's Operation Cloudhopper industrial espionage action, and four Russian nationals,
all GRU operators, fingered for intruding into the Wi-Fi network of the Hague-based
Organization for the Prohibition of Chemical Weapons.
The organizations named in dispatches are the Tianjin Huaying Haitai Science and Technology
Development Company Limited, named for its role in providing financial, technical, or material support
for Operation Cloudhopper and for facilitating its activities.
Chosun Expo, a North Korean outfit that supported the Lazarus Group
and specifically in its conduct of the WannaCry attacks.
And finally, the Main Center for Special Technologies
of the Main Directorate of the
General Staff of the Armed Forces of the Russian Federation, that is, a major GRU unit that's
specifically cited for its role in the destructive NotPetya pseudo-ransomware campaign, as well as
for such Voodoo Bear or Sandworm operations as the attacks against the Ukrainian power grid. Josep Borrell, the EU's foreign policy head, explained to the AP that the effect of the sanctions would be, quote, a travel ban, an asset
freeze to natural persons, and an asset freeze to entities or bodies. It is also prohibited to
directly or indirectly make funds available to listed individuals and entities or bodies, end quote.
The three campaigns the EU cites, Cloudhopper, WannaCry, and NotPetya, are all familiar and unusually destructive espionage efforts. It's also interesting to see the attempt against the
Organization for the Prohibition of Chemical Weapons, the OPCW, listed among the offenses
charged to the four named GRU operators. These men were
apprehended in the Netherlands in April 2018 and shortly thereafter expelled from the country.
It's believed that their hacking attempt was part of an effort to disrupt the OPCW's investigation
of a GRU attempt to assassinate a Russian defector in Salisbury, England, using Novichok nerve agent.
McAfee researchers have described Operation North Star, a North Korean cyber espionage
campaign that prospects workers in the defense and aerospace sectors with bogus job offers.
Pyongyang has used this approach intermittently since 2018. LinkedIn has again been used to
communicate the offers,
which are subsequently baited with malicious code. European law firms are being targeted by a hacker
for hire mercenary group, ZDNet reports. The group, which is known by the playground hacker name
Deceptikons, has been described by Kaspersky researchers. The security company's APT Trends Threat Report for 2020's second quarter
describes the group as clever as opposed to technically advanced.
The Deceptikons have been active for a decade
and are most interested in collecting financial information,
client information, and details of negotiations.
Kaspersky doesn't associate the group with any particular organization or threat
actor, that is, no one beyond the Deceptikons themselves, who seem to be an unusually intrusive
business intelligence service and quite indifferent to custom, law, and regulation.
And finally, there's some useful advice from the U.S. government on dealing with current
vulnerabilities. The BootHole vulnerability Eclypsium described this week, that's CVE-2020-10713,
which earned a CVSS rating of 8.2, not the highest, but pretty high,
affects a great many devices.
General consensus in the industry press holds that billions,
not a Saganist billions and billions, but a lot of
Windows and Linux devices are affected. It's going to be, many observers have said, a tough bug to
patch. But NSA has issued mitigation advice for the BootHole vulnerability. Fort Meade suggests
two useful approaches. Users can update an endpoint's vulnerable boot components and revoke
the trust of existing boot components. This will be suitable for most individual users and small
enterprises, in NSA's opinion. Alternatively, for organizations that require higher levels of
security, they can implement secure boot trust infrastructure and customize their endpoints to
use it. And CISA and NSA have warned that there's currently a heightened risk of foreign espionage services
attacking U.S. critical infrastructure.
Most of that infrastructure in the United States is in private hands.
NIST, the National Institute for Standards and Technology,
reminds those who operate infrastructure that the Institute has guidelines available
for secure engineering that can reduce the risk of
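The NSA mitigation summarized above, update the vulnerable boot components and then revoke trust in the old ones, is carried out on UEFI systems by appending hashes of the vulnerable bootloader images to the forbidden-signature database, dbx. The following is an added example, not code from the episode, NSA or Eclypsium: a small parser for the EFI_SIGNATURE_LIST format in which db and dbx are stored, with a helper that checks whether a given image hash is revoked. The sample hashes and the sample dbx blob are constructed stand-ins, not real BootHole entries; the efivarfs path is where Linux exposes the variable and is the only environment assumption.

```python
"""Parse UEFI Secure Boot signature databases (db/dbx) and check whether a
given image hash has been revoked.  Added example; the sample data is constructed."""
import hashlib
import struct
import uuid

# Well-known signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUID under which db and dbx are stored; Linux efivarfs exposes dbx as
# /sys/firmware/efi/efivars/dbx-<this GUID> (assumed path for the live check).
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")
DBX_EFIVARS_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# EFI_SIGNATURE_LIST header: SignatureType (GUID, mixed-endian on disk),
# SignatureListSize, SignatureHeaderSize, SignatureSize (all UINT32 little-endian).
_LIST_HDR = struct.Struct("<16sIII")
SHA256_SIG_SIZE = 16 + 32  # EFI_SIGNATURE_DATA = SignatureOwner GUID + 32-byte hash


def parse_signature_lists(blob, efivars_prefix=False):
    """Return [(signature_type, owner, data), ...] for every EFI_SIGNATURE_DATA in a
    concatenation of EFI_SIGNATURE_LISTs.  efivars_prefix=True skips the 4-byte
    attributes word that efivarfs prepends to the variable payload."""
    off = 4 if efivars_prefix else 0
    entries = []
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        body_start = off + _LIST_HDR.size + hdr_size
        body_end = off + list_size
        if body_start > body_end or body_end > len(blob):
            raise ValueError("SignatureListSize inconsistent at offset %d" % off)
        body = blob[body_start:body_end]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("SignatureSize inconsistent at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off = body_end
    return entries


def revoked_hashes(dbx_blob, efivars_prefix=False):
    """Set of SHA-256 image hashes the dbx forbids (X.509 entries are ignored here)."""
    return {data for sig_type, _, data in parse_signature_lists(dbx_blob, efivars_prefix)
            if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(image_hash, dbx_blob, efivars_prefix=False):
    """True if image_hash is listed in dbx.  Note the firmware compares the
    Authenticode PE hash of the image, not a plain SHA-256 over the whole file."""
    return image_hash in revoked_hashes(dbx_blob, efivars_prefix)


def build_sha256_list(hashes, owner=EFI_IMAGE_SECURITY_DATABASE_GUID):
    """Serialize one EFI_SIGNATURE_LIST of SHA-256 entries.  Used here only to
    construct sample data; a real dbx update is a signed, time-based authenticated
    variable write, not a raw blob dropped into the variable."""
    hashes = list(hashes)
    if any(len(h) != 32 for h in hashes):
        raise ValueError("SHA-256 entries must be 32 bytes")
    body = b"".join(owner.bytes_le + h for h in hashes)
    return _LIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le,
                          _LIST_HDR.size + len(body), 0, SHA256_SIG_SIZE) + body


# Constructed sample: two stand-in hashes playing the role of revoked bootloader
# images, plus one that is not revoked.  These are not real BootHole dbx entries.
SAMPLE_REVOKED = [hashlib.sha256(b"constructed: old grub image A").digest(),
                  hashlib.sha256(b"constructed: old grub image B").digest()]
SAMPLE_CLEAN = hashlib.sha256(b"constructed: patched grub image").digest()
SAMPLE_DBX = build_sha256_list(SAMPLE_REVOKED)
# The same blob as efivarfs presents it: attributes word first
# (NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS | TIME_BASED_AUTH_WRITE = 0x27).
SAMPLE_DBX_EFIVARS = struct.pack("<I", 0x27) + SAMPLE_DBX


def check_local_dbx(image_hash, path=DBX_EFIVARS_PATH):
    """Read the live dbx on a Linux UEFI host; None if the variable is unavailable."""
    try:
        with open(path, "rb") as f:
            return is_revoked(image_hash, f.read(), efivars_prefix=True)
    except OSError:
        return None


if __name__ == "__main__":
    print("entries in sample dbx:", len(parse_signature_lists(SAMPLE_DBX)))
    print("image A revoked:", is_revoked(SAMPLE_REVOKED[0], SAMPLE_DBX))
    print("patched image revoked:", is_revoked(SAMPLE_CLEAN, SAMPLE_DBX))
    print("live dbx check (None without efivarfs):", check_local_dbx(SAMPLE_REVOKED[0]))
```

Order matters when applying the real mitigation: if the hashes of the shim or GRUB currently installed on a machine are added to dbx before those components have been replaced with signed, fixed builds, the firmware will refuse to boot them, which is why the NSA guidance pairs the two steps. Parsing the variable as above lets you confirm what a host will refuse before pushing a dbx update to it.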
My guest today is Tom Kellermann. He's head of cybersecurity strategy at VMware.
He joins us with results from their recent report on top financial CISOs analyzing the 2020 attack landscape.
Yeah, this report is seminal.
We surveyed and interviewed over a thousand CIOs and CISOs from around the globe.
They're all experiencing an increase of attacks.
They're all experiencing increased attack sophistication.
But more notably, if you look at it from the lens of true ground truth,
the prime causes of breaches were OS vulnerabilities, application attacks, and island hopping.
And application attacks and island hopping are things we need to focus on because the nature in which APIs are being built out left and right to
facilitate digital transformation and the provision of financial services or the provision of just
services to your constituencies, hackers are taking advantage of that. And they're targeting
those very APIs to essentially island hop into entities and then use those entities' digital
transformation efforts to attack their constituencies.
The most prolific types of cyber attacks were custom malware attacks and cloud-based attacks,
specifically cloud-based attacks using Google Drive.
And process hollowing has become the new MO of living off the land or lateral movement
within organizations.
We've been focusing on PowerShell for too long.
I wish Microsoft would
just fix the problem, but then they also have the other problem of WMI. But frankly, process
hollowing has been widely embraced by the elite hacker crews of the world as the mechanism by which
to move from east to west or west to east within the infrastructure and then perform campaigns of
not only island hopping,
but essentially commandeering the entire infrastructure as a whole.
Wow. Are there any common elements for the organizations that are doing a good job,
that are effectively defending themselves? Do they have any common threads there?
Yes, they do. They've integrated their security controls. They understand that it's an all-hands-on-deck approach and that they have to break down the silos between IT and security.
They've got to operationalize security through IT, and to do so, they need to dramatically increase visibility.
These same organizations are regularly conducting threat hunting exercises and using those as essentially a game-day film for the inevitable allocation of resources and personnel.
These people believe in securing applications, securing workloads, and they also believe in
the premise of just-in-time administration, in so much that administrative privileges
shouldn't remain indefinitely for anyone within an organization as just easy stepping stone.
Were there any surprises that came out of the survey that you did?
Anything you didn't expect?
Well, I didn't expect that process hollowing would increase by 300%.
And destructive attacks would be on such a rise.
I did expect the island hopping phenomenon.
I did expect the application attacks.
The OS vulnerabilities, the exploitation of OS,
yes, we've always talked about that in the past, but I think we're dealing with a resurgence.
There's a newfound renaissance. I think in large part that's attributed to the economy of scale,
the dark web. As noted in the World Economic Forum report that was released a few weeks ago,
they said that the dark web economy of scale will
be the third largest economy in the world by 21, which is scary to me. But also, more importantly,
they said that the second greatest risks to corporations globally will be cyber, which we've
all been waiting for, number one being obviously pandemics, which we're all dealing with. But I do
think that the COVID crisis and the pandemic of COVID is
exacerbating our attack surface. Our adversaries are taking advantage of the situation. Frankly,
the U.S. as a hegemony is very weak right now. And you've had nation states, non-state actors
and criminal groups all pursuing a campaign of attrition against us. This is the problem with
our industry, and I'm going to call a spade a spade here.
We've been focused far too long on the bullets,
the munitions that are being launched against us versus the interdependencies of the dark web
versus how did they target us in the first place
and the behaviors that coincide to be able to predict
when they're coming, how they're coming, and whether they're alone.
And I say this because the Lockheed Martin kill chain is outdated.
It is too linear.
It doesn't take into account what I would call the cognitions of an adversary.
Remember, a cognition is a precursor for behaviors.
We cannot just focus on TTPs.
I give MITRE a thousand pounds of credit,
and I appreciate everything that they've done with ATT&CK. But now we must begin to think,
how do we predict new TTPs? How do we predict new combinations of TTPs? And how do we understand
and appreciate that it's not a kill chain? They're not coming in and leaving. They are staying in,
and then they're going to move laterally, and they're going to leverage island hopping.
And so how do we understand those behavioral anomalies within us?
Because we have to invert the security paradigm.
Decreasing dwell time is, I guess, the ROI for success in today's day and age.
But I'm hoping in the end, we can suppress adversaries unbeknownst to adversaries when they're inside of us and run them in circles.
That's Tom Kellermann from VMware.
If you want to hear an extended version of this interview, head on over to the cyberwire.com.
You can find it there in the CyberWire Pro section.
And joining me once again is Dr. Zulfikar Ramzan.
He is the Chief Technology Officer at RSA.
Zully, it's always great to have you back. I wanted to get your take on digital contact tracing.
As we find ourselves continuing to go through this situation with COVID-19,
this is top of mind for a lot of people.
What are your thoughts?
So, you know, first of all, I think, Dave,
it's important to realize that contact tracing
is an extremely well-known idea in epidemiology.
It's been around forever, basically.
It involves being able to identify individuals
who've been exposed or been in contact with somebody
who's been deemed to be infectious with the virus.
And really, it's about making those people aware
of the fact that they've been exposed
and recommending appropriate measures
like getting tested or quarantining
and so on and so forth.
Now, I think that given the COVID-19 situation,
how long people can be asymptomatic for a while
and the fact that they can be asymptomatic
and infectious at the same time,
it leads people to believe that,
hey, epidemiologists should really be implementing contact tracing mechanisms. Now, to me, I think traditional
contact tracing is very manual. So you have to have patient interviews, you've got to maybe
manually figure out where they've been and who they've been in contact with, and so on and so
forth. And really, making this process digital is about trying to reduce the error rate of the
manual process, number one. And number two, it's about being able to cast a wider net
so you can more effectively capture a wide variety of people
and let them all know that they've been potentially impacted.
As you look at the efforts that are going on globally with this,
where do you think folks are getting it right
and where do you think they're coming up short?
First of all, I think that there's an element where there's a lot of basic privacy
and fairness and discrimination questions that come up. You have to think about questions around
what data is collected, how is that data being used,
what checks and balances exist to avoid misuse and abuse of that data.
Is there a way to provide some level of governance on top of the systems
that are being used to perform
digital contact tracing. What I do worry about at a fundamental level is, are we creating a
massive surveillance system that could potentially be used for other purposes?
Today, we'll build a system thinking, hey, we need it for COVID-19. And maybe people are willing
to accept the privacy risk associated with those systems. But a year from now or two years from now,
as COVID becomes less of an issue,
these systems will still be around.
And there's a question of whether or not
the data being collected by these systems
could now have a deeper and more,
more maybe nefarious purposes for that matter.
Yeah, it's a really interesting aspect, isn't it?
That I think a lot of people would think,
yes, you know, maybe I'm willing to give up some of my privacy in the short term for the greater good to try to get us through this.
But that doesn't mean that I want to turn that information over forever.
Correct, yeah.
Maybe you're willing to provide information about your COVID status, but if that same data that was used to collect information about your COVID status can glean other insights about your health, like maybe it tells about other aspects
of your health history that you may not want to have divulged, all of a sudden, you may not have
that choice, right? All of a sudden, you may be caught in this difficult situation where the same
data being used to convey COVID status could be used to convey other aspects of your health.
Yeah, it seems to me too that a component of this
beyond the technology side,
that there's really, I guess, almost a PR side of this.
So being able to, the folks who are trying to do this
to effectively communicate the message
that this is what we're trying to do,
these are the privacy things that we put in place
and here's why we need your participation.
Right, and I think that's an important element of it.
I think with every technology, we have to have a corresponding way of communicating
about that technology.
For every one person who understands the technical details, you need 10 who can explain it in
maybe layman's terms or explain it to policymakers and talk about the implications.
If you don't have that in place, that effective communication channel where you can really
educate the broader population as well as educate policymakers, we're going to be in for a very, very tough ride.
And I think we're already seeing this now where these apps
that are talking about doing, let's say, Bluetooth-based contact tracing, they're not perfect.
They have security issues occasionally. There are some vulnerabilities associated with Bluetooth,
although not very common these days, but still do come every now and then.
People need to understand the risks.
And then more importantly, it's also important to realize
that two things with contact tracing.
One is if you want this type of Bluetooth-based contact tracing
to be effective, it's got to be prevalent.
If you don't have enough people doing contact tracing,
its effectiveness goes down considerably.
And the second element to keep in mind is that to me,
the digital part of contact tracing
is just a means to an end, right?
It's a way of identifying potential exposures.
But the real heart of contact tracing,
when you talk to epidemiologists,
it's really important to follow up
with that exposure information
to ensure that the people who have been tracked
and who've been identified as potentially being exposed
are given the right set of recommendations.
They're being told, hey, you shouldn't be doing these things now that you've been exposed
or you should be getting tested.
So there's a whole aspect of follow-up that goes beyond that technology piece alone.
And I think unless you get all these pieces right to an appropriate degree, we're not
going to see the effects of digital contact tracing take place effectively enough in the
way that we want to.
Yeah.
All right.
Well, Dr. Zulfikar Ramzan, thanks for joining us.
Always a pleasure.
Thank you so much, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.