CyberWire Daily - Suppressing Trickbot: cyber warfare and cyber lawfare. Chaining vulnerabilities. An intergovernmental call for backdoors in the aid of law enforcement.
Episode Date: October 13, 2020
Trickbot gets hit by both US Cyber Command and an industry team led by Microsoft. CISA and the FBI warn that an unnamed threat actor is chaining vulnerabilities, including Zerologon, to gain access to... infrastructure and government targets. Ben Yelin shares his thoughts on the US House’s report on monopoly status for some of tech's biggest players. Our guest is David Higgins from CyberArk on how work from home has put a light on privilege access security. And the Five Eyes plus two call for legal access to encrypted communications. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/198
Transcript
You're listening to the CyberWire Network, powered by N2K.
TrickBot gets hit by both U.S. Cyber Command and an industry team led by Microsoft. CISA and the FBI warn that an unnamed threat actor is chaining vulnerabilities,
including Zerologon, to gain access to infrastructure and government targets.
Ben Yelin shares his thoughts on the U.S. House's report on monopoly status
for some of tech's biggest players.
Our guest is David Higgins from CyberArk
on how work from home has put a light on privilege access security.
And the Five Eyes Plus Two call for legal access to encrypted communications.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, October 13th, 2020.
The unknown operators that Krebs on Security said were disrupting TrickBot turn out to have been
neither vigilantes nor criminal rivals,
but rather U.S. Cyber Command, the Washington Post reported late Friday.
Cyber Command had been concerned that TrickBot's use in deploying ransomware made it a potential threat to the November elections.
The disruption apparently took the form of sending updates to the botnet's command and control servers
that effectively severed communications with the machines the gang controlled.
The updates, of course, were bogus.
The damage wasn't permanent, but it was disruptive,
and it was noticed and remarked upon by the criminals themselves,
in high, all-caps, chatroom dudgeon.
Cyber Command's operations are, as the New York Times describes them,
from Fort Meade's midterm election protection playbook, developed in 2018.
Microsoft also took action against TrickBot with the cooperation of ESET,
Lumen's Black Lotus Labs threat research, NTT, and other organizations, obtaining a court order
allowing Redmond to take the botnet down.
The New York Times says Microsoft and its partners had been unaware of U.S. Cyber Command's
activities against the botnet and that the two actions appear not to have been coordinated.
The effect of the sort of takedown Microsoft and its partners executed is basically twofold.
First, it prevents further deployment of the malware, and second, it cuts
off already infected machines from executing further commands. Sophos, which congratulated
the companies involved in the takedown on its blog, also downplayed in an interview with ITWire
the likelihood that ransomware or a financial information stealer would represent a dedicated
threat to elections.
Insofar as they're talking about criminal ransomware gangs, they've got a point.
The gangs are interested in money and in politics only insofar as it can get them money.
But there are other respects in which ransomware can threaten the conduct of an election.
Some ransomware has proven itself imperfectly containable, and it can infect
systems that aren't its principal targets. But more to the present point, TrickBot is thought
to be a well-established Russian-speaking gang, and such gangs operate at the sufferance of Russian
security and intelligence services. They're regarded as easily co-opted, and it would have
been unwise to ignore a significant botnet as representing nothing more than a criminal operation.
Microsoft's Corporate Vice President of Customer Security and Trust, Tom Burt, said Microsoft had been planning the move since April.
We have now cut off key infrastructure so those operating TrickBot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.
Some experts maintain the disruption is limited and likely temporary since the botnet is diffuse and dynamic.
Swiss botnet monitoring firm Feodo Tracker shows numerous TrickBot servers still online.
Threat analysts at Intel 471 say they have not seen any significant impact on TrickBot's infrastructure and ability to communicate. But this seems in some respects unduly pessimistic.
As those who've monitored the gang's chatter have observed, the hoods themselves have been
doing a lot of complaining.
Bloomberg offered a different perspective. In its far more optimistic estimation,
quote, it will likely take months or years for the criminals to recover, if at all, end quote.
According to Security Boulevard, the TrickBot perps are considering a 1,400% ransomware demand raise in retaliation.
And of course, there's no more a permanent solution to ransomware
than there is to, say, shoplifting.
The best you can do is contain the gangs
and reduce what the retailers call shrinkage.
On Friday, the Department of Homeland Security's
Cybersecurity and Infrastructure Security Agency and the FBI
issued a joint alert updated yesterday describing an effort by APT actors to chain Windows and VPN vulnerabilities in a campaign directed against state, local, tribal, and territorial government networks, critical infrastructure, and election support systems. They succeeded in penetrating and establishing a degree of persistence in some of their targets,
and the target selection is suggestive,
but CISA and the Bureau say that election security wasn't compromised.
The alert includes an extensive review of the exploits used,
and it outlines measures that organizations can take to protect themselves.
You can find this alert and others on the CISA.gov website.
On Sunday, representatives of the Five Eyes, India, and Japan
issued a joint international statement on end-to-end encryption and public safety.
The statement affirmed support for strong encryption,
but deplored, quote,
counterproductive and dangerous approaches
that would materially weaken or limit security systems, end quote, and then called upon companies
to design systems so that law enforcement could, with proper authorization, access encrypted
communications. They specifically called for an international regime in which governments and
software companies would cooperate to achieve three goals. First, embed the safety of the public in system designs, thereby enabling companies to
act against illegal content and activity effectively with no reduction to safety,
and facilitating the investigation and prosecution of offenses and safeguarding the vulnerable.
Second, enable law enforcement access to content in a readable and usable format
where an authorization is lawfully issued, is necessary and proportionate,
and is subject to strong safeguards and oversight.
And third, engage in consultation with governments and other stakeholders
to facilitate legal access in a way that is substantive
and genuinely influences design decisions.
In the view of the officials who drafted the Joint Communiqué,
which is framed entirely in terms of protecting children from online exploitation,
a goal hardly anyone likely to gainsay,
the way in which end-to-end encryption is presently handled amounts to irresponsibility.
Quote,
End-to-end encryption that precludes lawful access to the content of communications in any circumstances directly impacts these responsibilities, creating several risks to public safety in two ways.
One, by severely undermining a company's own ability to identify and respond to violations of their terms of service.
This includes responding to the most serious illegal content and activity on its platform,
including child sexual exploitation and abuse, violent crime, terrorist propaganda, and attack planning,
and by precluding the ability of law enforcement agencies to access content in limited circumstances where necessary
and proportionate to investigate
serious crimes and protect national security where there is lawful authority to do so.
So, the goal is a familiar one. Devise means by which duly constituted legal authorities could,
under the right circumstances that would be strictly controlled, gain access to otherwise inaccessible communications.
The criticism is equally familiar. Privacy and security hawks object that criminals and other
bad actors could, in principle, find and exploit what would, in their view, amount to legally
mandated security weaknesses. And, of course, there's also the objection that such capability
would amount to a standing temptation to abuse by even well-intentioned law enforcement organizations.
David Higgins is EMEA Technical Director at CyberArk.
He joins us with thoughts on how work from home has changed the threat landscape
and made privileged access management and security even more important.
Privileged access management is something that's become a key element.
It's been hugely important from a security strategy.
The reason being is when we look at incidents, whether they be cyber attack as nation state,
there's a commonality that takes place in these attacks, which is at some point they
look to escalate their privileges.
They look to perform credential theft and perform lateral movement in order to get to
their objective, whatever that may be.
So it's become a really key element in a security strategy to protect that privileged access,
which historically has been your administrators, IT admins.
But also in today's world, it's expanding to, of course, the cloud platform automation.
And even the definition itself of privileges is expanding to some business type users as well.
So at its basic level, I mean, is it who in your organization has access to various parts of your network,
the different data that's found throughout?
At a basic level, yeah, that's part of it, right?
If you look at it from the kind of traditional IT administrator,
these are individuals that have the keys to the kingdom.
They're keeping the lights on within the business.
They're supporting servers, maintaining databases.
And they'll be using separate identities
in order to execute that kind of access,
which is the privileged access.
And it's that access that's targeted,
and it's therefore that access that needs to be protected.
We need to make sure that the right users
are getting the right level of access at the right time,
and importantly, for the right reasons.
Yeah, I could envision that people would,
the natural impulse would be,
well, let's give the CEO access to everything.
I mean, she's the boss after all.
But at the same time, she's likely to be a real target.
So perhaps that's the person who you want to minimize access in case
someone gets into their accounts. Definitely. You've got to look across the different types
of privileged identities. And that isn't just the IT admins, exactly as you mentioned, right? It
could be the CEO, it could be the head of finance. And you've got to focus on what's going to pose
the biggest business impact to your organization. And that's where to start. That's where to lock
down. But you're right, just simply because someone is senior or executive doesn't mean they
should just have access to everything. The access to everything is the approach that's kind of
been taken today. It's, well, it's easier just to drop them in the admin group, right? Gives
them the access they need. It's a lot more than they need, but then there's no formal process or
proper process to make sure that's being reviewed or being kind of removed afterwards. And this just kind of
builds up over time. And, you know, when an attacker's in an environment, they're going to
seek out those accounts that have far-reaching access rights. That's David Higgins from CyberArk.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security.
Also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
On this week's Caveat, you and I have an interesting discussion about important news that dropped,
which is the report from the House of Representatives on the monopolies,
the claimed monopolies, what they're
claiming are monopolies of some of the biggest tech companies in the world, the Facebooks of
the world, the Googles, you got your Facebooks, you got your Amazons, you got your Apples.
Can you unpack this for us here? I mean, what's the upshot of this report from the House?
Sure. So it is a 450-page report that was released after this House committee collected over 1.6 million pages of documents and held pretty contentious hearings with the CEOs of these companies.
And it's not easy to haul Mark Zuckerberg, Jeff Bezos, Tim Cook, and Sundar Pichai in front of a congressional committee and get them to share their anti-competitive practices.
So it was a very comprehensive investigation, and this is the culmination of that investigation.
And what they determined is that these four companies really do have monopolistic power
as it relates to their spheres of influence.
You know, Facebook controls the market for social media.
It's been able to bully its competitors out of the market.
And not only are they market participants, but because of their position within that market, they're able to set the rules and standards for that industry.
And that's very destructive for the promotion of competitive business practices.
And the same is true for Amazon as it relates to online shopping,
Google for search engines, and Apple for all of the things that they produce,
the App Store, iPhones, etc.
So this report not only calls them out for having monopolistic power that's akin, in their opinion, to some of the monopolies we saw
at the beginning of the 20th century that led to the progressive era in this country,
the oil barons and railroad tycoons, as they mention. But it also has some recommendations.
So one of the recommendations is they want to make it tougher for tech giants to buy up smaller
companies in order to consolidate the industry. They want to introduce a non-discrimination
requirement to stop platforms from prioritizing their own products over rivals.
And they also want a series of measures to enforce antitrust laws.
They would increase their own powers as members of Congress,
but also they want to empower federal agencies to start enforcing some of the antitrust laws
that have been on the books but that have been dormant over the past 40 years, where we've really sort of abandoned our centuries-long effort at going against these anti-competitive business
practices. So, you know, the moral of the story in the report is all of these companies have
delivered clear benefits to the general public. You and I, and probably all of our listeners,
have used their products and have reaped the benefits
of their products. But when you have these types of companies that run the marketplace and compete
in that same marketplace, they can come up with a set of rules for themselves while they force
others to play by an entirely different set of rules. And that ends up hurting the consumer.
When the consumer doesn't have choices, there's less incentive for these large
companies to protect the interests of their users. And we see that with things like, you know,
Facebook and its political ads, Facebook and the Cambridge Analytica scandal, where, you know,
if there were actually a competitive marketplace, people could go and use the services of a
competing social media company.
That would be a way of holding Facebook accountable.
But because of their market power,
that's just not really an option.
So it's the consumers that end up getting hurt the most.
So I think it's a really interesting report.
Obviously, most people are not going to read all 450 pages,
but I'd highly encourage you if you have interest in this stuff.
That's what we have you for, Ben.
I know. Well, it's not like I'm going to read all 450 pages. However,
I did read the executive summary and I did stay at a Holiday Inn Express last night.
Well, there you go.
How much, what do you suppose could come of this? I mean, we've got,
obviously these companies disagree with the findings. And with the size of these companies comes a lot of influence.
You know, they are able to invest in the world's best lobbyists.
Yeah, exactly.
So not only do they have monopolistic power, they also have a lot of political power.
You know, and they also make a lot of content moderation decisions that, you know, can augment their own power as well.
So it's hard to know exactly what's going to come from this. This is a recommendation from
one House committee. We're getting towards the end of this session of Congress, meaning it's
very unlikely that they will turn this report into some kind of legislative proposal in the near term.
But if this is something that lingers as a salient political issue,
and we're in a future Congress, you know, this might be the starting point for negotiations on
a bill to increase competitive practices in the tech industry. And I think that's something that
actually could garner bipartisan support. I think there are members on both the political left and
the right who have, you know, maybe different problems with monopolization in this industry,
but both see it as a major concern.
So I would not necessarily write this off as an issue
that's going to be destroyed by polarization.
The tech companies will fight tooth and nail against this.
They want to maintain these anti-competitive practices
because that's what's allowed them to accumulate $5 trillion worth of capital. And, you know,
that's a very difficult interest to go up against. But I think this really could be the basis
or at least the start of a movement to erode at some of these anti-competitive business practices.
All right. Well, Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed.
And it plumps when you cook it.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is
proudly produced in Maryland out of the startup
studios of DataTribe, where they're
co-building the next generation of
cybersecurity teams and technologies.
Our amazing CyberWire team is
Elliott Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.