CyberWire Daily - Supply chain hacks versus Airbus. Phishing around Google Cloud. Masad Clipper and Stealer on the criminal-to-criminal market. Quick zero-day exploitation. DoorDash hack. Inside JTF Ares.
Episode Date: September 27, 2019
The Airbus supply chain is reported to be under attack, possibly by Chinese industrial espionage operators. Phishing campaigns impersonate Google Cloud services. A new commodity information stealer is on offer in the black market. The vBulletin zero-day was weaponized surprisingly quickly. DoorDash discloses a hack that exposed almost five million persons' data. And a look at JTF Ares operations against ISIS shows commendable attention to increasing the enemy's friction. David Dufour from Webroot on the need for a variety of areas of expertise in security. Guest is Caleb Barlow, CEO and President of Cynergistek, discussing the security implications of being CEO of a public company. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_27.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
The Airbus supply chain is reported to be under attack,
possibly by Chinese industrial espionage operators.
Phishing campaigns impersonate Google Cloud services.
A new commodity information stealer is on offer in the black market.
The vBulletin zero-day was weaponized surprisingly quickly.
DoorDash discloses a hack that exposed almost 5 million persons' data.
Insights on being the CEO of a public company.
And a look at JTF Ares operations against ISIS
shows commendable attention to
increasing the enemy's friction.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Friday, September 27, 2019.
Cyber attacks against supply chains are among the third- or nth-party risks that have drawn increased attention over the past year.
A high-profile manufacturer, Airbus, has been the subject of an industrial espionage attack on its suppliers.
AFP reported yesterday that some major Airbus suppliers were hit by a cyberattack that seems designed to steal trade secrets.
Engine manufacturer Rolls-Royce was affected, as was Expleo, a technology consultancy and supplier. At least two other companies in the Airbus supply chain were also attacked, but their identities are not yet publicly known.
Neither Airbus nor Rolls-Royce has commented on the incident. Expleo told AFP it could neither confirm nor deny reports of an attack. Airbus did say that it, like any major company, is aware of cyber attacks, but it had nothing to offer concerning this incident, which AFP sources to unnamed security experts. Bloomberg has reported that Airbus has nonetheless taken steps to shore up its security.
Sources suggest that the attackers worked against a virtual private network that connected Airbus to its suppliers.
The hackers appear to have been particularly interested
in collecting information relevant to obtaining aircraft certification.
The two aircraft whose technical details drew the most attention
were the A400M, a military transport aircraft,
and the commercial passenger aircraft A350.
There is so far no firm attribution, but informed speculation points to Chinese espionage.
Either APT10, which is also known as Stone Panda and menuPass, or JSSD is being mentioned in dispatches.
JSSD is associated with the regional security ministry in Jiangsu.
Jiangsu is a center of Chinese aerospace industry,
which is seeking to enter the commercial airline market.
Chinese aircraft company Comac is producing the country's first mid-range airliner, the C-929, but it's been having difficulty obtaining certifications, which of course constitutes a significant barrier to entry in this particular market.
Security firm Zscaler reports finding phishing campaigns, which the company assesses as sophisticated, abusing appspot.com and web.app, both legitimate domains associated with Google Cloud. The researchers say the campaign, which deploys well-executed landing pages that spoof the two widely used sites, is similar to a phishing effort they found in July that was engaged in similar deception with respect to Microsoft Azure.
Juniper Networks reports a new strain of spyware delivered by Trojanized Windows executables. Once installed, the Masad Stealer spyware interacts with a Telegram bot the threat actor controls to find and exfiltrate data. The information Masad takes is browser-based, which is useful to the criminals because browsers often hold credentials and paycard information. It also automatically swaps out any cryptocurrency wallet addresses it comes across with a wallet address of its own.
Masad is off-the-shelf crimeware traded in the criminal-to-criminal dark web markets as Masad Clipper and Stealer, where it goes for the low, low price of $85 or so. Juniper points out that this means it can and will be deployed by an indefinitely large number of threat actors beyond the malware's original authors. The vendors have thought a bit about their marketing: they start you off with a free version and then offer increasingly capable versions at correspondingly higher prices.
Security firm Imperva reports that the vBulletin zero-day is being exploited in the wild.
If they're correct, and there's no reason to think they aren't,
the vBulletin case shows how quickly a vulnerability can be weaponized after its publication.
The company says it observed the first malicious request exploiting the vulnerability less
than nine and a quarter hours after the vulnerability was posted to SecLists.org.
DoorDash disclosed that it sustained a major data breach: data on some 4.9 million customers, dashers (the gig workers who deliver for the service), and merchants were exposed to an unauthorized third party in May of this year.
The company says the incident affected those who joined DoorDash before April 6, 2018.
Customers, dashers, and merchants who joined more recently are unaffected.
NPR has published an unusually long look at Joint Task Force Ares,
the U.S. Cyber Command unit tasked with hunting ISIS in cyberspace.
The account seems to derive from unusual access to JTF Ares
and is rich in what we can only call Tom Clancy-esque detail.
We note that JTF Ares leaders, for example,
are said to give the order to initiate a cyber
attack by saying, fire. If they were the gunner-inspired leaders we've sometimes been led
to expect them to be, we'd have thought they'd use the more proper cancel-at-my-command, since
when-ready is the default for fire commands. But let that pass. The Americans, the Russians say,
are notorious for not reading their own field manuals,
which makes it difficult to train against them. Besides, General Ed Cardon, when responsible for JTF Ares, didn't come up as a gunner. In any case, fire it was, and thus JTF Ares opened Operation Glowing Symphony in 2016. Glowing Symphony was intended to disrupt ISIS inspiration, that is, ISIS online media operations, and that goal it seems to have achieved. It's noteworthy that the JTF Ares
people interviewed note that technical virtuosity was wisely not the point. The operation succeeded
because it concentrated on introducing friction into ISIS online media operations wherever it
could.
That friction would be familiar to anyone who's worked in any corporate IT environment. NPR lists some of the frictions, and they ring very true: slow downloads, dropped connections, access denied, program glitches.
General Jennifer Buckner, who led JTF Ares in subsequent phases of the operation,
illustrated it this way. She told NPR, quote, Some of these are not sophisticated effects, but they don't need to be. The idea that
yesterday I could get into my Instagram account and today I can't is confusing, end quote.
Among the more prominent casualties of Operation Glowing Symphony were Dabiq, the ISIS online magazine, which folded, and the caliphate's news service Amaq, which, among other things, lost its mobile app.
Many of the ISIS foreign language news services also folded and have not been re-established.
NPR quotes Citizen Lab on the dangers of actually using cyber attack tools, since using them also tends to proliferate them, and that's a risky business.
But the operations against ISIS the piece describes don't seem to lend themselves to this kind of reuse.
For example, how do you reuse the knowledge that the guy you're working against
uses the same numbers for every credential?
And that's not just passwords, but answers to security questions like,
what's your pet's name?
For the record, the ISIS IT guy said his pet's
name was 1257. The analysts knew because, like Tabasco sauce, the ISIS IT guy used that on
everything. Speaking of the Russians, as we did just a moment ago, one of the more interesting
parts of NPR's account is the brief comment that another organization comparable to JTF Ares has
been established. It's called the Russian Small Group,
and we trust they've got their fire commands down.
A question.
If people in North America call Russia's GRU hackers Fancy Bear,
do the Russians have a comparable name for U.S. Cyber Command?
And which animal would they use as its mascot?
And joining me once again is David Dufour. He's the VP of Engineering and Cybersecurity at Webroot. David, it's always great to have you back. The importance of cybersecurity continues to expand throughout organizations, and it's touching more and more things. And that means there are a lot of new roles for people to play within organizations.
First of all, thanks for having me back. You know, we are seeing a lot of new roles, both inside organizations and then, you know, where you're hiring people to support security.
And then, and additionally, the training that people need in universities and things like that
to be able to come in and build products that actually help prevent threats or detect threats of that nature.
So there's quite a lot going on right now.
So can you give me some specific examples? What kinds of things are folks spinning up these days?
Well, one of the biggest things, and I know we hear about this a lot, so please let's remember I'm on the engineering side, not on the sales and marketing side, is AI and machine learning.
I cannot underscore the need in the industry for folks who are trained and well-qualified in building solutions with that in it.
Because we're trying to get past the hype of saying we've got AI or we've got machine learning.
And what we need are those people that are really well-trained in how to implement those solutions such that products use them most effectively.
And that is not something you just learn overnight.
There's a lot of work involved in understanding how to build those models,
build machines that consume data, and then understand how to pull and analyze that data to build effective machine learning tools.
Yeah, and I think we're also seeing that, besides the traditional computer science pathway, that there are lots of other roles within
cybersecurity. Folks coming up through school or looking for perhaps a new career, they can take
advantage of those needs. That's absolutely right. And, you know, we are looking across the board at
different types of folks in the industry, from mathematicians, people who understand human behaviors.
We're seeing a lot of them get involved with the machine learning folks
to be able to develop user-based stuff.
Totally not being my normal snarky self here,
we need a lot more technical PR, technical marketing folks to come out
to be able to really educate
the consumer and the industry because a lot of us engineers aren't really good at communicating.
But you meet people with that technical background and understanding, but in all types of fields.
Don't let the technical stuff scare you away from perhaps pursuing a career that's related to cyber.
That's exactly right. And right now, there's really not a better place to be
than getting involved in cybersecurity in some way. And another thing, David, that a lot of people,
you know, once you're in the industry, you realize actually helping people. And that
feels pretty good, too. No, it's a great point. David Dufour, as always, thanks for joining us.
Thank you for having me, David.
My guest today is Caleb Barlow. He's CEO and President of cybersecurity services firm Cynergistek. Prior to that, he was Vice President of Threat Intelligence at IBM Security.
I've spoken with Caleb Barlow before,
but this time I wanted to focus on what the transition was like to being the CEO of a
public company and how his experience in security informs his leadership style.
You want to ask a lot of questions, you know, especially once you get past that first set of
interviews and you realize you've got the job, you really want to understand, all right, where are the bodies buried? What do I need to worry about? And I think as a
leader today, whether you're taking a role as a CEO or frankly, you're taking a new leadership role,
we have to shift our paradigm a little bit as security professionals. I mean, I have told the story probably a hundred times, and I'm sure
you've heard this before, Dave, of, you know, as a, you know, if you're in a bear attack, you don't
need to outrun the bear. You just need to outrun your friends. You know, security professionals
use this metaphor all the time. I actually think we need to stop using that metaphor because this
is no longer about if I'm breached. This is really about I'm going to get breached.
It isn't a question of if it will occur.
It's really just a question of when.
And a lot of companies, it's happening all the time.
So we really need to think about when in that bear attack, because it's not just a bear,
it's probably a whole pack of bears.
That's what I was thinking.
What if there are two bears?
Yeah, exactly.
What if there are two bears or a whole pack of bears, right? We've got to shift our thinking because that's the
landscape we're dealing with now. And now we've got to think about how are we going to prevent
that from occurring? How are we going to mitigate the damage? And most importantly, how are we going
to respond to that moment of crisis? So a lot of what I started to look at as I came into this role
were, well, what is our security posture? And I think, interestingly enough, there are a lot of questions that you can ask now that
you couldn't have asked two or three years ago.
So things like, hey, is the network segmented?
Do you have EDR?
Is two-factor authentication on everything?
And every security professional listening to this podcast knows,
you know, three years ago, you couldn't have asked those questions. You would have been asking,
you know, hey, do you have AV, right? But nowadays, you really can ask those questions. And
if you don't get good answers to those questions, then okay, here's a task we need to go
deploy to get these things done, because those are kind of the new basics
I mean, I can't imagine being in a company today that doesn't have two-factor and unfortunately
There's a lot of companies that don't
The other thing too that I really spent a lot of time on was looking at the latest security assessment
And you know, that's a good benchmark. Obviously if you compare that to NIST, that's a great way to kind of see where you are. And in any company,
there's going to be the places you're strong and the places you're weak. And hopefully the areas
where you're weak aren't the places where you've got the crown jewels or, you know, where there's
a high risk vulnerability. But that's the first step is just to kind of get a picture of where
am I at and how big of a problem do I
have that I'm walking into. How do you manage that transition though? Because I mean, I can imagine
coming in, that's a good point of deflection to say, okay, I'm taking over as CEO, I'm going to
get to know everyone here and some changes are going to be made. They're necessary, and we're going to do some new things.
And I can imagine people reacting and saying, yes, that absolutely makes sense.
But at the same time, you're going to, you don't want to increase friction either.
You don't want you coming to the company to generate the reaction of, oh, boy, here we go.
You know, now it's going to be, everything's going to be so much harder, and we're not going to be able to do things the way we've always done them.
Oh, and here comes this security guy, and everything's going to be so much harder.
Right, right.
You know, because there's this constant balance.
And I'll tell you, I think one of the things you have to do is being willing to step on
your heels and listen to why decisions have been made.
Because generally speaking, hopefully you're dealing with smart people that know what they're
doing.
And there's probably a good reason. I mean, I'll tell you, I had a bunch of questions around
the vendors that were being used and why some of the choices were being made, mainly just because
my own naivety of I hadn't worked with those vendors before, so I naturally didn't trust them.
And the team was able to walk me through a lot of the decision-making process,
how they did their evaluations.
And you quickly look at things and go, all right, that's a pretty good decision.
But I'll tell you something else that was really interesting is I started asking questions
not only around what do we have, where are the crown jewels, how is data stored, how
is it protected, segmented, access control, all the things you'd think you'd normally
ask your CISO.
But I also started to ask questions like, do we really need this data?
Why do we have it?
What's it costing us to store this?
What do we get out of keeping it?
And are we better off just getting rid of some of it?
And Dave, it was fascinating because I don't think anyone had ever asked that question before.
Should we maybe put some record retention guidelines on some of this stuff and purge
it out over time if we don't need it? And as silly as that sounds, as basic of a question as that
sounds, it's amazing how much that can de-risk your long-term posture. Because I think a lot of companies, as we all
got excited about AI and having lots of data, we just collected it all.
Now you got to sit back and go, do I really want this data? Because the more data I have,
the bigger risk I have too.
Yeah, it's an interesting shift that I've noticed as well. Going from this notion that data is valuable to
data might actually be radioactive. Oh, absolutely. And it all comes down to what it is. Is it
healthcare data? Is it other forms of PII? Is it financial records? And also, what's the regulatory
environment? Even if you're a US company, if you're selling anything in Europe or doing anything in Europe,
you've got GDPR to contend with.
The penalties there are just staggering.
But people often forget in the US alone, there's over 52 different breach disclosure laws.
You don't want to go sideways with any of those.
Now, also as a public company, even Sarbanes-Oxley now has expectations on
corporate officers around breach disclosure. Things can become material pretty quickly.
And if executives are trading with the knowledge of a breach, this can also cause issues. And I
think the first kind of public example of where we saw that and we really saw the SEC lean in
was around Equifax, where in that case,
the CIO was even sentenced for insider trading. What we're starting to see now, and this has
historically been happening more outside the United States, a lot of which has been happening
in the Middle East. We've started to see some activity of this in Europe, and we're starting
to see more and more of this now in the United States in the form of ransomware or destructive attacks where you come in one idle Tuesday and it's all gone. All of it. The backups,
the primary systems, the servers, the workstations, the laptops, even the phones don't work because
they're voice over IP. Everything's gone. Now, what a lot of people have been thinking about
from an incident response perspective was just up to the point of, oh, somebody stole the data. Let's go do forensics,
figure out how they did it, maybe who was behind it, and how much data they stole.
That was the end of the story for incident response really up until the last year or two.
Now it's all about something is happening. Business is being impacted.
I need incident command.
I need incident remediation.
And those are two very different disciplines.
So interestingly enough, though, we don't have to recreate what to do here.
The incident command system was first developed by a guy named Alan Brunacini in the
Phoenix Fire Department, where he was trying to figure out how to deal with wildfires that were
occurring in Phoenix and the surrounding areas where you'd have to coordinate response amongst
all kinds of different fire departments. So he built this thing called the incident command
system. And it's a method to make decisions and understand an organizational hierarchy when you have to put a hierarchy together all at once in a hurry.
Well, interestingly enough, in a large-scale incident in a company, you have the same problem because you can't rely on the structure of the company to respond to that incident.
The CEO is on a plane for the next 12 hours. The next person in charge doesn't know anything about cybersecurity.
And three of the other executives you can't get a hold of because all your systems are down.
So you've got to have a way to respond where you're responding in a lot of ways from the bottom up
with people that are specially trained in how to do this. And I think as companies realize more and more that this is a business recovery type of incident,
we're starting to see those tools that come from the realms of incident response or the military
and get retranslated into cybersecurity.
And again, the good news is we don't have to reinvent how to do this.
We just have to translate it into cybersecurity.
That's Caleb Barlow.
He is CEO and president of Cynergistek.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.