CyberWire Daily - The return of Turla. Data exposure incidents disclosed. Beijing accuses Taipei of waging cyberwarfare against the PRC. Coronavirus disinformation.
Episode Date: March 12, 2020
Turla's back, this time with watering holes in compromised Armenian websites. Data exposures are reported in the Netherlands and the United States. China accuses Taiwan of waging cyberwarfare in an attempt to disrupt Beijing's management of the coronavirus epidemic. The US and the EU separately undertake efforts to suppress COVID-19 disinformation. And the ins and outs of teleworking. Mike Benjamin from CenturyLink with Emotet updates; guest is Tom Pendergast from MediaPRO on their State of Privacy and Security Awareness Report. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_12.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Turla's back, this time with watering holes in compromised Armenian websites.
Data exposures are reported in the Netherlands and the United States.
China accuses Taiwan of waging cyber warfare
in an attempt to disrupt Beijing's management of the coronavirus epidemic.
The U.S. and the EU separately undertake efforts to suppress COVID-19 disinformation
and the ins and outs of teleworking.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, March 12th, 2020.
Bleeping Computer reports that Turla,
also known as Snake or Venomous Bear,
appears to be back.
ESET reports two previously unrecorded malicious tools,
one a downloader, the other a backdoor, in a watering hole staged from compromised Armenian
government and government-related sites. CyberScoop says the compromised sites belong to the consular
section of Armenia's embassy in Moscow and an Armenian foreign policy think tank. The Register
observes that one reason the operation has gone unremarked for so long
is the campaign's patience and discernment.
Turla won't install its malware, for example,
until it's determined that the victim is a sufficiently high-level target.
Once it decides the target is worthy, the infection proceeds along familiar lines,
posing as a fake Adobe Flash Player update.
Turla is generally regarded as a unit
belonging to one of Russia's intelligence services,
probably the FSB Foreign Intelligence Service.
That's consistent with its quieter, less obtrusive performance,
which has become recognized as a hallmark of an FSB operation.
Contrast that with the heavier hand of the GRU.
Fancy Bear, for example, tends to come in fast and loud.
Turla has also been associated with false flag operations in the recent past,
including a campaign that convincingly represented itself,
for a while anyway, as an Iranian operation.
Two significant data breaches have come to light.
According to ZDNet, the Netherlands government has lost hard drives
containing the personal information of almost 7 million organ donors.
The drives stored electronic copies of all organ donor forms
filed with the Dutch donor register between February 1998 and June 2010.
The two drives were placed into secure physical storage back in 2016,
pending eventual disposal as authorities migrated to newer storage systems.
But earlier this year, when the donor register went looking for the drives, well,
they were nowhere to be found. And they haven't turned up yet, either.
The personally identifiable information on the missing drives includes first and last name, gender, date of birth,
address at the time of the form, choice for organ donations, ID numbers, and a copy of the user's signature.
Dutch authorities say there's been no sign that anyone's actually used any of the lost information,
and that since the data falls short of what would count as FULs in the Netherlands,
no official identification documents, for example,
it's highly unlikely they'd be used for fraud or identity theft.
Well, okay then, but that reassurance sounds a little like whistling past the graveyard.
Or whistling past the transplant center.
The team at MediaPro recently published the latest version of their State of Privacy and Security Awareness Report.
Tom Pendergast is Chief Learning Officer at MediaPro.
One of the things we've always tried to do is combine cybersecurity and privacy,
because we think that for most people, those kind of go hand in hand. They may not for professionals,
but they do for the general employee. So one of the intriguing things we found is that like 20 months after GDPR's implementation,
and that's the European General Data Protection Regulation, most employees do not know whether
their organization needs to comply with GDPR or not.
And I think we're going to hit the exact same thing with this new California law, the California
Consumer Privacy Act, which went into effect on January 1.
62% are unsure about CCPA. So we've got these, what professionals are calling the most sweeping
privacy laws ever in history, and you've got a majority of population that doesn't know a thing
about it. So that's pretty interesting to me.
What do you suppose the disconnect is there?
I think that general employees don't yet really understand that these regulations impose
obligations on their companies that they need to know about. So, you know, if you're working in a
call center, it may just not connect up with you that you have a role to play in not asking for information that you don their jobs and these laws and regulations that companies are really highly attuned to.
And so what are the take-homes for you in terms of recommendations that came out of the information you gathered?
What can you share there?
The take-homes for me are actually relatively simple.
And it comes down to this.
The first thing I think people who are trying to improve their risk profile as a company,
they need to understand where their employees are with regard to risk. Let me give you an example
there. You may, as a company, have rolled out a password manager to all of your employees and done a lot of
education there.
And maybe they're really good about managing their passwords.
But you may have a really poor understanding in your population about the importance of
reporting incidents or even suspected incidents right away.
So the only way you get to understanding the risk profile in your organization is if you do some things to understand your employees and your culture's particular susceptibility to risk.
So we recommend phishing simulation to identify the phishing risk, tracking other kinds of forms of data in your environment, and doing surveys like this one in your employee population to understand your risk.
So once you understand it, now you've got a good roadmap to the kinds of things that you need to work to correct.
And contrary to what may have been the old belief, it's not enough to release a kind of once-a-year security awareness training
where you make sure to cover the stuff
that your employees don't know about. You've got to be regularly communicating to employees
in a variety of different ways about the risks that they face if you're going to slowly,
gradually nudge them in the direction of really cyber secure behavior.
It strikes me also that there really is an important culture component here that organizations
have to, instead of, I guess they have to get rid of that fear of getting a slap on
the wrist for clicking the wrong thing or going to the wrong website, that the folks
who report these things, they should be recognized as being champions looking out for the organization's
security. You're right on the mark, Dave. And especially when you said it's about creating
a culture. When people are trying to create an awareness program, they've got to think not of
creating a training module, but about creating an ongoing and sustained conversation in their
company about how to better protect the data that flows through the company. And that's a
culture change initiative. Too often, our security and privacy programs have originated with people
who don't necessarily understand how to move a long-term culture change initiative along. And that's what
we're trying to do with this survey. It's just help people understand that it's complicated.
Humans are, as you probably know, paradoxical, sometimes contradictory creatures, and you've
got to do a variety of things to try to get them to function more effectively. So one of the things
that we always recommend to people
is to recognize that your employees
all kind of learn and process this stuff different ways.
So it's important that you communicate to people
in a variety of different ways.
Some people are going to get the picture
and kind of switch over to more data protective behaviors
when they watch a funny video
that might be making fun of somebody who uses the same password every time. But other people just
don't tune in to that kind of message. And they may be better off with kind of a lunch and learn
session where you bring somebody in from the FBI to talk to your company. Or, you know, just imagine
any of the other ways that you might communicate.
It's important never to rely on one,
but to use multiple channels of communication
on a regular cadence to kind of meet your objective.
That's Tom Pendergast from MediaPro.
In the U.S., Ars Technica reports that Comcast inadvertently published
some 200,000 unlisted phone numbers.
These are phone numbers whose users pay a monthly fee to keep them generally unavailable to searches,
a throwback to the old days when an unlisted number didn't appear in a phone book.
Comcast mistakenly put the unlisted numbers into its Ecolisting directory,
from where third-party directories obtained them.
Comcast has shut down Ecolisting and apologized to the affected customers.
The company is offering those whose purchase of an unlisted number was less than fully successful
$200 in compensation and the opportunity to change to a new number,
which one hopes will remain successfully unlisted.
This has happened to Comcast at least once before.
In 2015, the company paid a $33 million settlement in a similar case.
In what appears to be a tu quoque response to earlier charges from Taipei,
China has accused Taiwan of using the current COVID-19 epidemic
as an opportunity to wage cyberwar against the People's Republic, says Taiwan News.
Last month, Taiwan's foreign minister, Joseph Wu,
complained publicly that Beijing was attempting to disrupt the island republic's efforts
to contain the novel coronavirus,
and that it was also running a disinformation campaign
intended to erode public trust in the country's governing party
with online claims that members of the Democratic Progressive Party
were getting priority for receiving surgical masks.
There's lots of COVID-19 myths and disinformation circulating online,
from state propaganda of the kind crossing the Formosa Straits
to criminal phish bait.
As American Banker notes,
this famously includes a maliciously crafted map of coronavirus infections
as well as other forms of clickbait.
There's also a lot of direct fraud, like bogus colloidal silver cures. Don't bite. The U.S. administration is
seeking to enlist big tech in a coordinated effort to correct these forms of misinformation.
Facebook, Cisco, Google, Amazon, Apple, Microsoft, IBM, and Twitter have all been asked to help,
as the Washington Post and Politico report.
The hope is that some technical solution or solutions might help,
but it's unclear that anyone has any idea of how to do this at scale.
And colloidal silver is Exhibit A for the persistence of manifest nonsense.
The European Union is also reviving the self-reporting system it established with U.S. Big Tech
in the hope of finding some way of muting disinformation on the coronavirus.
Twitter is the latest big tech company to mandate working from home in response to the COVID-19 pandemic,
TechCrunch reports.
Organizations considering making a similar decision might consider a white paper from Hysolate
that offers a systematic consideration
of how to make the shift to temporary telecommuting.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of
technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving
customer challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Mike Benjamin.
He's the head of Black Lotus Labs at CenturyLink.
Mike, it's always great to have you back. You and I were joking before we started rolling here that Emotet seems to be the gift that keeps on giving in terms
of providing you and I something to talk about here. It keeps bubbling back up and has a way
of keeping itself in the news. It's been on your radar along with your team. What's noteworthy lately with Emotet? Yeah, thanks, Dave. So Emotet, as many are familiar with, is really, really one of the
more dominant malware distribution methods in the internet right now. It's being used as part
of the supply chain to distribute a variety of threats. Of course, ransomware being one of the
more frightening ones that people have been affected by. But realistically, the team behind
it's been very effective
at how they update and maintain their infrastructure and deliver things.
So I always like to note when they make changes in their behavior.
So at the beginning of this month,
they started distributing a new version of their binaries.
They have done this a few times before, so this is not the first time.
However, realistically, about a week later,
they tend to stop their spamming.
So right now as we speak, Emotet is not sending spam emails, and that is a change in behavior.
And so what we really like to point out to people is during these times, the actors are reassessing how they distribute their malware, how the malware runs on a host, and they're changing things and protocols and other things that for a time will make it a little more difficult to detect and block.
So right now is really the time to go through an infrastructure, look for those network available
data points for the callbacks, and look for the host-based forensics to look for the installed
malware and remove them. It's a great time while the actors aren't focused on building up their war chests of infected points to go remove some of them
from infrastructure. Now, once they are back at it and they're sending out Emotet again,
what sorts of things should folks have in place to defend against it?
Well, Emotet's been really effective from a few different points.
First off, they attack existing infrastructure
for their distribution.
So both the malware distribution itself,
as well as command and control,
they're hacking into hosts,
they're breaking into hosts
and using things that already exist.
And so some of those things around
how good is a site cannot, in some cases,
be that effective against Emotet. Of course,
they're not breaking into major websites as they do that. So they do still tend to be things like
smaller businesses with WordPress and things that are being compromised, but they do have a
reputation on the internet that's not negative to start with. So realistically, looking at where
email is coming from, what it contains, and those tried and true things that we've tried to do for many years to stop email distribution of malware all come into play here.
That's their primary vehicle. Next, when they are dropping the malware, they're using multi-stages
of install, secondary payload, download, and other things that do tend to get caught by most
endpoint software. So keeping those things updated,
making sure that there's diligence.
And then last, where we spend a lot of our time is looking at the network layer,
trying to find where those callbacks exist.
And should something get past an early check
on an endpoint agent,
being able to then detect that on the network
and go remediate that individual host
before it spreads more.
Now, in terms of them altering their
binaries, I mean, I suppose, I mean, that makes it, that changes the signature of those binaries.
So you need to be aware of that. Does the actual behavior change for the defenses that are looking
for a particular type of behavior? Would that be altered as well? So the changes have occurred a few different times. One
of the big changes that we saw a couple versions ago is they started using infected hosts as part
of their command and control proxy layer. This makes it a little bit easier for them to persist
over time, less pressure on how many WordPress sites they happen to hack into for their
second tier of C2 there. So that was a big shift in behavior that we saw.
However, most of the basics of primary maldoc driven
through secondary payload download,
those kinds of steps look pretty consistent across time,
but they are a gang of folks that do know how to do
the more smaller changes to their malware
to try and evade particular checks along the way.
We see them constantly changing their obfuscation methods
and their maldocs because they begin to be detected
with greater efficacy across the industry.
They do change things like the encryption keys
on their command and control protocol on a monthly basis.
So they're very diligent about changing things over time.
But you're right, the core of what they're doing
has been pretty consistent over time. All right. Well, Mike Benjamin, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next
generation of cybersecurity teams and
technologies. Our amazing Cyber Wire
team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri,
Kelsey Vaughn, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.