CyberWire Daily - Taking down Thallium. Cloud Hopper: bigger (and worse) than thought. US tightens screws on the supply chain. The bite of winter and the scent of plums.

Episode Date: January 2, 2020

Microsoft takes down bogus domains operated by North Korea’s Thallium Advanced Persistent Threat. The Cloud Hopper cyber espionage campaign turns out to have been far more extensive than hitherto believed. The US wants Huawei (and ZTE) out of contractor supply chains this year. India will test equipment before allowing it into its 5G networks. And the California Consumer Privacy Act is now in effect. Joe Carrigan from JHU ISI with the story of a financial advisor who paid the price for falling for a phishing scheme. Guest is Dave Burg from EY on the global perspective of cyber security risk. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_02.html Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Microsoft takes down bogus domains operated by North Korea's Thallium advanced persistent threat. The Cloud Hopper cyber espionage campaign turns out to have been far more extensive than hitherto believed.
Starting point is 00:02:08 The U.S. wants Huawei and ZTE out of contractor supply chains this year. India will test equipment before allowing it into its 5G networks. And the California Consumer Privacy Act is now in effect. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 2nd, 2020. Happy New Year, everyone. It's good to be back. Microsoft has confirmed that the North Korean threat group Redmond tracks as Thallium has indeed been aggressively pursuing Windows users, and that Microsoft has seized 50 domains Thallium used in its espionage campaign. Microsoft prefers elemental names for APTs and says that Thallium worked for the most part through spear phishing
Starting point is 00:02:57 that spoofed emails from Microsoft. One lesson to be learned from the campaign is the importance of attention to detail. Security-aware users are accustomed to looking closely at the sender's email address to spot communications that aren't from whom they appear to be. In this case, Thallium, which pretended to be sending unusual sign-in activity notices from Microsoft, used a domain that substituted an R and an N for the first letter M in Microsoft. That could be easily overlooked if one was rushed or inattentive. So bravo Microsoft for securing the takedown.
Starting point is 00:03:35 The Wall Street Journal on Monday published its investigation into the Cloudhopper cyber espionage campaign that Reuters reported in December 2018. The U.S. Justice Department at that time indicted two Chinese nationals, both of whom remain at large, and alleged that the duo had been working for the Chinese Ministry of State Security's APT10. It now appears, according to the Journal, that the espionage was far more widespread than originally reported. The known victims back when Reuters broke the story included IBM, Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation,
Starting point is 00:04:14 HPE, and DXC Technology, and it should be mentioned that none of them were notorious security slackers. The U.S. Justice Department, in its indictment, alluded to 14 other companies that allegedly fell to the ministrations of the hackers, two gentlemen who are believed to have been employed by the Huaying Haitai Science and Technology Development Company, which itself served as a cyber operations contractor to the Chinese Ministry of State Security's Tianjin State Security Bureau.
Starting point is 00:04:50 APT10 seems to have been particularly interested in compromising managed service providers. This is entirely sensible as a target selection strategy, given the extent to which enterprises have continued to increase their reliance on managed service providers. Ann Neuberger, who leads the National Security Agency's Cybersecurity Directorate, is quoted by the Journal as offering a Willie Sutton-esque motive for the targeting. Why rob banks? Well, that's where the money is. At least a dozen cloud providers, for example, were hit and their customers' data were open to inspection by the ministry. Since each cloud provider will have many customers, the total number of organizations affected can be expected to be large indeed.
Starting point is 00:05:32 The Journal reports that the cloud providers in particular were less than fully forthcoming with both federal investigators and the providers' customers, and this experience is said to have moved the U.S. Department of Homeland Security to push for regulations that would require more cooperation in the future. Some of the affected providers, notably HPE, strongly denied that they had given anything less than their full cooperation to investigators. The Journal quotes an HPE spokesman as saying, to suggest otherwise is patently false. The Chinese operator's take appears to have been a mix of industrial and traditional espionage collection. Apart from whatever trade secrets may have been culled from the affected companies,
Starting point is 00:06:10 the U.S. government now says, according to the Journal, that some 100,000 U.S. Navy personnel records were also exposed. The World Economic Forum rated both data theft and large-scale cyberattacks among their top five global threats in 2019, and it's likely they'll stay on the list for 2020. Dave Burg is a principal at EY, serving as their Americas cybersecurity advisory leader. He shares his insights on the global aspects of cybersecurity risk. I think we find ourselves today in a situation where the cyber threat that companies in the United States and around the world face continues to be very serious, continues to be
Starting point is 00:06:53 an area where executives are increasingly aware and interested in asking questions. But I think we are increasingly not doing enough. I also see many companies working very hard to make sure that as they develop new products and services, they're thinking about dealing with cybersecurity and various privacy-related risks. But all in all, we're just not where we need to be as a society. And where do you suppose that – who does that rest with? I mean, is it private industry not stepping up? Is it nation states not stepping up? Is there plenty of blame to go around?
Starting point is 00:07:30 I think there's blame to go around. But I mean, I'm a believer that market forces are ultimately going to solve this problem. And I think that very smart companies are going to wind up putting cyber first and getting to a place where either their business partners or consumers are essentially guaranteed safety and security because of the capability of the way that products and services and technology work together. I think there are interesting avenues at a nation-state level where those countries who can afford to do more to protect businesses that operate within their providence could or should or will do more. And that will wind up becoming a strong competitive
Starting point is 00:08:13 advantage, both I think in the near term, midterm and long term. I've heard a lot of people say that they would like to see action there at the federal level so that we don't end up with this patchwork of state laws. And I'm curious what your insight is on how that extends to the global marketplace. I mean, is there someone positioned to take the lead to establish what are the agreed upon global norms going to be? Well, you know, look, I think that in reality, the European Union got out in front first by driving GDPR, and then you had the CCPA follow. And we've certainly seen more interest in the United States government to push various consumer privacy protection regulation, even at the federal level.
Starting point is 00:09:01 I do think that a federal movement, a U.S. federal movement in this space would be meaningful and would be significant because in my capacity, in my career, I've had an opportunity to travel around the world extensively to meet with companies, but also regulators around the world. So I think that any additional movement by the U.S. federal government would really, I think, be a very strong and positive step that the rest of the world would likely soon follow. What sort of advice are you giving your clients on ways for them to best prepare themselves for what's to come in the near future here? I think that one of the most important strategic conversations that I'm having or that we are having is to be pushing very hard to get the business owners or business units to really, truly, fully embrace cyber from the moment that they have a strategic thought. I think the other is that, as businesses change, you see more and more push to the cloud
Starting point is 00:10:06 or more and more use of new technologies that are sitting out in what would be considered IoT or OT space. The most sophisticated companies are incorporating those new products and services and the security implications, again, from the very beginning moment. I think the third piece of advice that I would share is that resilience and recovery is very much not just in vogue, but critical to business vitality. And so we learned a couple of years ago from the seriousness of the NotPetya attacks, how important it is to be able to get a business back up and running. We see in heavily regulated industries, like in financial services,
Starting point is 00:10:46 there's a very strong push to be able to demonstrate resilience and recovery. I think it's incredibly important. So, you know, we used to talk about business and continuity planning and disaster recovery. Those things are actually back. They're back in force. They're incredibly important.
Starting point is 00:11:04 They're actually very hard to do well. And I think it's something that must be focused on, not as an academic study, but in fact proven over and over again, tested. Those are the three, I think, main things I would recommend companies focus on. That's Dave Burg from EY. The U.S. General Services Administration has announced that its procurement schedules, to be refreshed on January 15th of this year, will include bans on doing business with companies whose offerings include substantial or essential components from specified Chinese companies,
Starting point is 00:11:41 notably Huawei and ZTE. FedScoop points out that this will affect companies whose supply chains are too enmeshed with those of the proscribed companies. Federal contractors should look closely to their supply chains and their subcontractors. The new rules will move them into poorly charted compliance terrain. India, for its part, will subject equipment proposed for 5G networks to security trials, a development the Economic Times reports has been welcomed by Huawei, which expects to be able to pass such tests in a pinch.
Starting point is 00:12:13 The company, which had a good 2019 despite the security controversies it encountered, says it expects 2020 to be difficult. But the company's CEO has a brave face. Quote, if not for the bone-deep bite of winter, where would we get the heady scent of plums? End quote. Our gardening desk says they usually expect the heady scent of plums in April, but all blossoming, of course, is local. And to return to compliance, the California Consumer Privacy Act, the CCPA, went into effect yesterday. How this American GDPR will affect businesses in practice remains to be seen.
Starting point is 00:12:52 But remember, you may not be interested in California, but California is interested in you. And finally, we're happy to be back with our normal schedule of podcasts after the holiday break. Did you miss us? We missed you. Thanks for listening, and we wish all of you health, happiness, success, and prosperity in 2020. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:13:28 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:14:31 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already
Starting point is 00:15:23 been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, and he is also my co-host on the Hacking Humans podcast. Hello, Joe. Hi, Dave. You have a really interesting story to share with us this week.
Starting point is 00:15:51 This comes from Financial Advisor IQ, and it's about someone paying some consequences for some financial missteps. Right. What's going on here? There was a financial advisor who was employed with UBS, which is a large financial firm. Right. And this guy got into the industry
Starting point is 00:16:10 in 1999 and has been with UBS since 2008. Okay. So he's a long-term guy. One of his customers got their email compromised. And the scammers sent him
Starting point is 00:16:24 an email asking for him to transfer half a million dollars out of his customer's account to some third-party bank accounts. Asking this financial advisor to do the transfer. Okay. Right. So they acted as if they were the customer, sent an email saying, hey, I need to get half a million dollars moved into these accounts. And this email was not legitimate. Okay. He went ahead and sold some investments and then transferred the money out, only to find out that it wasn't the customer who sent the email. Right?
Starting point is 00:16:53 The customer then issued a dispute. Now, UBS has a policy that when this kind of event happens, you have to verbally confirm by calling the customer, which this investor did not do. Okay. Right. He did not follow the policy. And in fact, the article says that he went so far as telling people that he had followed the policy. Oh, interesting. Yeah. So this doesn't have a bad ending for anybody but the actual company, UBS. The customer actually was reimbursed for their funds by UBS. And this advisor was dismissed by UBS for not following the policy. Okay.
Starting point is 00:17:33 He has since found another job. But FINRA has now fined him and suspended him for 45 days. FINRA is the Financial Industry Regulatory Authority. They're not the SEC. They don't regulate trade companies. But they regulate how investment bankers behave. Okay. They're a consumer protection agency.
Starting point is 00:17:50 I see. They're a consumer protection organization within the U.S. government. Okay. And they have fined this person $7,500 and suspended him for 45 days. He has agreed to the 45-day suspension and to pay the fine,
Starting point is 00:18:02 but without admitting or denying FINRA's findings. It's interesting to me that the company had policies in place to try to protect themselves from this. And their customers. And UBS has, I'm happy to hear that UBS has this policy in place. Right. The fact that this guy didn't follow the policies has cost UBS some money. And it's cost him.
Starting point is 00:18:27 It's cost him $7,500, not nearly as much as a half a million dollars it cost UBS. Right. But also cost him 45 days of work. That's a significant suspension. Sure. Yeah. I mean, I can imagine if I give this guy the benefit of the doubt, I can imagine he's busy at work.
Starting point is 00:18:43 I'm sure he is. He's day to day. He's under the types of pressures that we're all under with our jobs. And he cuts some corners. Maybe this is a client that he works with all the time. This sort of thing is routine. There's never been a problem before. So what's the worst thing that could happen? And kaboom. Yep. It sounds to me like a complacency issue, Dave, which is kind of, I think, what you're alluding to here. Yeah. You know, I don't think that this person will do this again.
Starting point is 00:19:11 That's for sure. Yeah, yeah, yeah. And, well, I also wonder, if you're UBS, do you take another look at what's going on here? I mean, obviously, you use this as a lesson, a cautionary tale. You share it with the rest of your employees. Hey, you know, these things are serious. They're here for a reason. Right. And here's what happens if you don't do them. Yes. But I wonder, do you then, do you have some sort of verification that, you know, someone has to,
Starting point is 00:19:39 do you have two-factor calls? You know, I mean, do you have to put another layer in or not? I don't know the answer to that. Yeah, like in this case, they talk about somebody who is his sales assistant. Do you then have the sales assistant also follow up with the customer to make a phone call and get verbal authorization? Or maybe the assistant verifies that the call was made. Right. You know, or something like that. Or the assistant's in the room when the call's made.
Starting point is 00:20:04 Exactly. Yeah. Exactly. Right. Has to, and the assistant is on the hook, you know, for the liability there. Who knows? I don't know. I guess we're.
Starting point is 00:20:12 Yeah, you and I are sitting here. We're Monday morning quarterbacking this to death. In industry, we really don't understand. That's right. That's right. Yes. So tune in tomorrow for more talking out of our butts with Dave and Joe. But I think it's a valuable lesson here and an interesting cautionary tale for those folks who are in charge of
Starting point is 00:20:32 these sorts of things. The human factor, right? It was processes were in place to protect against this and all it took was somebody in a hurry or lulled into a sense of complacency. And the scammer gets away with half a million dollars. Half a million bucks. Right. All right. Interesting story. Joe Carrigan, thanks for joining us. My pleasure, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:21:13 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
Starting point is 00:21:59 It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, Thanks for listening. We'll see you back here tomorrow. innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:23:20 That's ai.domo.com.
