CyberWire Daily - That odd and bogus 5G meme. Malvertising. Data breach hits Pakistani mobile users. xHelper update. Data privacy and data utility. COVID-19 and cybersecurity.
Episode Date: April 10, 2020. The curious history of the delusion that COVID-19 has something to do with 5G. Malvertising spoofs a security company’s website. Data breach hits Pakistani mobile users. xHelper is still in circulation. Data privacy versus data utility. COVID-19-driven patterns of cybercrime. And more on Zoom and the challenges of working remotely. Mike Benjamin from CenturyLink on DDoSing, botnets and IoT news; guest is Nathalie Marcotte from Schneider Electric on the role cybersecurity plays in the convergence of IT/OT. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_10.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The curious history of the delusion that COVID-19 has something to do with 5G,
malvertising spoofs a security company's website, a data
breach hits Pakistani mobile users, xHelper is still in circulation, data privacy versus
data utility, COVID-19 driven patterns of cybercrime, and more on Zoom and the challenges
of working remotely. From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Friday, April 10th, 2020. State actors, notably China, Russia, and to a lesser extent Iran,
have actively pushed various lines of disinformation about COVID-19's origins and propagation.
A Military Times op-ed wonders how well prepared the U.S. Department of Defense is to parry
large-scale disinformation campaigns and concludes that the answer is not very.
In fairness, it's a tough and unfamiliar problem, and there's no easy list of best practices
to inform effective countermeasuring.
Some of the difficulty in handling disinformation may be seen in the speed with which misinformation
spreads, and the surprising reach even implausible memes can have. Wired traces the strange conviction
that COVID-19 is somehow related to 5G, and that such a relationship has been created by some conspiracy
or other, to a January interview in a Belgian publication. It's since been picked up by the
dreary and tiresome celebrity tribes of slacktivists and influencers, with regrettable but predictably
far-reaching effects. Some of those effects have even been kinetic, as cell towers in the English
Midlands have been vandalized and telecommunications workers threatened. A malicious domain hosted in
Russia and apparently controlled by criminals is spoofing a Malwarebytes site in a malvertising
campaign designed to infect visitors to the bogus site with the Raccoon information stealer. SC Magazine quotes Malwarebytes'
suspicions that the campaign is at least in part criminal payback for the company's efforts against cybercrime. The malvertising is thought to appear to a significant extent on adult websites,
not venues in which Malwarebytes would normally be expected to place ads.
According to Business Recorder, the personal information of some 115
million Pakistani mobile users is for sale in the dark web. The criminals are asking $2.1 million
for the data, which include full names, addresses, mobile numbers, NIC numbers, and tax numbers.
The database is freshly hacked this week, the hoods are quoted as saying in their
come-on. Kaspersky has been warning of the xHelper Trojan, a persistent strain of Android
malware that Dark Reading and others have been calling unkillable. More than 55,000 devices
worldwide are believed to have been infected so far. As governments work to deploy technology
that would enable them to get a handle
on the COVID-19 pandemic, privacy hawks continue to worry that it may be easier to establish
collection systems than it will be to roll them back once the emergency passes. But the case for
collection and analysis remains strong and has all the life-and-death urgency one would expect.
New Security Beat makes the argument for the life-saving potential of data.
FireEye blogs that the patterns of cyberattack during the pandemic
show a familiar array of bad actors and attack techniques.
What's changed are the target sets and the content surrounding the approach.
That familiarity is certainly there,
but there are other interesting ways in which the
criminals themselves are responding to black market forces. Some of the criminal surge,
as Wandera points out, is simply the familiar pattern of criminals being drawn to fresh
opportunity. Quote, it's no surprise that bad actors are taking advantage of the global pandemic.
If there was ever a time to target a huge captive audience, it is now.
But not all the criminal activity is driven by increased opportunities and enlarged attack
surfaces. The Free Press, for example, says that Mumbai is seeing criminals shift to online crimes
as street crimes become harder to pull off, because presumably it's more obvious as people
stay off the streets and because the police are on alert for it.
As criminal tools continue down the path of commodification,
making that transition won't be as difficult as it once would have been.
Insight Crime has an interesting overview of how criminals themselves are also feeling an economic pinch.
Some of their own supply chains have been disrupted,
mules may be hard to come by, for example, and they're scrambling for ways to make up for lost
revenue. One of the security problems the COVID-19 pandemic presents is the sheer volume of noise it
introduces, especially for healthcare organizations already stretched by high volumes of demand for
medical services. Under such conditions, MedTechDive reports,
medical devices themselves might become attractive targets for attack.
They share in some of the laggard security that one sees in the Internet of Things generally,
and as targets of opportunity, they'll prove irresistible to some criminal hackers
whose consciences impose few restraints on their behavior.
Infosecurity magazine talks with experts who think the shift to telework will probably outlast the
coronavirus state of emergency. It brings with it not only greater dependence upon a set of tools
whose ease of use may exceed their security, but also the heightened risk of those cloud
misconfigurations that had already become a common cause of inadvertent data exposure
long before COVID-19 was first glimpsed.
One of the experts they talked to is Steve Durbin,
Managing Director of the Information Security Forum,
who sees emergency remote work as passing through three phases.
The first is the challenge of getting telework tools into workers' hands.
The second is parrying targeted attempts against this greatly expanded attack surface.
And the third?
Durbin told InfoSecurity magazine,
Phase 3 will come about through increased stress and cyber-anxiety,
which will result in a lowering of vigilance and, frankly,
the sheer boredom of having to work remotely when the normal routine has been built around social interaction.
End quote.
Underground markets are seeing a brisk trade in compromised Zoom credentials.
ThreatPost reports that thousands of them are being actively sold in the black market.
The stolen credentials appear to come from various sources
and not from any single breach, nor even from any small set of breaches or data exposures.
Teleconferencing specialist Zoom, of course, has been prominent in the current discussion of remote
work. Its ease and reliable availability made it a popular choice for enterprises of all kinds and
sizes, from storefront churches to the U.S. Department of Defense. The Voice of America
points out that FBI warnings haven't affected use by U.S. government agencies as much as one might expect. But its dramatically increased
use exposed troubling privacy and security issues. Both the German government and the U.S. Senate
have told their people not to use Zoom, ZDNet reports. The U.S. Department of Homeland Security
has issued various less stringent cautions,
and Federal News Network says these are being received differently by various agencies,
many of whom weren't that invested in Zoom to begin with. Zoom itself has scrambled to put
security fixes in place, including Forbes reports, giving hosts more control over security and
restricting the visibility of meeting IDs.
They've also closed a hole Citizen Lab found in Zoom's waiting rooms that could have enabled unauthorized parties to eavesdrop without permission.
The company has created an advisory council of CISOs,
led by former Facebook security chief Alex Stamos,
to help it up its privacy and security game.
Zoom's CEO told Time in an interview
that the company has learned its lesson
and hopes to regain users' trust.
Other providers of remote work tools and services
are of course interested in capturing
as much of this market as possible.
Computer World reports that Google and Microsoft
are talking up the security of their offerings.
The subtext seems to be, please don't confuse us with Zoom.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform secures their personal devices, ... been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
My guest today is Nathalie Marcotte. She's president of process automation at Schneider
Electric, one of the leading global providers of industrial automation. A large part of her
role involves OT security, the operational
technology side of the house, and that of course involves the ever-increasing intersection of OT
and IT. So if you look at it from the IT-OT convergent aspect, you know the question has
a lot to do with what we're calling, and a lot of people are calling, a digital transformation,
which implies IT, OT, Industry 4.0, many concepts, but they all relate to this digital transformation
and what's the impact on the OT world. So whatever you call it, our customers, they want to improve
their operations and their business performance in ways that before they were not able to imagine.
So they're trying to take advantage of
all these new technologies and they're expanding connectivity across their people, assets, system,
and they want to extract more data and they want to use that data to improve their operation and
process. So the benefit of all this connectivity, with all this interconnection between the people, assets, and more and more of it,
it's that now it's synchronized the company operations and the business function.
So it allows them to be able to control their business performance, and we like to say in real time.
So the risk, though, associated with that, is that it does widen the attack surface and the potential for cyber criminals, because every new connection, every newly connected device at all levels, and it's true for OT, is now becoming a potential entry point for the bad actors.
So when a company sets off on its digital transformation,
then it's clear that cybersecurity cannot be an afterthought.
And it's, you know, more and more, you know,
people are saying the OT world, you know, is learning from the IT.
It's true, but now it's started to be an integrative part.
So there's too much at stake for them financially and operationally.
They have no choice, but they have to think about it right up front. So when they do implement technology
that will converge IT and OT,
that demands really that they rethink their approach
as it relates to cybersecurity.
So what I would say is that you should make
your comprehensive security strategies
part of your standard risk
management program up front and that's some of the best practices we are seeing out there.
So we know as well that these cyber attacks continue to grow in number, sophistication,
and damage, and it does require proactive and ongoing response. So you need to understand your
risk up front, and then you know that this risk
will vary from site to site, and you have to consider that in your strategy as well.
It's also worth mentioning that regulation and standards are also playing a quite significant
role in there. And depending on where you are geographically, what industry you're in,
you might be required to follow and comply with certain standards and regulations, regardless of your risk threshold.
So these are all components that need to be taken into account when you define your cybersecurity strategy.
The bottom line is that cybersecurity landscape is changing every day, and we always have to be ready.
When an organization is approaching these issues,
what needs to happen at a cultural level
to make sure that the IT teams and the OT teams
are collaborating and don't end up inadvertently
being adversaries with each other?
So that's an interesting question.
So we cannot ignore the fact that IT and OT are converging, and you're right.
That means IT and OT expertise needs to come together nicely as well, which means that
the team will need to work together.
The good news is that they can learn from each other.
OT has a lot to learn from IT because more IT technology
has been used in OT environments
and vice versa.
So they both have to learn from each other.
And when you look at it,
there are different aspects,
but technically there are more similarities
than differences.
The big difference comes a little bit
with the impact,
and the difference in the OT
world. You tend to work in real time, and it's more challenging when you put in place different
protections, mechanisms. You cannot necessarily put the whole plan off or you have to wait for
the time to do it. So the planning is, as well as the impact is different in terms of,
in the IT world, the impact of malfunction
on the computer system or the infrastructure
is a little bit more financially driven.
On the OT world, the impact would be around safety,
around environment.
So once people can really bridge these differences of impact and
the way of working from a technical aspect, they have more in common. The good news is they have
more in common than they have differences. So more and more we see collaboration between the two,
and I think it's going to expand as we go forward, as both sides get the benefit from the other.
With the view that you have on the industry
from your position at Schneider Electric,
what sort of advice do you have
for the people who are out there every day
trying to make these systems more safe?
They have to look at three aspects.
They always have to look
because it's not just a technical challenge.
They have to look at their processes
and they have to look at the people aspect of things.
In many cases, they could have the right technology,
but if they don't address processes or people,
at the end of the day, they will still be vulnerable.
So they really have to look at the comprehensive program
that will address these three aspects
into an overall program itself.
And they do have to collaborate.
And we see that as well as best practices out there.
They do have to collaborate with their suppliers.
They have to collaborate among themselves with end users.
And we see more and more in the whole industrial
cybersecurity world, this desire for collaboration.
I would encourage them to do so even with, you know, there are a lot of forums being put in place.
We've been working with ISA on the consortium for cybersecurity, really allowing them to share best
practices, to hear from the others of impact, vulnerability, impact incidents. So
more and more we share together, more and more we're going to improve our position,
we're going to defend the industry, and it's the benefit of all of us. So it's like safety.
It's an area where we have to collaborate and remove some of the competitive elements into
the process. That's Nathalie Marcotte from Schneider Electric.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And I'm pleased to be joined once again by Mike Benjamin.
He's the head of Black Lotus Labs at CenturyLink.
Mike, always great to have you back. I wanted to check in and get an update on
what you and your team have been tracking when it comes to DDoSing and botnets and things when it
comes to IoT devices. What sort of things have your attention? Yeah, thanks, Dave. So a number
of years ago, we all saw headlines on an almost daily or weekly basis about Mirai and which
variant of the week was proliferating across the
internet. But more recently, we've seen that news die down a little bit, things not be as
interesting. And I thought it would be really interesting to just sort of touch in and look at
what those botnets have been doing. So I went into our system and polled how many unique botnets we'd
polled out of the IoT DDoS space over the last few months. And we found 900 unique botnets in
the last 90 days, over 10 per day. And so a lot of these folks are in the gaming community. They
may be what a lot of security community people would categorize as script kiddies or teenagers
focused on bravado with their friends. But realistically, these things can cause
substantive damage to businesses. They can take down infrastructure. They can really break things. And so the IoT space, the devices people have
plugged in their homes, there's still a massively large vulnerable pool. Exploits are still being
released. And we do see actors, including those new exploits in their scanners and in their
distribution methods. So these things are still there.
Thankfully, however, for the most part,
they don't, on an individual case basis,
build enough firepower to take down major infrastructure.
So a few years ago, there was a lot of discussion in the world about DDoS attacks exceeding a terabit a second
out of some of these botnets.
We're not seeing the install base that can yield that amount of bandwidth.
However, it's really interesting,
just in the last couple weeks,
we've been working with some folks around a botnet
that's hit about 200,000 nodes,
and we have an attack that was sending
over 1.2 million HTTP requests a second.
That particular botnet's based on the Chalubo malware,
which does incorporate code from Mirai, as well as XOR.DDoS.
But it's a relatively different mechanism in the fact that its callback protocol is actually downloading an encrypted Lua script.
It's not using a persistent TCP socket with real-time communication for commands.
So it's a little different than those other ones we've looked at.
But it's a really important thing to note that that pool of devices is still being abused. People still are compromising. They still are building
DDoS botnets. It's something that we all need to be aware of and continuing to clean up and monitor
for in our homes and in our infrastructure. Now, for folks like you and your team there at
CenturyLink, what sort of view do you have into this? Specifically, can you tell when the
botnets are gathering before they go and execute and do what they're going to do? Can you tell
when someone is starting to assemble a botnet for themselves? Absolutely, yeah. And so, you know,
as I mentioned, that 900 number, a lot of that's based on a view of network communication data
from what were all
the devices participating in these things over the last few weeks, and now what are they all doing
behaviorally? So we will see clusters of communication towards new hosts. Often we can
actually speak the malware's C2 protocol to that host, identify it, and then send it off to either
the data center provider or the network operator
who's hosting it and get it cleaned up. And so a lot of these botnets are being taken down
through mechanisms that we've been operating, as well as a number of our other peers that we often
work collaboratively with in this space. But from time to time, we do see these concentrations and
clusters pop up where we can't speak the C2 protocol. We do see actors modifying the really well-known botnets
as well as standing up new things on new code bases.
And so it's a constant battle of staying on top of it.
But realistically, once you start to see things
in the hundreds of thousands, it gets a lot of attention.
It's a lot of collaboration across the industry.
And a lot of groups that we work with collaboratively
as well as ourselves will go hunt it down,
add it to the pool of visibility we have
and make sure that doesn't grow to that size and scale again.
So it sounds to me like in terms of mitigation,
we're in a pretty good place.
There's a lot of collaboration and capacity
to handle these sorts of things.
I'd say yes, but realistically,
we'd love the help of everyone in patching those IoT
devices, never connecting an open socket to the internet in the first place, cleaning up things
when victim notifications are sent. And so really, the community of the rest of the internet can make
it so there aren't enough devices to really even make this worth anyone's time to go attack.
All right. Interesting insights.
Mike Benjamin, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Vaughn,
Tim Nodar,
Joe Kerrigan,
Carol Terrio,
Ben Yellen,
Nick Volecki,
Gina Johnson,
Bennett Moe,
Chris Russell,
John Petrick,
Jennifer Iben,
Rick Howard,
Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.