CyberWire Daily - The Winnti Group is interested in Hong Kong protestors. The UK, the US, and the EU all look for a cooperative way forward into 5G. DDoS for hire hits an independent Serbian media outlet. Ransomware may have hit a US defense contractor. EvilCorp is back. T
Episode Date: January 31, 2020
The Winnti Group is interested in Hong Kong protestors. The UK, the US, and the EU all look for a cooperative way forward into 5G. DDoS for hire hits an independent Serbian media outlet. Ransomware may have hit a US defense contractor. EvilCorp is back. The Sodinokibi ransomware gang is running an essay contest. And the 2015 Ashley Madison breach keeps on giving, in the form of blackmail. Emily Wilson from Terbium Labs on the sale of "points" and "status benefits" on the dark web. Guest is Michael Sutton from Stonemill Ventures with insights from the cyber VC world. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_31.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The Winnti Group is interested in Hong Kong protesters.
The UK, the US and the EU all look for a cooperative way forward into 5G.
DDoS for hire hits an independent Serbian media outlet.
Ransomware may have hit a US defense contractor.
EvilCorp is back.
The Sodinokibi ransomware gang is running an essay contest.
And the 2015 Ashley Madison breach keeps on giving in the form of blackmail.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, January 31st, 2020.
The Winnti Group, for some time associated with the Chinese government and previously best known for financially motivated attacks and industrial espionage,
has turned its attention to Hong Kong.
Security firm ESET reports finding that Winnti is using its eponymous Trojan
to drop the ShadowPad backdoor into machines at five Hong Kong universities.
The apparent purpose of the extensive campaign is to collect intelligence on protests of the mainland's role
in the city. Shadowpad has many modules well adapted to collection. One of them, for example,
is a keylogger. The universities have been prominent in the protests over the now-withdrawn
extradition law promulgated last year, and the security services have an obvious interest in
keeping a close eye on them. ESET says it notified the universities of what its researchers found.
The U.S. has welcomed the EU's decision on 5G network security, seeing it as amounting
to European acknowledgement of the unacceptable risks untrusted suppliers bring.
U.S. Secretary of State Pompeo said in a statement,
quote,
We call on our European allies and partners to implement the EU recommendations
by adopting strong risk-based security measures
that exclude high-risk suppliers from all parts of their 5G networks.
The statement twice mentions what makes a supplier high-risk.
They are companies based in third countries that lack democratic checks and balances,
and the EU has recommended that such suppliers should face restrictions that others don't.
The Secretary of State also notes, with gratification, that the European Union's
toolbox calls upon EU member states to exclude high-risk suppliers from critical and sensitive
parts of their 5G networks, which includes the radio
access network. How to use the tools in the EU's 5G security toolbox is up to the member states,
but they'll at least have to report to the EU on what they're doing.
German security officials have expressed unease over evidence the US has provided
that supports the contention that Huawei is engaged in espionage.
But Guillaume Poupard, who directs France's cybersecurity agency ANSSI,
told Bloomberg that as far as he was concerned, he hadn't seen any smoking guns.
Maybe elsewhere, but not in Europe, he said.
Still, French authorities have taken good care to keep Huawei away from Airbus headquarters in Toulouse.
Italy's industry undersecretary Mirella Liuzzi said this week that Italy wouldn't prevent
Huawei or ZTE from trying to play a role in Italy's 5G networks, that it wouldn't keep
them from the doorstep, but that they would exercise due caution.
Britain's confidence in its ability to exercise its own version of due caution
rests on the work of the Huawei Cybersecurity Evaluation Center, the HCSEC,
a 40-person unit in Banbury vetted by GCHQ
that's charged with checking Huawei equipment for security issues
before permitting it into the country's networks.
The HCSEC has been in operation for almost six years.
Its facility is a Huawei facility overseen by an NCSC-chaired board, whose members are drawn
from other elements of the British government. The vice-chair is a Huawei executive appointed
by the company. The oversight board reports annually. Its last report, rendered in March
of 2019, found that the HCSEC was for the
most part able to operate independently of Huawei, but some of its other conclusions were less
encouraging, such as this final one, quote, overall the oversight board can only provide
limited assurance that all risks to UK national security from Huawei's involvement in the UK's
critical networks can be sufficiently mitigated
long term. Computing reports that Secretary of State Pompeo is also confident the US and UK
will reach a mutually satisfactory understanding over Huawei. The British policy announced this
week will exclude Huawei from core elements of the 5G network, which would presumably include
the critical
networks the Huawei Oversight Board alluded to in its last annual report.
It will also cap the company's participation in the remainder at 35%.
The website of Serbian independent media outlet TVN1 has been disabled by distributed denial
of service attacks this week, possibly DDoS for hire purchased from operators in China.
The attacks come, says Balkan Insight,
during a squabble with state-owned media over broadcast rights.
But apart from some rumbling about a general hostility to independent media,
observers fall short of accusing Serbian state media with putting out a hit on TVN1.
Electronic Warfare Associates, or EWA, a Virginia-based U.S. defense contractor,
has been hit with a Ryuk ransomware attack, ZDNet reports.
Four sites associated with the company are said to have been affected.
EWA has so far offered no comment on the reports, ZDNet says, and the scope of the incident remains unclear.
Bleeping Computer reports that Microsoft has seen a resurgence of the EvilCorp cybergang phishing with malicious Excel files.
Digital Shadows says that the Sodinokibi ransomware crew is offering a $15,000 prize for the best essay on a hacking topic. The researchers leave
open the question of whether this represents a serious sharing of expertise or just threat
actors showboating. Showboating or not, we can't recommend that you compete, friends.
Best leave this one alone. And finally, while the guilty flee when no one pursues,
we saw recently in the case of a completely bogus sextortion scam
that had absolutely nothing on the victims,
sometimes the guilty do indeed have pursuers.
Remember Ashley Madison?
The adultery facilitation site whose advertising slogan was,
and still may be, we wouldn't know because we don't hang out in those neighborhoods,
"Life is short. Have an affair"?
Well, they were breached back in 2015, and the effects of that breach are being felt anew.
Researchers at Vade Security have found data stolen in the 2015 Ashley Madison breach
resurfacing in highly specific blackmail attempts against former customers of the online networking service.
The shakedown notes that Vade offers for your consideration are long.
They're filled with hideous, all-too-human details on credit card transactions,
interests the user checked when they signed up for Ashley Madison,
even notes on the chemical male assistance products the user purchased.
We're not sure either what chemical male assistance products are, such things not being our bag, but it doesn't sound like the kind of thing you'd like discussed around the water cooler at work. The blackmail is clever in that the ransom demand
is contained in a password-protected PDF attached to the email, the better to make it past filters.
So, the lesson here would seem to be that while life may indeed be short,
illicit pleasures are far more fleeting, but shame and guilt can last a lifetime.
Unless, of course, you're shameless, in which case the blackmail won't matter much.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash
careers to learn more. Do you know the status of your compliance controls right now? Like,
right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of
new members discover they've already been breached. Protect your executives and their families 24-7,
365, with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Emily Wilson.
She's the VP of Research at Terbium Labs.
Emily, it is great to have you back.
I wanted to touch base today about some things that I know you all are tracking
when it comes to account takeovers and this whole notion of access as a service.
What can you share with us today?
Sure, happy to be back.
So one of the things that we're
tracking here that we've been tracking for a while is the way that services are developing
in criminal marketplaces. We're all familiar with account takeover. We know that credentials are
being sold and marketed for fraudsters to then go take over accounts themselves. But there's
something that's been developing over the last couple of years and over the past few months in particular that I'm thinking of as access as a service. So instead of having
credentials to go take over an account yourself, for example, a vendor might offer what is
essentially a value-added service of saying, hey, what are you trying to do? Can I do that for you?
Can I get you there with some additional benefits or resources that I
have on my end so you can enjoy all of the fruits of the labor without taking on the risk yourself?
Can you give me an example?
So this is largely currently at least around travel or hospitality brands. So you could think
about transportation companies or perhaps hotels, for example. Say you want to
stay at a hotel and you want to have all of the benefits of someone who's been staying at that
hotel for 20 years and has the points and the tiered access and the platinum, diamond,
whatever you want to call it, tier of access. This would give you an opportunity to book a stay with them or perhaps book some sort
of travel using all of those benefits and points and tiered status without having to, for example,
take over an account that has those. Someone else is going to take care of that for you.
I would still be able to book it as myself, but then someone else would have a bank of stolen
points or whatever those sorts of
benefits are that they would apply to my stay, for example? That's one example. There are a few
different ways it can manifest depending on the vendor, but it could be that they're going to
bump up your account for you and maybe that they're going to book a stay using somebody else's
legitimate points. You know, this gets into really interesting questions about
the development of the insider
threat model, or is this a question of the malicious actor having ongoing access and
it's just trying to cause some havoc? It's a really interesting development. It's something
that I'm planning on keeping an eye on. What does this say in terms of the maturation of
the market here, that these things are available as a service?
One, I think it's interesting to see what sort of
brands are appearing for these kinds of services. What sort of brands that have points or status or
loyalty rewards are then trickling over, are then generating demand in these criminal communities.
We've seen it for a long time with things like beauty brands that have points, but then airlines and hotels
are a natural next step.
So then what comes after that?
Where is this going to go?
And I think that's a really interesting angle.
The other angle here is what other areas
are vendors going to take on additional risk
to offer a value-added service to their
fraud consumers? How does this fit into the maturation of the overall fraud economy and not
just the account takeover or account access wing of fraud? I'm curious to see where this goes.
Yeah, it's interesting how it seems like the barriers to entry continue to be lowered.
To be lowered, I think not only in the classic criminal communities as we might consider them, the ones that are on the dark web or in the deep web, but also as we see this kind of this fraud demand, this fraud marketing spillover into things like social media, how does that impact your buyer base? If you have previously had a buyer
base that's primarily cyber criminals on cyber criminal forums who are of a type, who are used
to engaging in this kind of activity, if you then take that and make it available to people who are
in a Facebook group or perhaps are on Twitter, is somebody going to be interested in dipping their toe into some of these,
what may seem like victim lists or sort of low-level frauds to say, yeah, I want access
to stream that TV show. Who am I harming? How does that begin to open up demand from a different
part of the market? And are there people who are going to see this and say,
yeah, you know, actually, if I can travel first class and I'm not going to get caught, which is a big question mark, maybe I'll try that.
And so I think we have a lot to watch play out here.
Yeah. All right. Well, Emily Wilson, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity
solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to
give you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company
safe and compliant.
My guest today is Michael Sutton.
He's founder of Stone Mill Ventures, a venture capital firm primarily focused on cybersecurity companies at the seed stage.
Our conversation focuses on what kinds of things someone in his position likes to see and hear from prospective startups,
as well as some of the pitfalls to avoid.
I think it's a target rich environment right now.
There's a lot of money flowing in.
Cyber remains hot.
It's tough to rise above the noise in that there are a lot of startups out there, but there is money to be had.
And good entrepreneurs can actually be selective and make sure that they find the right investors. But what sort of recommendations do you have for people to make the most of that
time that they do have with you? Sure. I think it's important to, you know, by all means, like
talk to that entity up front. You know, you could be pitching to a lot of different people. It could
be an angel group. It could be a VC. It could be a family office.
And they're all going to want to see things a different way.
So understand, you know, hey, what is my time frame?
How many people am I speaking to?
Who is going to be in the room?
What is their background and expertise?
And do your own background research.
Like I'd say one mistake that I often see when I'm pitched to you,
like I have a technical background. You know, I spent the majority of my career building security
solutions. So don't spend three slides telling me why security is a problem. I fully understand
that. Let's save that time and, you know, use it for something else. Whereas those three slides
may be very important if you're going into, say, a family office that doesn't necessarily have a deep background in security.
So do your research, understand who you're speaking to, and tailor your deck accordingly.
You don't have to just have one deck.
Do people get second chances if I come in front of you and I'm not fully prepared or I make some mistakes?
Is it pretty much a one-and-done affair, or are there opportunities to come back?
Certainly for me, there is. Like most investors, I invest in a relatively small subset of what
is originally pitched to me. But I generally don't say, you know, you're not the right guy for me.
No, no need to talk further. That's not generally how it ends. It's me providing them with feedback
to say, hey, this isn't right for me or it's not right for me at this time, and here's why, and
here's the things that would make me be interested. It is pretty common that I talk to people six
months later, and sometimes I do have a different opinion at that point.
What sort of advice do you have for these folks who are hopeful in terms of the best things that
they can do in their preparation?
They're putting together their package for you.
What are some of the top recommendations you have for them?
Yeah, there's certainly a lot of stuff online in terms of draft or template pitch decks.
So you want to spend some time looking at good pitch decks and talk to fellow entrepreneurs. You know, no doubt,
especially in the security community, you're going to rub elbows with people who have been
successful and have gone on to raise capital and build strong companies and talk to them, say,
hey, you know, how did you go through this process? You know, it's a friendly community
and don't be shy to reach out and talk to people and,
you know, get feedback.
Because yeah, that, that, and, and your pitch deck is not done.
You should spend far more time than you realize narrowing it down.
You don't want it big.
I mean, Hey, if it's five slides and you're able to capture everything, fantastic.
That's really hard to do, but if you can pull it off, you've probably put an awful
lot of thought into it, but yeah, look at what has succeeded,
get advice from other people. How much does someone's personality play into this? In other
words, does it ever come to pass that someone comes in front of you with just an absolutely
fantastic idea, but you just can't get past the fact that there's, you know, there's something about them that puts you, you know, ill at ease. Well, I'll answer that from two angles. Like,
it absolutely is important that you develop some kind of rapport because back to the trust issue,
this is somebody that I'm entrusting with my money. But also, like for me, I like to be a
very active investor. You know, I don't want to just make my investment and walk away. I want to make sure that I'm always available to them, helping them out, whether that's as a
board member and advisory capacity, or I'm just, you know, on their speed dial. So that for me is
a really important part of the investment decision that this is somebody that I enjoy working with.
And, you know, I just enjoy spending time with them. Some investors may not feel as strongly
because they're not necessarily an active investor,
but at the same time, and I think that this is true,
especially in the security community
where you have some very brilliant technical people
that may not be great public speakers,
maybe they're not the best at giving a pitch.
But for me, I'm okay with that.
It's not, I'm okay with that. You know, it's not,
you know, I'm focused more on the content. And I'll probably, if they piqued my interest,
I'll probably have to spend time with them after that pitch meeting to dig a little deeper and get,
you know, some of the insights that maybe I would have normally wanted to get just directly from
that pitch meeting. But, but I'm okay with that. You
know, I don't think people should shy away from this just because giving a pitch in front of
people isn't necessarily their thing. We're used to that. That was Michael Sutton from Stone Mill Ventures.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Thanks for listening.
We'll see you back here tomorrow.