The CyberWire Daily Podcast 3.5.20
Ep 1038 | 3.5.20

Credential stuffing attacks and data breaches. Coronavirus-themed phishbait is an international problem. Super Tuesday security post mortems. Huawei agonistes.

Transcript

Elliott Peltzman: [00:00:04] Credential stuffing affects J. Crew and Tesco customers. T-Mobile discloses a data breach. Emcor works to recover from a ransomware infestation. Coronavirus-themed emails remain common phishbait - it's an international problem. U.S. authorities are pleased with how elections security on Super Tuesday went, but some local governments are recovering from self-inflicted tech wounds. And there's more on official U.S. suspicion of Huawei. 

Dave Bittner: [00:00:37]  And now a word from our sponsor, ExtraHop - securing modern business with network detection and response. Cloud-native is a buzzword, but it's also a direction. IDC predicts that 70% of enterprise applications will be developed cloud-native by 2021. It's time for security teams to adopt the same agility and speed as their DevOps counterparts so they can secure multicloud deployments and enterprise IoT at scale. ExtraHop helps organizations like Home Depot and Wizards of the Coast detect threats inside their hybrid and cloud environments up to 95% faster and respond 60% more efficiently. Investigate an attack with ExtraHop in the full product demo of cloud-native network detection and response available online at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.

Dave Bittner: [00:01:36]  Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.

Elliott Peltzman: [00:01:59]  From the CyberWire studios at DataTribe, I'm Elliott Peltzman, filling in for Dave Bittner, with your CyberWire summary for Thursday, March 5, 2020. 

Elliott Peltzman: [00:02:10]  Today's news includes several disclosures of data breaches and ransomware attacks. First, clothing retailer J. Crew has warned affected customers that it sustained a data breach in April of 2019. The store has disabled an unknown number of accounts that were exposed in the attack. It's asked the affected customers to contact customer care to restore those accounts. 

Elliott Peltzman: [00:02:34]  BleepingComputer says the incident was a credential stuffing attack. In credential stuffing attacks, the bad actors use big collections of username and password combinations, which they try against targeted accounts. Sometimes they get hits. The tactic works because people tend to use the same usernames and passwords across multiple accounts. If one account is compromised, the credentials can be tried elsewhere. There is a thriving underworld market for stolen credentials, and credential stuffing is a big reason why that particular crime pays. 

Elliott Peltzman: [00:03:08]  In addition to writing affected customers, J. Crew has also notified California's attorney general. TechCrunch wonders why it took J. Crew almost a year to disclose the breach. A spokesman told the news outlet that routine web scanning detected improper access, and customers were, quote, "promptly notified," end quote. There is some vagueness there. It's not clear, for example, when the scanning took place or when the anomalies were detected.

Elliott Peltzman: [00:03:38]  Credential stuffing has also bothered consumers in the U.K. The big British supermarket chain Tesco has responded to a credential stuffing campaign against shoppers who use its loyalty cards by reissuing some 600,000 new cards to its customers. Tesco told the BBC that its own systems had not been breached but that customer loyalty accounts had been.

Elliott Peltzman: [00:04:01]  Back in the U.S., Connecticut-headquartered industrial conglomerate Emcor has disclosed that it sustained a ransomware attack. The specific strain involved is Ryuk. Emcor says it's investigating but that operations continue, and there appears to have been no data breach.

Elliott Peltzman: [00:04:19]  And mobile carrier T-Mobile has warned customers that an attack on its email provider resulted in the compromise of a relatively small number of employee email accounts. This is of concern to customers because some of the employee emails that could have been accessed by the attackers contained customer information. That information might have included, T-Mobile said, quote, "customer names and addresses, phone numbers, account numbers, rate plans and features and billing information," end quote. Credit card and Social Security numbers were not, the company added, at risk. They've closed the breach and are working with federal law enforcement to investigate.

Elliott Peltzman: [00:05:02]  Historically, CISOs have turned to the government and said, defend us from other countries that want to wage war on a country. But how do you defend against a country that wants to wage war against a business? Joining us is Bil Harmer, CEO at SecureAuth, who spoke with Dave about the new challenges CISOs face helping businesses stay ahead of these threats. 

Bil Harmer: [00:05:26]  The world of bringing systems people, companies online into a digital environment that has no gates, no controls has a pathway from anywhere to anywhere in milliseconds. And if you think sort of historically or even currently, you know, an ICBM takes 30 to 35 minutes to make it from Russia to the U.S. Right now you can launch a DDoS attack in milliseconds. And now with encrypted technology, so with everything going to SSL, you have nice, private communications between some endpoint somewhere and the target you're after. 

Bil Harmer: [00:05:59]  Today, you know, with the attacks that we see - Equifax, Marriott, OPM, Anthem - none of that data showed up on the dark web for sale, and that's because, you know, somebody nation-state - and I think it was just yesterday they just charged the PLA with the Equifax hack - they're looking for massive amounts of data. They need as much data as they can because then they can start - they can quite comfortably, sitting in a secure facility somewhere in China or Russia or wherever it is, start running analysis on who would be a good attack - or a good target. Who would be a good victim? Who could they turn? And it doesn't have to be that typical one where you're looking for the one person that has access to everything. You can look for somebody who has access to someone who has access to someone who has access. And, you know, it's sort of going down the line. So it's a really, really messy place that we're sitting in right now. 

Dave Bittner: [00:06:53]  You know, I've heard folks say that imagine had the Sony breach been a physical breach, had a nation-state broken in, rifled through the file cabinets and taken things, you know, back to their country. We'd be talking about a different situation in terms of how we would describe that or label that. You know, could be considered not just espionage, perhaps an act of war. How do we contend with that? How do we contend with that difference, that in the end, it seems to me like the results are the same? The bad guys have your information. They have your data. What's the responsibility of our nation to help protect us against these things? 

Bil Harmer: [00:07:35]  That is a really good question because it extends, I think, farther than just stealing information. You know, a DDoS attack takes people - takes systems out, causes economic disruption. Well, the U.S. always had isolation, right? Friends to the north, friends to the south. And historically, if you look to something like Britain, Britain had the RAF, they had the anti-aircraft guns, they had boats in the water patrolling the shores. And that's how they defended. So, you know, planes came over, tried to carpet-bomb the citizens or the factories or destroy the economy, they had a defense against it. And right now, we don't. And the problem with that is to bring in a defense creates a lack of privacy, for lack of a better way to put it. But to try and put up those barriers, to try and put geopolitical barriers on the internet is - it doesn't work. We know it doesn't work. There is a responsibility, I believe, by the government to provide some sort of protection. What that is, I'm not sure yet. 

Dave Bittner: [00:08:32]  What about coming at this from the other direction? I think these days, particularly with ransomware attacks, sometimes you'll see organizations who have fallen victim to these things, they'll stand in front of the microphones and the cameras, and they'll throw their arms up, and they'll say, well, there's nothing we could do. This was a nation-state attack. And it's sort of a - if nothing else, it's a rhetorical get out of jail free card. 

Bil Harmer: [00:08:58]  Yeah, it's a tough one. It is very much a tough one because a nation-state attack is not predicated on making money, right? Ransomware, or typical ransomware, where they're looking to get bitcoin out of it and make some money out of it, that's an economic grab. And if you stop paying ransomware, ransomware goes away because it's no longer profitable. So it is a bit of a get out of jail free card because if someone points back and says, hey, nation-state attack, well, what can I do, I think eventually that's going to wear thin. I think we're going to have to start looking at ways to protect people. And that's ultimately, I think, what it is because they need the people. They need those user identities, they need the password credentials, they need the people to do things. 

Bil Harmer: [00:09:41]  So we're moving to a place where - I've for a long time said there's no longer a work-life balance. There is simply a balanced life. Because of mobile phones, because of telecommuting, companies are going to have to start finding ways to extend the security that they have at the office to the person - not to the building, not to the physical location, but to the person always at all times because even that person that works in the factory is going to have a mobile phone. They're going to walk into the factory with a mobile phone. And unless they're dumping them off at the door and (unintelligible) caging the place, they're walking in there with an electronic device that is a potential attack point. So they're going to have to find ways to start extending. 

Bil Harmer: [00:10:19]  And I think it will become a business or an enterprise piece, almost like a benefit, like - kind of like insurance. You know, we're giving you insurance to help you with your health. We're giving you dental insurance and vision insurance, and we're going to give you digital security. We're going to do something. And there'll be a way, a form of doing that. We see that with companies like Zscaler that do the always on. Take it with wherever you go. But I think it'll go beyond that. It'll get to a point where there's a balance, there's a different profile because everybody has different identities. Everybody's got a work identity. They've got a personal - probably have two or three personal identities. I think we're going to start seeing these enterprises, in an effort to protect themselves, extend the protection to their individuals at all times. 

Elliott Peltzman: [00:11:01]  That's Bil Harmer from SecureAuth.

Elliott Peltzman: [00:11:05]  Criminals continue to use coronavirus stories as phishbait in attacks on businesses, the Wall Street Journal writes, citing research by Proofpoint. Sometimes the approach is straightforward phishing, as it is in cases of a bogus email purporting to originate with the World Health Organization. At other times, it can involve business email compromise, as in cases that show phony invoices for large purchases of face masks from medical supply companies. It's an international problem first observed in Japan. According to Reuters, even Russian President Putin is taking note and blaming foreign rumor-mongers and similar assorted no-goodniks. Russia's internet authority Roskomnadzor has been blocking bogus stories on Vkontakte and Facebook. 

Elliott Peltzman: [00:11:55]  The Super Tuesday primaries in the U.S. went off without hacking or evidence of effective disinformation, and Bloomberg reports that NSA Director Nakasone told Congress yesterday that superior preparation on the defenders' part made the difference. He compared this week's smooth defensive performance to what he saw in 2018. The 2018 midterm elections didn't go off badly, but in comparison to this week's operation, the 2018 security measures were, General Nakasone said, like a pickup game. 

Elliott Peltzman: [00:12:30]  Out in the Golden State, Los Angeles County did stumble badly with its new voting machines. Long delays induced by malfunctioning machines produced what the Los Angeles Times called, quote, "an ugly debut for the county's new $300 million voting system," end quote. Voters are reported to have been standing around the polling places for two hours or more while poll workers tried to get the machines up and running or else get a backup ballot into the voter's hands. Other election authorities who have adopted similar devices are reviewing their plans. The problems in and around the City of Angels were, it should be noted, the result of technical and organizational mishaps and mistakes, not the work of hackers or other meddlers.

Elliott Peltzman: [00:13:17]  Executives from Nokia and Ericsson, the European hardware manufacturers the U.S. government has suggested would be attractive and more secure alternatives to China's Huawei, expressed their support this week for U.S. laws that would push the Chinese manufacturer out of 5G infrastructure, The Washington Post reports. Huawei executives also attended the hearings on their own but weren't invited to testify. Huawei's preferred solution, they say, is transparency on everyone's part, and the company's executives believe that a fair reading of everything they've done for security would set everyone's mind at ease. 

Elliott Peltzman: [00:13:56]  And speaking of Huawei, Reuters reports that yesterday, an attorney for the company entered a plea of not guilty to racketeering charges. At an arraignment in a U.S. district court in Brooklyn, N.Y., the company also said they might have to ask for delays in the proceedings, as the coronavirus is making it difficult for their legal staff to travel. The racketeering charges are directly related to the company's alleged theft of intellectual property from U.S. firms. 

Dave Bittner: [00:14:31]  And now a word from our sponsor ObserveIT, a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. 

Dave Bittner: [00:15:23]  And joining me once again is Mike Benjamin. He's the head of Black Lotus Labs at CenturyLink. Mike, it's always great to have you back. You and your team have been doing some research on Nanocore, and you've got some stuff you want to share with us today. What do you have for us? 

Mike Benjamin: [00:15:39]  Yeah, thanks, Dave. So Nanocore, as many people are aware, it's a somewhat commodity RAT and has many of the remote access Trojan features you'd expect - keyloggers, password stealers, file exfil - nothing really particularly unique in that space. Our feeling was recently that a lot of folks have dropped off their visibility into it because most desktop antivirus does a really good job of checking the binary install and stopping it. However, what we like to do is go hunt these things on a more internet-wide scale. And we found a pretty wide install base of people both trying to deliver and having it actively installed with callbacks across the internet. So what we went and did is ultimately try to validate where they're running, how they're running, and then look for the install base. Of course, you know, we'd like to notify people of their infections. But really, the message is that Nanocore as a RAT is not something that we should be ignoring. There's always a host and an infrastructure that does not have that adequate update, does not have that adequate catch. An employee has figured out how to bypass an antivirus, or somebody at home doesn't have it installed. And so things like Nanocore or other RATs really are still a threat for stealing information from people on a day-to-day basis.

Dave Bittner: [00:16:59]  And is there any particular sector that they're focused on? 

Mike Benjamin: [00:17:03]  So it was interesting. The install base that we saw was heavy across broadband providers. Funny enough, the two biggest broadband providers were in the U.S. and Russia, but also, you know, big populations of people in both those places. And so our belief was that they were targeting more people on the smaller end of the business spectrum - larger businesses doing a better job at protecting these things, as well as some home users looking to be more opportunistic around username and passwords to banking sites and other things. 

Dave Bittner: [00:17:33]  So what are your recommendations for folks to best protect themselves against Nanocore? 

Mike Benjamin: [00:17:38]  Realistically, best practice is make sure that you've got some sort of endpoint agent blocking things from running that shouldn't be running or even being on the file system that shouldn't be there. Nanocore, thankfully, is relatively easy to protect from that perspective. But also, don't click links. Don't download things. Nothing particularly sophisticated from a protection perspective. I will note one interesting thing that we found during the analysis, a really odd statistical concentration of command and control callback to Nigeria. And so ultimately, looking at the geography of where you've got traffic going can really yield some interesting things in just about any environment. 

Dave Bittner: [00:18:12]  Yeah, that is interesting. All right, well, Mike Benjamin, thanks for joining us. 

Elliott Peltzman: [00:18:22]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders that want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Look for us on your Alexa smart speaker, too. 

Elliott Peltzman: [00:18:43]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Elliott Peltzman: [00:18:57]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Elliott Peltzman, filling in for our regular host, Dave Bittner, who will be back tomorrow. As always, thanks for listening.