CyberWire Daily - Some possible insight into what a Chinese cyberespionage unit is up to. Hackathons, from Beijing to Washington. Panda Stealer is after crypto wallets. And Peloton deals with a leaky API.
Episode Date: May 6, 2021
Some possible insight into what a Chinese cyberespionage unit is up to. Hackathons, from Beijing to Washington (the one sponsored by Beijing developed an iPhone zero-day used against China's Uyghurs...). Panda Stealer is after crypto wallets. Microsoft's Kevin Magee reflects on lessons learned in the last year. Our own Rick Howard speaks with Todd Neilson from World Wide Technology on Zero Trust. And Peloton deals with a leaky API. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/87
Transcript
You're listening to the CyberWire Network, powered by N2K.
Some possible insight into what a Chinese cyber espionage unit is up to.
Hackathons from Beijing to Washington.
Panda Stealer is after crypto wallets.
Microsoft's Kevin Magee reflects on lessons learned in the last year.
Our own Rick Howard speaks with Todd Neilson from World Wide Technology on Zero Trust.
And Peloton deals with a leaky API.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 6th, 2021.

Last month, Japanese authorities said that the Tick APT, which had been conducting cyber espionage against about 200 organizations, prominently including the Japan Aerospace Exploration Agency, was being run by China's People's Liberation Army. Kyodo News characterized the unit as a counterintelligence outfit, although it actually appears to be a SIGINT unit, and said that a Chinese engineer and Communist Party member had been referred for prosecution. PLA Unit 61419 is again in the news, this time with some possible insight into its internal operations. Recorded Future's Insikt Group has found procurement documents indicating that the PLA unit has sought to purchase foreign antivirus programs. The Insikt Group thinks it likely that the intention is to use them for exploitation, either to use them as test environments for PLA-developed attack tools, or to identify vulnerabilities that could be exploited for initial intrusion in zero-day attacks. The specific tools PLA Unit 61419 sought subscriptions to include some well-known names, including products from Kaspersky, Avira, McAfee, Dr.Web, Norton, and others. Using these antivirus tools for test and development strikes the Insikt Group as a likely harbinger of supply chain attacks. Their report says in its conclusion, quote, given the pattern of Chinese state-sponsored exploitation of the global software supply chain described above, as well as China's exclusion of foreign antivirus software as an option for government organizations, the brands and products indicated should be monitored for future exploitation. Focus should be placed on adversarial simulations, penetration testing, patching known vulnerabilities, and monitoring for anomalous traffic related to these antivirus products.

Coincidentally, or not, shortly after publishing its article on Chinese purchases of antivirus technology, Recorded Future's The Record came under a distributed denial-of-service attack.
There are indeed coincidences, sometimes, because stuff does happen,
but some coincidences do seem suspicious and worth a second look. We note that over the
weekend, a Belgian ISP that serves much of that country's public sector also came under a
distributed denial-of-service attack. The ISP, Belnet, has since restored service, but as Computing
reported, the attack caused the cancellation of a hearing before Belgium's Parliamentary Foreign Affairs Committee that would have heard testimony on human rights in China's
Xinjiang Uyghur Autonomous Region. As one Belgian MP remarked, attribution would be premature,
but it would be naive to ignore the context of the attack.
Other news about Chinese cyber operations suggests a motivation for Beijing's interest in promoting autarkic hacking competitions and discouraging participation in international tournaments. MIT Technology Review reports that U.S. intelligence services have concluded that an iPhone exploit nicknamed Chaos, disclosed by a researcher from Qihoo 360 during the inaugural Tianfu Cup hacking competition in 2018, was subsequently used by Chinese security services for surveillance of China's Uyghurs. The Tianfu Cup was established as a domestic Chinese alternative to such international hacking competitions as Pwn2Own.
Trend Micro this week has described Panda Stealer, an information stealer spread by phishing that targets digital currency wallets. Panda Stealer has been most active against targets in the United States, Australia, Japan, and Germany. It's apparently a financially motivated criminal operation interested in rifling wallets for altcoin.
Exercise equipment manufacturer Peloton is dealing with reports of a leaky API that could expose personal data of users, TechCrunch reports. Pen Test Partners, which disclosed the issue to Peloton in January, says the API permitted unauthenticated requests for user account data. The API permitted access to a Peloton user's age, gender, city, weight, and workout statistics. If it happened to be the user's birthday, interested unauthorized third parties could also obtain details that are hidden when users' profile pages are set to private. Peloton has drawn some high-profile users, U.S. President Biden among them. The company says there's no evidence the flaw has been exploited in the wild, but TechCrunch thinks they've been dilatory in addressing it and evasive in their discussions of the issue. Peloton explained that they did act to correct the issues Pen Test Partners disclosed to them, but that they didn't do a good job of closing the loop on the disclosure. Quote, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues. End quote.
The U.S. Department of Defense has opened all of its publicly accessible websites
and applications to its Vulnerability Disclosure
Program. Part of that program is the Hack the Pentagon invitation to outsiders to take a whack
at finding vulnerabilities in the Defense Department's networks. And as CyberScoop
points out, more of the Pentagon's infrastructure will henceforth be whackable.
The CyberWire's own CSO, Rick Howard, has been checking in with experts on a variety of topics.
This week, it's cyber threat intelligence. Here's Rick.
I got the chance to talk to Todd Neilson, who at the time was the lead for global security efforts at World Wide Technology.
But between the time that I did the interview and now, Todd has taken a new CISO gig and has yet to disclose who his new employer is.
But we discussed how the old defense in depth strategy that I used back in the 1990s,
you know, deploying firewalls, intrusion detection systems, and antivirus systems into an overlapping grid has kind of morphed into a subcomponent of a much larger zero trust strategy.
Now, Todd is an acronym man, and he refers to defense in depth as DID and zero trust architecture as ZTA.
So listen carefully for that.
I think that zero trust, it's an architecture, it's a model, it's not a product.
It's the new version of DID simply because it has multiple pillars. So Zero Trust includes the user, it includes the endpoint, it includes SASE networks, it includes your router switches, network controls, it includes cloud.
By definition, you have to lock everything down to provide a Zero Trust environment.
And that takes multiple layers
to do that and multiple components, multiple tools. But I also think, gosh, that DID may be
good for Joe's Chicken Shack with five users, but it may not be good for a global top five bank.
Joe's Chicken Shack. I love that phrase. And I'm totally going to steal it for whenever I talk
about small, medium, and large organizations from now on.
Joe's Chicken Shack is my new small organization. But in my head, I don't hear Joe's Chicken Shack,
I hear the Nub Shack, baby. But Todd is right. Zero trust is hard to do and may be a bridge too far when it comes to the Joe's Chicken Shacks out there.
I think a zero trust ongoing programmatic approach today is reserved for those larger
enterprises that have the resources, time, and money to do it. If you just have a Shopify cart
hosted on Shopify and you're selling widgets online in your small company,
zero trust might not be good for that environment. But if you're an enterprise and you have
keys to the kingdom, if you want to protect the formula for Coke,
maybe you want a complete lockdown zero trust strategy around your crown jewels,
but yet not a zero trust on open marketing information that you give out to all your clients.
Maybe they use DID for something simple, but then they go back to the ZTA for something complex.
There's never one right answer for every company.
Todd believes that it all comes down to forecasting risk and having that honest conversation with the board about their risk appetite.
Once you have your risk exercise, your risk appetite decided, and you have identified your assets,
now you can apply the zero-trust strategies to those higher-risk areas that may need that investment today.
Mapping risk to business goals first, and then your ability to execute is the tertiary.
One thing is certain, zero trust is not a destination. It's a journey, a journey that you will most likely never get to the end of. There are a gazillion different things you can
do to improve your zero trust landscape. But the idea that an organization will reach some sort of nirvana zero trust end state, where you can stop what you're doing,
look around twice and say, yep, I made it to zero trust. That's not realistic. It's more like a
mirage on the horizon hovering just out of your reach as you inch closer and closer to it. Or as
one of Todd's Fortune 10 customers likes to call it, it's a unicorn. It doesn't exist.
That's how he feels about it, at least today, in terms of getting to the end of Zero Trust.
To your point, it's a journey.
I like to say it's programmatic.
You can't say we're going to do a Zero Trust project and we're going to check it off and check these boxes.
And when we get there, we have Zero Trust.
It doesn't work that way either.
And so I think it's very much programmatic.
The best way to adopt Zero Trust is to eat it one bite at a time.
There is no question that zero trust should be one of your atomic strategies that you will use
to decrease the probability of material impact to your organization due to a cyber attack.
Over on the CyberWire Pro side, I did an entire season on my CSO Perspectives podcast about the first
principle strategies that we all should be deploying, and Zero Trust featured prominently.
But as Todd said, if your organization is the size of Joe's chicken shack, maybe you
should focus on some basic resiliency before diving headfirst into the deep waters of Zero
Trust.
That's our own CSO, Rick Howard.
And I am pleased to be joined once again by Kevin Magee.
He is the Chief Security and Compliance Officer at Microsoft Canada.
Kevin, great to have you back.
You know, we are just about at the one-year mark here with the pandemic.
And I think most people would agree that it's been quite a year.
I want to touch base with you and sort of check in with,
as you've been working with your team and you look back at this past year,
any lessons that you all have taken away so far?
Yeah, thanks for having me back again, Dave.
We often don't really look at the sort of the people aspect
or the layer eight aspect of security teams.
And managing a security team is always a difficult challenge,
but managing a security team through a pandemic
has been extremely difficult.
And like you said, one year in,
we're really starting to see exhaustion set in.
People are feeling overwhelmed
and they're feeling like often
we're losing this war against attackers.
So how do we think about leadership?
How do we think about managing people?
And how do we really encourage and support them through the pandemic? Because we're not going to return to a normal. We're in a new normal state. So there's lots of lessons learned that we've had
over the past year. And I had a chance to sit down with my team and really have a deep dive on what's
working, what's not, and was really surprised with some of the things that we learned.
Well, take us through some of the insights there. What did they have to share?
Yeah, from my perspective, much of what I've learned as a manager over the years has been how to support and coach people in in-person experiences. And I'm having to relearn and
reimagine leadership for a video world. And I felt really sort of bad about maybe I'm not showing up in a
great way, but my team was really excited to share, hey, no, we're all trying to figure this
out together. Interviewing, hiring, onboarding, managing, supporting employees you've never met
before can be extremely challenging for a manager as well. But it also opens up a whole set of new
opportunities about thinking about location doesn't really matter. We can look
for the best talent regardless of where it is. That's allowing us to add much more diversity
to our candidate pool as well and bring in new skill sets. It's also allowing people to sort of
live the lifestyle that they want to maybe in a remote location or not close to a major city.
So there are some subtle changes that are making the work-life balance better, not just worse as well.
What was your team telling you about dealing with the ongoing stress, with just the burden that we're all living in this world, the weight of existing, trying to do your best, doing your job while you still have the reality that this pandemic goes on?
One of the big challenges that came up was just recognition. And no one really wants a pat on the back or a shout
out, but a lot of the work we do, if we do it well, and the most important work we can't talk
about. So you can't get a gold star or you can't get an award for often in cybersecurity. So how
do we create opportunities to recognize employees?
And then how do we create different experiences
where we can sort of release stress
and work together as a team?
So our team came up with the idea
of we would take on mentoring some startups
and mentoring some students.
And we would work with students that are graduating
to coach them and help them break
into the cybersecurity industry.
And that one-on-one time with a student really gave them a sense of purpose,
increased their morale, made them feel like they were making a difference,
and gave them another person-to-person connection.
But it was also something that we could recognize them for and reward them for.
So it was very fulfilling.
So finding some side projects or finding some other ways to give back as a team to the industry or whatnot is a great way to overcome some of these challenges and feel like you're making a difference.
What about for managers? I mean, do you have any advice for them?
I think often we say, do what we say, not what we do.
And I think the main thing, and this is my manager actually told me, make sure there's something left in the tank for you at the end of the week.
Because a lot of times I felt really incumbent on myself to be there for my team, to be super
supportive and whatnot.
And this has been a marathon, making sure that you're taking time for yourself is not
only good for you for self-care,
but also it's modeling the proper behavior for your team. If you're working weekends and you're
working nights when you shouldn't be, then they're going to feel compelled to that they have to do
that as well too. So they're looking to us to see what we do, to see what's acceptable, to see what's
normal in this time. And our actions speak just as loud of our words. So as leaders in the industry,
we need to make sure that we're setting the proper tone from the top as well.
What do you think is on the other side of this? What kind of changes do you think are going to
stick once the pandemic is in the rearview mirror?
Well, I'm hoping it's a lot of the good that we take with it, which is, you know, we don't always
have to get on an airplane to go somewhere. We can hire people that don't live in a major city as long
as they have a greater connection. A lot can be done remotely. We can strike better work-life
balances. I'm hoping we keep the good and we drop, obviously, some of the bad. What we will
need to still continue to work on is sort of this always on, always present,
you know, back-to-back calls and whatnot. I'm hoping that doesn't stick with us as well.
And we can sort of get back to a little more sense of, you know, separation between work life and
our regular lives. But that's going to be a challenge. And we're going to have to be very
cognizant of that. And we're going to have to really take action to make sure we're setting those boundaries,
not just allow things to happen.
Otherwise, our work will creep in and take up every moment of our times,
and that's not necessarily a good thing.
Yeah, yeah.
All right.
Well, Kevin Magee, thanks for joining us.
Thanks, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.