CyberWire Daily - Updates on the cyber ramifications of the coronavirus pandemic. Saudi surveillance program. Ransomware developments. Lost USB attacks are in progress.
Episode Date: March 30, 2020
Updates on the coronavirus and its effect on the cyber sector. Criminals spoof infection warnings from hospitals. The country of Georgia's voter data has been exposed online. The Kingdom of Saudi Arabia seems to have conducted extensive surveillance of its subjects as they travel in the US. The Zeus Sphinx Trojan is back. Dharma ransomware's source code is for sale in the black market. And beware teddy bears bearing USB drives. David Dufour from Webroot on differences between privacy and security; guest is Daniel dos Santos from Forescout on ransomware, IoT, and the impact on critical infrastructure. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_30.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Updates on the coronavirus and its effect on the cyber sector.
Criminals spoof infection warnings from hospitals.
The country of Georgia's voter data has been exposed online.
The Kingdom of Saudi Arabia seems to have conducted extensive surveillance of its subjects as they travel in the U.S.
The Zeus-Sphinx Trojan is back.
Dharma Ransomware's source code is for sale in the black market.
And beware teddy bears bearing USB drives.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Monday, March 30th, 2020.
Companies across essentially all sectors
are feeling the effects of the pandemic
and neither the cybersecurity
nor the larger tech sectors are immune.
VentureBeat has some crowdsourced charts from Candor that offer an overview of how COVID-19
is affecting employment, including both hiring freezes and layoffs.
One area that's so far performing well, according to the Wall Street Journal,
is cloud computing. In general, the cloud has held up well, and cloud providers are emerging as the
few corporate winners during the crisis. The Journal quotes Matthew Prince, CloudFlare's CEO,
to the effect that, quote, if we think of the cloud as a utility, it's hard to imagine any
other public utility that could sustain a 50% increase in utilization, whether that's electric
or water or sewage system, and not fall over.
The fact that the cloud is holding up as well as it has is one of the real bright spots
of this crisis.
End quote.
Zoom isn't a cloud provider, but rather a company whose products facilitate telework.
Its service has seen dramatically increased usage during the pandemic state of emergency,
and with that increase in usage came increased attention,
both from hackers and from privacy advocates, from bad types and good types.
Zoom has sought to address both.
First, it's removed the code that Motherboard reported was sharing analytical data with Facebook.
This is the sort of app behavior that's been found objectionable
when other products have been caught doing it.
Second, the vulnerabilities that Checkpoint last week reported finding in Zoom,
vulnerabilities whose exploitation could render Zoom sessions susceptible to eavesdropping,
turn out to have been patched, so those particular issues should be addressed.
Various cybersecurity companies continue to offer services for free or at sharply discounted rates.
Computer Weekly has a rundown of some of the recent offers. One timely and notable instance
of expertise applied to direct aid of pandemic relief efforts comes from our partners at CenturyLink,
who donated and installed high-speed connectivity for the hospital ship USNS Mercy, now on station
in Los Angeles to provide the region with increased
emergency medical capacity.
An unusually loathsome bit of phishing is in progress. Bleeping Computer reports that criminals are sending spoofed emails that pretend to be from a local hospital. They warn the recipient that they or a family member may have been exposed to COVID-19. An attachment offering more information contains a malicious executable. The samples displayed in the report involve a hospital in Ottawa, but it seems inevitable that the scam won't find itself contained in Ontario.
A database containing information on essentially all the registered voters in the country of
Georgia, nearly 5 million, appeared in a hacker
forum over the weekend, ZDNet reports. Georgia's Central Election Commission says that the database
contains information it doesn't normally collect and that it doesn't have any evidence that it
sustained a cyber attack. The Central Election Commission suggests that the data might have
come from or been assembled from another source. Investigation continues.
An unnamed whistleblower has provided The Guardian with information that suggests
Saudi Arabia has been engaged in extensive surveillance of Saudi citizens in the U.S.
The three major Saudi mobile operators, Saudi Telecom, Mobily, and Zain,
sent a U.S. mobile carrier a combined monthly average of 2.3 million
tracking requests, Provide Subscriber Information (PSI) messages, over the global SS7 message system
from November 1, 2019 to March 1, 2020. Many of the PSIs were blocked by U.S. carriers.
The SS7 protocol, Signaling System 7, enables calls to be routed among
different carriers' networks, and PSIs have legitimate uses, like ensuring proper billing,
but as TechCrunch points out, the high rate of Saudi PSIs far exceeds anything one might expect
from such legitimate use. Members of Congress complain that the apparent surveillance was enabled by
the U.S. FCC's inaction on cleaning up known issues with SS7. IBM's X-Force says that the
Zeus-Sphinx trojan, quiescent for the last three years, resurfaced this month after an apparent
period of low-level testing that began in December. As it had before, Zeus Sphinx is disseminated by malicious documents attached
to emails. The phish bait is, of course, coronavirus. The targets are bank accounts,
mostly in the U.S. and Canada. ZDNet reports that the source code for Dharma ransomware is now being
sold in Russian-language underground markets, with the going rate for the code running about $2,000.
Dharma has been used in various forms since it debuted in 2016 under the name Crisis.
Since then, it's become one of the biggest turnkey ransomware-as-a-service solutions on offer.
The insurance company Chubb, which in addition to its other businesses is a prominent underwriter of cyber risk, continues to investigate the cyber attack it sustained last week.
In the meantime, according to InfoSecurity magazine,
the operators of Maze have posted in their news site
the claim that they're the gang that successfully infected Chubb with its ransomware.
Insurance Journal quotes Chubb as saying that, so far at least,
it seems that the company's networks were unaffected.
One of the challenges security teams face is keeping track of all the devices that touch
their networks. Having an accurate inventory of all that stuff and what it's up to can be
a daunting task. Daniel Dos Santos is a security research lead at device visibility firm Forescout.
We caught up at the RSA conference.
So we really focus on this hyper-connectivity on connected devices like IoT, and some of the things that we looked at were specifically building automation systems and smart buildings and how the IoT enters these kinds of legacy systems. We also moved to collaboration systems and smart TVs and meeting and remote working systems. We have been looking at medical devices and some other things. So it's really like a wide range of devices that basically affect our daily lives nowadays. And we just want to see what is the overall security status when it comes to these devices.
Are we heading towards having some standards, some frameworks when it comes to these devices, of a baseline that we can count on as consumers of them?
Yeah, I think there is
some initiatives in that way.
Not that I know so far anything that's
been extremely successful that is being
picked up by industry and
by everybody, but there are some
initiatives in this direction and I would hope so.
Again, as I mentioned before, I think that just the multitude of vendors,
it's something that is very complicated in the IoT space, right?
Because of all supply chain issues that we have nowadays,
also vendors from different countries, different geopolitical reasons and so on.
So that's one of the main issues, yeah.
Are you optimistic as you look forward? Do you think this is a situation that we're gaining ground on?
I think so. I think there's a lot of people working towards solutions. I think there is a lot of work still to be done. And I think that something like perfect security is probably unachievable. But as I said, there's a lot of smart people
working towards very smart solutions,
and we can always try to implement these solutions
and try to be one or two steps ahead of the attackers,
or at least one or two steps ahead of some other targets.
That's, in the end, what you have to do in terms of security.
What's your advice for folks out there?
I'm thinking particularly of the folks in enterprise who have all of these devices deployed
around their network.
Are there any areas that aren't getting the attention you think they deserve?
Yeah, like I mentioned, I think the basic steps are network visibility.
So visibility into the devices that you have that are connected into your network, that's
like the basic security control on top of which you can build other things.
So you just need to know everything that's connected to your network and to be able to monitor.
So network visibility and network monitoring are definitely the basis.
And then on top of that, implementing proper segmentation, proper control of these devices, manageability on the devices that you can manage.
Now, there's a whole problem with IoT devices that cannot be managed,
but at least on those you can also have monitoring and segmentation and so on.
So I think those are the main areas that definitely can be improved, yeah.
That's Daniel Dos Santos from Forescout.
We heard last week that people had been receiving malware loaded onto USB drives
mailed to them in conjunction with a phony Best Buy gift card offer.
It turns out, according to Bleeping Computer, that there are other scams in progress,
also delivered by the U.S. Postal Service.
The FBI identified the Fin7 gang as the outfit behind the campaign.
The scam is a variation of the familiar
lost USB technique long used by pen testers. The FBI says that the USB drives are being
distributed in the company of usual bits of swag, teddy bears among them.
As we near the close of this podcast, we return to the coronavirus and its effects on our sector, and we're happy to report some good news. It's about Exabeam's Chris Tillett, an early COVID-19 patient who had a severe case of the virus. He's now out of his medically induced coma, back with his family, and on the way to recovery. May he continue to do well, and may all those similarly afflicted
And finally, a new social phenomenon emerges as people stay home during the COVID-19 outbreak.
EDS, or Exhausted Dog Syndrome, observed as people take their dogs for many more walks than usual just to get out of the house.
There's a lot of up-and-at-em pooch, particularly in the teleworking tech sector.
To give credit where credit is due, the discovery of EDS must be credited to James Stavridis, Admiral, United States Navy, retired.
And all we can add to this news is, Admiral, hello, Nobel.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more. Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com
slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by David Dufour.
He's the Vice President of Cybersecurity and Engineering at Webroot.
David, it's always great to have you back.
I wanted to touch base today on this notion of privacy versus security.
I think a lot of people conflate the two, but you point out that they're not really the same thing.
That's absolutely right. And, you know, I think several years ago, David, it was safe to say that they were the same in the essence of, you know, you see the TLS connection, your HTTPS, and you're communicating securely to your bank. You can enter your banking information. And that was great. Obviously, you don't want someone, you know, wiresharking your bank account login or sniffing that.
But what's happened is all websites now, typically, we're seeing about 90% of the time spent on websites is on our own websites with HTTPS pages. So the bulk of web traffic now is HTTPS. There's a proliferation of sites that will give away certificates for free, so that allows you to have that free HTTPS. And it sounds good
on the surface. You know, hey, I want everything to be secure. Why wouldn't we, David, right? I
mean, that sounds great. Sounds good to me. Well, so what's really happening is HTTPS secures the
connection from your machine to the actual server you're communicating with.
And there are sometimes some very complicated things we can do to break that connection and see the data traffic, but it's getting harder and harder.
And again, you may be thinking to yourself, well, that's great.
Now, you know, my problem is the cyber criminals have realized if we can land on the endpoint and we can do bad things on the endpoint and make a secure connection need to be able to see the traffic,
to make a determination if you're communicating
with a country you don't want to communicate with,
to make a determination if you're communicating
with a known bad website,
to make a determination if the data flowing down to you
is malware.
If you're not able to see that network traffic,
a lot of the tools that have been built
by this industry don't work. And so what ends up happening is you should feel very good, David, that you are now
privately connected to that malware deliverer and you will privately get that delivered to you.
Yeah. Well, so what's the solution here? It seems like be careful what you ask for.
Well, it is a little bit, be careful what you ask for. And to go back and say, you know, to the industry, let's all stop HTTPS, that's not going to happen.
And I always like to have an answer because I like to, you know, pretend like I know a lot.
But in this case, I think, David, what we really need to be aware of is this is becoming more and more of a problem.
And right now, the answer is to ensure you have a secure, safe endpoint. But I
think that's only a short-term answer. And that over time as an industry, we've got to be putting
in tools that allow us to do filtering on the endpoint of websites to make sure people are
browsing to where they want to go to. Potentially, we're able to rate these certificate sites. A VeriSign is probably a
better, more reliable security token than Dave Dufour SSL certificate. And so we might want to
start ranking where people get these certificates. And I'm sure there's a lot of people out there
who are coming up with ways to understand and view how we can be more secure with this encrypted communication. It's
just something that the industry really needs to be aware of and start thinking about because a lot
of our tools, at least on the network layer, are going to become antiquated over time.
How does this affect consumers?
So if you're a consumer, again, it's a big deal that if you're going to a site that is your bank
or something like that, you definitely want to see that green lock in your browser because that does mean at the very least the connection is secure.
But again, people send down phishing sites that might be your bank, but it's pretending to be your bank and they're going to have the green lock now as well.
So you have to be more vigilant. And I always like to say, consumers, it's better to not click something or not receive a phone call.
It's better to reach out. So if you get an email and it says, click the link here and enter your
account information, don't do that. Either call your bank, call the financial institution,
or browse by typing it in the address bar to where you want to go,
just to be aware of these type of attacks. And, you know, just we've got to be vigilant, David.
Yeah, yeah. All right. Well, good advice. David Dufour, thanks for joining us.
Great being here.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
to give you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company
safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too. Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.