CyberWire Daily - Ups and downs in the cyber underworld. Enduring effects of COVID-19 in cyberspace. Safer online shopping. “Take me home, United Road, to the place I belong, to Old Trafford, to see United…”
Episode Date: November 23, 2020
Qbot is dropping Egregor ransomware, and RagnarLocker continues its recent rampage. Cryptocurrency platforms troubled by social engineering at a third party. TrickBot reaches version 100. Stuffed credentials exposed in the cloud. COVID-19 practices may endure beyond the pandemic. Advice for safer online shopping over the course of the week. Malek Ben Salem from Accenture Labs has methods for preserving privacy when using machine learning. Rick Howard digs deeper into SOAR. And someone’s hacking a Premier League side. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/226
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Qbot is dropping Egregor ransomware,
and RagnarLocker continues its recent rampage.
Cryptocurrency platforms are troubled by social engineering at a third party.
TrickBot reaches version 100.
Stuffed credentials are exposed in the cloud.
COVID-19 practices may endure beyond the pandemic.
Advice for safer online shopping over the course of the week.
Malek Ben-Salem from Accenture Labs has methods for preserving privacy when using machine learning,
Rick Howard digs deeper into SOAR,
and someone's hacking a Premier League side.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 23rd, 2020.
Ransomware continues to occupy dreary pride of place in the realm of cybercrime with foreseeable evolutions in the criminal marketplace.
Group-IB has observed Qbot dropping Egregor ransomware.
Egregor has been regarded as the criminal market successor to the now-shuttered Maze,
with which it shares an encrypt-and-dox strategy.
Qbot's operators had formerly been partial to ProLock ransomware, but they've moved on.
The FBI has distributed a flash alert on RagnarLocker,
the information-stealing ransomware strain that's been involved in several high-profile,
highly damaging attacks since April of this year,
and which achieved notoriety for its recent Facebook advertising.
Last week, several cryptocurrency platforms, both exchanges and legitimate coin mining services, sustained attempts to divert their email traffic to domains under the control of unauthorized third parties. Krebs on Security reports that the attempts at redirection were facilitated by social engineering of employees of the GoDaddy domain registrar. Some of those attempts coincided with a widespread system outage at GoDaddy that interfered with the registrar's ability to respond to reports of traffic diversion. The timing appears to have been fortuitous. GoDaddy says the outages on November 17th weren't deliberately induced, but cropped up during unexpected difficulties encountered in the course of planned system maintenance.
Bleeping Computer says TrickBot has reached a milestone.
It's now on its 100th version, and more evasive than ever.
TrickBot is used, you'll recall, to establish persistence
and download a range of other modules into the victim's system.
Those modules do such things as steal credentials and other information
and facilitate lateral movement across a targeted network.
TrickBot has also been commonly used by the operators of Ryuk and Conti ransomware.
When the cloud raineth data, it raineth upon the just and the unjust. Criminals don't always excel at OPSEC. The story of enterprises inadvertently leaving databases open to inspection from the internet, without snoopers needing so much as a by-your-leave, is an old and familiar one. It happens to the hoods, too.
CNET, citing research published by VPN Mentor,
reports that a crew engaged in credential-stuffing Spotify accounts
left their list of successfully-stuffed credentials exposed online.
Spotify is having its users change their passwords.
SiliconANGLE has an interesting account of the way in which many organizations have come to see what initially seemed to be temporary accommodations to the COVID-19 pandemic as likely to endure in some form or another. It's particularly striking that some of this sentiment comes from sectors that have been disproportionately hit by the effects of the pandemic and who might be expected to wish for, and so to expect, a return to the pre-COVID normal. So their statements also amount to an admission against interest. "2020 has accelerated what we knew was coming," SiliconANGLE sums up, especially the continued shift towards solutions offered as services, and to the expansion of remote work in ways that make the internet the new private network.

So you've heard of this Black Friday thing, right? We would like to apologize to the rest of the world for the way in which the American propensity to turn holidays into sales has spread beyond these shores. We say we'd like to apologize, but we won't, because, rest of the world, you too can enjoy bargains galore, and you're welcome. And besides, who says the Commonwealth has to celebrate Thanksgiving? Anywho, this whole Black Friday and Cyber Monday thing is going to unfold over the course of the next week, and some advice on how to shop safely comes from Britain's National Cyber Security Centre. The NCSC organizes its advice under six headings.

Choose carefully where you shop. Leon's Nuthouse of Bargains, the one with the Pyongyang IP address, is probably the kind of place you want to pass up. Put your virtual hands in your digital pockets and walk on by.
Use a credit card for online payments, not a debit card. You may have some protection against fraud with your credit card. If the hoods get your debit card or direct access to your account, then your funds are probably just gone, baby, gone.
Only provide enough details to complete your purchase. The online shoe store doesn't need to know grandma's maiden name, your social security number, or where you were born.
Keep your account secure with, for example, two-factor authentication, by keeping your software up to date, and by avoiding password reuse.
Watch out for suspicious emails, calls, and text messages, because the social engineers can be expected to be out in force.
And if things do go wrong, tell the appropriate authorities. There's an appropriate authority for every jurisdiction.

You may say all of this is just common sense, and of course it is, but it bears repeating. So safe shopping to you all.
Manchester United was hit with an attempted cyber attack Friday, ESPN reports. The English Premier League football, that is, soccer, club said media channels and personal data were safe and that Man U had shut down affected systems to contain the incident. The attackers have been described in the British press as subtle and sophisticated, but beyond that, and beyond their apparent lack of effort, not much is known about them. Man U has reported the incident to the Information Commissioner's Office, and the Manchester police are also investigating. It's worth noting in passing that nowadays almost every attack is described as sophisticated, especially when the victim has a part in framing the description. Some of the tabloid press, like The Sun, have rumbled that the attack shows all the hallmarks of a Russian operation, but espionage seems a bit far-fetched as an explanation.
So who was it then?
Supporters of another club? Arsenal, for instance?
Did the hack amount to a cyber way of shouting,
Up the gunners?
Oh no, certainly not, and not just because we don't think Arsenal supporters would stoop so low.
Ordinary cybercrime seems the likeliest explanation.
Man U may have been targeted on the simple Willie Sutton-esque grounds that there's money there,
it's one of the world's most valuable professional sports franchises,
and the hoods probably thought they had deep pockets.
Anywho, supporters, take heart.
Matches were played as scheduled on Saturday.
And I'm pleased to welcome back to the show Rick Howard, the CyberWire's Chief Analyst and Chief Security Officer.
Rick, welcome back to the show.
Thank you, sir.
So last week, you and I were talking about SOAR, and you gave an overview of what exactly SOAR is and why it's important within the Security Operations Center. So after we were finished talking, it struck me that most organizations have a SIEM tool already. So why would they need another tool just to weed out the noise from, you know, the avalanche of alerts that they're getting from their security stack? Why not just use their SIEM tool to do that?
That's a very fine question, and the SIEM vendors know it, let me tell you. So SIEM stands for Security Information and Event Management,
and they first became available as a tool sometime around 2006.
They were essentially on-prem analysis engine databases that, according to Stephen Gailey over at Cybersecurity Magazine, quote, combine a security event management system with a security information management system.
So in other words, there are security stack alerts plus intelligence.
Right, but I mean, that's kind of my point.
I mean, if they already have all the telemetry from all the devices
that are in their security stack,
why not just program them to get rid of the noise?
Yeah, so in those early days, since they were on-prem, the SIEMs never really had enough hard drive space. We couldn't stuff enough information into them to make them useful. So people like me kept having to make decisions about what not to collect in the SIEM. And for the stuff we did collect, we had to decide how long we wanted to keep it. So, typically two to three weeks. So, it wasn't a really good long-term analysis tool. So, in those early days, SIEMs were not that useful.
So, did the situation improve? I mean, these days, we've got cloud storage, you know, storage is as much as you want, right?
Sure. You started to see SIEM vendors offer cloud storage sometime around 2017. So, suddenly, network defenders had infinite hard drive space in the cloud at relatively cheap prices. In the cloud, they could store everything they wanted. But the truth of the matter, though, is those SIEM tools have always been hard to automate. You know, their internal scripting languages, they were proprietary and notoriously hard to use. In one of my previous CISO gigs, I hired a full-time guy just to be the SIEM programmer. And after a year of work, we had little to show for it.
Well, that must have caused just a little bit of frustration.
Yeah, I couldn't, you know, I'm just walking around going,
geez, this can't be this hard.
But, you know, that left the situation open for a new disruptor technology called SOAR
to come in and fill the gap.
And it left the SIEM vendors scrambling to stay relevant.
And, you know, the result is that the two capabilities are collapsing into each other. SIEM vendors are way better today at doing SOAR stuff, and SOAR vendors work more and more seamlessly with the SIEM vendors. And I was talking to Kevin Magee about this at the CyberWire's Hash Table. He is Microsoft's CSO for Canada, and he thinks that the next-generation analysis tool is some combination of SOAR and SIEM delivered from the cloud.
Integrating SOAR, integrating other tools, really to make the tool Sentinel more than the sum of its parts. I'm not sure if there's a term coined for next-generation SIEM or whatnot, but I'm sure it's coming at some point. But I think that's where we're headed. And cloud scale is really allowing us to do that, something we've never ever done before.
So in this week's CSO Perspectives podcast, we talk about all of that, plus an entire host of
things you can use with your SOAR tool that you probably haven't thought about yet.
All right. Well, that is over on CSO Perspectives. That is part of CyberWire Pro. You can check all
of that out on our website, thecyberwire.com.
Rick Howard, thanks for joining us.
Thank you, sir.
And joining me once again is Malek Ben-Salem.
She is the Americas security R&D lead at Accenture Labs.
Malek, it is always great to have you back.
You and I previously talked about some privacy attacks on machine learning.
Let's go at that from the other direction. Can you share with us some information about preserving privacy when it comes to machine learning?
Absolutely.
Yeah, there is a new trend, if you will, or a new approach for performing machine learning known as privacy-preserving machine learning. And the goal of this approach is obviously to preserve privacy. Those techniques can be categorized into two different categories of approaches. Number one are the cryptographic approaches, where the party that is sharing data with other parties to perform the machine learning, or uploading their own data to the cloud, encrypts that data beforehand and performs the machine learning on the encrypted data. The way to do that is through homomorphically encrypting the data. So homomorphic encryption, or fully homomorphic encryption, enables the computation on encrypted data with operations such as addition and multiplication that can be used as the basis for more complex arbitrary functions. There are other ways of performing it, or other cryptographic approaches to be used, such as garbled circuits and secret sharing. But the main one is homomorphic encryption. So that is one way of performing privacy-preserving machine learning.
The other general category or approach is known as perturbation approaches. And under that category, there is differential privacy. Differential privacy basically is a randomized algorithm by which the party can add some random noise either to the input data that is used to train the machine learning model, or to the parameters of the machine learning model itself, or to the output of the machine learning model, so that when the output gets shared, it has some random noise added to it, thereby protecting the privacy of the underlying data used to train the model.
And then the other main approach under these perturbation approaches is dimensionality reduction. Dimensionality reduction basically is a technique the goal of which actually is to reduce the complexity of the input data to the training model and to make the model itself much simpler and also a lot more robust. When we talk about dimensionality, we're talking about, you know, you have data with n features. So, you know, it has basically n dimensions to it. And you want to reduce that number so that you rely on a more reduced set of features. So the technique basically projects that data into a lower-dimensional hyperplane or space. But by that transformation, there is some loss of information. And it's assumed that that loss of information basically removes some of the private information and therefore protects privacy. This is more of an assumption. I think it has to be mathematically proven. We have to prove how much privacy is, what are the privacy guarantees, if at all. But that's a second type of approach that can be used to preserve privacy.
Now, are these computationally expensive? I know homomorphic encryption was something that it seemed like for a while it was just out of reach. And now I know there are a lot of, or not a lot, but there are certainly organizations who are implementing it successfully these days.
Yeah, absolutely. So homomorphic encryption is very computationally expensive. Obviously, it depends on the use case and the type of computation and the model being applied. But you can assume that, as an order of magnitude, it's 1,000 times more expensive computationally than the regular addition or multiplication operation. So the use cases for it have to be carefully selected. But we have, within Accenture, for instance, for our clients, we have successfully been able to implement it for specific use cases.
Interesting.
So it's in the list of options that are available if it's something that folks think they might need.
Exactly.
And we're going to see it being more used with the advances that we see in hardware.
Right.
Right.
All right.
Well, Malek Ben-Salem, thanks for joining us.
Thank you, Dave.
My pleasure.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed.
Solutions for a small planet.
Listen for us on your Alexa smart speaker, too.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Up. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed.
And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com slash podcast.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.