CyberWire Daily - US attributes Taidoor RAT to China’s government. Pegasus spyware in Togo. The TikTok affair. More fallout from the Blackbaud ransomware incident.
Episode Date: August 4, 2020

The US attributes the Taidoor remote access Trojan to the Chinese government. Sources tell Reuters that documents used in an attempt to influence the last British general election were taken from the ...compromised email account of the trade minister. Pegasus spyware is found deployed against churchmen and political opposition figures in Togo. China denounces the American smash-and-grab of TikTok. Ben Yelin looks at international law and attribution. Our guest is Ameesh Divatia from Baffle on misconfigured databases being attacked within just hours after coming online. And the Blackbaud ransomware attack continues to affect new victims. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/150
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The U.S. attributes the Taidoor remote access Trojan to the Chinese government. Pegasus spyware is found deployed against churchmen and political opposition figures in Togo. China denounces the American smash-and-grab of TikTok. Ben Yelin looks at international law and attribution. Our guest is Ameesh Divatia from Baffle on misconfigured databases being attacked within just hours after coming online. And the Blackbaud ransomware attack continues to affect new victims.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 4th, 2020.
The U.S. Cybersecurity and Infrastructure Security Agency, that's CISA, has published a malware analysis report on Taidoor, a remote-access Trojan that Chinese intelligence services have deployed against collection targets since 2008. The FBI and the Department of Defense concurred in the analysis, and U.S. Cyber Command has uploaded samples of Taidoor's code to VirusTotal. It's been used against government agencies, corporations, and think tanks, mostly organizations with an interest in Taiwan. The FBI says it has high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. Both FireEye and CrowdStrike have tracked Taidoor for some time, with FireEye publishing a study in 2013 and CrowdStrike in 2014, so Taidoor hasn't suddenly emerged from nowhere. But the news in this latest report is its formal, explicit attribution of the RAT to the Chinese government, and the urgency with which the U.S. government urges organizations to apply mitigations against Taidoor.

NSO Group's Pegasus spyware is said by the University of Toronto's Citizen Lab to have been deployed against a Roman Catholic bishop and a priest who had advocated human rights reforms in the West African country of Togo, as well as against two members of the political opposition. Pegasus is believed to have been installed through a WhatsApp exploit. This is the most recent case in which NSO Group tools have been found in use by governments for domestic surveillance that appears to go beyond law enforcement or counterterrorism investigations.
No government is flawless, of course, and an argument could be made that the sale of Pegasus to Togo is a legitimate case of lawful intercept technology being delivered to a legitimate customer. NSO Group has declined to comment. But Citizen Lab thinks that's a tough case to make. Togo is not the worst regime on the planet, but if your standard is, say, North Korea, you're probably missing the mark. Citizen Lab describes Togo as a flawed democracy ruled by a single family for 57 years with a long track record of human rights abuses, including reports that torture is routine in the country's prisons. And they go on to say that the four individuals targeted are clearly neither criminals nor terrorists by any international human rights respecting standards. NSO Group emailed a statement to Vice. The vendor said, quote, as NSO has now stated on several occasions due to strict contractual and legal confidentiality requirements, we cannot confirm or deny who our customers are. As we have also made clear before, we are not privy to who our authorized and verified sovereign government clients target using our technology, though they are contractually obliged to only do so against terrorists and criminals, end quote. Citizen Lab says it doesn't have conclusive evidence that the spyware was deployed by Togo's security forces, but it does think that the timing and target selection amount to a strong circumstantial case that it was.
China Daily, an outlet for the Chinese Communist Party, has announced the party line on Microsoft's interest in buying TikTok's operations in the U.S., Australia, New Zealand, and Canada. The U.S. administration's smash-and-grab of TikTok will not be taken lying down, the paper's headline declared, although what the implied retaliation might be is left unspecified. It's a lot of shilly-shallying out of the art of the deal, the same stuff Beijing endured during trade negotiations with the U.S. But Forbes thinks this is more smoke-blowing than fire-breathing. TikTok isn't Huawei, and reading between the tough lines are avowals of determination to be measured and responsible, which suggests that China is signaling that it doesn't intend to retaliate against U.S. software shops. There are, after all, companies, and there are companies. And TikTok, while splashy, isn't Huawei.
It has become all too routine for us to report on misconfigured databases being left open to the Internet. But how much time does it take for a misconfigured database to be discovered and exploited? Ameesh Divatia is co-founder and CEO at data-centric encryption firm Baffle, and he joins us with some findings.

Cloud databases are certainly becoming a very important aspect of the value proposition that customers look for when they move to cloud. Databases tend to be a very big cost item for customers to deploy on-prem. So they look for those services very often when they go to cloud. You know, RDS is Amazon's probably fastest-growing service. So when that happens, there's a couple different things that customers run into. The first one actually is just in the migration process itself. One of the things that is not very well known is when the migration happens, when the data goes from on-prem environments into cloud, it actually shows up in the clear in the cloud first. The second one has to do with just cloud native databases where you're just creating a database in cloud. There's some checks and balances there. Amazon makes sure that you have a certain password and makes sure that you are setting up some basic security. But as you know, most of the vulnerabilities that happen with hacks is user error.

Yeah, I mean, I think it's, I suppose it's probably not too surprising these days that it doesn't take very much time for the bad guys to find a misconfigured database.

Exactly. So one of the big issues that we're running into is that the convenience of being able to actually set up these databases, you know, makes it really easy to make the mistake and keep it open. It's a little problematic to put in lots of security controls which are difficult to implement. So what happens is operators tend to take shortcuts, and that's predominantly one of the reasons why some of these things get hacked. This is the new norm, right? We are going to be using cloud environments for data storage and data analytics. And it's databases to start with, but eventually it's going to evolve into data lakes. And what is very important is that the data pipeline that you create as you put sensitive data in cloud has to be protected. So it is really about securing the data analytics pipeline. The storage could be databases, it could be data lakes, or it could be just straight object storage like S3. But the utility of the data improves as it moves into these various types of data stores. And that's the future. I think data is the new oil, right? Everybody says you've got to have data in order to function. You just have to make sure that it does not become the new asbestos as well, right?

I was just going to say, yeah, make sure it's not radioactive, right? You get too much of it in one place and you reach critical mass and things go bad in a hurry.

That is exactly what is happening, right? When you find $100 to $750 per record by regulations like CCPA, it is by all means asbestos.

That's Ameesh Divatia from Baffle.
And finally, the effects of the Blackbaud ransomware incident continue to ripple through the educational, political, and not-for-profit sectors, affecting the sorts of businesses that have donors as opposed to customers. It's a significant example of third-party risk. In the U.S., a new set of universities are now known to have been affected. The universities of Texas and Oklahoma have both warned donors and alumni that their information may have been accessed by the attackers. And after a coy, slow reveal from California State University Northridge, EdScoop reports that the California State University system is now investigating the possibility that the Blackbaud attackers successfully compromised all 23 institutions in the system. The California State University system is a public higher education institution distinct from its sister system, the University of California. There have been other victims in the United Kingdom, too. Third Sector reports that more than 30 British charities have been affected. And it's not just charities, either. The Labour Party has disclosed that personal information about thousands of its donors was exposed in the incident. Labour had been using Raiser's Edge, a fundraising and donor management solution from Blackbaud. Blackbaud has said that it believes its payment of ransom to the attackers has foreclosed the possibility that the exposed data would be abused or exploited. One can always hope, but the customers affected by this third-party breach would do well to look to their mitigations, and the donors should keep a close eye on their accounts and identities.
And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security. Ben, always great to have you back. We have an interesting article. This is from the Just Security website. And this is, I think, the perfect thing to dig in with you on. It's titled Cyber Attack Attribution and International Law. I have to say I have a personal interest in this. The whole notion of attribution is fascinating to me as to some people think it's really important, some people don't. Can you take us through what they're getting at here in this article?

Sure. So it's a fascinating article. I highly recommend all the listeners read it. It's really a good academic analysis of international law and the issue of attribution. So the impetus for this article is very recently the U.S. Department of Justice unsealed an indictment accusing a couple of individuals linked to China, to the Chinese government, of a decades-long campaign of hacking dissidents, human rights activists, and a variety of private sector targets. I'm quoting the article here. More recently, they've accused the same actors of trying to hack information on tests and vaccines related to the COVID-19 pandemic. And this comes also in the wake of a notice issued by the United States government in coordination with our allies in the UK and Canada about Russian cybercriminals trying to steal intellectual property related to COVID-19 vaccine development. So at issue here is how to establish a just and uniform system of attribution that fits with international law. And her proposal is to require standards that states have to abide by to make attribution claims. You know, I think in the past, some of these attribution claims haven't been backed up by on-the-record data, you know, exactly what happened, why it happened, what the evidence is that a particular state actor was behind a particular hack. We are getting better at being more precise in our indictments and our allegations. But the only way that we're going to be able to foster international agreements and legitimacy to some of these attribution charges, in her view, is to require evidence-based, fact-based allegations that meet certain elevated standards. It should be something that's codified to the extent that anything can be codified in international law. So I think it's a really interesting and valuable proposal. And I think it gets to the idea that if we are going to try and maintain our legitimacy in making accusations against other state actors, we should make sure that we're doing so based on specifically identifiable evidence and information.

And I should point out, when you say her, we're speaking of Kristen Eichensehr. She's the author of this article, and she's the one making these suggestions, putting out this proposal.

Yeah, a very persuasive writer. I mean, I think one thing she pointed out that really stuck out to me is, you know, in the past, attributions have sort of been on a trust us basis. You know, for example, with the Sony hack, we said we have evidence that it's North Korea. We don't want to give you too much information because that might divulge some of their methods. It might expose some of our own vulnerabilities. But I think the allegation doesn't carry the same weight in the international community if it's not backed up by robust evidence. And that's something that has been improving recently. We've seen it in some of the more recent prominent indictments that we've discussed. But it's something that's not well settled so far in international law, and it's something that we can strive for. A lot of this is governed by custom. It's just what we've always done informally with our allies.

Custom is not enjoying a whole lot of backing at the moment, right? Internationally.

No, it certainly is not. I feel like we're in a period where we love to violate all sorts of international customs.

Right. Could we see something like an international court to handle these things? I'm thinking of the Hague. The Hague for attribution.

I mean, the regulating bodies are going to be set up by work that's already happened. So, you know, we do have multilateral agreements in this area between us and some of our allies. There are UN groups. There's a UN group of governmental experts who have tried to apply rules to cyberspace. I'm probably not the most foremost expert in international law, but I can say when you don't have those same types of institutions already set up, it's hard to develop these types of actionable standards. And so, in a sense, it might be most useful for us to get the institutions working first before we start to come up with more of these substantive reforms.

Yeah. Well, as you say, it's a very thought-provoking, well-written article. It's over on Just Security. It's titled Cyber Attack Attribution and International Law, written by Kristen Eichensehr. Highly recommend it, so do check it out. Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.