CyberWire Daily - VPNs in Tehran’s crosshairs. US indictments of foreign cyber threat actors. Strife exacerbated by social media. ByteDance’s plan for TikTok.
Episode Date: September 16, 2020. CISA and the FBI warn of extensive Iranian cyberattacks that exploit flaws in widely used VPNs. The US indicts two men for website defacements undertaken for the benefit of Iran, and in retribution for the US drone strike that killed Quds Force commander Soleimani. The US has also indicted seven in a cybercrime and cyberespionage wave conducted in conjunction with Wicked Panda. Ethiopian strife made worse by social media. Joe Carrigan describes scammers using fake alerts on web sites. Our guest is Kevin Ford, CISO of the state of North Dakota, on their move to offer free anti-malware to all state K-12 institutions. And ByteDance's plans for TikTok grow clearer. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/180 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
CISA and the FBI warn of extensive Iranian cyberattacks
that exploit flaws in widely used VPNs.
The U.S. indicts two men for website defacements undertaken for the benefit of Iran
and in retribution for the U.S. drone strike that killed Quds Force Commander Soleimani.
The U.S. has also indicted seven in a cybercrime and cyberespionage wave conducted in conjunction with Wicked Panda.
Ethiopian strife made worse by social media.
Joe Carrigan describes scammers using fake alerts on websites.
Our guest is Kevin Ford, CISO of the state of North Dakota,
on their move to offer free anti-malware
to all state K-12 institutions.
And ByteDance's plans for TikTok grow clearer.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 16th, 2020.
CISA, the U.S. Cybersecurity and Infrastructure Security Agency,
has warned in a joint alert issued with the FBI
that threat actors based in Iran have increased their exploitation
of known vulnerabilities in virtual private networks.
VPN use has spiked during the pandemic and the attackers are taking advantage of the expanded
attack surface. Federal agencies are being targeted. So are private sector organizations,
mostly in healthcare, technology, financial, insurance, and the media. The attackers are making much use of three web shells,
Tiny, China Chopper, and ChunkyTuna, and tunneling tools FRPC and Chisel, with FRPC used over port
7557. CISA and the FBI note that the Iranian threat actors use ngrok a great deal, and this
may appear as TCP port 443 connections to external cloud-based
infrastructure. The two agencies offer some advice for mitigating the risk these campaigns present.
They come down, for the most part, to sound digital hygiene. If you haven't patched for the Citrix CVE-2019-19781 vulnerability, do so. CISA Alert AA20-031A offers some recommendations
in this regard. You should also, as a matter of routine, audit your configuration and patch
management programs. The agencies also recommend monitoring network traffic for unexpected and
unapproved protocols. They recommend using multi-factor authentication
and implementing the principle of least privilege with respect to data access.
And of course, keep software up to date.
You can read the whole thing yourself in CISA Alert AA20-259A.
The warning came as tensions between the U.S. and Iran remain high.
Iran is under unusual public pressure from the recent U.S.-brokered rapprochement of Israel
and some of Iran's regional Arab rivals, notably the United Arab Emirates.
The U.S. Justice Department yesterday unsealed its indictment of two Iranians
in connection with their alleged defacement of websites
in response to the U.S. drone strike that killed Iranian General Soleimani
during his activities in Baghdad.
The two men charged are accused of what would appear to be
patriotically motivated cyber vandalism.
They began working together in December of last year,
but began the defacement campaign that led to the charges
after January's drone strike
that killed the Quds Force commander outside the Baghdad airport.
The two are charged with conspiring to commit intentional damage to a protected computer
and with intentionally damaging a protected computer.
The first charge carries a sentence of up to five years in prison,
three years of supervised release, and a fine of $250,000,
or twice the gain or
Joseph R. Bonavolonta, special agent in charge of the FBI Boston division,
pointedly said in the Justice Department press release that the two are now effectively unable to travel outside the Islamic Republic
or the Palestinian Authority without risking arrest and extradition.
Denial of free travel is one of the costs commonly imposed on criminal hackers
outside the reach of the U.S. government,
even when they're the sort
of low-level talent involved here. Such imposition of costs may also be seen in a second U.S. federal
indictment of seven people on charges of international cybercrime announced this morning.
Two defendants have been arrested in Malaysia, and the remaining five remain at large in China.
The seven are alleged to have stolen source code, software code signing certificates,
customer account data, and what the Justice Department characterizes as valuable business information.
The intrusions through which the theft was accomplished facilitated other criminal activity as well,
particularly ransomware and cryptojacking. Two of the seven
are charged with 25 counts of conspiracy, wire fraud, aggravated identity theft, money laundering,
and violations of the Computer Fraud and Abuse Act. They targeted companies, but they also had
a side hustle going in the form of a video game conspiracy in which they stole and resold in-game
currencies and commodities.
They also sought to get the gaming companies to ban various criminal competitors.
The remaining three Chinese nationals face nine counts of racketeering conspiracy,
conspiracy to violate the CFAA, substantial violations of the CFAA, access device fraud,
identity theft, aggravated identity theft, and money laundering.
The alleged racketeering conspiracy pertains to their operation of Chengdu 404 Network Technology,
a Chinese company through which they engaged in a range of racketeering that affected more than
100 companies. At least one of the individuals under indictment is said to have boasted of his
connections with Chinese security and intelligence services.
Indeed, the activity seems to have some connection with APT41, also known as Wicked Panda,
and some of the targets were government networks where the defendants appear to have been collecting intelligence.
So the activity would indicate that China's government is willing to let its contractors make some money on the side,
as long as their activities benefit Beijing. Vice describes the way in which Facebook has apparently figured in Ethiopia's growing ethnic violence. The strife has been centered in the
region of Oromia, where intergroup tensions have found expression and amplification in social media.
And finally, ByteDance's deal with Oracle has grown clearer. According to the Wall Street Journal, TikTok's American operations will be incorporated as a U.S. company, with Oracle
holding a significant but still minority stake in the new company. ByteDance will retain majority
ownership. The Washington Post thinks the reorganization is likely to meet with U.S. regulatory approval.
The state of North Dakota quietly flies under the radar when it comes to cybersecurity policy,
but they recently implemented a plan for a statewide offering of anti-malware software
and services for every K-12 organization in the state. Kevin Ford is Chief Information
Security Officer for the state of North Dakota, and he joins us with the case for why the move
deserves attention. The state of North Dakota has a statewide network
that all public organizations are required by law to be on.
That includes K-12, but it also includes cities, counties,
as well as the state government.
So we have a very, very large user pool here.
It's all co-mingled.
It's about 250,000 devices at any one given time. So we have a pretty
large task on our hands keeping that all secure. K12 happens to be our largest user group,
and it's a user group that we feel really needs to be protected, particularly during this time when teleworking and virtual learning
are so key to the state. So with that in mind, the state has decided to provide free security
services to K-12 organizations. That includes a very robust and feature-rich anti-malware, next-generation anti-malware that has a very,
very strong capability against modern types of ransomware. It also includes
vulnerability management as well as breach monitoring. And what has the response been
so far? Are they welcoming this effort? The majority of K-12 organizations have been
very welcoming of this. First off, I think it hits the right price point free. So that's always
great for everyone. And we're very pleased to be able to offer it for free. I should say we had to
do a lot of kind of financial acrobatics to get this done. But I think we're in a good spot.
So, you know, our key mission is to reduce risk for every citizen in North Dakota. And I think
this is a big road forward in that regard. What went on, you know, behind the scenes from
the value proposition side of things, as you all were making
the case to, you know, the various stakeholders at the state level that this is a good thing to
invest in? So I think one of the most important things that we were able to do was make
officials understand or help them understand that, and it's an old maxim, an ounce of prevention is worth a pound of cure.
So this is and should be seen, and I believe is seen by the majority of leaders within the state,
as a key method of reducing risk and thereby reducing the expense around cybersecurity events for the state. So this is one way that the state
is trying to kind of prevent that sort of ransomware attack or these other risks that
can be so expensive. And when you compare the cost of doing this versus the cost of these
ransomware events and these large malware outbreaks, it seems to be a no-brainer.
We're really saving a lot of money for K-12 organizations within the state. And if you
take the state as a whole, we're saving a lot of money for the state as a whole.
That's Kevin Ford. He's Chief Information Security Officer for the state of North Dakota.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute
and also my co-host on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Interesting article came by.
This is from the folks over at Sophos.
This is written by Sean Gallagher,
and it's titled,
Faking It, The Thriving Business of Fake Alert Web Scams.
I have seen these myself.
What's going on here, Joe?
Well, this is an analysis
of the business behind this
and how this whole thing works
and how it's kind of evolving.
Basically, the underlying method
that this works with
is with an advertising network
that injects these malicious ads
into a website.
And these ads pop up
and they use techniques like cascading style sheets
and JavaScript to make these pop-ups look really, really convincing. A lot of times they will look
like a Windows interface or like an Apple interface, and they will lead you to some
path where you are separated from your money. That's how this works. So the classic one we've all seen and heard about
is the tech support scam.
You have a virus on your computer,
please call this number.
And then you call the number and someone there says,
well, we'll sign you up for some virus software
that costs $500 a year and you'll be A-OK, right?
Well, now we're seeing this more,
what Sean's talking about here is you're seeing
this more on the mobile platforms as well. We've talked about this as well on Hacking Humans and
I believe on this show, one of the big problems with the mobile platform is that the screen real
estate is really limited. So you may not have as much of a clue that you're looking at a webpage
or you may not be able to notice the smaller alerts that
say, hey, this is not a secure web page. Additionally, one of the things that they're
doing on the mobile application is they're saying, just go to the store, the Apple store,
the Google Play store, and download this app that will take care of it. And of course, that's what
they call a PUA, a potentially unwanted application. And it can be something that we've talked about
before as well called fleeceware,
which is a piece of software that will cost you an exorbitantly large amount of money to use every month.
And in order to cancel it, you have to go into your store account,
either the Apple App Store account or your Google Play account and cancel it.
And you can get your money back, but a lot of people don't do that.
And these guys make bank on this. Right, right. One of the things I've noticed about some of these
pop-ups is they refer to it in the article as browser lock attacks, which is when one of these
pops up, you can't do anything else in the browser, even in other tabs, before you, you know, get rid
of this alert or do something in this alert?
Well, what happens is the JavaScript is written such that when you close the alert, it immediately
reopens it, which then assumes control of the tab again.
Now, they did say that on Safari, you can open another tab and then close the original
tab or go to the tabs interface and close the tab so it goes away.
And I think you
can do that on Chrome, on Android as well. I'm not sure. I haven't received one of these on
my mobile app recently. So yeah, you can close them, but if you're not a sophisticated user,
it's difficult to close. The best thing you can also do, you can just close the application.
And then when you open the browser again, it starts with a new fresh page. So you can do that. I'm not sure how it works in Apple.
One of the interesting things that Sean mentioned in this article, and this hadn't ever occurred to
me before, is that if you're on a PC and you get one of these attacks and they start, they install
this fraudulent software or this malware that they're selling as legitimate,
in some cases that they were investigating,
they found that the computer's victim becomes an exit node for a peer-to-peer VPN service,
which then allows the scammers to use that computer
and the victim's internet connection for further scams.
So not only are you being victimized,
but your machine is then being utilized to victimize
others. Wow. What are the recommendations here to put it into these sorts of things? Is there
anything you can do to prevent them? Yeah, Sean lists a number of those
preventions. He says on the desktop, at least, you can use a pop-up blocker that will provide
some protection, but it might not protect
against the pop-under advertisements. There are tracker blockers, such as the Electronic Frontier
Foundation's Privacy Badger that can suppress trackers from malvertising networks and prevent
pop-unders from being loaded. There's reputation-based blocks and malware protection
that can also block any of these sites. So when you go to the site, you're actually alerted,
hey, this is a scam site.
But the problem is,
if all this is new and fresh
and nobody else has hit it
and you're being victimized by this attack
within the first couple of hours of a campaign,
you're going to be your only line of defense.
It's going to come down to you
as it usually does.
So just close the app
if you can't do anything else.
But never install software that's advertised on a pop-up.
Never click on a website.
And never allow a phone call to go through
or never make a phone call from one of these sites.
They're always scams.
Microsoft will never call you.
Microsoft doesn't reach out to you this way.
Apple doesn't reach out to you this way.
Google doesn't reach out to you this way.
Right, right. All right. Well, Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time, keep you informed, and it leaps tall buildings in a single bound. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in
Maryland out of the startup studios of DataTribe, where they're co-building the next generation of
cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Harold Terrio, Ben Yellen, Thanks for listening.
We'll see you back here tomorrow.