CyberWire Daily - The evolution of malware, both criminal and state-run.
Episode Date: May 26, 2020
Turla tunes its tools. The commodity Trojan AnarchyGrabber is now stealing passwords. A new iOS jailbreak has been released. The UK reconsiders its decision to allow Huawei into its 5G networks. A tech group lobbies the US House against warrantless inspection of searches. Remote work’s regulatory risk. COVID-19 conspiracy theories. Hackers say they’re vigilantes. Our own Rick Howard on intrusion kill chains, his latest episode of CSO Perspectives. Our guest is Nico Fischbach from Forcepoint on deepfakes expanding outside of disinformation campaigns to the enterprise. And too many remote workers appear to have too much time on their hands. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/101
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Turla tunes its tools.
The commodity Trojan AnarchyGrabber is now stealing passwords.
A new iOS jailbreak has been released.
The UK reconsiders its decision to allow Huawei into its 5G networks.
A tech group lobbies the US House against warrantless inspection of searches.
Remote work's regulatory risk.
COVID-19 conspiracy theories.
Hackers say they're vigilantes.
Our own Rick Howard on intrusion kill chains, his latest episode of CSO Perspectives.
Our guest is Nico Fischbach from Forcepoint on deepfakes expanding outside of disinformation campaigns to the enterprise.
And too many remote workers appear to have too much time on their hands.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 26, 2020.
ESET reports a development in Turla's tactics.
The Russian threat group, also known as Snake, has updated its old ComRAT backdoor, also known as Agent.BTZ or Chinch, and probably in use since 2007.
It now uses the Gmail web user interface for command and control,
and many security systems interpret Gmail traffic as innocent.
It's also adopted the practice of collecting antivirus logs,
the better to evaluate whether it's being detected.
ZDNet says that the targets of Turla's recent campaigns
are non-Russian military and diplomatic organizations.
The freely distributed commodity Trojan Anarchy Grabber, known for its use in stealing Discord tokens, has been updated with new functionality.
According to Bleeping Computer, the latest version, Anarchy Grabber 3, steals plaintext passwords and commands an infected device to
spread the malware to the user's Discord friends. The stolen passwords are thought to be destined
for use in credential stuffing attacks, another reason, as if any more were required, to avoid
reusing passwords.
Hackers at unc0ver have developed a jailbreaking tool for iOS devices, The Verge reports.
Vice says the jailbreak uses a kernel zero-day that Apple's been unaware of.
Jailbreaks give users more control over their devices.
They can also expose those devices to exploitation.
Jailbreaking a device should be approached with caution.
It's not known yet what zero-day unc0ver found in iOS.
Doubtless Apple and others will be looking for it.
Under parliamentary pressures from the ruling Tory majority
and diplomatic undertakings from the US and Australia,
the British government is reconsidering its decision to allow Huawei
to participate in the country's 5G build-out, TechCrunch reports.
The government is now drawing up plans that would remove Huawei
from the country's 5G infrastructure by the year 2023. The government had formerly planned to cap
Huawei's share of the British market at 35% and to exclude the company from participation in core
infrastructure. Under the new plans, at least three of the Five Eyes are now relatively closely
aligned in their approach
to the risk of infrastructure being compromised by Chinese intelligence services.
The U.S. had suggested that allowing Huawei and similar companies into a country's networks
would gravely limit the amount and quality of information the U.S. would be willing to share with its allied counterparts.
The British move comes after a week in which the U.S. announced
stiffer export controls that would effectively keep U.S.-developed semiconductors out of Huawei's
hands. Huawei acknowledges that the latest export controls would impose a hardship on the company.
They're also expected to drive Chinese hardware in the direction of greater independence.
A tech industry group has written the U.S. House of Representatives
urging explicit prohibition of warrantless collection of Internet search and browsing history
in the USA Freedom Reauthorization Act.
There's another self-described vigilante campaign underway.
The hackers Cyberware have told Bleeping Computer
that they're punishing scammers with Milkman Victory ransomware.
As they told the publication, lapsing into a brief Shadow Brokers-esque uncertainty about articles,
quote, the victims are saying they give loan, but you first have to pay and then you get nothing, end quote.
In this case, Milkman Victory is really functioning as a wiper, since Cyberware isn't offering a decryption key.
When a target is infected, it displays a note from the attackers.
Hello, the cheery message begins.
This computer has been destroyed with the Milkman Victory ransomware
because we know you are a scammer.
And it's signed with a punctuational smiley, a colon, a hyphen, and a right parenthesis.
Cyberware says it's gone after one particular German loan company
that's also been hit with a distributed denial-of-service attack.
Let's remain agnostic about whether the target had it coming.
Hackers, even vigilante hackers, aren't entitled to a presumption of righteousness.
Remote work of the kind so many organizations are currently using involves
exposure to some forms of legal risk. The Information Commissioner's Office in the UK
has offered guidance on how it intends to treat data protection regulations during periods of
widespread remote work. Computer Weekly's gloss on that guidance is simple. Quote,
in practice, this means that remote working is not an excuse to implement less stringent
security measures than you would have otherwise had in place.
The standard remains that organizations must ensure that an appropriate level of security
is applied to the personal data that they process.
Nico Fischbach is global CTO at security firm Forcepoint.
He explains the potential for deepfakes to expand outside of disinformation campaigns to the enterprise.
So I think today, you know, most people understand what a deepfake is.
And the level of awareness has really changed because, you know,
they've been a little bit used and abused late last year and early this year,
especially on social media.
And it also made kind of the news, you know, the more regular newspapers.
And I think the fact that many large social media and platform players have come up with ways to detect some of them
and, you know, even help maybe mitigate the spread of them.
You know, I think the awareness has really changed.
Funnily enough, though, I was expecting, you know, many more.
Obviously, the topic, you know, was the 2020 U.S. election coming up.
And I was expecting, you know, COVID and the noise around COVID also to be used,
you know, in a deepfake arena.
But I haven't seen many, you know, most of them were to make fun, you know, sadly of things.
But, you know, not that many to actually, you know, attack the enterprise using, you know, the COVID themed messaging.
So where do you suppose we're headed then? What are the concerns for enterprise?
I think the concern is that it's another tool in the arsenal of the bad guys.
Clearly, with the stress level and the social engineering happening when it comes to phishing,
enterprises, especially the chief information security officer,
they need to start or to continue to educate the users about this new way or this new medium
that's being used by the bad guys
to try to break in,
be it into your account to compromise your credentials
or to get somebody inside an enterprise
to do an action like wire money to an external account.
So basically explain to their user base that it's not a form of trickery
that's being used to get you to do something under pressure
or by creating this need that really doesn't exist.
What are your recommendations for people to defend themselves?
How can we detect these sort of things?
It is a combination of using security hygiene tools.
Think of anti-spam, anti-phishing technologies, cloud security to make sure that the websites that host those videos sometimes get blocked.
I think that's the technology side of things. I think user education
and security awareness is key. And I was just reading some stats yesterday. Those type of SaaS
offerings when it comes to security awareness and training have grown. It's not just the Zooms and
the collaboration tools, but it's also those type of tools. So I think the CISOs recognize that there's a technology element to it,
but also there's an education item that needs to be addressed.
That's Nico Fischbach from Forcepoint.
Among the lamentable cultural artifacts of the pandemic
are the various conspiracy theories that have gurgled to the cultural surface.
A BuzzFeed piece outlines the form
the imagined conspiracies are taking in sections of the popular imagination. It's a familiar shape.
Wealthy forces operating behind the scenes are manipulating world events with a hidden hand for
their own malign purposes. Historically, the conspiracy has usually involved the Illuminati
or the Rothschilds, but in this case, the malign force the theorists perceive is Microsoft co-founder Bill Gates,
who's held by many to be lashed up with the traditional bugaboos.
So what's everybody been doing with all these hours at home?
Spending time with the family, improving themselves through edifying reading,
learning a new craft, scrapbooking,
watching cooking shows for recipes that would help them prepare a nice meal for the loved ones with whom they're sheltering,
tending a victory garden.
Well, probably not, at least if the Telegraph is to be believed.
Mostly, they're consuming adult content, consumption rate up a whopping 292%,
streaming TV up as much as 179% on some services.
And of course, playing online games, up 98%.
That's in the UK, of course, and the study is based on observations of people who use Generate's browser add-on.
But it seems reasonable to assume that things aren't much different elsewhere, however your system is configured.
Organizations may have to deal with some less-than-seemly habits that have developed during this period of self-isolation.
We have it on the good authority of Baltimore Sports Talk Radio
that people are actually so out of whack
that there's a brisk betting traffic in Russian ping-pong.
Trust us, the Illuminati have nothing to do with that.
And joining me once again is Rick Howard. He is the CyberWire's chief analyst. Rick,
welcome back to the show. I wanted to touch base with you about something that I know
you've been spending some time on, and that's taking a look at some of the first principles
that we have in cybersecurity and some of the long-term implications of that. What do you have to
share with us? Yeah, it's one of my pet peeves, Dave, for, geez, forever now. You know, I started
back in the day like you did, and we made a bunch of assumptions as far back as the early 1990s
about how we should do cybersecurity. And, you know, it's 2020 now.
And the question is, were those early decisions the right ones? And I've been fascinated with
the idea that we could apply some first principle thinking to cybersecurity to see if we could
prioritize what we've been working on and maybe discard some of the old stuff that doesn't really
work that well. Well, give me some examples here. What kind of stuff do you have on your mind?
Well, it's interesting. If you think about if I'm trying to protect, let's say, the CyberWire's
infrastructure, what is the most important thing that we should be worried about? And if you ask
that question to any network defender out there, I bet we get about a hundred different answers. And I've been
thinking about this for a long time and I've gone through lots of gyrations. So should I hit you
with it? It's pretty simple. It's like you could fit it on a Twitter. Well, I mean, my first
reaction was tasty snacks in the break room, but I'm guessing that's probably not at the top of
your list. So please go ahead. It's the second one. Okay. But not the first one. All right.
So if you think about what we're trying to do, okay. A lot of people think we should stop all breaches or prevent all attacks or react quickly to an attack. And none of that is good enough,
right? That is not what we're trying to do because it's really hard to convey that kind
of information to your senior leaders or even to the board.
So here's what I think it is. We're trying to reduce the probability of a material impact to our organization
due to a cyber event.
And I want to parse that a little bit, okay?
Because I'm not trying to stop all attacks, all right?
What I'm doing is reducing the likelihood that something like that will happen.
So what do you think?
Am I getting you with this at all?
Yeah, you are.
I mean, I find it helpful to think about a lot of this stuff in terms of comparing it to public health policy.
And in other words, you're never going to keep everybody from getting a common cold.
But there are many things we can do to cut down the likelihood
that someone will get a common cold.
And is that along the lines of what you're talking about here?
It's exactly right.
And it goes to how we talk about this with our board members, right?
Because if you go to them and say,
I need a gazillion dollars to do my pet cybersecurity project this year,
they have no way to judge whether or not that's good
unless they're scared to death and they may give you the money or they may not.
But if I, instead, I can go to them and say, we can do these three things and reduce the
probability that we will be materially impacted. And that's a decision they can weigh and weigh
it against all the other risks that they are dealing with in their, you know, and when they
do their daily jobs. Does that also help sort of spread out that responsibility that, you know, it's not all
on the security folks that you're putting some of that decision making of where we're
going to apply our resources and where we're going to dial in different amounts of risk?
You're moving that up the food chain, as it were?
Yeah, it absolutely is.
I think we made a mistake early on in, you know, this network defender community by trying to hold all that responsibility on our own, right? And really,
the mistake we made is assuming or trying to convey the idea that cybersecurity risk is somehow
different than all the other business risks that, you know, senior leaders have to deal with. And
after 25 years of doing this, it's just not true, okay? It's just another risk, right? And so if I go to the boss and say, hey, here's some,
I need some money to do X, the boss is going to weigh, okay, that risk compared to all the
other things he's got to spend money and resources on. And so I think we've made that mistake as a
community. Yeah. All right, Rick. Well, thanks for joining us.
You can check out the latest episode of Rick's podcast, CSO Perspectives, when you sign up for CyberWire Pro. The most recent episode is about intrusion kill chains.
Rick, always great to have you on the show.
Thank you, sir.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Thanks for listening.
We'll see you back here tomorrow.