CyberWire Daily - Some notes on cyber gangland. South Korean APT using zero days against North Koreans? USB attacks. Telework challenges. CMMC remains on schedule.

Episode Date: March 27, 2020

Ransomware gangs don’t seem to be trimming their activities for the greater good. TA505 and Silence identified as the groups behind recent attacks on European companies. An APT possibly connected to... South Korea is linked to attacks on North Korean professionals. A criminal campaign of USB attacks is reported. Problems with VPNs and teleconferencing. The Pentagon’s CMMC will move forward on schedule. Rob Lee from Dragos on ICS resiliency in the face of Coronavirus, guest is James Dawson from Danske Bank on the unique challenges of IT Risk & Controls in global banking. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_27.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Ransomware gangs don't seem to be trimming their activities for the greater good. TA505 and Silence identified as the groups behind recent attacks on European companies. An APT possibly connected to South Korea is linked to attacks on North Korean professionals. A criminal campaign of USB attacks is reported.
Starting point is 00:02:16 Problems with VPNs and teleconferencing. And the Pentagon's CMMC will move forward on schedule. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 27, 2020. So, were you counting on the ransomware gangs to keep their promise to leave hospitals alone during the pandemic? Dark Reading says you should prepare to be disappointed. But really, that shouldn't surprise anyone.
Starting point is 00:02:50 Ransomware has continued against the usual range of targets. Digital Shadows and others who've kept an eye on some of the sketchier online meeting places for hoods do note some vague, feebly well-intentioned ruminations about taking care not to harm the vulnerable, but a post on Torum shows a representative slip of the mask. This particular skid wrote, how can we on and offline take advantage of the coronavirus and make some real money? That is, how could we do this awful thing to people who are stressed and afraid? Oh right, that's because they want the money. It's the sort of thinking done by those who reckon the value of others' suffering at zero.
Starting point is 00:03:32 Not a good time to relax your guard, and to law enforcement everywhere, good hunting. Speaking of cybercrime, Group-IB researchers have attributed recent attacks against European manufacturing and pharmaceutical companies to the Russian-speaking cyber gangs Silence and TA505. The attacks exploited privilege escalation vulnerabilities in Windows 10. There's an apparent connection between the two gangs' attacks, but it's unclear whether that connection amounts to actual cooperation or simply the use of malware from a common supplier. Google's Threat Analysis Group has concluded that an unknown but sophisticated APT from South Korea exploited five zero-days last year in a campaign against selected North Korean targets.
Starting point is 00:04:20 The zero-days were in Internet Explorer, Google Chrome, and the Windows kernel, and the targets are described as North Korean professionals. Researchers at Kaspersky told Wired that they see a possible connection to DarkHotel, a threat group that's been linked to various East Asian governments, but that's now come to be thought of as possibly associated with Seoul. When Kaspersky began tracking DarkHotel some six years ago, the researchers characterized the typical targets as being corporate executives, CEOs, senior vice presidents, sales and marketing directors, and top R&D staff.
Starting point is 00:04:57 According to Kaspersky, the recent activity against North Korea, whether it's DarkHotel or not, shows a lot of polish. It's unusual to see that many zero-days used in a coordinated campaign. It's also noteworthy that in the recent late 2019 campaign, the attackers began by prospecting their targets with a series of benign emails, the better to overcome suspicion and set them up for the eventual hit. Trustwave reports an unusual USB attack. The victims receive a letter purporting to be from Best Buy, thanking them for being a long-time customer and offering them, as a reward, a $50 gift card.
Starting point is 00:05:36 It can be spent on any of the items listed in the conveniently enclosed USB thumb drive. In fact, the drive contains a keyboard emulator ready to install a reconnaissance payload that collects information about the infected device and reports it back to a command and control server. So, in general, don't put that thing in your USB port. You don't know where it's been. Bleeping Computer reports that an unpatched iOS vulnerability can prevent some virtual private networks from encrypting all traffic, possibly exposing users' data or IP address. The issue is troubling given the rise of VPN use as people increasingly work remotely. According to The Telegraph, teleconferencing service Zoom may be open to certain forms of eavesdropping. And Vice reports that Zoom's iOS app shares analytical data with Facebook,
Starting point is 00:06:39 whether or not the user has a Facebook account. Privacy Matters says there's nothing in Zoom's privacy policies to indicate that this is happening. Vice summarizes the data collection as follows, quote, The Zoom app notifies Facebook when the user opens the app, details on the user's device, such as the model, the time zone, and the city they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user's device,
Starting point is 00:07:03 which companies can use to target a user with advertisements. It goes on to add that this is similar to data the Ring smart doorbell was determined to be sending Facebook's way. Yesterday, the U.S. Department of Defense firmly quashed rumors that it was going to delay implementation of the Cybersecurity Maturity Model Certification, familiarly known as the CMMC, NextGov reports. The department has executed its Memorandum of Understanding with the independent not-for-profit group
Starting point is 00:07:33 that will serve as the accreditation body, and businesses should expect the program to proceed as planned. The accreditation will apply to new contracts, and it won't be retroactively imposed on existing agreements. The CMMC is similar to standards contractors have used for self-assessment. The use of an independent accreditation organization, however, is new. Self-attestation is going the way of the dinosaur, apparently. As governments continue to improvise technical aids to assist them in tracking and controlling the COVID-19 pandemic,
Starting point is 00:08:06 the Wall Street Journal notes that leaders aren't exempt. British Prime Minister Boris Johnson has come down with coronavirus and is self-isolating. He says he's got mild symptoms and will continue to work from home at No. 11 Downing Street. We're working from our homes, too, and the Cyber Wire will keep publishing on schedule during the coronavirus emergency. Stay healthy, and as always, stay in touch. Virtually, not physically in touch. Physically, stay six feet or two meters apart. Notice that if you use the English system,
Starting point is 00:08:40 you're allowed at least 17 centimeters more intimacy than if you were on the metric system. See, there are advantages to staying old school and not chasing the newest Johnny-come-lately innovation from Paris.
Starting point is 00:10:56 My guest today is James Dawson. He's advisor to the head of IT business risk and controls in the office of the CISO at Danske Bank. The global banking industry is generally acknowledged as being on the leading edge of security practices. And of course, the fact that they are highly regulated has a lot to do with that, along with the reality that they have a big target on their backs being where the
Starting point is 00:11:40 money is. Here's my conversation with James Dawson. The biggest change that I've noticed recently is that it's almost like leadership, people, the world in general, everyone from the worker bee at the McDonald's to the head of, you know, a global organization, they're more in tune to IT, cyber, and technology than they ever were before. So I find that for me, it's almost a little easier. I spend a little less time going in and explaining the basics and I can get right down to the nitty gritty of what's happening. To me, it kind of points to this idea that there's been maturation from both sides. In other words, you're saying you don't have to explain to them as much as you used to, but I suppose the flip side of that is that you become better at being
Starting point is 00:12:33 able to speak in shorthand their language of risk as well. Yeah, and better at serving them. I think that decision makers have a lot on their mind. Men and women have so many other things on their mind. When you come to them with a cyber risk or control issue and you want to try to get to an answer or a decision or a pre-decision, it used to take a lot of time. But now that they're so sympathetic to what's going on, they're more attuned to the world and to cyber and to technology, it's easier to get to a solution for them. I spend less time explaining things, although I do think it is a good skill to be able to explain complicated things in a simple way.
Starting point is 00:13:13 Because no matter what we do in cyber technology, as you know, I imagine you know, Dave, people still need to have a little bit of coaching and need to have things explained to them in very, very simple ways. Get to the KISS rule, especially in cyber. So if you can do that, that's a great skill to have. You don't even have to be that technically proficient, but if you can explain something and you understand the basics of it, I found that that really, really helps. Are there any unique challenges that you face in the highly regulated world of global banking? You know, there are. You have two things that you're always fighting against, and that is meeting your obligations. Those are laws. So for every country of operation of a global bank, you've got to meet certain laws and regulations.
Starting point is 00:13:58 And they're different for different countries. They may deal with privacy. They may deal with data handling. They may deal with record keeping. But there are laws or protection of people's rights, whether they're employees or customers. And then the other thing is you have to also know or understand the business.
Starting point is 00:14:19 You need to get down to what do we really do here? You know, a lot of people say, oh, I've worked for a bank for a couple of years, and they don't really know what the bank does. So I always like to think of risk and controls around what's the business purpose? What is the critical process that the business does or each of the business lines do? Understand that, and you'll be able to really help them serve them and really protect them from a cyber standpoint or from any risk standpoint. So understanding the business, and I found that that was really, really essential. But what about the human side of things? Obviously, no shortage of technology when it comes to global banking and slinging money around the world at the speed of light, as it were.
Starting point is 00:15:05 But it's still, at the end of the day, it's a people business. It is a people business. And, you know, there's nothing that we do, whether we're in a global bank or a global pharmacy or whatever, or a small mom and pop company around the corner. You serve people. That's what you do. You're there to serve people.
Starting point is 00:15:21 Everything we do, and by the way, every risk scenario that you go through in cyber starts with a human and ends with a human. So in between, there's a lot of machines, but it usually starts with a human and it starts with unstructured data and the entry of unstructured data or some process that some human does, they enter an ABA wire number into a program, right? I like to think of IT risk and controls as not a technology thing, not a cyber control thing. The world today, I think, and especially in banking, and this happens in almost every industry, they went to the end first. Everybody jumped to the end as we learned
Starting point is 00:15:57 about how to protect organizations from cyber threats. They started at the wrong end. They started with their risks and their controls. Whereas where they should have started is identifying the business critical processes first. What do the people do? What's the most important process or three or four processes in that business line? And then from there, build out your IT risk and controls. Let me come at it from a different angle though because I wonder about particularly if I'm in charge of security or even if I'm, let's say I'm on the board
Starting point is 00:16:37 and I'm getting messages from cybersecurity vendors and they're telling me, hey, listen, you know, that, you know, you mentioned earlier not having to worry about, for example, you know, the system that the janitor uses. Well, I can imagine them spinning a tale that says, hey, you know, that system that the janitor uses every day to clock in and out. What happens one day if that janitor was given a flash drive by his daughter with a video of his grandson singing a song and he can't wait to see it? So he plugs it into the computer and kaboom, now we're all infected.
Starting point is 00:17:17 Sure. And we do get those questions. So you kind of made a good side point before you asked the question about the vendor. I usually find that vendors, although many of them have excellent products, and I have some favorites out there in the world that I love, but many of them, of course, they're there to sell you their product or service. So you've got to take that with a grain of salt. And I think that boards and CEOs and men and women of those positions learned that. But if you can get around that and explain to them or the vendor can explain to them
Starting point is 00:17:46 why that one risk scenario that you described to them is important to the operation of the bank or the operation of the company overall, then you might have an argument. But yes, there's always these rare instances where somebody's going to come in and maybe the janitor, maybe she just doesn't like the bank, you know?
Starting point is 00:18:08 Right. She just wants to do bad things. That's going to happen. You know, everyone knows that 60 to 70 percent of all your threats come from inside the house. So that's where you need to clock in and out, how extensive is their connectivity to the important stuff? Right. And how likely is that event, that scenario from happening? Right.
Starting point is 00:18:36 You know, risk and control assessment is very basic. It's impact and likelihood. So, you know, you have to weigh those two factors. And so whenever someone presents a scenario to me that seemed like a one-off or an if of an if of an if, you know, I always say to them, sure, that possibly could happen, but the likelihood is so low that I'm going to rank that as a very low risk and I'm not going to concentrate on it. More importantly is my high risk and maybe my medium risk, depending on my business type. I always take my team members. I have quite a few people that work with me now.
Starting point is 00:19:09 I always take them and I always sit down and say, let's take a look at this business process, this mission critical process, and let's try to figure out where the humans are involved in it. That's where you're going to have a lot of risk. That's where you're going to have mistakes. And then I also say to them, now think like a criminal, those men and women who do bad things. If you were an insider and you had a grudge against the bank or you were an outsider and you wanted to try to extort the bank from money, what would you do? What would you do? That's James Dawson from Danske Bank.
Starting point is 00:19:55 And joining me once again is Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to have you back. You know, as we are in the midst of this coronavirus event globally, one story that I have not heard, thankfully, is the lights going out. The power is staying on. Those critical services are still being delivered.
Starting point is 00:20:51 And I thought it'd be a good opportunity for you and I to discuss the resiliency of these kinds of services. If you could share some insights with us, how are these systems designed to keep up and running? Yeah, absolutely. So look, I mean, all these companies, especially these massive companies that provide these kind of services, have a variety of business continuity plans and disaster continuity plans.
Starting point is 00:21:14 And they're always rehearsing and making sure they're good to go. Obviously, something like a global pandemic is something that is probably not on the common tabletop exercise list, but they still think about what would happen if we can't go to the site, what would happen if we are unable to interact with our systems in the normal way. And so we see a number of companies going the distance and we see a number of people at those companies really doing the right thing, trying to make sure that operations continue so that everybody and everybody's way of life can continue. So a good example is, you know,
Starting point is 00:21:50 from the oil company perspective, as an example, Equinor up in Norway, as well as Shell, had announced that they had some folks out on offshore rigs that had been infected with coronavirus and that they were kind of self-quarantining off to the side in their cabin, that they were checking the other staff on the rigs to make sure that they were okay, but business was continuing as normal. That's an awful position to be in at times for the employees to do this,
Starting point is 00:22:17 but a lot of those companies give those employees the options and figure out what's best for them, and they're tripping over backwards to take care of their people. And I guess kind of where I'd leave that on the oil side as an example is you'll find a lot of those folks out in the rigs, out in the refineries, et cetera, want to go continue to do their job. And it's not just in doing it because of pay
Starting point is 00:22:39 or other considerations. Again, those companies oftentimes have pretty flexible options for their folks. It's doing it because the folks that work in the industrial community are very mission-driven, and they understand the impact of the work that they do. And you'll find the same type of dedication in the power and water sector, as an example, or in manufacturing, where the lights aren't going to go out just because people are teleworking. You've got people, critical personnel, mission critical personnel that are still going into the plants, still going into the generation facilities,
Starting point is 00:23:09 transmission, et cetera, and doing their day-to-day job. So long story short, no one should be expecting disruptions in day-to-day life, especially as it relates to oil, gas, water, electricity, et cetera, because of the dedication and passion towards the mission that those folks have. Now, in this age of connectivity, does that provide these organizations with more flexibility to be able to keep things running than they had in the past? For sure, some of them.
Starting point is 00:23:38 So there's always going to be a human component to a lot of these production environments. Even if you wanted to have a fully unmanned facility, as an example, they usually don't just for considerations around safety or environmental protections. So you might have a smaller staffing, and that's just a trend of the industry, to just have smaller amounts of staff,
Starting point is 00:24:00 but you still have people there for safety purposes. And you would see the same thing in these kind of scenarios where because of the trend in automation that we've seen, because of the developments in technology we have, these assets take less people than ever to be able to operate them safely and correctly, which absolutely supports scenarios like this. But at the same time, there's also still considerations around it.
Starting point is 00:24:23 As an example, in the U.S. electric system, you're not able to remotely connect in to bulk electric assets. The NERC CIP regulations put a variety of controls around what you can and can't do, especially with regards to remote access. And that isn't to say that we should look at changing that. I mean, maybe. Maybe, you know, maybe consider disaster plans and how the regulations would allow different modes of operation during true disasters. But what I would say is it's already existing, therefore people already know how to work around it.
Starting point is 00:25:00 So are people still going to site? Yes. Are less people than ever going to site? Yes. But are operations continuing as normal, and are they built for that? Absolutely. All right. Well, Rob Lee, thanks for joining us. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
Starting point is 00:25:35 It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
