CyberWire Daily - WHO email accounts prospected. Mandrake versus Android users. Vollgar versus MS-SQL servers. Ransomware and hospitals. Notes on the effects of COVID-19, and a disinformation campaign.
Episode Date: April 2, 2020. Attempts on World Health Organization email accounts possibly linked to Iran. Mandrake Android malware is active against carefully selected targets. Vollgar attacks Windows systems running MS-SQL Server. Hospitals remain attractive targets for ransomware gangs. Italy's social security operations shut down by hacking. Coronavirus disinformation. The pandemic's effects on business. And a look at the fortunes of Zoom. Andrea Little Limbago from Virtru on the global battle for information control; guest is Perry Carpenter from KnowBe4 on security awareness. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_02.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Attempts on World Health Organization email accounts are possibly linked to Iran.
Mandrake Android malware is active against carefully selected targets.
Vollgar attacks Windows systems running MS-SQL Server. Hospitals remain attractive targets
for ransomware gangs. Italy's social security operations have been shut down by hacking.
Coronavirus disinformation, the pandemic's effects on business, and a look at the fortunes of Zoom.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 2nd, 2020.
Reuters reports that attempts to compromise the email accounts of World Health Organization
staffers may be the work of Iranian operators.
WHO officially says it's not in any position to make an attribution,
but anonymous sources close to the UN organization say the attacks seem connected to Tehran.
Security firm Prevailion told Reuters that they saw significant circumstantial evidence suggesting an Iranian campaign.
The attempted cyberattacks on WHO have been murky, sometimes linked to the Dark Hotel
APT, which itself has been connected to several governments, but none in a definitive way.
Threat researchers at Bitdefender have offered ZDNet an update on the Mandrake strain of
Android malware they discovered earlier this year.
Mandrake focuses on Australian Android users,
and eschews mass automated attacks in favor of human-run operations against selected targets.
Mandrake appears to be a criminal operation,
probably a patient attempt at what Bitdefender characterizes as
credential stealing, information exfiltration
to money transfers, and blackmailing. Security firm Guardicore reports a long-running criminal
campaign targeting MS-SQL servers. They call it Vollgar, a portmanteau of Vollar, the cryptocurrency
the campaign mines, and vulgar, which is how Guardicore views the criminals' behavior.
The servers make attractive targets not only for their computational power but also for the large
amount of sensitive data they hold. China, India, the U.S., South Korea, and Turkey have so far been
the countries most affected by Vollgar. The attack typically begins by brute-forcing internet-connected servers with
weak credentials. Microsoft warns hospitals to expect a surge in ransomware attacks and offers
advice on how they might defend themselves. Gangs using the REvil, also known as Sodinokibi,
strain of ransomware have been especially active against healthcare targets.
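The Vollgar story above says the campaign opens by brute-forcing internet-exposed MS-SQL servers that have weak credentials. As an added example, not taken from the episode, from Guardicore, or from Microsoft, here is a small Python detector that reads SQL Server ERRORLOG "Login failed" entries (error 18456) and flags source addresses that exceed a burst of failed logins inside a sliding window. The log lines are constructed for this example, and the threshold (5 failures) and window (60 seconds) are assumed values that a real deployment would tune.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Matches the SQL Server ERRORLOG "Login failed" line. The timestamp, the
# "Logon" source column, the optional "Reason:" clause and the trailing
# "[CLIENT: ip]" tag follow the ERRORLOG layout for error 18456.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\."
    r"(?: Reason: (?P<reason>[^\[]*?))?\s*\[CLIENT: (?P<client>[^\]]+)\]$"
)

# Constructed sample log: one source hammering 'sa' seven times in a few
# seconds (the Vollgar-style pattern), one stray typo from another host, and
# unrelated ERRORLOG noise that the regex must ignore.
SAMPLE_LOG = """\
2020-04-02 10:15:20.00 spid52      Starting up database 'tempdb'.
2020-04-02 10:15:22.45 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-02 10:15:22.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-02 10:15:23.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-02 10:15:23.58 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-02 10:15:24.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-02 10:15:24.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-02 10:15:25.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-02 10:15:25.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-02 10:40:02.00 Logon       Error: 18456, Severity: 14, State: 5.
2020-04-02 10:40:02.00 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.7]
"""


def parse_failures(lines):
    """Yield (timestamp, user, client_ip) for every failed-login line."""
    for line in lines:
        m = LOGIN_FAILED.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("user"), m.group("client")


def brute_force_sources(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: total_failures} for every source that produced at
    least `threshold` failed logins inside any sliding `window`.

    A single failure, or a handful spread over hours, is ordinary operator
    error; a burst is a password-guessing client."""
    by_client = defaultdict(list)
    for ts, _user, client in parse_failures(lines):
        by_client[client].append(ts)

    flagged = {}
    for client, stamps in by_client.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits inside `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[client] = len(stamps)
                break
    return flagged


def targeted_users(lines):
    """Count failed logins per attempted account; 'sa' dominating the
    counter is the telltale of an automated MS-SQL brute force."""
    return Counter(user for _ts, user, _client in parse_failures(lines))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in brute_force_sources(lines).items():
        print(f"brute-force source {ip}: {n} failed logins")
    print("accounts attempted:", dict(targeted_users(lines)))
```

The detector only sees what the server logs, so it assumes failed-login auditing is enabled (the SQL Server default logs failures only, which is enough here). On the database side the cheap complements are the obvious ones the story implies: don't expose TCP 1433 to the internet, disable or rename `sa`, and enforce the Windows password policy on SQL logins.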
The current coronavirus emergency obviously continues to have considerable effect not only on public health but also on economic conditions and international rivalry. One of the
difficulties of assessing the COVID-19 pandemic in ways that might usefully inform effective
disease control policies has been the challenge of understanding the pandemic's extent
and the course infection takes in its sufferers.
Chinese information control practices haven't helped.
The U.S. intelligence community last week delivered a classified study to the White House
that concluded, according to Bloomberg,
that China's public reporting on cases and deaths is intentionally
incomplete. Others, with fewer or at least different dogs in this particular fight,
have reached the same conclusion. Vice summarizes Beijing's policy with respect to information about
the coronavirus, and it finds a comprehensive program of censorship and disinformation
directed at both domestic and international audiences.
Stanford University's Internet Observatory says that deliberate misdirection and obfuscation
have been in progress since January. Lockdowns, illness, self-isolation, enforced closures,
and the attendant throttling of commerce have taken a toll on all sectors. CNBC, in a non-rigorous but informative look at
startups, concludes that more than 3,500 jobs were eliminated during March at some 40 companies
who'd collectively raised more than $14 billion in capital. The New York Times calls the job
destruction the great unwinding. The tech sector and its security subsector have been less heavily
affected than some others, but they've by no means been immune. Perry Carpenter describes himself as
a security behavior alchemist, and he's also chief evangelist and strategy officer at security
awareness firm KnowBe4. I caught up with Perry Carpenter at the RSA conference. And I think that there's two sides
to the data story, right? The fact that if all these vendors are successful and all the
organizations are successful implementing technology-based vendor solutions for security,
we would have no breaches if that's the solve, right? And the fact is, is day after day,
week after week, month after month, year after year, decade after decade,
at this point, we see security-related breaches
caused by human error.
And the technology that's supposed to have fixed that
a few years ago hasn't.
And so when somebody comes to me and says,
well, the technology is the only way
and you're wasting your time with working with humans,
I could also say, well,
the technology isn't working for you either.
And so you do have to step up
and you have to add that additional layer of security,
that human piece.
And then the other side of the data is
we do have data that shows that
if you are paying attention
and if you are training your people
and doing that in a behavior design-based way, and there's parameters to that that I could share with you.
But if you're following best practices for behavior design and doing simulation combined with training, then you can knock down the propensity for somebody to click on a phishing email dramatically.
Dramatically within three months and super dramatically within a year.
And so what we've seen is that a typical baseline,
if nobody's ever done any training with this before,
then upwards of 40% of people have a propensity to click, which is bad. That's a bad day for your organization.
But within three months, if you've combined some training with simulated phishing tests, at least once every 30 days, we've seen that go down to about half of that.
So actually under half of that, about 17 percent. And then over a year period, you can knock that down into the lowest single digits.
And so that's consistency. You're building muscle memory. It's the same way that if you were to only go to the gym once a year,
all you're really doing is causing yourself pain
and you're showing yourself how pathetic you are.
So people that do a phishing test once a year,
that's what they're getting.
You're a little close to home here, Perry.
I know.
I feel that too.
But if you're wanting to actually improve,
well, then you go consistently.
You feel the pain for a while,
but ultimately you start to adapt
and you get the benefits from that.
And the same thing holds true for security training.
That's Perry Carpenter from KnowBe4.
Zoom has had a remarkable, wild, and decidedly mixed ride
over the course of the pandemic.
The remote conferencing service listed on the NASDAQ as ZM
had between October and the
end of January traded between $60 and $80. On February 3rd, three days after the U.S. banned
travel from China and the day after the first death outside China from COVID-19 was reported,
the company's shares rose to $87.66. They peaked at $159.56 on March 23rd, the day the UK's lockdown
began, six days after France imposed a nationwide lockdown, and eight days after the US Centers for
Disease Control recommended social isolation. It's a telework-driven surge. As of last week, MarketWatch marveled,
Zoom's daily active user count was up 378% from where it was a year ago.
Zoom has since fallen off those highs, closing yesterday at $137.
Problems with security and privacy have made for what Axios calls a tarnished moment of glory.
Wired thinks the issues, data sharing that's prompted
a class action lawsuit over sharing of user data, the relative ease with which skids and others have
been able to intrude into sessions, called Zoom bombing, and two new zero-days, collectively mean
that the Zoom privacy backlash is only getting started. Zoom itself, which Forbes credits with having at least as much transparency
as to render the company relatively journalist-friendly,
is working to fix its privacy and security issues.
CEO Eric Yuan has blogged that the company has frozen all updates
other than those designed to enhance security.
He's also announced a variety of training and support initiatives,
has offered clarification and, where appropriate, apologies about certain Zoom features,
notably its encryption, which turns out to have been less rigorous than marketing claims may have led users to believe. The difficulties Zoom is experiencing are no doubt connected with its
success. A sudden transformation from a reliable and user-friendly
conferencing service to what amounts almost to a public utility. That's Zoom's view, as CEO Yuan wrote,
quote, we did not design the product with the foresight that in a matter of weeks every person
in the world would suddenly be working, studying, and socializing from home. We now have a much
broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with
Axios offers a speculative but plausible explanation of what's happening.
Quote,
And it's so easy to use that it almost constitutes an attractive nuisance, as a Wall Street Journal story about virtual happy hours suggests.
And joining me once again is Andrea Little Limbago.
She is the chief social scientist at Virtru.
Andrea, it's great to have you back.
I wanted to touch today on this notion of what's shaping up as a global battle for information control and how various
nation states are coming at that. This was originally going to be something you were
going to discuss in a panel discussion at South by Southwest. That didn't happen because of some
global virus concerns. But let's dig into the topic itself. Yeah, we're supposed to be talking
about it shortly. Had a great panel lined up with Nina Kollars, Ben Gray, and Lisa Jiggetts.
So hopefully we'll get to do that again in the near future.
But what we were going to address actually was a large focus on the nation states, but also actually bringing in the non-state actor as well.
And so I'll explain that.
By the way, Freedom House measures internet freedoms and so forth.
Nine straight years in a row of a decline in internet freedoms.
We're seeing at the same time, roughly 14 years in a row, decline of democracy across the globe.
So we have these two trends going on. And what it really is showing is just that the spread and diffusion of authoritarian digital control of the environment and what the digital authoritarian
playbook is. And we have that pretty well understood, I think, at this point. So if you
look at it, and it's not just China, not just Russia, I think that that's the core message we really want to send,
that although China and Russia really are the innovators in this area, their models are
spreading. And so the way we look at it, or at least the way I look at it, is it's focused on
the use of cyber attacks for, say, data access, data theft, data manipulation, data dumps,
those kind of things that I think this audience is very well familiar with.
You've got the hardware and software that they're using as well that can provide either backdoors or other kinds of access and control.
You've got the disinformation for controlling the narrative.
And again, you're talking about the coronavirus.
We're seeing that very much so right now being an authoritarian tool of choice for controlling the narrative.
And again, not just in China.
Iran and others are doing the same.
And then what we're also seeing really is the rise also of using the law and policy use of control.
So anything from requiring data storage within their borders to requiring and mandating backdoor
access. And that's part of the encryption debate that we see in the U.S. has already been going on
across the globe. And in many authoritarian regimes, they do require the use of encryption
software with government mandated access to it. So that's where you see on the authoritarian side
what the playbook really is and that it is spreading everywhere in different aspects and
to different degrees, you know, from Thailand and Vietnam to Malawi to Ecuador. I mean,
it's really becoming a global phenomenon. And on the democratic side, we really don't know what
the digital democracy looks like
yet. And so because there is not that alternative playbook, we're seeing more and more of democracies
adapt some of those different components of the playbook, not full out adopting at all,
but adopting different parts of it. And that's, again, where we see aspects like Australia's
anti-encryption law, where you're seeing in Brazil, we saw an awful lot of domestic
disinformation around their election. And so we're seeing that battle really playing out.
We're starting to see a little bit, you know, glimmers of signs of what a digital democracy
could look like. And the European Union is really the one leading the way in that area so far
with the GDPR, the General Data Protection Regulation, which is really focusing on giving
individuals control of their data.
On the democracy side, what sorts of tools of influence are available to try to push back against some of these authoritarian regimes?
What we're starting to see, on the one hand, I think that's where defenders can come into play,
especially against the cyberattacks, helping control what data is getting stolen, helping
focus on data integrity. Other areas where I really do think, and this is where I'd love to see America start
to come together and provide some leadership in this area, is on just on crafting the rules and
regulations for data privacy and security. And so while we have a pretty good idea on cyberspace
and the role of offense, and while there still are norms that need to be shaped, and that is one
actually additional area where I'd like to see is the leadership focusing on
establishing those norms for the use of offense in cyberspace. I also would like to see the U.S.
take a lead in data protection and privacy. And so focusing on the soft power aspect of it. So
what soft power is in international relations is really frameworks and models that attract and inspire others to
want to have a similar kind of policy or model or so forth. And so if you think about privacy
and data protection, and especially digital privacy as a component of a digital democracy,
those are the kinds of behaviors and rights that people across the globe will want to have,
especially as a surveillance state becomes more and more pronounced across the globe. And so I think if we could leverage the soft power
of privacy and show what a democracy can look like that does both protects data, protects
privacy, and ensures levels of innovation. And again, we don't know what that right mix is yet,
but we really also have not explored or innovated in that area. And so I think there's so much room
for innovation to figure out what that right balance would be. And on the one hand, there's no ultimate security, no ultimate
privacy. If we can optimize among both and try to get rules and regulations and a tech all together
to move towards that end, I think there's a lot that can be done.
Yeah. All right. Well, Andrea Little Limbago, thanks for joining us.
Thanks so much for having me.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett
Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave
Bittner.
Thanks for listening.
We'll see you back here tomorrow.