CyberWire Daily - Tories delay leadership vote over security concerns. Cyber phases of Russia's hybrid war. Chinese patriotic hacktivism vs. Taiwan. Malware designed to abuse trust. Putting a price on your privacy.
Episode Date: August 3, 2022

Tories delay a leadership vote over security concerns. A summary of the cyber phases of the hybrid war. Cyberattacks affect three official sites in Taiwan. Malware designed to abuse trust. Gunter Ollmann of Devo to discuss how cybercriminals are winning the AI race. Renuka Nadkarni of Aryaka explains how enterprises can recession-proof their security architecture. Plus, putting a price on your privacy. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/148

Selected reading.
Tory leadership vote delayed after GCHQ hacking alert (The Telegraph)
Nozomi Networks Labs Report: Wipers and IoT Botnets Dominate the Threat Landscape – Manufacturing and Energy at Highest Risk (Nozomi Networks)
Those Pelosi-inspired cyberattacks in Taiwan probably weren't all they were cracked up to be (Washington Post)
Increase in Chinese "Hacktivism" Attacks (SANS Internet Storm Center)
Cyberattacks crashed several Taiwanese government websites hours before Pelosi's visit. (New York Times)
Taiwan presidential office website hit by cyberattack ahead of Pelosi visit (POLITICO)
Taiwanese government sites disrupted by hackers ahead of Pelosi trip (The Record by Recorded Future)
Deception at a scale (VirusTotal)
The Price Cybercriminals Charge for Stolen Data (SpiderLabs Blog)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
Air Transat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete.me plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code N2K at checkout. That's joindeleteme.com slash N2K, code N2K at checkout.
Tories delay a leadership vote over security concerns.
A summary of the cyber phases of the hybrid war.
Cyber attacks affect three official sites in Taiwan.
Malware designed to abuse trust.
Gunter Ollmann of Devo is here to discuss how cybercriminals are winning the AI race.
Renuka Nadkarni of Aryaka explains how enterprises can recession-proof their security architecture, plus putting a price on your privacy.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 3rd, 2022.
GCHQ's National Cyber Security Centre advised the UK's Conservative Party that its upcoming vote for a new leader could be vulnerable to interference, specifically manipulation, and the Tories have decided to postpone the vote for Prime Minister Boris Johnson's successor until the issues can be satisfactorily addressed. The Telegraph quotes the NCSC on its role in election security, stating,
Defending UK democratic and electoral processes is a priority for the NCSC,
and we work closely with all parliamentary political parties and local authorities. We provide advice to the Conservative Party on security considerations for online leadership voting.
There was, the Telegraph reports, no specific threat from any state,
but NCSC alerted the party to vulnerabilities in its plans for online balloting
that could have interfered with credible voting.
Paper ballots will be delivered to party members later this month.
Nozomi Networks this morning published its OT-IoT security report,
and in that report it details what it has observed during Russia's war against Ukraine.
While others have expressed surprise at the relatively ineffectual character
of Russian offensive cyber operations,
Nozomi's report highlights the attacks that Russia is known to have carried out in cyberspace.
It concludes that cyber operations have now clearly established themselves as a force multiplier,
that is, a factor in combat power that gives a force greater capabilities
than its unaided numbers would
enable it to achieve in contemporary combat. The report draws three major lessons from the
hybrid war. First, war increases cyberactivity. Of the varying threat actors and motives,
nation-state advanced persistent threats are the most active during wartime. They are less financially motivated
and more focused on cyber espionage, spying and disrupting communications and other critical
enemy systems. Some companies become incidental casualties of cyber war as a result of threat
actors' attacks on their targets. Second, private companies are stakeholders in war. In addition to military and government entities, private companies, especially critical infrastructure companies, are also prime targets during wartime.
Companies should maintain a heightened security posture
and cooperate with their governments to safeguard assets in the event of a war.
And finally, wartime contingency and data security strategies are necessary.
Ukrainians relocated their sensitive servers out of the country in case a physical attack was launched on their communications infrastructure.
An attack on in-country servers could prevent Ukrainians from organizing efforts with domestic troops and even allies, putting them at a disadvantage during war.
Both sides have been active in cyberspace, but Russia has been responsible for the preponderance of offensive cyber action.
Nozomi describes Russia's use of wiper malware as a distinctive and characteristic feature
of its cyber operations.
The effects of the attacks haven't been either massive or widespread, but that apparently isn't for want of trying.
Yesterday, as the U.S. Speaker of the House, Representative Nancy Pelosi,
a Democrat of California's 12th District, prepared for her visit to Taiwan,
cyber attacks briefly took down at least three Republic of China websites.
The New York Times reports,
the official website of Taiwan's
presidential office was attacked around 5 p.m., according to a statement from the office,
several hours before Ms. Pelosi's landing. The site's traffic shot up to 200 times that of a
normal day, leaving the website unable to display any content for 20 minutes. It resumed normal
operation after the problems were fixed,
according to the statement. Taiwan's foreign ministry website and the main portal website
for Taiwan's government also experienced cyber attacks on Tuesday, according to Joanne Ou,
spokeswoman for Taiwan's foreign ministry. Early Wednesday, the websites appeared to have resumed
operation, although Ms. Ou said they were still fixing the problems.
The incidents were all distributed denial-of-service attacks, and Politico cites various experts who assess them as patriotic hacktivism, not operations carried out directly by the Chinese government.
The attacks were consistent with official Chinese expressions of strong and clear disapproval of the speaker's visit to Taipei and of vaguer threats of retaliation, but that's also consistent with patriotic hacktivism,
as the SANS Internet Storm Center points out.
The Washington Post dismisses the incidents as no big deal,
saying that the attacks were probably not all they were cracked up to be,
and that's about par for the patriotic hacktivist course.
VirusTotal has released its report titled Deception at Scale: How Malware Abuses Trust,
which details the abuse-of-trust approaches threat actors use to spread malware, avoid defenses,
or improve the success of social engineering.
Researchers discovered that 10% of the top 1,000 Alexa domains have distributed suspicious samples,
with 0.1% of legitimate hosts for apps having distributed malware.
Researchers have also noted a continuous increase in malware that mimics legitimate applications,
with Skype, Adobe Acrobat, and VLC as the top three.
In terms of social engineering,
4,000 samples either executed or were packed with legitimate app installers.
And finally, what is your personal data worth?
Really, on the market.
And of course, we mean the criminal market.
What would your digital information fetch?
Trustwave's SpiderLabs has done some window shopping, so you don't have to,
and they found that prices are pretty low,
which as usual suggests that the hoods' secret, if they have one, is like Crazy Eddie's.
Volume.
SpiderLabs puts it in terms adapted to the meanest understanding. They say, for the price of a Starbucks caramel frappuccino grande and a cheese danish, about $8, a cybercriminal can obtain all the information needed to max out a person's stolen credit card and possibly steal their identity. The crooks sell the personal data they collect because it's easy and because it gives them quick cash. Admittedly, the common stolen pay card fullz, and fullz means the basic card info comes with enough ancillary data like name, address, social security number, driver's license, bank account credentials, and sometimes even medical records to give the user the verisimilitude necessary to put the scam over.
The common stolen pay card fullz, SpiderLabs says, is at the low end of the price range.
Classier cloned cards will bring a lot more, say $50 to $1,000, depending on the card's credit limit. And access to a bank account suitable
for draining can be had for the low, low price of $100 to $3,000. And who could turn that down?
It's like the boss is on vacation and they've all gone crazy in wacky Ivan's Nuthouse of criminal
bargains. Some of the C2C offerings are clearly designed for the discriminating goons who are playing for bigger high-rolling stakes.
Access to a virtual private network goes for $2,500, and SpiderLabs found an ad for an entrée into a corporate network priced at a cool $5,000.
So our advice is, well, be careful. Don't get your data, like, stolen, you know?
And that advice and eight bucks will get you a venti latte at your local Starbucks,
plus a decent selfie of you holding your forged documents,
like that license that says you're 21 and your name is McLovin.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24/7, 365, with Black Cloak.
Learn more at blackcloak.io.
Just a few years ago, artificial intelligence and machine learning were the hottest buzzwords in cybersecurity,
the must-have features that no marketing team could resist bragging about.
Thankfully, in the intervening years, things have settled down a bit,
with the true utility of AI and ML unencumbered by so much marketing hype. Gunter Ollmann is chief security officer of security firm Devo, and he and his colleagues recently released research tracking the use of artificial intelligence by cybercriminals, finding that, for the moment, they may have the upper hand.
AI was certainly the buzzword. It was plastered on everything. I think this year, I made the joke that this year, it's X is the new NG in front of everything.
There you go.
But I think there's been, you know,
it's good that AI has sort of shifted out of the marketing pen
and into the hands of the coders and the engineers, right?
What we're seeing is that AI is actually genuinely being applied
to the security technologies that are making it into the hands of customers
and SOC teams and security analysts for the first time.
And so along with that, I suppose this is falling into the hands
of the bad folks as well.
Unfortunately, yes, right?
And I see it in two ways.
So one is the bad guys are leveraging smart codes, smart AI systems to understand their adversary and to data mine their adversaries. And the other side is attacking the AIs that the good guys or the targets actually use to extract confidential and personal information out and maybe influence the AIs that are out there in a positive or negative manner, depending on what the adversary's goals are.
And so where do we find ourselves now in terms of this arms race?
Is there any clarity on who might have the high ground here?
I think the key part there would be the adversaries have been leveraging public AI
and have been influencing many of the chatbots and extracting data from that external surface of AI. But I think the good guys are doing much better in leveraging AI and subsets of machine learning
and data lake analytics to better understand the threats and the attack surface, which
has meant it's become a lot easier to identify, track, and provide attribution to their adversaries.
One of the things that caught my eye in the research that you all shared
was that a lot of organizations seem to be struggling
when it comes to implementing AI.
What were some of the findings there?
I think it may tie back to your first question there
about the marketing pitch.
It was plastered on everyone.
So I think expectations were very, very high
and that AI was sort of seen as the silver bullet
for want of a better term, right?
And the reality is that AI isn't going to displace the human today.
AI isn't the thing of other movies.
And where the technology is today is really, you know, using and harnessing AI to augment the human analyst and to increase the automation, you know, and speed up the workflows of those humans, you know, and the monitoring systems behind the scenes.
Are there particular areas where organizations are finding AI to really slot in and be an effective tool?
I think the key parts that we're seeing there have
really been in the security analytics space. The ability to
finally make use of that data, in particular
logs and events
that have been collected in streaming and over the years,
those terabytes or petabytes of data to actually harness the value out of it.
So what we're seeing is the use of AI is being used as that transition from storage of data as a compliance tick box into the ability to deliver a return on investment for actually keeping hold of those logs, and we're actually seeing them identify new threats.
But it does sort of change the paradigm
of previously the human analysts
were looking at that data
and there'd be a lot of cheering and whooping
when they found something in there.
It'd be literally hunting for the needle in the haystack.
Now with the AI and the AI systems that they have involved
in these processes, they're now finding haystacks of needles
and so they're moving into a new paradigm
of how to manage haystacks of needles.
They need to throw some AI at that problem, right?
That's correct.
Based on the information that you all have gathered here, what are your recommendations?
What sort of take-homes are there here?
There are multiple ones.
I think one of the key things really is, in the classic sense of security, it's better
to not roll your own.
There's a lot of very smart people
and there's a lot of great research going on in the community.
So best harness that collective wisdom,
that collective contributions to AI and machine learning systems
is one key part.
The second part in my mind really is that many and much of the advanced AI
is actually embedded inside the cloud services
that security vendors are now providing,
as opposed to the endpoint of the software
that you're installing on-premise.
And I think one of the key parts is becoming more and
more important, which is that those vendors need to be able to explain in detail to the
purchasers and the operators how these systems actually genuinely work and to provide real
metrics of true positive, false positive, and other operational considerations that help
elevate the trust of these AI systems.
That's Gunter Ollmann from Devo.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
...designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Economists may not all agree whether or not we are actually in or unavoidably headed toward a recession.
But there's no question we are in the midst of serious inflation, with many organizations calling on managers to tighten their belts or do more with less.
But of course, the cyber threats aren't slowing down.
For insights on where we're headed, I checked in with Renuka Nadkarni, Chief Product Officer at cloud and SASE provider Aryaka.
So what we are seeing is there are multiple factors
happening at the same time,
and the macro trends, as we all know,
have been changing dramatically.
So the first and the foremost,
the umbrella that we talk about
is the whole concept of digital transformation.
And what's happening is enterprises are going through
this major shift in terms of digital transformation because of the factors like COVID and how the way people do business, how the way consumers consume different services, that's changing dramatically.
level, there is an existential need to change the way people do business by using technology, by enhancing and advancing, you know, the technological aspects, the networking aspects that customers have. Within that, what we are seeing is there is a tremendous focus on agility, which is, how do I do things faster? And what that means is the organizations are under tremendous stress to, A, go through a massive change, but B, they also need to do it fast, agile, in a simple, convenient way.
And among all these things, there is another big shift that's happening on the attacker
or the security side of things, where attackers are also now getting much more sophisticated. The kinds of things that we saw back in the day,
like advanced threats, which were sort of reserved for privileged financial and federal customers,
have now become commonplace. And attackers don't discriminate. They actually go after
certain kinds of things that they see a pattern. And basically, no matter which
industry you are, no matter what the size of your business is, they actually are equally susceptible
and equally vulnerable to these new kinds of attacks and threats. So we are seeing a lot of
changes in the macro trends on both sides. One is the tremendous pressure our customers are
under to make their business run. And on the other side, the attackers also getting more
sophisticated. And in the midst of all of this, we are going through, as we all believe, some kind
of a recession. The US inflation is at 8.5%. It's the highest over the last 40 years. And there is also tremendous pressure
in the job market with shortage of skills. So you're trying to cope with all these moving parts,
but you don't have actual ability to hire people, A, because of the capital, but B, also
shortage of skillset. It's like a perfect storm. There's too many moving parts. Everything is
coming together almost at the same time.
And taking us through this requires a lot of persistence and, you know, good technology that can help us through this process.
Yeah, I mean, you know, we hear this phrase that, you know, we're going to have to do
more with less.
And I think more organizations are hearing that right now.
As you say, belts are tightening, the flow of money is perhaps
slowing down. What sort of things do you think can ease some of the pressure that organizations
are feeling?
So as I was mentioning, there are two very big trends. The security attacks, they are becoming so prevalent. There is tremendous pressure on the organizations. This is a boardroom conversation where security is paramount. If there is a breach or a ransomware, it takes a big toll on the business. So it's absolutely something, you know, our customers are feeling pressure. While there is a need to tighten the belt, there is also this tremendous pressure to get better at what we do, get digital transformation done, get it done in a secure way.
So the challenge there is,
how do you survive in those
both opposite sort of requirements?
And how do you address those?
And what we see is that
when people think about this,
the first instinct is to buy new security products,
try to get them work and run.
But clearly, one of the things where we see our customer base tell us is the challenge is,
even if you buy the best security product, unless you can enforce it consistently and ubiquitously, it's actually ineffective.
So there is this race going on,
which is which security product should I implement in my network?
And it has caused tremendous confusion
because of the fragmented solutions that are out there.
So it's not just the matter of like,
I already know I need to secure,
but now I don't even know where to begin
because the whole offerings are fragmented, which by themselves introduce new attack surfaces. It has a sort of two-phase effect. One is, A, I need to
choose what kinds of security to put where for it to be effective and then the second problem is
I don't have skilled labor. I don't have workforce. I don't have people who can actually manage it on
a day-to-day basis.
So even if I do manage to get something in my network, how do I get the right skill set? How do I make sure that I can manage it on a daily basis? So it's a very pronounced sort of a challenge. And I think that's where some of the things that we talk about as solutions come into play.
You know, for that person who knows that they have a meeting with their board of directors coming up and they see these economic headwinds coming, you know, the money is going to be tighter. What are your recommendations? How do they go about prioritizing the decisions that they make?
First and foremost is looking at any solution that we're talking about holistically.
I think that's the most important thing that you need to consider.
And what I mean by that, it's not a one-time installation.
It's not like set and forget because security is something that you need to constantly watch, monitor.
And that is really important.
So at Aryaka, we are actually a big fan of integrated networking and security, as we call it.
And it solves a multitude of problems that I described earlier, including the challenge of fragmented security solutions, including the management of the first-time configuration, ongoing monitoring, as well as incident response if something happens. It also ensures that this is a holistic solution that customers can actually implement and can take care of from a networking as well as from the security needs perspective.
And it really gives you consistent and ubiquitous security controls, which can be applied globally for global connectivity, no matter where the users are and no matter where the applications are.
That's Renuka Nadkarni from Aryaka.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.