CyberWire Daily - TV program swap-out. Cyber espionage out of Beijing. US Congress in a mood to sanction. Emotet phishing spoofs Germany’s BSI. A Dark Overlord pleads not guilty.

Episode Date: December 19, 2019

Spanish TV is temporarily replaced by Russian programming. APT20, Violin Panda, is back, and playing a familiar tune. Rancor against Cambodia. The US Congress gets frosty with China and Russia. How Zeppelin ransomware spreads. Due diligence in M&A. Germany’s BSI warns of an Emotet campaign. A suspect in the Dark Overlord case is arraigned in St. Louis. The FBI collars a guy who ratted himself out over social media. David Dufour from Webroot with a review of their 2019 mid-year threat report. Guest is James Ritchey from GitLab with lessons learned on the one-year anniversary of their bug bounty program. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/December/CyberWire_2019_12_19.html

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 Spanish TV is temporarily replaced by Russian programming. APT20, Violin Panda, is back and playing a familiar tune. Rancor against Cambodia. The U.S. Congress gets frosty with China and Russia. How Zeppelin ransomware spreads.
Starting point is 00:02:12 Due diligence in M&A. Germany's BSI warns of an Emotet campaign. A suspect in the Dark Overlord case is arraigned in St. Louis. And the FBI collars a guy who ratted himself out over social media. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 19th, 2019. Spain's state-owned broadcaster TVE says that a portal they'd inadvertently left open was exploited last week by parties unknown to air an RT-produced interview with self-exiled Catalan separatist leader Carles Puigdemont. Reuters asked, and RT says they didn't do it. Furthermore, RT, which is short for Russia Today, a Kremlin-controlled media outlet, says they don't know who did it.
Starting point is 00:03:05 I give you my word, said RT's editor-in-chief, Margarita Simonyan. In fairness to RT, anyone can waltz through an open portal. Fox-IT has been looking at an operation they call Wocao, a China-based collection effort that's prospecting energy, technology, and healthcare targets in at least 10 countries, including France, the UK, the US, Germany and Italy. They've concluded with medium confidence that the group behind Wocao is APT20, a Beijing-controlled hacking crew that had been relatively quiet for the past few years. Also known as Violin Panda, APT20 was particularly active between 2009 and 2014, specifically against universities, healthcare and defense targets.
Starting point is 00:03:51 It's now resurfaced, Fox-IT says, and has resumed industrial and economic espionage. Wocao is said to be a mildly indelicate Chinese epithet which we'll translate as nuts, not only because we're a family show, but also because tomorrow marks the 75th anniversary of the beginning of the siege of Bastogne. And that's what General McAuliffe said to his German opposite number when he was approached with a demand for surrender. Palo Alto Networks' Unit 42 has released a follow-up to its earlier report on Rancor, a Chinese cyber espionage unit that pays particular attention to targets mostly in Cambodia. Rancor is unusual in that it's taken some pains to craft novel strains of malware that hadn't been seen before. Unit 42 doesn't say which organizations within the Cambodian government were targeted,
Starting point is 00:04:40 beyond saying to CyberScoop that the targets are the sorts of agencies you'd expect an intelligence service to take an interest in. Unit 42 tells CyberScoop that there's an irony beneath the apparent persistence, the expenditure of resources, and the care taken to craft bespoke malware. None of the efforts to penetrate Cambodian networks have been fully successful. The U.S. Congress is in a stern mood with respect to China and Russia. The Washington Post reports widespread skepticism on Capitol Hill that Beijing can be trusted to live up to the explicit security guarantees, still less the implicit ones, in any trade accords so far negotiated. And Reuters notes that an unusually stiff sanctions bill directed against Russia
Starting point is 00:05:24 cleared the Senate Foreign Relations Committee yesterday. BlackBerry Cylance researchers announced the discovery of Russia-connected Zeppelin ransomware last week. Yesterday, Morphisec offered some fresh insight into how Zeppelin is propagated by leveraging the ConnectWise remote desktop application. With all the recent attention to ransomware attacks that have been hitting municipal governments and healthcare companies lately, and especially with the recent trend of such attacks being accompanied by information theft, it's now considered prudent to regard yourself as a breach victim if you've found yourself infected with ransomware. There's another disturbing ransomware trend too, this one noticed by Radware. When a private equity firm acquires a company, it, of course, issues a press release and announces the acquisition to the world.
Starting point is 00:06:11 This is in the natural economic order of things. It appears, however, that such announcements are also alerting extortionists to the probability that the new portfolio company is also probably newly cash-rich, and a ransomware attack has often followed in the wake of such an acquisition. It happens on familiar Willie Sutton-esque grounds. That's where the money is. Radware advises PE firms that they should take this as an incentive to perform effective due diligence on the companies they plan to acquire. The team at GitLab are celebrating the one-year anniversary of their bug bounty program. Along the way, they've learned a thing or two about running a program like this,
Starting point is 00:06:52 calibrating incentives, response times, and so on. James Ritchey is security manager for application security at GitLab. When we first opened it back on December 12, 2018, we got a huge response from the community. I think we received over 1,300 reports from over 500 security researchers. We awarded over $500,000 in bounties since going public in the past year. So, yeah, we definitely learned a lot, a lot of lessons for sure. Any bumps in the road along the way that you can share?
Starting point is 00:07:28 Yeah, absolutely. I mean, one of the biggest things we learned was that, you know, we needed to scale. You know, there's so many reports and reporters and there's only a handful of us on the GitLab side. So if we didn't scale, then we'd definitely be smothered by the volume of reports that we receive. 1,300 is quite a lot. And our answer to that was to develop as much automation as possible, specifically scaling our communication and our procedures. For example, we were able to reduce our average time to first response from over 48 hours to less than seven hours. Besides scaling, another big lesson we learned was that, you know, we needed to increase HackerOne engagement and
Starting point is 00:08:12 keep it at a high level. There's so many programs for the reporters to choose from on HackerOne. So why should they come to ours? You know, why should they stick with it? You know, you're competing for the attention of reporters from over like a thousand other programs on HackerOne for them to choose from. An important thing we learned was to listen to the feedback from reporters that are currently engaged in our program. One of the top suggestions from them was to basically they wanted to speed up bounty payouts. And so, you know, previously we were awarding bounties once an issue was resolved, which that could be, you know, one month. That could be three months. It really depended on the severity of the issue.
Starting point is 00:08:53 And so after listening to that feedback back in September, we changed how we reward bounties. So now we pay a partial bounty of $1,000 up front at the time of when we triage the report. And then the remainder would be paid once the report's resolved or 90 days had passed, whichever had came first. You all recently made some adjustments to the bounty price. What drove that decision? Over time, the security of our product has strengthened. And so essentially, we wanted to incentivize seeing more high and critical severity reports in the program. So back in November, we raised the bounties specifically for high and critical vulnerabilities. So I think for criticals, we raised it from 12K to 20K, and then for highs from 7K to 10K.
Starting point is 00:09:43 And, you know, it wasn't much of a surprise, but, you know, higher bounties is one of the biggest factors for increasing hacker engagement in the bug bounty program. Yeah, money talks, I guess. Get their attention. Absolutely. Yeah. What does having a program like this say about GitLab itself,
Starting point is 00:10:03 the way that you choose to communicate and take on a project like this? Our mission statement at GitLab is that everyone can contribute. And that doesn't only mean through contributing code to GitLab itself. That also means contributing by submitting vulnerabilities to our program. So that's a big part of we want to be open and public for everyone to contribute. Looking back on the past year, are you satisfied with how it's going overall? Do you feel like it's been successful? Oh, I would definitely say so. Yes. I mean,
Starting point is 00:10:39 considering the amount of volume of reports we received and then also the depth of those reports as well. We've received so many good findings. The level of technique has really surprised us on many of the findings. And many of those were from new reporters as well. So I think it's been a success overall. What are your recommendations for other organizations who may be considering heading down a similar path? I would say start it earlier than later. Definitely have a bug bounty program.
Starting point is 00:11:11 And I also encourage them to be transparent about those security issues as well. I think it's an important thing to show, though it's not an easy balancing confidentiality and transparency, but a lot of it comes down to time, like when they release the details. For example, at GitLab, we released the vulnerability details 30 days after a patch has been published, essentially. The thing is that no one product or application is 100% secure. But I believe that by being transparent, it illustrates our commitment to securing the product and the company. You know, you can see how many resources we've invested in security. You can see the vulnerability details 30 days after it's been released. You can see,
Starting point is 00:11:57 you know, how we fixed it, when the issue was reported, how long it took us to fix it. You know, maybe other companies by staying secret about all of these things, A, they're not being kept accountable, and B, we don't know how committed they are to securing their products. I think being transparent about security issues, you know, truly illustrates how invested we are in securing GitLab. That's James Ritchey from GitLab. Germany's BSI Security Agency,
Starting point is 00:12:24 the Federal Office for Security and Information Technology, has issued a warning that criminals misrepresenting themselves as BSI operators are distributing the Emotet banking Trojan in a spam campaign. The phishing emails contain either malicious attachments or malicious links, and they arrive as replies to emails the user had sent earlier, which the BSI says tends to lend them credibility. Emotet is attributed to the gang Proofpoint tracks as TA542 and CrowdStrike as Mummy Spider, but that gang is also active in the criminal-to-criminal market and is willing to rent the Trojan to other operators. Nathan Wyatt, a British subject accused of being part of the Dark Overlord gang, was extradited to the U.S. and arraigned yesterday in the St. Louis courtroom
Starting point is 00:13:10 of the U.S. District Court for the Eastern District of Missouri. He was charged with aggravated identity theft, threatening to damage a protected computer, and conspiring to commit those and other fraud offenses. Mr. Wyatt entered a plea of not guilty. The Justice Department describes his alleged offenses as remotely accessing the computer networks of multiple U.S. companies without authorization, obtaining sensitive records and information from those companies, and then threatening to release the companies' stolen data unless the companies paid a ransom in Bitcoin. So, the Dark Overlord is, to sum up, an extortion gang.
Starting point is 00:13:48 So how are suspects collared? Well, often someone snitches. But nowadays, if the crook, the alleged crook, we hasten to say, wants to know why he or she has come to the attention of John or Jane Law, the alleged crook need look no further than the mirror, or more accurately, that elaborately composed mirror that is their presence on social media. For your consideration, one Orlando M. Henderson, a presumably now former employee of Wells
Starting point is 00:14:16 Fargo, resident in California, was apprehended by the FBI on suspicion of robbing Wells Fargo. What clever CSI-style scientific inferences led the bureau to Mr. Henderson? DNA? Drone surveillance shots? Matching biometric heartbeat signatures? Nope, nope, and nope. They just happened across his rap performance on Instagram, in which Mr. Henderson disported himself with a big stack of cash and a Kalashnikov battle rifle. And if the Benjamins and the AK weren't enough, there was also the Facebook posting of himself posing in front of an expensive, if admittedly sort of vulgar, Mercedes ride. Also, cash was missing from a local Wells Fargo's vaults. You don't have to be Sherlock Holmes or even Columbo to put those three together and conclude that a conversation with the gentleman might be in order.
Starting point is 00:17:37 And I'm pleased to be joined once again by David Dufour. He's the Vice President of Engineering and Cybersecurity at Webroot. David, it's always great to have you back. You and your team at Webroot recently published a mid-year threat report for 2019. Can you take us through what were some of the key findings there? David, as always, great to be back. One of the first things we saw is trusted domains. The HTTPS in your browser, everybody sees the green lock in all the major browsers that shows that you're on a secure connection. Well, just because you're on a secure connection doesn't mean you're on a secure site. So a lot of hackers are starting to really use HTTPS heavily. I mean, it's been in use by malicious folks for a while, but it's becoming more and more prominent. And so basically, I like to kid, but just to put it out there, people are securing through HTTPS the hacks that they're implementing on you.
Starting point is 00:18:28 So you're getting securely hacked, which I don't know if that makes you feel better or not. Right. While the hack's going on, your data is safe in transit. Exactly. You can rest assured that the hacker is making sure your data can't be compromised. Right, right. But what we saw, nearly 25% of malicious URLs, you know, URLs are, the domain is the, you know, davidbittner.com or daviddufour.com. That's the domain. We saw that 25% of malicious URLs, which are like that.com slash sports slash video games, those 25% of malicious URLs are hosted on trusted domains.
Starting point is 00:19:08 So you can actually look at the domain and believe the website is good. But a hacker has actually accessed the back end of that domain and deployed malicious software there that if you click on that, it's going to infect your machine. So it's something you've really got to be aware of. Not all trusted domains equate to trusted URLs. Now, you were also tracking some stuff here with Windows 7. Oh, yeah. Windows 7. Look, Windows 7 was a great operating system. It's just very antiquated. Lots of malware on Windows 7. It's really time for folks to start thinking about upgrading to Windows 10. It's a great
Starting point is 00:19:45 operating system as well. I'm not advocating for Microsoft, but we are talking about the Windows platforms here. We are seeing the exploits in Windows 7 have grown over 75%, and we continue to see malware taking advantage of those vulnerabilities in Windows 7. What do you say to those folks who are in a situation where it's not necessarily easy to upgrade? I'm thinking of people in industrial situations, those kinds of things where that Windows machine may be tied to other devices. That is always a great and tricky question, David, because if it is an industrial machine that potentially can't be upgraded because of the fact that it's running
Starting point is 00:20:25 equipment, you have to evaluate your risk allowance. Can you take it off of a public network so that people can't get to it through the internet or through your network and some other mechanism and make those determinations? Maybe you have to work with your vendor to get it upgraded because you are exposed because it does need to be online. But you need to evaluate that and be very knowledgeable of the risk that you're open to. And that's a point I want to make there. A lot of times people just kind of put their head in the sand. Okay, so you've got a Windows machine.
Starting point is 00:20:57 It's running Windows 7. There's potential for exploits. But you've got a business decision because you've got to run your business that you're going to let that potential sit there. Well, maybe you need to invest in some tools that monitor that machine at a higher level to make sure it's not being exploited. So those things you can do. But the number one thing is evaluate your situation. All right.
Starting point is 00:21:15 Well, it's the Mid-Year Threat Report. You can find it on the Webroot website. David Dufour, thanks for joining us. Great being here, David.
Starting point is 00:21:52 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep
Starting point is 00:22:29 you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Starting point is 00:22:59 Thanks for listening. We'll see you back here tomorrow.
