COVID-19 as both incentive for remote work and phishbait. Offshored trolling. A list of “digital predators.” US Senate doesn’t extend domestic surveillance authority.
Dave Bittner: [00:00:04] COVID-19 significantly increased remote working, and the pandemic is now a favorite lure in the fishing tackle of both intelligence services and criminal gangs. Russian trolling has been offshored, setting up shop in Ghana and Nigeria for running influence operations against the U.S. Microsoft issues an out-of-band patch. Reporters Without Borders publishes its list of digital predators. And the Senate doesn't renew U.S. domestic surveillance authorities.
Dave Bittner: [00:01:27] Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your team's. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:01:50] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 13, 2020.
Dave Bittner: [00:01:59] The COVID-19 pandemic is generating two immediate security effects. First, it's dramatically increased the incidence of telework. And this, as The Washington Post and others point out, brings with it an expanded opportunity for cyberattack and a relatively unfamiliar set of security challenges.
Dave Bittner: [00:02:17] Some service providers who provide the infrastructure necessary for remote work, Verizon among them, are reassuring their customers that they're prepared to help them accommodate the surge in demand that's accompanied the pandemic. Other outfits are offering free remote access and security services to organizations whose IT and security resources are being stressed by coronavirus remote work pressure.
Dave Bittner: [00:02:40] Second, both criminals and nation-state intelligence services are exploiting public concern about the pandemic to send phishing emails. ZDNet offers a summary of Russian, Chinese and North Korean organizations using coronavirus-themed vectors to install malware in their targets.
Dave Bittner: [00:02:58] Fortinet, Sophos, Proofpoint, KnowBe4, and Recorded Future are among the security firms who've been tracking criminal activity related to the coronavirus. Recorded Future reports that many criminal attacks arrive as convincing spoofs of trusted sources like the World Health Organization and the U.S. Centers for Disease Control. The researchers have also seen a surge in the registration of domain names that suggest a connection to the disease. And these, of course, lend themselves to use in phishing and waterholing campaigns.
Dave Bittner: [00:03:30] Bloomberg Quint offers some examples of the phishbait. Here's one sample, which researchers at BAE provided - "please kindly download the updated attachment for your knowledge. Please go through the cases to avoid potential hazards." Those of you who are accomplished textual critics of spam will recognize that the sample bears the familiar textual stigmata of the genre. The repetition of an ingratiating please, the appearance of the adjective kindly, the high-minded admonition for your knowledge, the urgency hinted at by the adjective updated, and, of course, the eccentric capitalization of potential and potential hazard. You can't hear the capital P, of course, but I can see it. And take it straight from me, it is there in all its typographic glory.
Dave Bittner: [00:04:15] And ransomware gangs are hitting public health agencies at a time when the availability of their services and information are in high demand. Mother Jones describes one such attack in Illinois. The Champaign-Urbana Public Health District, which serves more than 200,000 people in the central part of the state, was hit Thursday morning with NetWalker ransomware, which the News-Gazette says is a relatively little-known strain. The site is expected to be down for at least two weeks, and this is obviously an inconvenient time for it to be out of service.
Dave Bittner: [00:04:47] The criminal activity is by no means confined to American targets or the English language. It's showing the usual global opportunism and has been found in many countries around the world.
Dave Bittner: [00:04:59] It would be nice if we could always rely on clumsy prose to betray phishing, but unfortunately, even criminals can become better writers, perhaps by investing in some online tools like Grammarly. And government trolls are even better than hoods at slinging the lingo. The St. Petersburg troll farms, for example, have long shown a slick facility with American English that does their language teachers credit.
Dave Bittner: [00:05:23] They've also apparently expanded overseas. Russian trolling has been offshored, in part, at least, to operators in Ghana and Nigeria, CNN reports. Researchers at Clemson University informed CNN's investigation. They say it's election season influence, and it's very much in the Russian style - disruptive and racially themed. And CNN says some of the operators, many of them Ghanaian or Nigerian, tell them that, sure, they're working for Russia. A number of the trolls are organized by a front organization, Eliminating Barriers for the Liberation of Africa, or EBLA for short.
Dave Bittner: [00:06:00] Russian oligarch Yevgeny Prigozhin - sometimes referred to as Putin's chef and regarded as the organizing spirit behind St. Petersburg's Internet Research Agency - is believed to be behind EBLA, too. But he didn't respond to CNN's request for comment. This week, according to The Hill, several members of the U.S. Congress called on the European Union to sanction Mr. Prigozhin for his activities.
Dave Bittner: [00:06:26] Microsoft yesterday issued an out-of-band patch for a vulnerability hinted at but not addressed on Patch Tuesday. It fixes a server remote code execution issue in the way Microsoft Server Message Block 3.1.1 protocol handles certain requests.
Dave Bittner: [00:06:43] Reporters Without Borders has published its selection of bad cyber actors. Digital predators, it calls them. These range from companies to gangs to government agencies to intelligence services to semiofficial political units. Infosecurity Magazine notes the announcement was made in conjunction with yesterday's World Day Against Cyber Censorship. Reporters Without Borders divides the bad action into four categories - harassment, state censorship, disinformation and spying or surveillance. Some of the actors are state intelligence services and their contractors. These are Russian, Iranian, Algerian, Venezuelan, Saudi, Egyptian and Chinese agencies. Others are political groups often affiliated with current incumbents, and some represent organized criminal groups, like the Mexican drug cartels. The companies mentioned in dispatches tend to be either lawful intercept vendors or exploit brokers whose wares, Reporters Without Borders says, have found their way into the hands of repressive regimes. The offenses alleged against them fall into the fourth category, spying or surveillance.
Dave Bittner: [00:07:50] The U.S. Senate did not pass the revisions to domestic surveillance authorities and the Foreign Intelligence Surveillance Act the House sent it earlier this week. The measure did have bipartisan support in both houses, but it faced significant opposition as well. The opponents, in general, thought the measure did not go far enough in reforming FISA and domestic surveillance. The domestic surveillance program - effectively dormant since NSA shelved its implementation early last year and generally regarded by observers as having seen relatively indifferent success - will thus sunset over the weekend. Congress will have an opportunity to revisit the issues when it returns from its recess.
Dave Bittner: [00:09:47] My guest today is Josiah Dykstra. He's a technical fellow in cybersecurity at the National Security Agency. His work at NSA has included penetration testing, malware analysis as well as network operations and digital forensics for cloud computing environments. He's a popular speaker at events like RSA and Black Hat, and author of the book "Essential Cybersecurity Science." Josiah Dykstra joined us in our studios.
Josiah Dykstra: [00:10:14] In October, NSA launched this new organization called the Cybersecurity Directorate. And the goal of this organization is to prevent and eradicate cyber threats to national security systems, including the Department of Defense networks and the defense industrial base, who supports everything that we do in national security. One of the goals for this organization is to collaborate with industry and to put out public guidance outside of our secure facilities that can help both DOD and the general public be more secure online.
Josiah Dykstra: [00:10:44] Cloud computing is something that, as you might expect, is a big part of the Department of Defense. NSA uses a lot of cloud computing. And as people consider and adopt more of these cloud services, we wanted to make sure they were doing so considering the appropriate risks. And so we undertook this document that we put out about a month ago to help people understand that, yes, cloud is a very powerful useful capability, and we encourage people to use it. And at the same time, we want to make sure they consider the risks and mitigate those appropriately when they go to implement.
Dave Bittner: [00:11:18] Well, let's walk through some of the things that the document covers here. Take us through - what are you trying to get across to people?
Josiah Dykstra: [00:11:25] So there's four main areas of vulnerabilities that we want people to consider as they go - as they move to the cloud. And these are vendor-agnostic. It doesn't matter which cloud service you're using. And they're not in response to any particular threat, but it was threat-informed. So all the things that we see in our world helped us put together this document. I'll also say that we collaborated with industry in making sure that we were talking about the right things in the appropriate ways to help people be the most effective that they could be.
Josiah Dykstra: [00:11:55] So the four areas that we highlight that we want people to consider are misconfigurations in their cloud services, the implementation of good access controls, the situation of shared tenancy in cloud services and supply chain vulnerabilities. Now, the first two are definitely the most common. Misconfigurations and access controls get a lot of people into trouble. And it has led to lots of data breaches.
Dave Bittner: [00:12:16] And we hear lots of stories of open S3 buckets, misconfiguration errors.
Josiah Dykstra: [00:12:23] Yes, they show up in the press all the time. It's very unfortunate because it's an easy - comparatively easy thing to fix. So those are - that we wanted to highlight first and foremost. The other thing that I'll say is I think that's not only a technical problem but a human problem. As many things are in technology, having the appropriate training for your technical people is a very important way to mitigate those misconfigurations.
Dave Bittner: [00:12:49] One of the things you touched on here is that notion of defense in depth, of having, you know, multiple layers to protect against these sorts of things.
Josiah Dykstra: [00:12:58] Defense in depth is a long-time concept in the Department of Defense. We've talked about this for decades. Cloud computing is just a new technology that applies the same or needs the same concepts. And so whether it's different layers of technological control or different sort of tradeoffs between the cloud provider and the cloud consumer, all of those same principles apply in cloud computing.
Dave Bittner: [00:13:22] So of the things that you listed at the outset here, I think the one that I probably feel like I know the least amount about is the shared tenancy vulnerabilities. Can you describe to us what's going on with that one?
Josiah Dykstra: [00:13:35] Yes, I will start by saying that this is a very sophisticated kind of attack and not as prevalent as things like misconfigurations. That being said, it is a very real vulnerability that people adopting cloud need to think about. What shared tenancy means is, in many cloud services, the data that you have and the processes that you run sometimes execute on the same physical machine or on the same infrastructure of the cloud provider. And that is a risk area because other people on those shared resources have at least the potential of accessing your data in a malicious kind of way. Generally, the way clouds are implemented, this is very secure. The cloud vendors are very motivated to try and make sure that tenants can't interact with each other. But the risk is a possibility. And so we want to make sure people understand that.
Dave Bittner: [00:14:28] What are the take-homes here? In terms of the message that NSA wants to get out to people for best practices for securing their cloud infrastructures, what are the messages that you really think are important here?
Josiah Dykstra: [00:14:41] So, first, I think cloud is a very useful and powerful capability. There is no reason that we think you should avoid it, but we just want to make sure that it is risk-informed decision-making. Whether you're at the top making sort of corporate strategic choices or at the bottom doing technical implementation, we want to make sure you don't forget about some of the very prevalent and common mistakes that can be made and the vulnerabilities that can arise that are different in cloud than if you just have servers in your basement. And so as you go about thinking about, should I pick a Vendor A or B, should we put this sensitive data in the cloud or not, how should we do encryption, these are the things we want to make sure every consumer is thinking about in their adoption.
Dave Bittner: [00:15:23] You know, it's interesting to me as NSA has started this initiative with more communications with the public, with being - more outreach with documents and publications like this. I think a document like this coming from the agency has a certain amount of gravitas, if you will, demands a certain amount of attention that, perhaps, coming from other organizations it might not have.
Josiah Dykstra: [00:15:50] There are definitely many people doing cloud security guidance - vendors, other parts of the government. We did think it was important for us to lend our weight behind this because it is a very important problem. And it's the first of many. In fact, NSA has been doing collaborations a little bit more behind-the-scenes for quite a while. The fact that we've now begun to do them very publicly is an acknowledgement that the threats are worse, that other people have important insights that we need to collaborate with them on. And so this is the first I hope of very many that NSA will release. And I would say watch our website and our social media for the next upcoming ones.
Dave Bittner: [00:16:26] Our thanks to Josiah Dykstra from the National Security Agency for joining us.
Dave Bittner: [00:17:58] And joining me once again is Tom Etheridge. He's the VP of services at CrowdStrike. Tom, it's always great to have you back. I wanted to get some insights from you with the things that you and your team at CrowdStrike are seeing when it comes to ransomware and how that is impacting your clients around the world.
Tom Etheridge: [00:18:18] Excellent. Thank you, Dave. Great to be back. The number of ransomware cases that we saw last year increased substantially. About 36% of our overall responses last year were what we call business disruption-type events. Certainly, looking at metrics for this type of event, most people focus on the actual ransomware payment and the costs that that has on the organization. And one of the things I think is important to talk about is the unknown costs or looking at the cost of ransomware in aggregate across the market. That's something that's really important to be discussing.
Dave Bittner: [00:19:00] Well, let's dig into that. How do you measure those things?
Tom Etheridge: [00:19:04] One thing that we will try to look at is - what are the costs to businesses from downtime? What are the costs in terms of communities and municipal government organizations and school districts that are unable to function for a period of time? What is the downstream impact from being out of business for a period of time create for the community, for citizens of a particular community or students at a particular school district? And those are really hard costs to aggregate and think about. But, overall, these things need to be factored in to ransomware, in particular. And when you do that, you start to increasingly think that this is more of a national security issue than something localized to a particular school district or small business.
Dave Bittner: [00:19:55] It's an interesting insight. I mean, it makes me wonder if you can do that calculation, you know, let's say, even though we're doing regular backups. And so we know that we're covered in terms of that. But at some point, somebody has to do the math to figure out - how long is that restoration going to take us?
Tom Etheridge: [00:20:13] Absolutely, you know. Some companies we know for sure have gone out of business due to impact from a ransomware event. There's certainly public reporting around probably the largest and more well-known ransomware outbreak with the city of Baltimore. And the fact that, in that particular ransomware case, certain real estate deals were put on hold because the city could not process title transfers or didn't have the insight to know whether or not liens on properties had been paid off. Those types of impacts really are, although they're difficult to manage, certainly something that organizations should take into account when they're looking at the overall impact of ransomware.
Tom Etheridge: [00:20:58] And the one thing that's intriguing as well is - what is this going to do to the municipal bond market? Still to be determined. But, you know, as trust might be eroding in many state and local organizations, where they just are unable to prevent these types of attacks, there may be some downstream impacts over time to the municipal bond market and the confidence that the stakeholders have in that space.
Dave Bittner: [00:21:25] You mentioned the possibility that this could be considered a national security issue. In your mind, how would a national response play out? What would it look like?
Tom Etheridge: [00:21:36] One I think, again, getting better reporting on the effects of ransomware in the aggregate, not just looking at it from a ransomware payment perspective but maybe thinking about some of these downstream impacts or, you know, tangential impacts of cost by organizations being hit by ransomware. Whether organizations going out of business, records being lost, services unable to be provided or delivered, looking at what kind of public policy that can be discussed or implemented to draw attention to the issue and then, again, providing better tools and expertise at the state and municipal level so that many of these organizations that do not have the funding in place or lack the critical expertise and resources to respond to these events have backups offsite that can be leveraged to have the kind of technology input to work on better networking infrastructure, better tooling to be able to detect and prevent these types of attacks from happening. Those are the things that organizations need to be paying attention to.
Dave Bittner: [00:22:49] All right. Well, Tom Etheridge, thanks for joining us.
Dave Bittner: [00:22:56] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:23:14] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:23:26] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team - currently working from home - is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.