CyberWire Daily - Sunday looks like sanction day for WeChat and TikTok. Grayfly and Blackfly (and APT41). Maze hides payloads in VMs. Ransomware is implicated in a death. Google Play housecleaning. Fox, chickencoop.
Episode Date: September 18, 2020. The US Commerce Department announces a clampdown on TikTok and WeChat, to begin Sunday. An overview of the Grayfly and Blackfly units of APT41. Maze begins delivering payloads inside a VM. A ransomware attack on a Düsseldorf hospital is implicated in the death of a patient. Google wants less stalkerware and misrepresentation in the Play store. Caleb Barlow from Cynergistek on the Military's CMMC program. Our guest Galina Antova from Claroty highlights the importance of secure remote access in industrial systems during times of crisis. And an alleged fox was allegedly guarding the henhouse. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/182
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The U.S. Commerce Department announces a clampdown on TikTok and WeChat, which begins Sunday.
An overview of the Grayfly and Blackfly units of APT41.
Maze begins delivering payloads inside a VM.
A ransomware attack on a Düsseldorf hospital is implicated in the death of a patient.
Google wants less stalkerware and misrepresentation in the Play Store.
Caleb Barlow from Cynergistek on the Military's CMMC program.
Our guest Galina Antova from Claroty
highlights the importance of secure remote access in industrial systems
during times of crisis.
And an alleged fox was allegedly guarding the hen house.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, September 18th, 2020. The U.S. Department of Commerce this morning announced that most transactions with WeChat and TikTok will be banned, effective Sunday.
Commerce explained the decision as follows, quote,
While the threats posed by WeChat and TikTok are not identical, they are similar.
Each collects vast swaths of data from users, including network activity, location data, and browsing and search histories.
Each is an active participant in China's civil-military fusion and is subject to mandatory cooperation with the intelligence services of the CCP.
This combination results in the use of WeChat and TikTok creating unacceptable risks to our national security.
The action was taken pursuant to Executive Orders 13942 and 13943.
Seeking Alpha reports that TikTok is looking to rally allies among rival social platforms to challenge the coming U.S. ban.
And whatever Washington ultimately decides about a TikTok spinoff, the Wall Street Journal notes that any such arrangement would require Beijing's approval, too.
Symantec Enterprise takes the opportunity offered by U.S. indictments to publish an overview of China's APT41, which it tracks as having two subgroups, Grayfly and Blackfly.
Grayfly is known for compromising its victims through public-facing web servers and for using variants of the Barlaiy/PoisonPlug and Crosswalk/ProxIP malware in its attacks.
Grayfly casts a fairly wide net, but it's generally been interested in the food, financial services, healthcare, hospitality, manufacturing, telecoms, and government sectors.
Three of the men named in the U.S. indictment, Symantec says, were involved with what appear to be Grayfly operations.
Blackfly, for its part, tends to use PlugX/Fast, Winnti/Pasteboy, and ShadowPad malware.
The crew is best known for hitting the gaming industry, but Symantec has also seen it attacking the semiconductor, telecoms, materials manufacturing, pharmaceutical, media and advertising, hospitality, natural resources, fintech, and food sectors.
The two Malaysian nationals named in the indictment are apparently associated with Blackfly.
The remaining two Chinese nationals indicted? They're accused of coordinating activities between the two groups.
Researchers at Sophos describe how Maze operators have begun distributing their ransomware payload inside a virtual machine, which renders it more difficult to detect.
The Ragnar Locker gang began using the tactic earlier this year, and Maze is willing to learn from its criminal competition.
An attack at a major German hospital brought down internal systems and forced a woman in need of emergency care to travel 20 miles to another city in the first documented ransomware-related fatality, BleepingComputer and ABC News report.
According to the AP, the patient died during transport to another hospital when the ransomware attack rendered emergency services at Uniklinik Düsseldorf unavailable.
The hackers exploited a known and patchable Citrix ADC vulnerability, apparently intending to target an affiliated university, and when contacted about their mistake, quit the attack.
Which gang hit the hospital is unclear, but the hospital says it's remediating the attack.
Ransomware groups like Maze, DoppelPaymer, Nefilim, and Clop have said they don't target hospitals,
but such promises have sometimes proven hollow, and in any case, the gang's aim isn't always perfect either.
Over 700 U.S. healthcare facilities were hit last year,
and despite the criminals' pious assurances early in the COVID-19
outbreak that they would avoid attacking the healthcare sector, hospitals and biomedical
institutes became popular targets during the pandemic. Given the extent to which hospitals
depend upon networked medical information to organize and deliver care, many have thought
that a ransomware-implicated death was only a matter of time.
And now, unfortunately, that time has come.
Google has announced more stringent policies against stalkerware
and misrepresentation for Google Play.
ThreatPost points out that the rules are designed to rule out various designer dodges,
but also allow exemptions for parental monitoring apps.
And so how's this for irony?
The U.S. Securities and Exchange Commission yesterday announced
that the co-founder of a cyber fraud prevention company
has been arrested and charged with, what else, fraud.
Adam Rogas, the co-founder and former CEO of Las Vegas-based NS8,
is alleged to have misled investors through false financial statements
and led them to believe that his company was a growing software-as-a-service provider
and that it was a solid investment.
As the SEC puts it, quote,
From at least 2018 through June 2020,
Rogas altered NS8's bank statements to show millions of dollars in payments from customers.
Rogas allegedly sent the falsified bank statements and revenue figures on a monthly basis to NS8's
finance department, which used them to prepare NS8's financial statements.
In at least two securities offerings, NS8 and Rogas apparently provided investors and
prospective investors the false financial statements, showing millions of dollars in
revenue and assets and other information incorporating the falsified revenue figures.
The SEC alleges that as a result of Rogas's fraud, NS8 raised approximately $123 million in 2019 and 2020,
and that Rogas ultimately pocketed at least $17.5 million of investor funds.
NS8 has posted a statement about the matter on their website, quote,
The government investigation and an internal investigation into this conduct are ongoing.
At this time, no one else has been charged and the company is cooperating fully with federal investigators.
The NS8 Board of Directors has learned that much of the company's revenue and customer information had been fabricated by Mr. Rogas.
These events created significant cash flow issues for the company and required a significant downsizing impacting all of its employees.
The remaining NS8 leadership and board of directors is working to determine financial options for the company and its stakeholders going forward. End quote.
The office of the U.S. Attorney for the Southern District of New York described Mr. Rogas as
the proverbial fox guarding the hen house,
and says he faces one count of securities fraud, which carries a maximum sentence of 20 years in
prison, one count of fraud in the offer or sale of securities, which carries a maximum sentence
of five years in prison, and one count of wire fraud, which carries a maximum sentence of 20
years in prison. As always, do remember that persons
charged are entitled to the presumption of innocence and that sentences, if any, are imposed by the judge.
This far into the pandemic and the resulting shift to remote work,
it's fair to say most organizations have settled into a new routine
and have made appropriate security adjustments.
But what about industrial systems?
Our guest is Galina Antova from Claroty,
and she joins us with insights on the importance of secure remote access
in industrial systems during times of crisis.
Industrial systems, we typically refer to them as operational technology components and networks.
And those are actually the networks that run the world's infrastructure.
So very commonly found in things such as manufacturing and oil and gas, but also in everything from data centers to
buildings. So really quite prevalent around the infrastructure of the world. Traditionally,
those systems have been air-gapped 10, 15 years ago. And then as they started getting networked,
we started seeing more and more exposure, more and more risks associated with them.
And what's really interesting is because they stay
in the field for such a long time, there are a lot of legacy systems with a life cycle of 25,
35 years. So if you compare the state of those operational technology networks to the traditional
IT networks, there's probably a gap of about 20, 25 years. And the fact that there's a lot of legacy
industrial infrastructure out there is what really makes them challenging to protect.
Now, as you can imagine, remote access is hard on its own in IT networks.
It is that much harder when it comes to operational technology networks, because any changes within the configuration and how those industrial networks are accessed could result in a potential additional attack vector.
And what the COVID crisis kind of showed us and really accelerated is that those are the type of infrastructure changes that need to be thought through in advance.
Yeah, well, I mean, let's dig into that. What are some of the things that you've been tracking as we've gone into this
mode of reacting to the COVID pandemic? So first of all, in terms of that particular
part of the network, the operational technology networks, as I mentioned, even today, they're
treated with, they have a different risk profile, obviously, because intrusions in those networks have much more severe consequences
than just data privacy, et cetera, on the IT side of the house. And so when it comes to giving
direct secure access, remote access to those networks, that has been traditionally a challenge
and something that security professionals have not really been willing to go into the same extent as they have to the IT networks.
Now, of course, the COVID crisis necessitated that some of the personnel, some of the engineers are off-site.
And so the choice was either completely shut down production or have some form of a secure remote access
that allows you to at least continue partially operating with limited staff
on site. So what are your recommendations for organizations to get on top of this? If they
know that secure remote access is something they need, what are the options that are out there for
them? So first of all, it's not either or. It's not security or connectivity. There are very well documented ways in which you could have
remote access solutions that are also very secure. Of course, technology is one step.
It's really important to also have a process that supplements that, you know, so that people are not
doing things like, you know, sharing passwords or sharing accounts, which was something that
unfortunately is still somewhat common
when it comes to engineering within operational technology networks.
So having a good cyber hygiene, implementing the right technology,
and just following the right governance process,
those are the basic steps to follow.
The current crisis has also revealed, beyond kind of the operational topics, a challenge and an opportunity when it comes to the role that the CISOs and CIOs play as they're COVID crisis, we saw obviously the board of directors getting involved very frequently into overseeing the changes that were happening, obviously, because it was a crisis situation.
But one of the things that I've observed in my career, and especially in the last few years dealing with operational technologies, that that technology agenda is not always very well represented at the board level, right?
So many different reasons for that.
A lot of the boards have only experts with a finance background.
And I think this is really where the CISOs specifically could have a stronger voice because they could be advocates not just for, you know,
spending money for the sake of spending money for security.
Usually security is seen only as an expense.
But really, in this case, COVID showed us that security, cybersecurity and implementing it right
could enable those digital transformation projects that then become a competitive advantage.
So I think that that was one kind of very strong agenda and a conversation that took
place during the crisis. And I fully expect that this continues to be the case after the crisis,
because, again, companies saw that this could be something that helps them along the way.
And it's not just a cost expenditure.
That's Galina Antova from Claroty.
And joining me once again is Caleb Barlow. He is the CEO at Cynergistek.
Caleb, always great to have you back.
I wanted to touch today on the CMMC program that we've been seeing from the military
and some of the broader implications that could have for folks.
First of all, let me ask you to give us a little backstory here.
What are we talking about?
So this is the Cybersecurity Maturity Model Certification, or CMMC. It is being driven by
a woman named Katie Arrington. And Katie is the CISO for the Assistant Secretary for Defense
Acquisition. She was actually on your show a few weeks back. Now, the basic use case here is in the sensitive, confidential, but not classified space of military procurement.
The U.S. is losing about $600 billion a year in exfiltration, data know, one downstream part as a subcontractor,
to like the folks that mow the lawn
at a military base or the caterer.
And remember, the folks that mow the lawn,
well, they need to know the layout of a military base.
The folks that make the food,
well, they need to know troop movements.
So it's not necessarily classified data
they have access to,
but they still have access
to a whole lot of sensitive data,
and the government wants to secure that. Now, here's why I find this fascinating, Dave.
This is the first time we've actually seen somebody get aggressive about forcing some
level of control. Now, we have lots of different regulations out there, everything from, frankly, HIPAA, GDPR, CCPA, whether you're on the security or the privacy side.
All of these things talk about security requirements, but usually they use very fungible language like best practices or best in class, you know, and maybe they refer to a framework,
but rarely do you ever see someone actually score your performance. And that's what's going to
happen here with CMMC. And so how does this trickle down to the rest of us? Well, okay,
so you're not a military contractor. You're probably wondering, well,
why do I care about this? Well, I think you care a lot about it because it's actually, in my opinion,
a great model and approach of how to do this. So first of all, it's all based on NIST, and we all
know and love, and frankly, many of the people that probably listen to this podcast contributed
to the development of the NIST cybersecurity framework. So it starts
there as kind of the base fundamentals, you know, and then there are a series of controls that are
added on top of that. But, you know, if you look at the controls, you're all going to have a lot
of familiarity with them. But the difference in this case is it requires a third-party assessor
to go in and assess this. You can't self-assess anymore. So that's the first major change.
Now, you know, other industries do require assessments.
For example, healthcare, you have to understand your risk,
but it doesn't have to be done by a third party.
But the big difference in this case is the rating you get,
the grade, if you will, of your maturity.
So this isn't so much a performance rating.
It's where are you on the maturity curve? If you're not able
to reach a certain level of maturity, there's some contracts you can't bid on, or you might,
if you already have them, you might lose them in the future. And that is a major shift. And I think
if the U.S. military can do this, there's a lot of other industries that are likely to follow a
very similar model. And it's well laid out,
it's well thought through, and I think it's something we all need to pay attention to.
So is this something where you could see other verticals could say, hey, we're taking the lead
here and we're going to adopt this, we're going to make a few tweaks here, but overall we think
this is a good framework for us to use moving forward? Well, think of a major bank that has, you know, hundreds of downstream vendors
that support it.
Vendor, you know,
this could certainly come in
in vendor management where,
you know, the state of the art
of vendor management today
is getting somebody to try
to pen test a company
from the outside.
It's not very telling
what their real security posture is.
You could see this come into play
in insurance underwriting, right?
I mean, you know,
today insurance underwriting is kind of a bit of a black art when it comes to your cybersecurity posture. specific on what types of security provisions you have in place.
And this is the first time we've really seen someone articulate a vision that probably will work.
So it could be the new sort of gold standard, something for other folks to aim for.
Oh, I think there's no question
that this will be the new gold standard, and it sets a bar that we haven't seen in any other
industry. All right. Well, Caleb Barlow, thanks for joining us. And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time, keep you informed, and it rocks around the clock.
Listen for us on your Alexa smart speaker, too.
Don't miss this weekend's Research Saturday, where I speak with Matt Olney from Cisco Talos
on their report, What to Expect When You're Electing.
That's Research Saturday.
Check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Volecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.