CyberWire Daily - Will no one rid me of this turbulent newsletter? US court delays TikTok ban. Microsoft takes down cyberespionage operation. Huawei’s CFO gets another day in court. REvil recruits.

Episode Date: September 28, 2020

The TikTok ban has been delayed; the November goal for the company’s change in ownership still stands, at least for now. Microsoft takes down infrastructure used by a Chinese cyberespionage group. Huawei’s CFO returns to court in Vancouver. The UK shows some of its cyber offensive hand. DDoS in Hungary; malware in Texas. The strange and sad case of eBay and a newsletter. Rick Howard shares lessons learned from his CSO Perspectives podcast. Our guest is Thomas Etheridge from CrowdStrike on mitigating the risk of public cloud key compromises. And REvil wants to recruit more criminal affiliates. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/188

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners: today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The TikTok ban has been delayed. Microsoft takes down infrastructure used by a Chinese cyber espionage group. Huawei's CFO returns to court in Vancouver. The UK shows some of its cyber offensive hand.
Starting point is 00:02:13 DDoS in Hungary. Malware in Texas. The strange and sad case of eBay and a newsletter. Rick Howard shares lessons learned from his CSO Perspectives podcast. Our guest is Thomas Etheridge from CrowdStrike on mitigating the risk of public cloud key compromises. And REvil wants to recruit more criminal affiliates. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 28th, 2020. In what the Wall Street Journal calls a short-term victory, the U.S. District Court for the District of Columbia yesterday granted a nationwide preliminary injunction
Starting point is 00:03:12 that stopped the scheduled U.S. ban on TikTok transactions. The Verge, which has a useful brief history of this particular phase of the dispute, quotes TikTok as arguing that the government's ban, which would have taken effect last night at midnight, was arbitrary and capricious. Both sides will get together to review the dispute tomorrow. Fortune notes that the judge left the November deadline for TikTok's sale in place, for now at least.
Starting point is 00:03:42 Official Beijing is unhappy with the prospect of a forced spinoff of TikTok Global, the proposed name for the new company, whatever its ownership turns out to be. The Wall Street Journal describes several reasons for this. Chinese government-controlled media have characterized the sale as dirty and unfair, which seems the sort of reaction any major power would have when it felt itself strong-armed by a competitor. But the government seems particularly troubled by the aspects of the deal that would permit Oracle to inspect TikTok's source code, ostensibly because of the troubling
Starting point is 00:04:17 precedent that would set for protection of Chinese intellectual property against foreign exposure. Sources tell the Journal that at least some ByteDance executives have been upbraided by the government for failure to undertake proper consultation before negotiating the spinoff. Microsoft has taken down 18 Azure Active Directory accounts that were being used by Gadolinium, also known as APT40, Leviathan, or Kryptonite Panda, a Chinese government threat actor that's most active against the maritime and healthcare sectors.
Starting point is 00:04:52 Gadolinium's recent campaign has used a great deal of spear phishing. The attacks proceeded in three phases. First, the payload is distributed in a COVID-19-themed spear phishing campaign. Opening the message infects the target system with PowerShell-based malware. Second, the attackers use this malware to install one of the 18 Azure Active Directory applications. Third, the Azure Active Directory application is used to configure the compromised endpoint so that it can exfiltrate data to a Microsoft OneDrive under Gadolinium's control. So it's an information-stealing campaign, a case of cyber espionage. The BBC says that today's the day Huawei's CFO Meng Wanzhou returns to a Vancouver
Starting point is 00:05:40 court as she continues to fight extradition from Canada to the United States. The U.S. charges she faces involve violations of sanctions against Iran. The Guardian reports that in an unusual public avowal, the head of the U.K.'s Strategic Command, General Sir Patrick Sanders, says Prime Minister Johnson has directed him to ensure that the UK remains a leading full-spectrum cyber power, and that includes deploying significant offensive capability. General Sanders' public statements may foreshadow the five-year integrated defense review, expected to be complete in November. Magyar Telekom said that Hungary's banking and telecom sector suffered a brief but sharp disruption last Thursday, according to Reuters.
Starting point is 00:06:31 Magyar Telekom said the distributed denial of service was mounted by Russian, Chinese, and Vietnamese hackers, but that the company was able to thwart the attack quickly. A qualification: the servers used were in Russia, China, and Vietnam, but that in itself is insufficient for attribution. On Saturday, Tyler Technologies warned that two of its customers had reported suspicious logons to their systems using Tyler credentials. The Dallas Morning News says the company was hit by an unspecified ransomware strain. The very strange story of the then-eBay employees who took unusually active measures against a mom-and-pop newsletter the company's then-leaders found displeasing is winding its
Starting point is 00:07:19 way through the courts. The New York Times has a long and thorough account of what happened. That account is striking in its portrayal of an aggressive corporate culture, hermetically locked by threat from above and fear from below, from anything that might have served to moderate it. The company's global security and resiliency team was the section alleged to be responsible for an extended campaign of focused and unremitting harassment of the proprietors of EcommerceBytes, an online publication that served an audience of sellers, of people who sell things on Amazon, Etsy, and other sites, including, of course, eBay.
Starting point is 00:07:57 An example of the immoderate guidance the company's communications chief used with the corporate enforcers of global security and resiliency is as follows, quote, I genuinely believe these people are acting out of malice, and anything we can do to solve it must be explored. He signed that particular message, the Times says, "Whatever. It. Takes."
Starting point is 00:08:23 The CEO was equally direct with communications like, I couldn't care less what she says, take her down. Neither the former CEO nor the former communications director have been charged in the case, and both have denied ordering the harassment the Massachusetts couple who run EcommerceBytes suffered. But the communications quoted in the Times story hardly seem to have even the ambiguity of King Henry II's "Will no one rid me of this turbulent priest?", the offhand remark that got St. Thomas à Becket martyred by overzealous barons.
Starting point is 00:09:00 And finally, BleepingComputer reports that REvil, the Sodinokibi ransomware gang, has put its Bitcoin where its virtual mouth is, posting a million dollars in altcoin to a Russophone hacking forum to recruit new affiliates. The hoods say, quote, For your peace of mind and confidence, we have made a deposit of one million U.S. dollars, end quote. Apparently, the fund, to which potential affiliates may contribute, can be used to buy illicit goods and services.
Starting point is 00:10:10 Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize
Starting point is 00:10:41 key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:11:38 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And it's always a pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief security officer, also our chief analyst. But more importantly than any of that, he is the host of the CSO Perspectives podcast, which is part of CyberWire Pro. Rick, great to have you back.
Starting point is 00:12:15 Thank you, sir. So you are just wrapping up season two of CSO Perspectives. Let's take stock here for a minute. First of all, two seasons. How have things evolved since you started this endeavor? Yeah, so we started the same back in April, season one, episode one, and we had this vague idea
Starting point is 00:12:36 about creating kind of a new podcast designed from the perspective of the cybersecurity C-suite. You know, not a technical show and not a news show, but a discussion of topics pitched at the executive level. So, have you kept with that? I mean, is the show primarily targeting executives? Is it only for them? No, not at all.
Starting point is 00:12:58 The idea is that if you can hear what executives are worried about, you know, and then across the entire cybersecurity landscape, then even the newbies, the technicians and the analysts, the graybeards, the junior management, and even other C-suite executives, we can all learn together about how we think about different problems. Well, let's talk about Season 2 specifically. What are some of the big takeaways that you learned this round? So, we covered five tactics that many InfoSec programs are running today. We talked about security operations centers. We talked about incident management, data loss protection and prevention programs,
Starting point is 00:13:36 identity management systems, and finally, red team, blue team operations. And I will tell you, my big takeaway from this season is that your mileage may vary on any one of those things, right? It's kind of up to you to decide which one to tackle first. You know, the entire premise of the podcast, if we go back to day one, was we're trying to find out the, you know, first principle thinking in cybersecurity. And what we've come up with is
Starting point is 00:14:02 you're trying to reduce the probability of material impact to your organization. So the question you're trying to answer in season two was any of those tactical functions, are they really, really necessary? And what we've learned is, you know, maybe not for everybody. It depends on your organization, depends on politics, pick and choose, but pick the one thing that will have the greatest impact in your organization. Is there any frustration there for you that the answer is kind of fuzzy? Yeah, I really wanted to be black and white, okay? And it just isn't. Every organization is different. You know, we've introduced this hash table idea where we bring in these executives in from all over the world, and they tell us how they're doing it. And it turns out that everybody is different, and the priorities are different depending on your situation, depending on the way you've deployed your stuff, and depending on your culture. So, yeah, I'm a little frustrated by that, but I'm willing to learn a little bit.
Starting point is 00:15:04 All right. So, Season 3, when does season three kick off? Any previews there? Yeah, we're going to take a couple of weeks off and prepare all that. The next episodes for season three start on 19 October. So if anybody has any ideas about what they want us to cover, they can hit me up on LinkedIn or Twitter, and I'd be glad to entertain all of that. All right. Well, Rick Howard, host of CSO
Starting point is 00:15:28 Perspectives, a part of Cyber Wire Pro, thanks for joining us. Thank you, sir. Thank you. of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Thomas Etheridge. He is the Senior Vice President of Services at CrowdStrike. Thomas, it's always great to have you back. We wanted to touch today on some issues with the cloud, specifically with some things going on with public cloud keys and the security that needs to be monitored there. What do you have to share with us today? Thanks, Dave. It's great to be here again.
Starting point is 00:16:58 So what we're seeing is as organizations move workloads and some of their critical infrastructure to the cloud, understanding that cloud security has its own set of challenges and that organizations need to be focused on some of the basic blocking and tackling in terms of securing cloud infrastructure. We have observed over the last few years an increasing number of sophisticated operations where many financially motivated adversaries are using cloud application programming interfaces, API keys, to harvest information for ransom and for sale. The adversaries are also looking for other keys and passwords to facilitate further access, enabling them to kind of rinse and repeat the cycle.
Starting point is 00:17:45 So gaining access and securing API keys for cloud infrastructure is absolutely essential. And so what are your recommendations here? I mean, what are the best practices? There are several things. The first really is avoiding the use of static API keys anywhere in your cloud infrastructure. We strongly encourage using ephemeral credentials for automated cloud activity. We want to make sure that organizations are enforcing the usage of those credentials only from authorized IP address spaces. And we really, really encourage multi-factor authentication
Starting point is 00:18:21 for all user-originated cloud activity. That's number one. Number two, it's managing cloud accounts and permissions. Inventorying accounts is really, really critical. So many organizations don't even understand how many accounts exist or who has responsibility for those accounts. So really understanding what accounts are active in your environment is very, very important. Leveraging cloud account factory models for standardization of accounts,
Starting point is 00:18:52 reviewing permissions on legacy accounts and accounts that may be ready for decommissioning is also important. And then looking at which accounts are not being monitored by your existing security tool set, also important. So good account hygiene, very, very critical. The next thing is enabling logging and alerting. I know that's a cost for many organizations, but enabling detailed logging, including API and data object access logging, to the maximum extent possible that you can afford. Really important, especially if you need to do investigations down the road. And then investigating and tuning automated alerting where possible to make sure you're getting quick and prescriptive alerting
Starting point is 00:19:38 on things that may be changing in your environment. And then lastly, looking at firewall rules on the cloud as well. Looking at automated and manual firewall rule sets to avoid global permitting is also important. Where do you suppose we find ourselves today in terms of organizations getting a handle on this? Are we getting better? I think most organizations are starting to understand that by moving to cloud infrastructure and moving workloads to cloud that those workloads require the same type of security as on-premise infrastructure. There is no shortage of blog posts and technical papers
Starting point is 00:20:20 and presentations that exist in the market that talk about many of the things I just mentioned, making sure you're not using static keys, making sure you're inventorying accounts and you don't have accounts that should be decommissioned that still exist in active status in your environment and that the permissions are properly configured. A lot of the basic blocking and tackling needs to be done, and I think there's plenty of material out there that is filtering into organizations that are either considering moving to cloud
Starting point is 00:20:50 infrastructure or have already started to move and need to uplift their overall security programs to consider these factors. All right. Good information as always. Thomas Etheridge, thanks for joining us. Thank you, David. Great to be here. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. We work hard so you don't have to.
Starting point is 00:21:42 Listen for us on your Alexa smart speaker, too. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Ha! I join Jason and Brian on their show for a lively discussion of the latest cybersecurity news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. Our amazing CyberWire team is Elliott Peltzman,
Starting point is 00:22:25 Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Starting point is 00:23:06 Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
