CyberWire Daily - Turning good words into bad. Crooks push those exploits through aging software while they still can. A big OSINT DB out of Shenzhen. TikTok’s fate grows narrower but murkier. Wildfire misinformation.
Episode Date: September 14, 2020
Social engineers use text from legitimate recent warnings. Cybercrooks go for whatever they can get from software about to reach the end of its life. A big database filled with individual information is leaked from a Chinese government contractor. In the race to do whatever it is US companies hope to do with TikTok, Microsoft is apparently out, but Oracle is apparently in. Rick Howard looks at red versus blue. Our guest is Colby Prior, Infrastructure Engineer for AusCERT, on running honeypots. And the FBI wants you to know, contrary to what you may have seen online, that Oregon wildfires are not extremist arson. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/178
Transcript
You're listening to the CyberWire Network, powered by N2K.
Social engineers use text from legitimate recent warnings. Cyber crooks go for whatever they can get from software about to reach the end of its life.
A big database filled with individual information is leaked from a Chinese government contractor.
In the race to do whatever it is U.S. companies hope to do with TikTok,
Microsoft is apparently out, but Oracle is apparently in.
Rick Howard looks at red versus blue.
Our guest is Colby Prior, infrastructure engineer
for AusCERT, on running honeypots. And the FBI wants you to know, contrary to what you may
have seen online, that Oregon wildfires are not extremist arson.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 14th, 2020. A couple of stories illustrate the ways in which cybercrime continues to be a lagging indicator of vulnerabilities.
The first deals with phishing over Twitter, using old communications to lend plausibility to the phish bait.
You'll recall the mid-July case in which some high-profile Twitter accounts were briefly hijacked by, allegedly, some misguided youths interested in, among other things, noodling original gangsta accounts. That incident has
spawned predictable copycats that have nothing to do with the original hackers. The text of the
warning Twitter distributed after the July 15th hijacking of high-profile accounts is being repurposed, Hackread reports, into bogus tweets containing malicious links.
The text in question reads,
quote,
We detected what we believe to be a coordinated social engineering attack
by people who successfully targeted some of our employees
with access to internal systems and tools.
End quote.
That sounds legit, because after all, it was legit, coming directly from Twitter just
two months ago. But of course, the verify your account link that follows might put you on your
guard, as it should. The link will direct the unwary to a site designed to harvest credentials
and other personal information. The other story has to do with malvertising and the criminal disposition
to get the most out of near-end-of-life software before such software finally crosses its virtual
river Styx. Users of adult sites who navigate there with Internet Explorer 11 and view content
with Adobe Flash Player are being served malvertising. Malwarebytes has described a group called Malsmoke,
which ZDNet says has operated on a scale far above other similar cybercrime operations
and has abused practically all adult ad networks.
The malvertising redirects users to a site that hosts an exploit kit
designed to use vulnerabilities in Adobe Flash Player or
Internet Explorer to install malware on the device belonging to whoever was looking for
this particular kind of action. The payloads most commonly served up have been Smoke Loader,
Raccoon Stealer, and Z-Loader. Ars Technica, in noting that the aging systems are being used to
infect site visitors with various forms of spyware and information stealers,
manages to suggest that the real shameful secret here
is that visitors to the sort of online naughtiness recently liked by the Twitter account
formerly belonging to the Chinese ambassador to the Court of St James's are,
well, it's hard to say this, but they're using an aging version of Internet Explorer.
Don't tell their families, friends, or colleagues.
The Australian Broadcasting Corporation has obtained what appears to be a leaked database
showing individuals against whom Chinese intelligence services are developing detailed target profiles.
Some 24 million people are on a list maintained by Shenzhen-based
Zhenhua Data, believed to be a Ministry of State Security contractor. The Washington Post's account
of the database focuses on collection of social media posts and other open-source intelligence
on U.S. military, diplomatic, and government personnel. The Post puts the take at some two million individuals,
an order of magnitude less than ABC's tally, but then the Post may be counting only the Americans
who were targets. ABC explicitly calls out all Five Eyes, Australia, Canada, New Zealand,
the United Kingdom, and the United States, as well as Malaysia, as figuring among the countries targeted.
The database is called the OKIDB for Overseas Key Information Database,
and it claims to offer insight into the individuals who figure in it,
as well as information about their families.
That's chilling, but that's espionage.
It's not the first time China has collected against friends and family.
One of the less commonly remarked features of the 2013 and 2014 compromises
of the U.S. Office of Personnel Management data
was the extent to which Chinese theft of Standard Forms 86,
completed questionnaires people with U.S. security clearances have to fill out,
also revealed information about family members, friends, colleagues, and neighbors.
So it's not too surprising that the OKIDB would exhibit a similar pattern of collection.
The Post observes that the material may be relatively old,
and that it's not entirely clear that it's being used by the Ministry of State Security,
but that in any case, Zhenhua Data calls itself a patriotic company and numbers Chinese military and government
agencies among its customers. Zhenhua Data's product may be an aspirational one they hope to sell,
or it may be in use. In any case, several lessons might be reasonably drawn from the reports.
First, intelligence collection very often outruns immediate needs.
When it comes to information, well, after all, you never know, or such at least is a common mindset among the spooks.
Second, a lot of good information can be had from open sources.
Just because it's inexpensive doesn't mean it's not valuable.
Value isn't the same thing
as cost. Third, there's a kind of convergence of OSINT with market research. A lot of the data
gathered by Zhenhua might well be collected by a marketing firm interested in targeting ads.
Microsoft announced yesterday that ByteDance had turned down Redmond's offer to buy TikTok's U.S. operations.
Oracle is the apparent winner in the competition for some form of control over TikTok in the U.S.,
but such control would appear to be more along the lines of a partnership structured to allay U.S. security concerns
than it would be an outright purchase, according to the Wall Street Journal.
Computing says that ByteDance has no interest in selling the social media platform.
The Committee on Foreign Investment in the United States will now review the proposed Trusted Tech Partnership
to see if it meets the requirements of the relevant executive order.
In any case, algorithms sold separately, as they might say in a TV commercial for the deal.
And finally, the FBI said last Friday that it had investigated reports that Oregon wildfires had been set by extremists and determined them to be completely unfounded.
Wildfires are endemic on the Pacific coast, and while this year's round has been unusually unpleasant, there's no evidence
that the fires have been deliberately set. While scare stories in circulation have imputed the
arson that wasn't to all varieties of extremists, left, right, and center, a preponderance of
misinformed suspicion has been directed toward Antifa, possibly because of the leftist group's alleged involvement in incendiarism during some
urban rioting. But again, that's urban, and on a smaller Molotov cocktail scale than a coastal
wildfire would be. Gizmodo reports that Facebook, where much of the misinformation has landed,
began taking measures Friday to stop the spread of this particular rumor.
And it is my pleasure to welcome back to the show the CyberWire's chief analyst and also
chief security officer, Rick Howard. Rick, always great to have you back. Hey, Dave. On this week's edition of CSO Perspectives,
you are tackling red teams and blue team operations. There is a lot to get into with that topic.
How are you coming at it? Well, I have to admit that, you know, pundits like me and,
you know, practitioners like CISOs and network defenders, we throw a lot of terms around about red teaming and penetration testing, and they all kind of merge and mingle, and they're not the same.
So I thought it might be useful just to kind of go through the four of them.
What do you think?
Yeah, sounds good.
Let's do it. All right, so penetration testing is really a team of folks in
your organization whose sole goal is to find holes in your defensive posture. They're not trying to
emulate any kind of adversary. They're just trying to see if you've patched everything or you're
vulnerable to a specific kind of technique. So that is penetration testing. And the difference between those teams and, say, a red team
is that the red team is trying to emulate a known adversary campaign sequence.
Like I looked up on MITRE ATT&CK Framework today a cool one called Cobalt Spider.
Those guys have 34 tactics, techniques, and procedures that they use and four software packages.
So a red team trying to emulate Cobalt Spider can only use those TTPs and software programs.
And the purpose is to make sure that you are protected against that attack campaign.
Right.
So if you're in a particular vertical and you know that there are some bad guys who are aiming at you, you can say, hey, we need to be protected against this type of adversary.
Right. You know me, I'm a first principle thinker. I'm always trying to find ways to reduce the probability of material impact.
And if you know that an adversary like Cobalt Spider is coming after you, this is one way you can have more confidence that your defensive posture is working, right?
Okay.
All right.
So blue team on the other side of that is your defensive folks.
These are your day-to-day operational folks in the SOC on your InfoSec team.
They're the ones trying to defend your enterprise, right?
And so that's kind of basic.
Then the one that always gets kind of confused is the purple team.
It's when you combine the red team operations, trying to emulate cobalt spider,
with the blue team trying to detect that activity and prevent it from working. So it's kind of an OPFOR exercise, right? And it serves a couple of purposes. One is it helps you figure out if
you're protected, but also that kind of purple exercise trains your people on their incident response procedures
and gives you a way to train your newbies and maybe second-tier analysts about how cybersecurity
really works. So it took me a while to figure all that out, but that's what I think it is.
All right. So we got pen testers, we got red teamers, blue teamers, purple teamers.
That's a lot of people. And I mean, can I have a plaid team?
Can I just combine them all?
Can I save some?
Can I buy like one really talented guy or gal who can handle all this?
I mean, how do organizations come at this when it comes to dialing it in, in terms of
funds and resources?
Yeah, it's a great question.
I was talking to Tom Quinn about this very thing this week. He is the CISO for T. Rowe Price. And I sat him down at the hash table and
asked him if the red team and blue team operations were essential, do we need to spend all this money
and resources to get that done? There is no doubt. I look at the recent ransomware attacks that have made the news and what industry those
companies are in and alike.
And I wonder out loud how many of them had red team and blue team capabilities and investments
in place.
There's a phrase called cyber poverty line.
If a company is unwilling or unable, it could be either, to make an investment in that
space to have a red team in place or a blue team. I think part of this dialogue is it may not matter.
I mean, sometimes this feels like rarefied air when we're talking about things like red team
and blue team, because your local bank or your local credit union,
they're not having that conversation. They're struggling with just getting their computers to
work. So the way I understand it is red team operations are the only way to know for sure
if your network can withstand an attack against a specific adversary campaign.
So what we're saying here is that red team and blue team operations are indeed essential,
but if you're a smaller or medium-sized organization, then what do you do? I mean,
are there haves and have-nots? Yeah, there absolutely is. And I'm not quite sure,
I'm not convinced that red teaming is essential. Now, Tom thinks it is, and he's probably right. He's way smarter than I am,
all right? But they are absolutely another lever to pull to reduce the probability of a material
attack. I do know that for most network defenders, red team and blue team operations are not the
first lever they reach for, right? If I was doing it, I would prioritize resilience first,
then zero trust, intrusion, kill chain prevention, stuff like that.
And then if I got all that working smoothly, I might go to red team, blue team operations.
All right.
Interesting stuff for sure.
If you want to hear all about this, hear more about this, check out CSO Perspectives.
That is part of CyberWire Pro.
Go to our website and check it out.
Rick Howard, great talking to you. Thank you, sir.
The AusCERT 2020 Cybersecurity Conference kicks off this week with a variety of speakers, tutorials, workshops, and networking events.
The CyberWire is a media partner for the event,
and joining us today is Colby Prior,
infrastructure engineer for AusCERT,
with a preview of a presentation he'll be making at the conference
on running honeypots.
So I'm covering three different honeypots
in the workshop of kind of getting people some hands-on experience
of pretty different types of honeypots.
One of the common ones that you always come across is Cowrie.
It makes a lot of sense when you think about it.
You're opening up SSH like a management interface into your server.
When people get in, you give them this fake bash shell
to go and play around and do stuff and pull down malware
and try to execute it, and you get a copy of all of that.
So that's kind of like the honeypot as I think most people know it.
I'm also teaching people about a web-based honeypot,
which is SNARE and TANNER, which is not really what you think about
when you think about a honeypot, which is like a website
which is pretending to be vulnerable to different kinds of attacks like SQL injection
and it'll even go through and emulate that
into a local SQL-like database and things like that.
And the third one is a client-based honeypot,
which is really starting to stretch the terms
of what honeypot means, in my opinion.
But it's all kind of based around things like JavaScript.
So in a client-based honeypot, the malicious code is executing on the client's machine.
You're reaching out to a malicious website and you're pulling down that JavaScript and
most people's web browsers will happily go and execute that.
And you don't really know what it's going to do.
And it's like a useful way of running it in a sandbox environment
to kind of crack it open and find out what actually makes that malware tick.
And the folks who attend this, what do you hope that they walk away with?
What sort of things are you hoping to impart
them with? I guess if I think about from my first experience when I started to get a little bit
hands-on with honeypots and stuff like that is they were always a little bit intimidating to me.
The idea of running this fully sandbox environment where you're letting malicious attackers into your network to do these things is very intimidating.
But people have gone a long way to make running all of this stuff really, really easy.
And, you know, I don't want to say it's trivial, but it's a lot more approachable than what I thought it was originally.
And that's the kind of thing that I want to show to people, that this is a thing that they can utilize.
But it does take a little bit of experience.
When you get it up and running and you're able to observe what's going on
and you see folks from out there in the world hitting that honeypot,
I mean, it sounds to me like it must be gratifying. It must be kind of fun.
Oh, it's really fun. That's kind of like the easy bit, which I wasn't fully expecting myself,
of getting it up and running, seeing people coming in and doing, it'll be mostly just
automated attacks and seeing the different
like real life attacks that they're performing is just really fun.
Actually taking that into useful intelligence is kind of the hard part.
That's Colby Prior from AusCERT.
The AusCERT 2020 Cybersecurity Conference runs throughout this week. And that's the CyberWire. For links to all of today's
stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time, keep you informed, and it wicks away moisture.
Listen for us on your Alexa smart speaker, too.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security Ha!
I join Jason and Brian on their show for a lively discussion of the latest security news
every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed
and check out the Recorded Future podcast
which I also host.
The subject there is threat intelligence
and every week we talk to interesting people
about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson,
Thanks for listening. We'll see you back here tomorrow.