CyberWire Daily - US warns of DPRK cyber activity. Replacing Huawei. COVID-19-themed cybercrime and state-directed activity. Telework notes.
Episode Date: April 16, 2020
The US Government issues a major advisory warning of North Korean offensives in cyberspace, most of them financially motivated. Ericsson will provide BT the equipment to replace Huawei gear in its networks. Notes on COVID-19-themed cybercrime. Some temporary telework may become permanent. Disinformation from Tehran; domestic phishbait from Damascus. And to Zoom or not to Zoom? Rob Lee from Dragos with a summary of his RSA keynote; guest is Gregg Smith from Attila on cybersecurity concerns for employees working from home during the COVID-19 pandemic. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_16.html Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K.
The U.S. government issues a major advisory warning of North Korean offensives in cyberspace.
Ericsson will provide BT the equipment
to replace Huawei gear in its networks.
Notes on COVID-19-themed cybercrime.
Some temporary telework may become permanent.
Disinformation from Tehran.
Domestic phishbait from Damascus.
And to Zoom or not to Zoom.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your Cyber Wire summary for Thursday, April 16, 2020.
In what the New York Times sees as a sign that deterrence of North Korea in cyberspace is beginning to fail,
the U.S. government has issued an unusually comprehensive advisory about Pyongyang's cyberspace offensive.
The joint advisory, to which the Departments of State, the Treasury, and Homeland Security,
and the Federal Bureau of Investigation contributed, and which they approved,
concentrates on the threat North Korean hacking poses to the international financial system.
The DPRK's activities are grouped under three main heads.
First, cyber-enabled financial theft and money laundering.
A great deal of this activity involves stealing altcoin, cryptocurrency.
Second, extortion campaigns, that is, ransomware.
One unusual form of extortion is the DPRK's use of long-term paid consulting arrangements
to ensure that no such further malicious cyber activity
takes place.
That is, they run cyber protection rackets.
Nice data you got there.
Shame if something happened to it.
And last, cryptojacking, which still affords some prospect of a modest return, and Pyongyang
needs all the financial help it can get.
The unusually long public advisory includes advice on how to defend
oneself against North Korean attacks. The U.S. government is also offering rewards of up to
$5 million for tips about illicit DPRK cyber activities, which you can submit to the State
Department's Rewards for Justice website. To the New York Times' observation that deterrence may be
failing, in all fairness, it should be noted that cyber deterrence of Pyongyang has been for decades at best a work in progress. Deterrence
is always at some level a counter value proposition, and the less of value you've got to
lose, the harder you may be to deter. Ericsson has won the contract to provide BT with the equipment
it will need to replace Huawei gear in the big British telco's networks, SDX Central reports.
The BBC says BT complains it will take until 2023 to purge Huawei kit.
This suggests that the British decision to ban Huawei from its core networks, widely
seen as wishy-washy appeasement at the time, may be biting harder than it was generally
expected to do.
There will be costs for Huawei's partners as well as Huawei.
CPO Magazine notes that the U.S. FBI has stepped up its efforts to notify the public of criminal attempts to take advantage of the coronavirus emergency.
The bureau has increased the frequency of its alerts.
It only issued nine during all of last year.
It's already issued four during March and April.
Not all of these deal directly with COVID-19,
but it does seem that the tempo of cybercrime engendered by the pandemic
has moved the FBI in the direction of more frequent public engagement
than had been the norm.
One of the things organizations are learning
is what sort of work can be done remotely.
It's likely that some of the habits being built up now will persist beyond the current emergency.
FCW, for one, thinks that a great deal of the surge in telework the U.S. Department of Defense is seeing may well turn into a permanent way of doing business.
Chinese operators have been the most active purveyors of disinformation during the COVID-19 emergency,
but other actors haven't been idle either.
Graphika reports that an Iranian threat group, the International Union of Virtual Media,
IUVM, a front operation, has been active in pushing the line that the coronavirus had its origins in a U.S. biowarfare program.
Quote,
The IUVM operation is significant and manned by a well-resourced and persistent actor,
but its effectiveness should not be overstated.
End quote.
Their reach has been limited, attracting only about 3,000 followers, The Verge notes.
But persistent they have been.
The group's accounts have been the repeated targets of takedowns by Facebook, Google, and Twitter, but they continue to reappear.
Their line is generally pro-Iranian and pro-Palestinian, anti-US, anti-Israel, anti-Turkey, and anti-Saudi.
Like much Chinese disinformation, and unlike much Russian disinformation, the Iranian efforts aim at persuading the audience to a specific set of views
and not merely at disruption. On the principle of the enemy of my enemy is my friend,
the IUVM has been heavily engaged in repeating stories that tend to Beijing's advantage.
They generally praise China's response to the epidemic, dismiss criticism of Beijing as
psychological warfare, commend China's contributions to international emergency relief,
and even praise China's business acumen in using the crisis as an opportunity to buy low and sell high.
For many, part of the new normal in shoring up your work-from-home cyber defenses involves running a VPN.
But not all VPNs are created equal, and they vary in both
security and ease of use. For more on that, we checked in with Attila Security's Gregg Smith.
Well, I think today, Dave, what you're seeing is a significant amount of people who have been bound
to their office desk are all being asked to move home. Very often, the enterprise or the government agency that they
work for does not have the capabilities of providing all these employees that are forced
to work at home with government-issued or enterprise-issued computers. So one of the
challenges that's facing the CIO today is the fact that these employees are using their home computers to connect back into the network.
And, of course, that presents an awful lot of challenges, especially as it relates to the secure communications from their home back into the enterprise itself.
Well, let's go over, I mean, just some of the basics here.
What are the issues there?
What's the stuff that we should be worried about that could be being sent in the clear?
Well, certainly any government agency or enterprise employee is working with sensitive
information. In the case of the enterprise, it could be just enterprise data, but it also could
be the intellectual property of that particular entity itself. There was a resort here locally in Maryland that sent their workers home last week.
And lo and behold, someone did not have a VPN. They were using their home computer.
Their home computer was attacked. The attacker moved laterally into the payment system of this particular resort.
And the resort the next day realized that they had lost $23,000.
So as a starting point, communicating in the clear from a home computer can create a lot of problems just from the use of unsecured Wi-Fi, not having a VPN, a potential eavesdropping event,
a man-in-the-middle attack, and again, the advent of insecure Wi-Fi being the most prominent
situation that's out there today. Can you walk me through it sort of one level at a time? I mean,
starting from the least secure to the most secure, the various options and things that people can put in place?
Certainly, I think that at a minimum, having a VPN is a really good starting point.
Typically, what you'll find is that on government or enterprise-issued computers, they already have a VPN installed.
But in many cases, especially with the user using his personal computer,
that VPN is not compliant with the enterprise VPN.
And that is sort of the basic issue that's out there today.
And if an employee happens to go to a Starbucks or another
area where there is free Wi-Fi, you know, very often the captive portal that allows you to connect
into the internet from that Starbucks or from that location has malicious JavaScript in there.
And as soon as you click accept on the terms and conditions page, very often that
malicious JavaScript gets downloaded onto your computer and the adversary owns your computer
at that point. That's Gregg Smith from Attila Security. Researchers at Lookout have seen a
change in approach on the part of a group that appears to be operated by the Syrian government's domestic security apparatus. It's been active since 2018, at least, and recently
it's been prospecting Syrians with COVID-19 phishbait to induce them to install SpyNote,
SandroRat, AndoServer, or SLRat surveillance tools. Some of the bait takes the form of bogus apps.
One is a bogus digital thermometer because
what better to have on a worried person's phone than a thermometer that can warn them of the
onset of a fever. More large companies have banned the use of Zoom. TechRadar reports that Siemens
has joined Standard Chartered Bank in telling its employees to avoid using the teleconferencing
service. Zoom hasn't been idle.
In its latest move to shore up security,
the company has brought in Luta Security to run a revamped bug bounty program.
ZDNet observes that Luta's Katie Moussouris has tweeted a greeting to others
she indicates are joining Zoom's advisory team.
In addition to Alex Stamos, whose appointment has been known for several days,
she indicated in a tweet that she'd be joined by, as ZDNet lists them,
privacy expert Lea Kissner, former global lead of privacy technology at Google,
cryptographer and Johns Hopkins professor Matthew Green,
and three well-known security auditing firms, Bishop Fox, the NCC Group, and Trail of Bits.
So should organizations use Zoom or not?
Forbes offers sensible advice.
If data privacy and security are paramount, then no.
If, however, affordability and ease of use are more important than locking down your data,
then Zoom isn't a bad choice.
So if your office is holding a virtual happy hour, go ahead and Zoom happily.
If you need to discuss PII, trade secrets, or heaven forfend, classified information, then seek thou elsewhere.
And if it's classified stuff you're talking, take it to a SCIF, friends.
Thank you.
...and showing the world what AI was meant to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Robert M. Lee.
He is the CEO at Dragos.
Rob, you recently keynoted at the 2020 RSA conference.
I was hoping you could give us a little summary.
What were some of the topics that you touched on there?
Yeah, absolutely.
And thanks.
It was a big shock, by the way, even getting that.
It was just really exciting.
And it wasn't because I thought I was so good.
Contrary to that, actually, it was because I thought
that the community had really rallied around that.
And the reason it felt so great is because people showed up.
There was tons of people online.
There was tons of people in the room,
I think 500 or 600 people that were there in the auditorium,
just caring about industrial infrastructure.
And I just thought that was such a wonderful moment
in our community.
The keynote focused on the Dragos year-end review reports
we published.
So those year-end review reports have insights
into the threats, our lessons from the field,
and also insights into vulnerabilities.
What we have found a couple years ago
is that nobody was publishing as vendor-neutral as possible
reports about the status of the industry and what's going on and setting some kind of trend lines
to be able to follow over the years.
So this keynote really had a couple points from there, but I in many ways also treated
it as this welcome to the ICS community, here's how we play and work together and this is
what you need to be aware of, kind of wide audience presentation.
And the points really were, one, industrial is different.
Please stop trying to call it IoT.
I see a lot of big firms and marketing firms and markets and et cetera get confused on
this ICS stuff or operations technology or OT stuff, so they just try to flavor it as,
well, it's IoT, it's internet-connected stuff,
except for our systems have been around
longer than your internet,
so let's focus on the fact that it's ICS or OT.
So number one, we're different,
and please don't call it IoT.
Number two, the reason we're different
is not just because we have different systems.
We have Windows systems too.
It's the fact that we have different threats,
different missions, different risks.
Everything about what we're trying to accomplish
in the environment to which we're accomplishing it
is different, which also means there's that interaction
with physics.
We have to take different approaches to security.
A lot of the things that you would think would work
in an IT environment,
deploying antivirus or endpoint protection systems,
relying heavily on vulnerability management programs,
encryption, et cetera.
A lot of the things that you would want in an IT environment,
you don't actually even want in the ICS.
I'm not saying don't patch or don't do antivirus,
but the limits of those controls are significant
when you look at what you're actually trying to reduce risk against.
And then the third thing is I just kind of gave an overview of where we are with threats,
vulnerabilities, and kind of lessons from the field. From the threats perspective,
there are 11 different teams targeting industrial control systems specifically now,
with two that have shown the ability to do destructive and disruptive attacks.
That is a huge increase from where we were just a couple years ago. But where I kind of
gave the community a note of optimism was, look, this is also because we're starting to look.
So it's not like things have just gotten worse than ever and, oh my gosh, we're screwed. It's
more the fact that our community is becoming mature, doing things like asset identification
and visibility and network monitoring in these environments. We're seeing more things.
In the same way, I talked about the vulnerabilities,
which actually a significant portion of the vulnerabilities in ICS are useless.
And we shouldn't over-focus on them,
but there are some that are important.
And let's figure out how to evaluate these correctly
so we're not going to operations and saying,
you should patch all these vulnerabilities,
but instead going to them and saying,
look, there's like 450 that came out this year
and we only really care about these five.
Let's go take advantage of these five together.
There's more of a sense of partnership.
The last thing was just around incident response lessons learned.
Even though we're a technology company, we still do a lot of incident response and get
a lot of good insights from that in our services work.
A couple of the metrics that kind of stood out was,
one, 100% of people that thought they had an air gap
had multiple routes of connectivity
into their industrial environments.
We found that 51% of our incident response engagements,
we were given information that was supposed to help us,
like network diagrams or similar,
and it was so out of date or so bad that it actually hurt us.
And we were better off throwing that information to the side.
And then we found the fact that in the incident response engagements we went into, none of
them were benefited at all from any level of centralized logging or network visibility
or any of the tooling required to be successful in those environments.
So as a call to action for the community,
we really wanted to say, look, go think about
what the response would look like and work backwards
to build the detection strategy and the collection strategy
that you want to be able to operate in that response scenario.
Anyways, that was a lot, but that was a lot shorter
than the keynote, so that's good too.
That's right, that's right.
Well, it's a good summary, and I suppose RSA has put these keynotes online,
so if you want to check it out, you can do that, right?
Yeah, absolutely.
It's out there and viewed.
As of right now, again, talk about an amazing community response.
It already has something like 50,000 views on it as of today,
and that's crazy.
I mean, think about people caring about our infrastructure
and caring about the industrial community,
and I just think we're in this real inflection point
within our community where I think
there's a lot of work to be done,
but there's a lot of desire and goodwill to get it done,
and I ultimately just think we're going to be successful.
Yeah.
All right, well, congratulations, Rob,
and thanks for joining us.
Robert M. Lee.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is
Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole
Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer
Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.