CyberWire Daily - Transparent Tribe upgrades Crimson RAT. More countries interested in influencing US elections. University pays ransom.
Episode Date: August 21, 2020
Transparent Tribe upgrades Crimson RAT. Cuba, North Korea, and Saudi Arabia are also interested in influencing the upcoming US election. The University of Utah restored from backups after a ransomware attack, but paid the ransom to prevent the crooks from publishing stolen data. Uber's former CSO has been charged with allegedly covering up a hack the company sustained in 2016. Justin Harvey from Accenture on how the pandemic has affected Incident Response. Gerald Beuchelt from LogMeIn on how secure remote access may or may not be. And a popular fertility app was found to be sharing data with advertisers without users' permission. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/163
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Transparent Tribe updates Crimson RAT. Cuba, North Korea, and Saudi Arabia are also interested in influencing the upcoming U.S. election. The University of Utah restored from backups after a ransomware attack, but paid the ransom to prevent the crooks from publishing stolen data. Uber's former CSO has been charged with allegedly covering up a hack the company sustained in 2016. Justin Harvey from Accenture on how the pandemic has affected incident response. Gerald Beuchelt from LogMeIn on how secure remote access may or may not be. And a popular fertility app was found to be sharing data with advertisers without users' permission.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 21, 2020.

Kaspersky has released a report on the continuing activities of Transparent Tribe, also known as Project M and Mythic Leopard, a cyber espionage group actively deploying the Crimson RAT against its targets. Crimson RAT has been upgraded for the current campaign with server-side management of infected machines and a newly discovered component dubbed USB Worm that infects and steals files from removable drives. Attribution of Transparent Tribe, which has been active since at least 2013, remains murky, but Palo Alto Networks and others have seen signs of an association with Pakistan. In the past, the group has primarily targeted Indian military and government personnel, but Kaspersky says this recent campaign shows an increased interest in targets in Afghanistan.
William Evanina, the director of the National Counterintelligence and Security Center at the Office of the Director of National Intelligence, has added a few governments to the list of those who appear interested in influencing U.S. elections, CyberScoop reports. He said Cuba, North Korea, and Saudi Arabia want to be able to provide their optics for discord in the United States. Evanina added that efforts by those countries aren't rising to the level of the big three, namely Russia, China, and Iran. His comment about discord is suggestive.
After a ransomware attack that hit its College of Social and Behavioral Sciences on July 19th, the University of Utah paid its extortionists, Bleeping Computer reports. The university said in its disclosure that the decision to pay was reached in close consultation with its insurance carrier and that the amount it turned over to the attackers was $457,059.24. ZDNet says the university was able to restore systems and data from backups, but that it decided to pay the ransom to prevent the criminals from releasing the personal data they'd stolen in the course of the attack. The disclosure said in part, quote, "The university's cyber insurance policy paid part of the ransom and the university covered the remainder. No tuition, grant, donations, state or taxpayer funds were used to pay the ransom," end quote. Which ransomware gang was behind the attack remains undisclosed, but Emsisoft told ZDNet that the attack looked like the work of Netwalker, which has made a specialty of hitting universities.

It's hard to see how paying the ransom would keep criminals from releasing data. The agreement seems unenforceable. After all, it's not really the sort of contractual transaction one could enforce in civil court, and stolen data can quickly find their way into other hands, so there's a great deal of hope behind the decision. Emsisoft called the agreement a pinky promise made by criminals. How this high degree of uncertainty and forced misplaced trust figured into the cost-benefit calculus is unclear. There's also the problem that paying ransom encourages the growth of an economy. But on balance, the insurer's involvement seems a positive sign. Security informed by actuarial insight is likely to be better security. Good building fire codes, for example, came more from the insurance industry than from government action. Government action was the final result, but it followed the underwriter's lead.

The U.S. Attorney for the Northern District of California has filed a criminal complaint charging Joseph Sullivan with obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack of Uber Technologies Incorporated. When he was chief security officer of Uber, Mr. Sullivan is alleged to have paid hackers a six-figure payment in exchange for their silence about their undisclosed theft of personally identifying information connected to some 57 million Uber drivers and passengers. Mr. Sullivan is said to have channeled the payments through a corporate bug bounty program with a view to concealing information about the breach from the Federal Trade Commission. The payment is reported to have been $100,000 in the form of Bitcoin, the criminal recipients of which were asked to enter into a non-disclosure agreement that included a false representation that the hackers did not take or store any data. The two hackers were eventually arrested and prosecuted, and they accepted guilty pleas. Mr. Sullivan is also alleged to have kept information about the hack from the new management team that arrived at Uber in 2017. Android Headlines reports that Mr. Sullivan's attorneys say the charges are without merit and that any decisions about disclosure were reached collaboratively by the company's leadership as a whole. Himself a former federal prosecutor, Mr. Sullivan is currently chief security officer of Cloudflare. This case is believed to represent the first prosecution of a CSO on charges of concealing a data breach.

The Washington Post reports that the popular fertility app Premom was sharing customer data with three Chinese advertising companies without users' permission or knowledge. Researchers at the International Digital Accountability Council, IDAC, found that Premom was sharing IP and MAC addresses, Android IDs, hardware identifiers, Bluetooth information, and geolocation data. IDAC said in a letter to the U.S. Federal Trade Commission, quote, "Non-resettable hardware identifiers are personally identifiable information because they are tied to a user's device, and it is almost impossible for a user to reset them or erase their digital footprint, thereby allowing companies with this information to infer who the individual users are. Additionally, by sending multiple device identifiers and geolocation data together, third parties can infer who Premom's users are," end quote. Premom told the Post that it does not currently use two of the advertising companies, and it said on August 6 that it was in the process of removing the third company's access to the app. IDAC confirmed that the data transmissions had ceased after the app was updated on August 7. The researchers note that users who haven't updated the app may still be sharing data.

Researchers at Mitiga identified crypto mining malware embedded in a community Amazon machine instance, or AMI, used to spin up an AWS EC2 server. The malware had been running for years on a server owned by a financial institution. The researchers say the incident highlights the risk of using community AMIs, which can be created by anyone and placed in the AWS marketplace. ThreatPost notes that Amazon itself urges caution when deploying community AMIs, saying,

Mitiga similarly notes that AMIs provided by trusted vendors on the AWS marketplace do not present any such risk.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their
families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
The folks at identity and access management firm LastPass recently released the results of their study looking at the security of remote access, which, of course, has received increased scrutiny since the pandemic. Gerald Beuchelt is CISO at LogMeIn, parent company of LastPass, and he joins us with their findings.
We found that about 96% of all IT decision makers that we were able to work with found that there is a huge impact of their IAM strategy with the recent requirements to fully support a remote workforce. Pretty much every organization has started to look at their identity and access management strategy across the board and wanted to make sure that they are doing the right things by their employees, but also obviously for their own interest as an organization. I think what's really interesting in this kind of context is that once you start to go into a highly scalable, zero trust kind of environment where you're leveraging software as a services, where you're managing remote proxies in order to move forward, and really de-emphasizing the file, the traditional perimeter, the traditional firewall around the organization. It is the identity of the user that interacts with the services that ultimately is the last and best way of defending what is going on and making sure that folks are properly authorized. So I think what we're seeing here is the renewed interest, the renewed high interest in optimizing IAM strategy is really born out of the need that traditional network-based segmentation for users, perimeters, trusted perimeters, et cetera, really have crumbled now. It's like they're no longer crumbling, they have crumbled. And we have to adapt to this new situation that we're facing ourselves and that we've been moving to for quite a few years, to be honest with you, now through much strengthened and improved IAM programs.

Now, one of the findings here that caught my eye was that 62% believe multi-factor authentication is the most effective way to secure a remote workforce. Two thoughts there. I mean, obviously good that multi-factor is on people's minds, but I guess I was a little surprised that the number was that low.

Yeah, it's kind of hard to really wrap my head around, especially since we've seen in other reports that the adoption of multi-factor authentication technology in the workplace versus private activity actually lags. So there's less businesses that have enabled MFA versus individuals securing their banking accounts or their other important accounts across the board. So I think it's just still taking time. The idea that business leaders have not fully embraced MFA is an unfortunate reality at this point in time. And I think it dates back to the days when rolling out MFA was really hard. If you think back, it's like setting up like a SecurID or something like that. It requires server infrastructure. It required distribution of physical tokens, et cetera, et cetera. And I think that is still burned into the back of a lot of IT decision makers' minds that it's like MFA is hard, it's costly, that it is not easy to do. It's like we have now technologies that we offer from LogMeIn, actually, that do make it very easy for IT departments, even small ones, to roll out multi-factor as a service and, as such, get running very quickly. So I would hope that these types of technologies really are going to be aggressively being adopted across industry very soon so that we're getting from 62 to similar for the other questions like too close to 100.

Yeah, it strikes me that it's an opportunity to, I don't know, instill a sense of ownership in your users that, you know, you're working from home now, you know. You can't rely on the physical building that you used to come to to be your defensive framework. We're relying on you to help us here. I think just from a mindset point of view, that's an opportunity, it seems to me.

I totally agree. It goes back to the old bad adage that users are the weakest thing in the chains. Like, I disagree with this wholeheartedly. A badly trained user is probably the weakest thing in your chain, but a well-trained user or somebody who's just reasonably aware of what's going on in their world, they're actually your strongest assets that you can have because ultimately they know best what is okay and what is not okay. And starting from that point, I think you really need to structure your overall security program around those kind of like educational tasks and making sure that everyone gets the right level of understanding about how their respective work ultimately can affect the overall security posture of the company, whether it's an end user that really does not have a lot of technical responsibility or background, or whether it's somebody who is architecting or managing a large complex environment. Having those folks properly enabled and making sure that they understand what kind of expectations we would have for them from a security posture perspective, ultimately makes the overall program so much stronger than just relying on traditional kind of controls or centralized teams that are aiming to do everything but really can't due to resource constraints.
That's Gerald Beuchelt from LogMeIn. There's an extended version of our interview available on CyberWire Pro. Check it out on our website, thecyberwire.com.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're
thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And I'm pleased to be joined once again by Justin Harvey. He is the Global Incident Response Leader at Accenture. Justin, it's always great to have you back. I wanted to check in with you to see how you and your incident response team have had to adjust the work you're doing since so many of us are working remotely now when it comes to this pandemic. What's going on with you and your team?

Well, luckily, we had a head start because we were already a remote team. So globally, we do have cyber fusion centers in DC and London and in various other cities around the globe where our incident responders would occasionally go into. And I'm sure we had some full-time employees there going in and out. But for the most part, our incident response team was already working from home. But that doesn't mean that the industry has all gone to virtually remote incident response. I know that previously, before the pandemic, we would go on site probably about 20% to 30% of the time. Of course, that 20% to 30% now has gone to zero. We haven't gone on site anywhere globally since the pandemic began. But we've seen a huge uptick in ransomware and various other types of attacks over the last few months. It's been a challenge adapting to this, not because of our work environment, but because we do send equipment out. We have a network sensor and we have various other system type tools that we typically send to our clients in the event of an incident. And that's more difficult because previously we've stockpiled those in our cyber fusion centers, and lo and behold, we don't have anyone at those cyber fusion centers. So if we do need to ship something, then it takes a little bit longer to get someone into the office. And I think because of that, we've had to make do. We've been more reliant upon the cloud and on virtual machine technologies with our clients. And I think that's actually been turning out pretty positively.

Have you been given any insights on how you might approach things even when the pandemic is over? Does this inform any adjustments that you might make on the other side?

I believe so, yes. We're probably looking at moving toward a completely virtual model where we can actually use a supplier that has an imaging facility. So if we want to send a network sensor out to the other side of the country, we could just pick up the phone or go on the web and do a virtual order and then have our image burned onto a drive, which then would go into another piece of hardware that this other company would maintain. So I think it's forcing us to address a more layered approach to our supply chain. I also know that previously our clients many times would have physical war rooms and have everyone there on site for some of the larger investigations. And we've done a few of these major type operations over the last few months, not only in the United States, but in Brazil, in Italy, in Germany, particularly around critical infrastructure. And it's been harder on our clients adjusting to a fully remote environment than we have. And I think that's probably easing a little bit now. Everyone's kind of understanding how to work from home and all of the difficulties like coming off of mute on a conference call.

Right, buying good microphones and headphones and all that stuff.

Yeah, I can't tell you how many times I get nailed with that because I've got two mutes, one on my speakerphone and one on my Microsoft Teams. And it's a little embarrassing with clients occasionally. But I think that more enterprises are going to be fully remote on IR, and I think it's just going to be part of the new normal, Dave.
All right. Well, Justin Harvey, thanks for joining us.
Thank you. And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
If you're looking for something to do over the weekend,
be sure to check out Research Saturday.
This week, I speak with Craig Williams from Cisco Talos
on adversarial use of current events as lures.
That's Research Saturday. Check it out.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie. Thanks for listening.
We'll see you back here next week.