CyberWire Daily - This Woodcutter’s no Railsplitter. Operation Dream Job. COVID-19 phishing.

Episode Date: August 13, 2020

NSA and FBI release a detailed report on a GRU toolset. North Korea’s Operation Dream Job phishes in Israeli waters. CISA warns of COVID-19 loan relief scams. Malek Ben Salem from Accenture with highlights from their 2020 Security Vision report. Our guest is Mike Hamilton from CI Security, who clears the air on election security and the shift to absentee status. And crooks are using infection and job loss as retail phishbait. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/157 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Starting point is 00:00:46 Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Thank you. Now at a special discount for our listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off
Starting point is 00:01:34 is to go to joindeleteme.com slash N2K and enter code N2K at checkout. That's joindeleteme.com slash N2K code N2K. North Korea's Operation Dream Job phishes in Israeli waters. CISA warns of COVID-19 loan relief scams. Malek Ben-Salem from Accenture Labs with highlights from their 2020 security vision report. Our guest is Mike Hamilton from CI Security, who clears the air on election security and the shift to absentee status. And crooks are using infection and job loss as retail phishbait. From the CyberWire studios at DataTribe,
Starting point is 00:02:34 I'm Dave Bittner with your CyberWire summary for Thursday, August 13th, 2020. The US NSA and FBI this morning released a report on Drovorub malware, a hitherto publicly unremarked strain deployed by APT28, which of course is Fancy Bear, Russia's GRU military intelligence service. The report describes Drovorub as a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control server.
Starting point is 00:03:06 When deployed on a victim machine, the Drovorub implant client provides the capability for direct communications with actor-controlled C2 infrastructure, file download and upload capabilities, execution of arbitrary commands as root, and port forwarding of network traffic to other hosts on the network, all of which is, well, a lot. McAfee CTO Steve Grobman commented in an email that Drovorub is a Swiss Army knife of capabilities that allows the attacker to perform many different functions, such as stealing files and remote controlling the victim's computer. Drovorub can be detected, but the two agencies warn that, like other advanced rootkits, the malware takes some pains to hide itself, and so it may be overlooked if you're not on the lookout for it. The alert recommends updating to Linux kernel 3.7 or later,
Starting point is 00:04:00 which will enable users to take full advantage of kernel signing enforcement. It also encourages administrators to configure systems so they will only load modules that have a valid digital signature. NSA and the Bureau don't say what they think Fancy Bear's objectives are with Drovorub, but they do scowl in the direction of the GRU's interest in election meddling. Fancy Bear's been there before. Still, with a Swiss Army knife, you can do a lot. So why is it called Drovorub, you're probably wondering? The word means wood
Starting point is 00:04:33 cutter, wood chopper, or wood splitter. In this case, it's the GRU's own name. That's what the hoods back at the aquarium call it. Nice touch, that NSA. You could Americanize the name as rail splitter, but honest Abes, they're not. Another question. The alert is detailed and specific. You can get it from the NSA press room at NSA.gov, and it's a lively read that really puts the G into GRU. Why release it? The authors say, in an accompanying fact sheet, "We're sharing this information with our customers and the public to counter the capabilities of the GRU GTsSS, an organization which continues to threaten the United States and its allies. We continuously seek to counter their ability to exploit our nation's critical networks and systems," end quote. That seems right to us.
Starting point is 00:05:26 It also seems likely that Fort Meade is letting the girls and boys over at the aquarium know that NSA sees right through them, woodchips and all. Phishing for job seekers. The technique and the phishers aren't new, but the target set has shifted a bit. The Jerusalem Post reports that the Israeli Defense Ministry says it detected and stopped a campaign by North Korea's Lazarus Group to gain access to Israeli defense companies. The Lazarus Group used a now-familiar tactic, phishing in LinkedIn with a bogus job offer to targeted employees.
Starting point is 00:06:00 Researchers at security firm ClearSky, where they've given the campaign the appropriate name Operation Dream Job, have details. An approach may be initially made through a fictitious LinkedIn profile. Once some contact is established and a degree of rapport achieved, and this is LinkedIn, so the rapport needn't be very strong, the attackers can escalate through other forms of communication, like phone calls and interaction over WeChat. Eventually, a spear-phishing email arrives, bearing one of a small number of malicious payloads. The fake job offer is an obvious approach, ClearSky points out, and it's got a fair chance of being effective for several reasons. First, it's likely to draw the victim's attention during a period when employment is uncertain.
Starting point is 00:06:46 Anxiety can render the mark more vulnerable to social engineering. And the interactions one expects during recruiting can, as ClearSky observes, establish a personal connection and induce a false feeling of benefit from the conversation. Employees are also likely to be loath to disclose to their colleagues, and especially to their bosses, that they're considering a new job offer. The less the marks say about the scam, the less likely they are to raise any red flags. Discretion is expected, and the Lazarus Group asks for it. It's useful, for example, if the threat actors can persuade the victim
Starting point is 00:07:22 that correspondence is better carried out over their personal email account as opposed to their corporate account. Correspondence conducted this way is likelier to bypass corporate security measures. Once the payload's in and the victim is compromised, the Lazarus Group has two goals, and these are always the same. They want access to corporate networks where they can steal intellectual property, and they want access to financial accounts where they can steal, well, money. The U.S. election continues to heat up, and along with it, there's continuing concern for election security and integrity, especially as more states focus on voting by mail, thanks to safety concerns from the COVID pandemic. Mike Hamilton is founder and CISO at CI Security and former Chief Information Security Officer for the City of Seattle, Washington, where voting by mail has been an option for decades. Our own Chief Analyst and Chief Security Officer Rick Howard got on the line with Mike Hamilton.
Starting point is 00:08:21 Here's their conversation. Since I've lived here in Washington State, this is the only way we've done it. And it was surprising at first, but you get your ballot well in advance of the election. In fact, so far in advance of the election, some people voted in the presidential primary and by the time they voted, it was already a done deal. And they had voted, they voted early
Starting point is 00:08:44 and then found out, well, you know, they voted for somebody that lost and then didn't have a chance, you know, to modify that. So it takes a little bit of the drama out of it. But other than that, it's a secure system. It is. We consider it to be. And, you know, there are a lot of controls in place, you know, starting with how the ballots are printed. every one of them has a barcode and that barcode is keyed to you and it also is keyed to your signature on file. Those signatures are checked by hand and by machine, right?
Starting point is 00:09:16 If the machine fails, says this doesn't look like a match, it goes to a person, they will check it. And then if they have to pull it out, they'll give you a call. Talk to me about that. That sounds fascinating. I've never heard of that before. So you assign a barcode to a registered user.
Starting point is 00:09:30 To a ballot, yes. How do we make sure that no one can interfere with that? Well, the barcode is keyed to you, right? So there was a suggestion made recently that other countries could just print phony ballots. And no, they can't. They can't do that because it has to be coded to every voter. And there has to be a signature match as well. And multiple levels of all of these controls being checked for every ballot.
Starting point is 00:10:00 Washington state's been doing this for, what, 10 years? Is that what you said? Since the 80s. Since the 80s. So now there are states who have never tried this, right? And now it's July. Could they get up to speed quickly enough to make this work? I don't know.
Starting point is 00:10:16 Honestly, Rick, if they didn't get in front of this a little before now, part of the problem is going to be printing all those ballots with barcodes, establishing a database that has, you know, they already have copies of signatures, probably electronically, but now they've got to be all keyed to a database corresponding to the barcode, and then have ballots printed that are individual to each voter. And, you know, there's companies that do that, but I think you needed to get into the queue pretty early. So you're anticipating that there's going to be some disagreement about the results of all of these things,
Starting point is 00:10:47 regardless of if we do it by mail-in or the way we've always done it. And this might be a prolonged election season. Is that what you're thinking? Yes, that is exactly right. I think a lot of people are thinking that too. And so is there anything we can do to head that off, do you think? Well, you know, I think, you know, educating people on exactly the way this works, like you're doing right now, I think is probably the best thing we can do. But there's just a lot of people that will reject any information that, you know, doesn't fit their kind of preconceived notion of reality. You're right, Mike. We live in interesting times. What can I tell you? Well, thank you, sir. Thank you for giving your insight.
Starting point is 00:11:31 And I guess we will see what happens. Yeah, we'll see what happens. Thanks for the conversation, Rick. Thank you, sir. That's the CyberWire's Rick Howard speaking with CI Security's founder and Chief Information Security Officer Mike Hamilton. And finally, as if people didn't have enough trouble without crooks jumping up and down on them when they're down during a pandemic, there are more COVID-19-themed scams out and about. The U.S. Cybersecurity and Infrastructure Security Agency warned that an unknown malicious cyber actor is spoofing a U.S. Small Business Administration COVID-19 loan relief site in phishing emails. By these marks shall ye know them. The subject line is SBA application. Review and proceed. The sender is
Starting point is 00:12:18 disastercustomerservice at sba.gov. Don't go there. There are also phishing expeditions going after individuals, and these are baited with anxiety. So what are people worried about nowadays? A lot of them are worried about getting sick or getting fired. And the crooks, of course, take notice of popular fears. USA Today reports that people are getting spam telling them, hey, you've been infected with COVID-19 and, hey, you've also just been fired. If you get one of these, take a deep breath and think about how likely it is that you'd be notified of either infection or firing by email. If you've still got a case of the yips, call your doctor or call your job for quick reassurance. And then pick up the phone and call the Federal Trade Commission's Consumer Hotline.
Starting point is 00:13:08 Let's stay safe out there. We're all in this together. And I'm pleased to be joined once again by... Transat presents a couple trying to beat the winter blues. We could try hot yoga. Too sweaty. We could go skating. Too icy.
Starting point is 00:13:28 We could book a vacation. Like somewhere hot. Yeah, with pools. And a spa. And endless snacks. Yes! Yes! Yes!
Starting point is 00:13:36 With savings of up to 40% on Transat South packages, it's easy to say so long to winter. Visit Transat.com or contact your Marlin travel professional for details. Conditions apply. Air Transat. Travel moves us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:14:08 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:15:12 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Again, by Malek Ben-Salem. She is the Americas security R&D lead at Accenture Labs. Malek, it's always great to have you back. You and your team there at Accenture recently came out with a publication that we wanted to touch on today about some of your vision going forward for 2020. What are some of the things you wanted to share with us today? Thank you, Dave. Our security technology vision has focused this year on
Starting point is 00:16:07 continuous innovation through emerging technology adoption and how organizations can adopt new technologies and do that securely. We've surveyed about 500 C-suite executives from companies covering 12 industries, about eight countries. And these are big companies, so companies that have revenue of $5 billion or more. And the questions we wanted to look at is how can enterprises be at the forefront of technology adoption, driving growth, but doing so securely? And, you know, the main findings we've had based on this survey were actually surprising.
Starting point is 00:17:08 We were surprised to find that these emerging technologies, and the ones we focused on were AI, 5G, quantum, and extended reality, XR, pose a major paradigm shift in security challenges. We found that the respondents to our survey believed that AI, the most implemented emerging technology to date, as indicated in our study, was perceived as the most significant security risk. So 45% of our survey respondents believed that AI posed a significant security risk, but less so with the other technologies. So for 5G, it was 31% only who believed it poses a security risk. Quantum computing, only 28%.
Starting point is 00:17:56 And XR, only 21%. So this was surprising to us. So it seems that there is some lack of understanding or some underestimation of the security risk that these emerging technologies pose to organizations. Now, there were some other interesting things you got from your results here. What else can you share with us? Yeah, so we continue basically with the theme of underestimation. In our second finding, we found that C-suite executives underrate the extent and timing of what they need to do to secure these technologies. So when we asked about what do you plan on doing to secure AI or 5G, etc., these executives had several strategies in mind. So they thought about collaborating or partnering with organizations that have expertise, 73%. Hiring new talent, 73%. Acquiring new business or startups, 49%.
Starting point is 00:19:13 But when we asked whether they started planning to secure these technologies, only 55% said so, that they are actively planning to secure AI. Only 36% mentioned that they started planning for 5G, 32% for XR, and 29% for quantum. So while these executives are thinking about various strategies to secure these emerging technologies in the long run, it seems that they're underestimating how long it takes to do that, how long it takes to secure these technologies. We know that just bringing people on board and teaching them these technologies, these innovative technologies, itself takes time, let alone teaching security professionals how to secure these technologies. That takes even longer, right?
Starting point is 00:20:12 While courses exist and Coursera or, you know, online learning platforms, we know that it takes much more to gain basic proficiency in securing an emerging technology. So we urge these executives to start thinking about security now as they're adopting these emerging technologies. Yeah, interesting indeed. All right, well, Malek Ben-Salem, thanks for joining us. Thank you, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:20:55 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
Starting point is 00:21:48 It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:21:58 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Starting point is 00:22:12 Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
