CyberWire Daily - US Executive Orders against TikTok, WeChat. Chimera takes chip IP. Intel data leaked. Texting Rewards for Justice. Coordinated inauthenticity. Magecart’s homoglyph attacks.
Episode Date: August 7, 2020

President Trump issues Executive Orders restricting TikTok and WeChat in the US. A Chinese APT has been active in industrial espionage against Taiwan's semiconductor industry. Intel sustains a leak of sensitive company intellectual property. Rewards for Justice communicated to Russian and Iranian individuals by text message. Coordinated inauthenticity from Romanian actors, probably criminals. Magecart moves to homoglyph attacks. Craig Williams from Cisco Talos on ransomware campaigns making use of Maze and Snake malware. Our guest is Monica Ruiz from the Hewlett Foundation Cyber Initiative on the potential for a volunteer cyber workforce. And, sorry Fort Meade--there are limits to telework. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/153
Transcript
You're listening to the CyberWire Network, powered by N2K.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose,
and showing the world what AI was meant to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.

Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Now at a special discount for our listeners. Today, get 20% off your Delete Me plan
when you go to joindeleteme.com slash N2K
and use promo code N2K at checkout.
The only way to get 20% off
is to go to joindeleteme.com slash N2K
and enter code N2K at checkout.
That's joindeleteme.com slash n2k, code n2k.

Cisco Talos on ransomware campaigns making use of Maze and Snake malware. Our guest is Monica Ruiz from the Hewlett Foundation Cyber Initiative on the potential
for a volunteer cyber workforce.
And sorry, Fort Meade, there are limits to telework.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Friday, August 7th, 2020.
U.S. President Trump yesterday issued two executive orders that impose new limitations
on Chinese-owned social media apps TikTok and WeChat.
WeChat is a subsidiary of Tencent, TikTok of ByteDance,
and both parent companies are mentioned in the orders.
The Wall Street Journal summarizes the effect of the orders as prohibiting anyone in the United
States or subject to U.S. jurisdiction from conducting transactions with the owners of the
two services. The ban will become effective 45 days from the date of the executive orders, which,
unless we've miscounted, puts the deadline on
September 20th. This could prevent U.S. citizens from downloading the apps from such sources as
Google Play or the Apple Store. It also puts a deadline on Microsoft's possible acquisition of
TikTok. Both executive orders stated as an official finding that, quote, additional steps must be
taken to deal with
the national emergency with respect to the information and communications technology
and services supply chain declared in Executive Order 13873 of May 15, 2019, securing the
information and communications technology and services supply chain, end quote.
Both of the apps represent a threat because they automatically
capture vast amounts of information from their users, and the data they collect are in principle
accessible to the Chinese Communist Party and Chinese government intelligence services.
Both social platforms, the orders say, actively censor domestic dissent in China, and TikTok has
been active in spreading COVID-19 disinformation
on behalf of the Chinese government. The order affecting WeChat in an aside cites restrictions
India and Australia have placed on the app as an indication that the U.S. isn't alone in seeing a
problem with Chinese data collection practices. The Secretary of Commerce will be in charge of
implementation and enforcement. TikTok, which
has moved data formerly held in U.S. servers to servers in Ireland, objected to the executive
order in a strongly worded statement it issued this morning. The company sees what it views as
a lack of due process as most objectionable. Quote, we are shocked by the recent executive
order which was issued without any due process. For nearly a year, we have sought to engage with [...]
facts, dictated terms of an agreement without going through standard legal processes, and
tried to insert itself into negotiations between private businesses.
End quote.
The statement also includes an explicit denial of the specific accusations of the order.
Quote, we have made clear that TikTok has never shared user data with the Chinese government
nor censored content at its request.
End quote.
And of course, the statement urges all of the American users and creators
who've been engaged with TikTok to write their elected representatives.
We found no comparable statement from WeChat.
At Black Hat yesterday, researchers at security firm CyCraft
described a Chinese government threat group, Chimera, that successfully targeted Taiwan's semiconductor industry,
or pillaged the industry, as Wired puts it.
Their goal was source code, chip designs, software development kits,
and similar intellectual property.
CyCraft calls the action against chip manufacturers Operation Skeleton Key
after its use of Skeleton Key Injector,
which implanted a skeleton key into domain controller servers to enable persistence and
continuous lateral movement. Additionally, by making direct syscalls, the malware could bypass security systems dependent on API hooking.
The operator's principal remote access trojan was Cobalt Strike, used to establish a backdoor into victim systems. For exfiltration, Chimera uses what CyCraft called an old and patched
version of RAR.

There was also a significant loss of IP from California-based Intel.
The company has suffered a breach that cost it 20 gigabytes of sensitive corporate intellectual property from Intel exconfidential Lake.
CyberScoop says Intel is investigating, but that a corporate representative said, quote, we believe an individual with access downloaded and shared this data, end quote.
The data dump was announced in a tweet by an IT consultant who goes by the handle Tillie 1312 Kottmann, hashtag BLM.
Kottmann, a software engineer based in Switzerland,
has some role in the incident, discoverer, leaker, security researcher,
or middle person, but exactly what isn't clear.
According to Ars Technica, Kottmann promised that there would be more leaks to come.
Security Week says that the same person has been connected with other earlier leaks of
proprietary source code from well-known companies including Microsoft, Adobe,
Disney, and Nintendo, to name a few. Most of the information, Kottmann said,
comes from improperly configured or exposed DevOps infrastructure.
Much of the reporting on the incident has called the material lost classified or confidential or secret.
Some clarification is in order.
The information is corporate proprietary and sensitive,
but not apparently
classified in the formal governmental sense. The U.S. State Department reward being offered
for information concerning attempts to hack U.S. elections has been communicated in some surprising
places. Reuters reports that text messages communicating the offer and link to rewards
for justice have been turning up
in Iranian and Russian devices. Who sent the texts isn't clear, but there's speculation that
the messaging was done on behalf of the U.S. government. U.S. Cyber Command referred Reuters
to the State Department, and State had nothing to say. According to the Washington Post, Facebook
has disabled a Romanian network that was sending inauthentic messages expressing implausible support for President Trump.
One would have to be naive, indeed, to uncritically swallow a report that former President Obama and former First Lady Michelle Obama had thrown their wholehearted support to the re-election of President Trump.
The motivation is as likely to be financial fraud as it is influence.
Malwarebytes reports an ongoing series of homoglyph attacks,
which substitute similar characters into familiar domain names.
The activity appears linked to Magecart,
and it shows the gang evolving to take advantage of similarities
among Turkish, Cyrillic, and other international character sets
with the, to us, more familiar Roman letters.
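The substitution Malwarebytes describes can be checked for on the defending side. The script below is an added example, not code from Malwarebytes, the Magecart research, or this episode: it flags hostnames whose labels mix scripts or contain look-alike characters, and maps each one onto the brand it imitates. CONFUSABLES, PROTECTED and SAMPLE_HOSTS are constructed for the illustration, and the confusables table is a hand-picked subset rather than the full Unicode list.

```python
"""Flag look-alike hostnames built from confusable or mixed-script characters.

Added illustration; not code from Malwarebytes, Magecart research, or the
episode. CONFUSABLES, PROTECTED and SAMPLE_HOSTS are constructed, and the
confusables table is a hand-picked subset, not the full Unicode list.
"""
import unicodedata

# Characters that render like ASCII letters, keyed by code point (constructed subset).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",   # Cyrillic с у х і
    "\u0458": "j", "\u0455": "s", "\u04bb": "h",                  # Cyrillic ј ѕ һ
    "\u0131": "i", "\u0237": "j",                                 # Turkish dotless ı, dotless ȷ
    "\u03bf": "o", "\u03bd": "v", "\u03b1": "a",                  # Greek ο ν α
}

# Brands we want to protect against impersonation (constructed list).
PROTECTED = {"example.com", "login-portal.com"}

# Constructed candidates: two genuine names and three look-alikes.
SAMPLE_HOSTS = [
    "example.com",
    "ex\u0430mple.com",          # Cyrillic а replaces Latin a
    "login-portal.com",
    "log\u0131n-portal.com",     # Turkish dotless ı replaces i (still all Latin script)
    "s\u04bbop-checkout.com",    # Cyrillic һ replaces h; brand not in PROTECTED
]


def script_of(ch: str) -> str:
    """First word of the Unicode character name: LATIN, CYRILLIC, GREEK, ..."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def scripts_in_label(label: str) -> set:
    """Scripts used by the letters of one DNS label (digits and hyphens ignored)."""
    return {script_of(c) for c in label if c.isalpha()}


def skeleton(host: str) -> str:
    """Lower-case, NFKC-normalise, then map confusables to their ASCII twins."""
    norm = unicodedata.normalize("NFKC", host.lower())
    return "".join(CONFUSABLES.get(c, c) for c in norm)


def analyze(host: str) -> dict:
    """Report mixed-script labels, confusable characters and the brand imitated."""
    host = host.rstrip(".").lower()
    mixed = [lbl for lbl in host.split(".") if len(scripts_in_label(lbl)) > 1]
    confusable = sorted({c for c in host if c in CONFUSABLES})
    skel = skeleton(host)
    # A name whose skeleton collapses onto a protected brand is an impersonation.
    impersonates = skel if skel != host and skel in PROTECTED else None
    return {
        "host": host,
        "mixed_script_labels": mixed,
        "confusables": confusable,
        "skeleton": skel,
        "impersonates": impersonates,
        "suspicious": bool(mixed or confusable or impersonates),
    }


def scan(hosts) -> list:
    """Return the analysis records for every suspicious host in the input."""
    return [r for r in map(analyze, hosts) if r["suspicious"]]


if __name__ == "__main__":
    for rec in scan(SAMPLE_HOSTS):
        print(rec["host"], "->", rec["skeleton"], "| imitates:", rec["impersonates"])
```

The dotless-i case shows why a mixed-script test alone is not enough: Turkish ı is Latin script, so only the skeleton comparison catches it. A genuine all-Cyrillic name would also trip the confusables check, so in production pair this with an allowlist of known legitimate international domains.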
And finally, as remote work increasingly looks likely to become an important part of the new normal,
the U.S. National Security Agency has said that it's expanding its telework capabilities
with the 2021 adoption of Microsoft Office 365 to support unclassified work, FCW reports.
But to rumors that NSA is going to open up its top-secret cloud to remote work,
the agency's CIO, Gregory Smithberger, said, no, that's just not a thing.
And why not? Because, come on, friends, there's just some kinds of work that you can't
phone in.

Transat presents a couple trying to beat the winter blues. We could try hot yoga.
Too sweaty. We could go skating. Too icy. We could book a vacation. Like somewhere hot. Yeah, with pools. And a spa.
And endless snacks.
Yes! Yes! Yes!
With savings of up to 40% on Transat South packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.

And now a message from Black Cloak. Did you know the easiest way for
cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home? Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with
Black Cloak. Learn more at blackcloak.io.

My guest today is Monica Ruiz. She's a Cyber Initiative
and Special Projects Fellow at the William and Flora Hewlett Foundation, who are financial
supporters of the Cyber Wire. Our conversation explores the notion of a common volunteer cyber workforce, the idea
that citizens with expertise in cybersecurity could volunteer or be called upon to respond
to cyber incidents, much the same way a volunteer firefighter brigade functions.
Some suggest it could be modeled after the old Merchant Marine, where civilians with
specific expertise could be temporarily called in by their government to support the common good.
One of the things that I oftentimes say when I explain this concept of cyber volunteer units is the fact that there are complex challenges in cyber defense.
So, you know, we have resource and talents constraints in the public sector.
We have competitive private sector salaries that impede government recruitment and retention.
And we have poor cyber hygiene or awareness in our societies.
And so all of those realities that have existed for years have really brought to bear the need to integrate outside talent into public sector cyber defense.
You know, when I think about volunteer organizations in communities, there's
several things that come to mind. I think of volunteer firemen. I think of things like the
National Guard, which isn't a volunteer necessarily, but I also think of things like the ham radio
operators who come in times of, say there's a hurricane or something like that. They step up
and provide communications.
Are any of those models along the lines of the possibilities here with cyber?
Yes, I think so, Dave. And just to add two more models to that, for example, we have the
17th century U.S. Minutemen, right, which were civilian colonists who formed militias during
the American Revolutionary War, and they were known as
being ready at a minute's notice. Or you have the Civil Air Patrol that was created in 1942 that was
initiated by roughly 150,000 aviation enthusiasts who convinced the government to incorporate them
formally. And so all the models that you just made reference to, and these two past examples that I just said really goes to the root of all this,
which is someone's need to serve their country and appealing to someone's sense of duty.
And I do think that applies in a cyber context. If you're an individual that has the skill sets
and you want to help, there needs to be a way to allow you to do that. And I think an example of that was,
for example, in 2012, following Hurricane Sandy, more than 900 people from New York startup
communities signed up to coordinate efforts online. But a lack of a framework really
prevented them from getting involved and being more effective in their efforts. And so I think
the overlying, you know,
the common denominator in all of the examples that we just made reference to is, you know,
appealing to someone's sense of duty and building the infrastructure for them to be able to be operationalized for the good.
Are there any examples out there of communities that are
already doing this, some good samples that you can build on?
Sure.
So I've written extensively
about the Estonian Defense League Cyber Defense Unit.
So that's more of an international model,
but it's probably best to highlight
some of the models that have already been put in place
in a US context.
And so one of the earliest ones that I found
that shares many similarities
with the Estonian Defense League Cyber Defense Unit
is the Michigan Cyber Civilian Corps
that was created in 2013.
And this model is essentially a group
of trained civilian technical experts
who volunteer to provide rapid response assistance
to the state of Michigan
in the event of a critical cyber incident.
And its mission is essentially to provide mutual aid in the event of these incidents at all levels of government, education, and business organizations. And so that's one of the models that has really
informed what other states are doing. You also have the Ohio Cyber Reserve, which was created in 2019.
And what was interesting about what Ohio did is that
they set up the Cyber Collaboration Committee to determine what the state needed in order to
improve its cybersecurity and training. And it was interesting because this mapped the current
cybersecurity gaps in the state so that then the Ohio Cyber Reserve Force can help serve as an extended response capability to fill those gaps.
Can you point us in the direction of some resources?
If folks want to see what's available in their community or take a leadership role, try to get things started,
where's a good place for them to find out how to go about doing that?
Sure, Dave. So I would recommend individuals to contact their National Guard
offices. One of the issues that I've also been researching is potentially having the National
Guard serve as that vehicle that integrates outside talent, given that it's uniquely
positioned to do so because it has dual constitutional authorities. And so I've seen
a couple of states start using their National Guard
to start building these models. So depending on what state you're in, contact your National Guard.
Learn whether they are also exploring these options and how you can get involved.
Cyber threats are ongoing and increasing, especially as COVID forces everyone into
virtual settings. And so the three takeaways
that I would love to leave everyone with is that, one, we need to tap into diverse civilian talent.
Second is that we need to find a way to integrate that talent for societal benefit. And third is that
we need to focus on the long term of these efforts, so training and cyber education. And I do think cyber civilian
units are uniquely positioned to address those three needs that I just laid out.
Our thanks to Monica Ruiz from the Hewlett Foundation for joining us.
There's an extended version of our interview available on CyberWire Pro.
Check it out on our website, thecyberwire.com.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Craig Williams. He is the head of Talos Outreach at Cisco. Craig, always great to have you back. You and your team have been tracking some ransomware
campaigns that have been making use of the maze and the snake malware.
Can you give us some insights? What's going on here?
Yeah, so this is just one of the trends that our IR team has been tracking
across the internet, across data that they have ability to monitor.
And it's something we became more and more concerned about
due to the recent pandemic,
because we know a lot of people are working from home.
And so just to cut to the meat of it,
really what's happening is we're seeing attackers compromise systems,
but instead of immediately deploying ransomware,
many are doing reconnaissance and waiting.
And if you think about that, it does make some sense.
If you think about the way businesses are right now,
they may have security on the endpoint
or limit the things that the endpoints can access.
However, maybe in 30 days, six months, 90 days,
they may go back into the office.
They may reconnect those machines.
They may remove some of those security restrictions to help business.
And so these attackers are not just immediately deploying ransomware.
They're doing some additional reconnaissance.
They're collecting credentials.
They're collecting data.
And then 30 days in the future, or whatever floats the attacker's boat,
they're then deploying the ransomware
and then ensuring they can cause
the most damage possible. That's fascinating. So the notion being here that if I'm able to
hit your computer while you're working at home, let's say your laptop, at some point, odds are
you may go back to the office, reconnect to that corporate network. Is that what we're tracking
here? Well, that's our concern, right? This isn't necessarily a new thing, but we're definitely
seeing an increase of it. Now, that could be due to the fact that COVID-19 lures are just simply
more effective, right? That could account for it. But I'm also concerned that the attackers could
be making more of a push towards getting into those data centers
a little bit more effectively
by collecting more information ahead of time.
And so I think this is something that we need to make sure
that IR teams and security response teams are looking for.
Look for people compromising those endpoints.
Assume credentials may be compromised
a little bit more often than usual.
Maybe even up your rotation a little bit if you have the ability to do that.
You know, it's definitely something people need to worry about.
And if you don't have visibility onto the end point,
it's something you need to start considering.
Does this reflect an increase in the professionalism of these bad actors,
their ability to have more patience here,
to bide their time?
I think it does.
I don't know that that's necessarily a recent thing.
I think this has been going on for a while.
But I think the way that the lures are becoming more effective,
the way that users are working from home,
the way that security policies may have to be modified
to facilitate working from home, are definitely all going to combine to make industry more vulnerable. So as folks are planning
for their workers to come back to the office, to re-engage, to plug those systems back in, to connect
to that corporate Wi-Fi, what sort of things should be top of mind? Well, I think segmentation is key, right?
If there's no reason for users to be able to connect to certain machines that are sensitive, right,
like your backup servers, don't let them, right?
Set up the access restrictions you need to prevent that from happening.
And even go one step further and try and make sure you have visibility into what's going on in the endpoints.
All right. Well, Craig Williams, thanks for joining us.
Thank you.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving
field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your
Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup
studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps
tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.