CyberWire Daily - The difference between a breach and, well, a public record. Pioneer Kitten’s lucrative bycatch. Malware gets past Gatekeeper. A gamer’s bandit economy. And happy birthday, Cyber Branch.

Episode Date: September 1, 2020

An election hack that wasn't. More DDoS in New Zealand's stock exchange. A look at how Iranian cyber contractors make money as a byproduct of cyberespionage. Malware sneaks past Apple's notarization process. The bandit economy that's grown up around Fortnite. Ben Yelin looks at how the upcoming US elections could direct the nation's cybersecurity strategies. Our guest is Julian Waits from Devo with highlights from their 2nd annual SOC performance report. And the US Army's youngest branch celebrates a birthday. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/170

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. An election hack that wasn't. More DDoS in New Zealand's stock exchange. A look at how Iranian cyber contractors make money as a byproduct of cyberespionage. Malware sneaks past Apple's notarization process.
Starting point is 00:02:14 The bandit economy that's grown up around Fortnite. Ben Yelin looks at how the upcoming U.S. elections could direct the nation's cybersecurity strategies. Our guest is Julian Waits from Devo, with highlights from their second annual SOC performance report. And the U.S. Army's youngest branch celebrates a birthday. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 1st, 2020. Was it a hack or just some matters of public record?
Starting point is 00:03:03 We're betting public record. This morning, the Russian-language newspaper Kommersant aroused a Twitter flurry with a report that data on 7.6 million Michigan voters, as well as millions of voters in other states, Connecticut, Arkansas, Florida, and North Carolina, had appeared on Russian dark web sites. The data were said to include name, date of birth, gender, date of registration, address, postal code, email, voter identification number, and polling station number.
Starting point is 00:03:32 But as Dmitry Alperovitch tweeted in an update, there's probably a lot less here than meets the eye, since in many states, all that information is considered a matter of public record and can be supplied in response to ordinary information requests. So really, nothing to see here, let's all just move along. But one aspect of Kommersant's story is interesting. It says that the dark web hoods with the data on their hands were thinking of turning the information in to the U.S. State Department in exchange for a payout under the Rewards for Justice program. We doubt that will work, but give the hoods credit for thinking outside that old box, if, of course, the whole thing happened at all. The New Zealand Herald reports that after a good start yesterday,
Starting point is 00:04:19 New Zealand's NZX stock exchange again sustained a disruptive distributed denial-of-service attack. The exchange was able to work through the attack and continue trading by deploying a range of workarounds and alternative procedures. The incident remains under investigation by GCSB and law enforcement authorities. We've had occasion before to mention signs that some Iranian threat actors had made an appearance in criminal markets. Security firm CrowdStrike has some new information on the development. CrowdStrike researchers have released a report on Pioneer Kitten, also known as Fox Kitten or Parasite,
Starting point is 00:04:57 an Iranian threat actor believed to be a contractor providing cyber espionage support to the government of Iran. Last month, Pioneer Kitten was observed in various black markets offering to sell access to compromised networks. CrowdStrike thinks this represents an attempt on the group's part at revenue diversification. The researchers say that Pioneer Kitten's operations are marked by a profound reliance on exploits of remote external services that attack their target's internet-facing assets for initial access. They also see an almost total reliance on open-source tooling during operations.
Starting point is 00:05:35 Pioneer Kitten is especially interested in VPN and network appliance exploits, notably CVE-2019-11510, CVE-2019-19781, and most recently CVE-2020-5902. CrowdStrike thinks that this particular bent lends itself to opportunistic attacks. Finally, Pioneer Kitten relies on SSH tunneling achieved with open-source tools like Ngrok and a custom tool SSH Min, to establish communication with implants and keyboard activity through remote desktop protocol. Pioneer Kitten's espionage targets have for the most part been in Israel or North America. The sectors they've been seen hitting include technology, government, defense, healthcare, aviation, media, academic, engineering, consulting,
Starting point is 00:06:24 and professional services, chemical, manufacturing, financial, engineering, consulting and professional services, chemical, manufacturing, financial services, insurance and retail. The network access they're selling appears to be just bycatch of their espionage take, which is to be expected given the threat group's opportunistic mode of operation. ZDNet observes that the biggest customers of such initial access brokers tend to be ransomware gangs. TechCrunch reports that Apple's well-regarded notarization process, designed to help its gatekeeper to exclude malware from its app store, has permitted some malware to slip into approved software.
Starting point is 00:06:59 The malware in question was disguised as an Adobe Flash installer. That's a common enough design for malware, but the point is that earlier Flash exploits had been kept out of the notarized walled garden of Apple's App Store. Security firm Malwarebytes this morning argued that this ought to shake Mac users out of security complacency. Mac security is good, but like everything else, it's not infallible. Night Lion Security has taken a look at the ways in which cybercriminals monetize exploitation of online games like Fortnite. It amounts in the aggregate to a billion-dollar black market in accounts and in-game commodities.
Starting point is 00:07:43 Fortnite, Roblox, and Minecraft are among the most popular targets, and some well-known gangs are involved in the criminal trade, including the Gnostic Players and the Shiny Hunters. The underground market is as sophisticated as such criminal economies often are. Distributors sell to resellers who then sell to consumers. Some resellers maintain their own gray market shops. The sale of accounts is obvious, but what kinds of in-game purchases are in demand? Skins, mostly. That is the appearance of the characters you use as your avatar.
Starting point is 00:08:18 Maybe you want Joker makeup, a sombrero, and a cocktail dress worn with a pair of Uggs. We're not saying you would, but it might be something someone would like. Anywho, if you're unclear on the concept of a skin, ask any middle schooler. And finally, today is the sixth birthday of the U.S. Army's Cyber Branch. The Army describes its youngest tribe as a maneuver branch with the mission to conduct defensive and offensive cyberspace operations. Cyber is the only branch designed to directly engage threats within the cyberspace domain. So congratulations and happy birthday to Uncle Sam's cyber warriors, as they say around Fort Gordon, defend, attack, exploit.
Starting point is 00:08:57 And we'll add, best wishes, cyber branch. Thanks for your service. Stay safe and good hunting. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:09:20 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:09:56 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:10:18 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks,
Starting point is 00:11:05 and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. The team at real-time analytics firm Devo recently released the second annual version of their SOC performance report. Julian Waits is GM of Devo's cyber business unit, and he joins us with highlights from the report. When we originally started the report, it was because over and over again, we'd go into large corporations or large government entities. We talked to the security analysts, and in general, they all seemed to really not like their jobs much.
Starting point is 00:12:00 In the field that you would think is very exciting with the amount of things that change, especially with cyber defense, you know, defending your corporation or a country would have it. You would think people would be more enthused about their work. And what we found over and over again is there were just so many issues that start with, you know, internal politics, but really leads itself more to just people being overworked, processes not defined well, way too many tools, and this constant fear of, you know, what am I missing because of lack of visibility into everything that's going on in their environment.
Starting point is 00:12:39 Well, let's go through some of the details together. Can you share some of the insights from the report? Sure. So, you know, I just touched on one of them. One of the things the report talked about was, you know, 70% of the people that we surveyed complained of a lack of visibility into their IT infrastructure. And that number last year was 65%. So rather than decreasing, it's actually increasing. Another 64% of the respondents talked about internal turf battles, generally between the security group and the IT group. Who owns what? Who's responsible for what? In general, security groups are responsible for defining the policies around how things are configured in the environment, but the IT group is responsible for changing the configuration.
Starting point is 00:13:23 If the security group says, hey, we need to patch these servers, but the patch doesn't get done and there's a breach, well, whose fault is that, right? So there's just a lot of confusion. Is there a certain amount of resignation that this is a position that's going to be tough, that it's going to be stressful, and as a result, people are going to sort of flow through? Correct. So I would tell you, overwhelmingly, when I talk to many chief information security officers
Starting point is 00:13:54 and senior security executives, it's kind of understood before they start: hey, I'll get a group of people in, maybe even provide them a certain level of training for 18 months to two years. And then, you know, they're going to be able to get a better job, which pays more than what I'm going to be able to pay. And so I'm basically training them for a while, understanding that it's going to be a very hectic environment because they're constantly rotating, especially through, you know, there's three tiers of SOC analysts where tier three is the most advanced, you know, your threat hunters. And the goal is to get those tier one people as close to tier three as you can. And the more forward looking CISOs are the ones who try and be creative about how am I going to keep these people
Starting point is 00:14:34 once they have the knowledge to be able to go somewhere else and potentially get more money. And I've seen some things that have worked very well, like rotation around multiple disciplines within the SOC, because there's so many different things that people can do and learn from. But it is a well-accepted problem, and I wish the industry would change on that. That's Julian Waits from Devo. Thank you. cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Starting point is 00:16:02 And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security. Also my co-host over on the Caveat podcast. Ben, always great to have you back. Good to be with you again, Dave. I want to talk about this article written by Eric Geller over on Politico. Eric always does good work over there. And it's titled, Biden Prepping to Ramp Up U.S. Cyber Defenses While Keeping Some Trump Policies. I mean, we are hot and heavy into the campaign mode here. Both parties have had their conventions. And this is really an outline
Starting point is 00:16:32 of what Joe Biden's planning on doing when it comes to cyber defenses. What's your analysis here, Ben? Well, first, I was looking for the sentimental video at one of these conventions on cybersecurity issues, and I just didn't find it. I wanted to be shedding some tears here, but apparently that's not what gets the eyeballs. The fields of flowing wheat and the sun rising over the server farms. Yeah, the dramatic music. Yeah, we were not lucky enough to get that. And that gets to an actually serious point, which is that cybersecurity as a policy issue is pretty under the radar. And I think that's the nature of the campaign.
Starting point is 00:17:12 This is a campaign happening during several crises. We have the coronavirus crises, the economic crises emerging from that coronavirus pandemic, and then obviously the past few months, these protests related to police violence. So it's just been an issue that hasn't gotten the full attention of the political press. But it seems like behind the scenes, the former vice president is preparing a team of partially veterans from the Obama administration, but some private sector players to develop
Starting point is 00:17:43 his own cyber policy. A lot of what he's proposing to do isn't actually that different from what the Trump administration has done over the past four years. You know, I think a lot of the Trump administration's cyber policies have been, you know, nominally nonpartisan. I think, you know, the directive that gave the military greater authority to hack our adversaries, that's not something that the former vice president would get rid of. In terms of personnel, I think a Biden administration would make some changes. They'd probably restore the key White House cybersecurity posts that we saw in the Obama years. And in some of the policy plans,
Starting point is 00:18:30 which you really have to dig deep into his website to get, they talk about some of their more specific proposals. Imposing substantial and lasting costs on countries that interfere with our elections was one of the examples. Defending against attacks that would impact our economy, our critical infrastructure, national security, etc. So you see the hints of, you know, sort of a cohesive cybersecurity agenda. You know, in terms of the Trump-Biden contrast, I'm not sure the discrepancy in their viewpoint on this issue is as wide as it is in other political areas. But certainly, there might be a reordering of priorities.
Starting point is 00:19:07 Yeah, I mean, that's the thing here is that, to me, cybersecurity is really something that has unusual bipartisan support in these days. It's not very controversial, so there's not a whole lot of fighting to be done over it. There's not a lot of, I don't know, political points to be scored by having differences of opinion. It seems like everybody pretty much agrees that this is an issue. Yeah, I mean, I put one warning there in that things can become polarized very quickly. If people you don't like politically take a stand on an issue, your natural instinct is going to be to take the opposite position. We saw that politicization this summer with mask wearing. We've seen it with all
Starting point is 00:19:50 other types of issues where it seems like they are nominally nonpartisan, but they can become partisan in certain circumstances. So, you know, I'm always watching out for that. And certainly some aspects of cybersecurity policy, particularly related to election interference, have been caught up in partisan warfare. But you're right, in terms of, you know, the meat and potatoes of our cybersecurity policy, you know, going after, more proactively after our adversaries, protecting our critical infrastructure, those are things that you really do see a lot of bipartisan support for. Yeah, I wonder if we'll see more stability with some of these positions. It seems like the folks in cybersecurity positions at the White House and at that level, it's sort of been like
Starting point is 00:20:37 the defense against the dark arts teacher. There's a lot of turnover there. Yes, there always is a lot of turnover. You know, I think a lot of the career folks who are in government, you look at the people at the National Security Agency, even when we have a major ideological change in administrations, some of those career folks, or as you might call them, the deep state, are still going to be there making policy. So I think there is going to be more continuity than people might think,
Starting point is 00:21:09 especially in the first couple of years of a new administration. I mean, you have this level of path dependency where so many initiatives that will have come from the Trump administration would continue in a potential Biden administration just because the projects have already started. And unless you put your tentacles into all levers of the federal government to try and change policy, there is kind of a lot of inertia there. So I think that's definitely something to look out for. Yeah.
Starting point is 00:21:35 All right. Well, again, it's an article by Eric Geller. It's titled Biden Prepping to Ramp Up U.S. Cyber Defenses While Keeping Some Trump Policies. It's over on Politico. Worth a read. Ben Yelin, thanks for joining us. Thank you. And that's the Cyber Wire.
Starting point is 00:22:04 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time, keep you informed, and it smells April fresh. Listen for us on your Alexa smart speaker, too.
Starting point is 00:22:22 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell,
Starting point is 00:22:44 John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
