Coronavirus fraud booms; prosecutors are taking note. Stolen data on the dark net. Software updates affected by pandemic. A new Mirai variant is out. A DDoS that wasn’t.
Dave Bittner: [00:00:03] U.S. prosecutors begin to follow through on their announced determination to pay close attention to coronavirus fraud. Data stolen from Chinese social network Weibo is now for sale on the black market at a discount. The pandemic affects scheduled software updates and sunsets at Google and Microsoft. A new Mirai variant is out in the wild. And a DDoS attack in Australia turns out to be just a lot of Australians in need of government services.
Dave Bittner: [00:00:37] And now a word from our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms: Everything You Need to Know About Security Orchestration, Automation, and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. You can download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:08] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 23, 2020. U.S. federal prosecutors are taking the attorney general's advice on getting serious about investigating COVID-19 fraud seriously. The U.S. Department of Justice announced yesterday that it had undertaken its first enforcement action against online coronavirus scams. The department secured an injunction Saturday against a website, coronavirusmedicalkit.com, that was offering World Health Organization COVID-19 vaccine kits for just $4.85 shipping and handling. And that would be a bargain, except that there is no vaccine, still less a vaccine kit. And the World Health Organization isn't distributing anything of the kind.
Dave Bittner: [00:02:59] Connoisseurs of phishing expeditions will note that the website, which the Department of Justice is queuing up for a wire fraud indictment, asks people to enter their credit card information on the site. It's simple and easy, but it's also phishing, and you don't have to be Sir Izaak Walton to figure out what comes next.
Dave Bittner: [00:03:18] A federal criminal investigation into alleged wire fraud continues. The injunction is intended to prevent harm to potential victims. The announcement quoted the U.S. attorney for the Western District of Texas as noting the action's consistency with Attorney General Barr's memorandum urging that priority be given to prosecution of coronavirus-related online crime. There are also some cooperative state and federal law enforcement efforts in progress. StateScoop reports that the U.S. Justice Department and the commonwealth of Virginia have formed a task force to investigate coronavirus fraud. It's particularly important at times like this to verify that appeals from businesses, charities and government agencies are, in fact, legitimate, that the appeals are, in fact, coming from the real organizations and that those organizations aren't selling snake oil. There's always a bull market in snake oil at times like this. And phishing is going like gangbusters.
Dave Bittner: [00:04:16] And there's always a bull market in stolen PII. It's a criminal evergreen. Information from 538 million users of the Chinese social network Weibo is now for sale online. ZDNet, which has seen the black-market advertising for the data, says the information offered includes real names, site usernames, gender and location. About a third of the affected users' phone numbers are also for sale. Still, the data are less valuable than they might've been. Passwords aren't included, which accounts for the data's low, low price of roughly 250 bucks American.
Dave Bittner: [00:04:53] The coronavirus pandemic is having an impact on software updates. According to Forbes, Microsoft has decided to extend security support for Windows 10 by six months, out through October 13 of this year. Redmond's intention is to ease the burden on customers, who have other things to deal with these days beyond upgrading to a newer OS.
Dave Bittner: [00:05:14] Google's planned upgrades to Chrome are also being affected, in this case put on hiatus. Mountain View says its priority is to ensure Chrome continues to be stable, secure and work reliably for anyone who depends on it. If any fixes are necessary, Google says the ones affecting security will get first call on their resources. They're also making changes to their planned upgrades. Chrome 81, released last week, will remain in beta, BleepingComputer reports. Google will skip Chrome 82 altogether and move on to Chrome 83.
Dave Bittner: [00:05:49] By some accounts, nearly 40% of successful breaches occur at the application layer, but investments in securing that layer continue to lag. Andrew Peterson is founder and CEO at Signal Sciences, a company that's looking to close that gap. We caught up at the RSA Conference.
Andrew Peterson: [00:06:07] So what's interesting with the rise of this conversation around zero trust networks...
Dave Bittner: [00:06:11] Yeah.
Andrew Peterson: [00:06:11] So many people are focused on the authentication side of what that story is. And to us, zero trust at its core is whether or not it's an internal application or an external one from a web perspective, because a lot of people are still look like - when you're building internal applications within a company, a lot of times you're building it as a web-based application, right? So you're accessing that internal application with your web browser, OK?
Dave Bittner: [00:06:33] Right, right.
Andrew Peterson: [00:06:34] And historically, you've never used a WAF on that. That's always been behind a network. You've got a VPN. You're inside. But to us, it's like, look; if you have somebody that's an authenticated internal user sending, you know, even OWASP top 10 attack types - you know, SQL injection or cross-site scripting or whatever - on those internal apps, you got to be more worried about that than even your external apps 'cause those internal ones, especially if you get access to it, you're going to have, you know, user credentials and user control to be able to access all sorts of things...
Dave Bittner: [00:07:03] Right.
Andrew Peterson: [00:07:03] ...That in many ways are actually way more harmful or potentially more valuable to that attacker than something that they could access via a customer-facing website. That's a big area that, you know, we've been talking to a lot of the analyst community and a lot of our customers about. If something hasn't been in the budget for protection in the past, it's got to be something new that people are thinking about. So we're saying, like, look; whether or not it's an internal application or an internal one, that philosophy around, you know, zero trust - it's, use the same approach they're using on external things for internal applications.
Dave Bittner: [00:07:34] Right.
Andrew Peterson: [00:07:34] Like, it needs to apply in the sort of web protection space as well.
Dave Bittner: [00:07:38] How do you help your customers when they come to you and they say, listen; I've got - here's my budget, and I've got to figure out how I'm going to allocate, you know, what gets what percentage of what, you know? And how do I - help me understand how to throw the correct amounts of money at the different tools, one of which could be yours.
Andrew Peterson: [00:08:00] Sure.
Dave Bittner: [00:08:00] What's that conversation like?
Andrew Peterson: [00:08:02] It depends on the customer, first of all, right?
Dave Bittner: [00:08:03] Yeah, yeah.
Andrew Peterson: [00:08:04] And they tend to fall into two buckets - one where it's a company that's probably just starting to make investments in security tools.
Dave Bittner: [00:08:10] OK.
Andrew Peterson: [00:08:11] And then the other would be an enterprise that's been doing it for a long time. So the new customer group where they're trying to say, hey, look; I'm making a budget from scratch, or I know that I need to make more of an investment on the security side, that's great. Like, and we're seeing that more and more. There's more companies earlier on that are making earlier investments in security.
Dave Bittner: [00:08:27] OK.
Andrew Peterson: [00:08:28] And the question then with them is, well, what are the most important assets you have? And those companies - they tend to be cloud-native. Like, they tend to be - they fall into that bucket of modern software or modern technology companies, where the whole value of their technology is actually the software, right?
Dave Bittner: [00:08:42] Right, right. Looking at the big picture, as you look towards the future not just within your own products but within the whole vertical of cybersecurity itself, what sort of things are you looking toward? How do you see things playing out?
Andrew Peterson: [00:08:59] I've been lucky to have some conversations with a bunch of folks that are really forward-thinking - right? - in this area. And so we certainly have our own views, but I like to validate that with other people on the market.
Dave Bittner: [00:09:10] Right.
Andrew Peterson: [00:09:11] I think one of the consistent things that I've heard from CISOs about what they think that the - especially the defensive world needs to be able to move forward is kind of two different things. One is when one person gets attacked, we need to make sure that everybody else becomes more protected instead of more vulnerable, right? And so the message there is essentially, like, you know, look; if an attacker is able to find one CVE and they're able to exploit that, typically what happens is they use that same CVE on everybody else. And immediately, everybody else is less safe rather than more safe after that attack has occurred, right?
Dave Bittner: [00:09:45] Right.
Andrew Peterson: [00:09:46] Even after you do analysis on it and we can get reporting and we can name the CVE and we, you know, call it all that, that's something that, you know, attackers are always going to have the advantage on defenders until we can get into a situation where, hey, the moment that one person gets attacked and we can identify, you know, that attack pattern that we can actually make everyone safer at the same time.
Dave Bittner: [00:10:06] Yeah.
Andrew Peterson: [00:10:06] So - surprise, surprise - this is kind of a core value of what we do, at least at Signal Sciences. But I think it's - you're starting to see this at other types of security companies as well - is that they're leveraging this cloud back-end system where you can have a bunch of technology that's deployed within a bunch of different infrastructure. And once you identify an attack that's happening in one place, the whole network gets stronger and the whole network gets smarter. And that's immediately, right? That's not like a, hey, we're going to do an FS-ISAC and we're going to share information after the fact. We're going to do it actually in an automated fashion.
Dave Bittner: [00:10:38] And figure out a way where all these different systems can talk to each other and exchange that information...
Andrew Peterson: [00:10:44] I mean...
Dave Bittner: [00:10:44] ...A Rosetta stone for this sort of stuff, right (laughter)?
Andrew Peterson: [00:10:48] Well, it's not a silver bullet - right? - by any means.
Dave Bittner: [00:10:49] Yeah, yeah.
Andrew Peterson: [00:10:50] But I think it is the way that if we're seeing so much of what the attackers are doing as using automation as a means of being able to get the upper hand...
Dave Bittner: [00:10:58] Yeah.
Andrew Peterson: [00:10:58] ...We as defenders need to be able to use automation to be able to counter that, right?
Dave Bittner: [00:11:02] Yeah, yeah.
Andrew Peterson: [00:11:02] So it's essentially - to me, it's the only way that we can really sort of try to scale our defensive efforts is - yeah, is that concept - is, hey, if one person gets attacked, everybody else should become stronger rather than become weaker in the process.
Dave Bittner: [00:11:16] Right, right. That's Andrew Peterson from Signal Sciences.
Dave Bittner: [00:11:21] A new variant of the Mirai botnet has been exploiting Lilin DVRs and Zyxel network-attached storage devices. Both Lilin and Zyxel have issued fixes, but unpatched devices remain vulnerable. Palo Alto Networks researchers first described the Zyxel issue last Thursday. Researchers at Qihoo 360's Netlab found the similar Lilin vulnerabilities, which they disclosed Friday. Palo Alto calls the botnet Mukashi. ZDNet reports that the Lilin bugs may have been under exploitation since last August and have figured in distributed denial-of-service attacks.
Dave Bittner: [00:11:58] Australia's minister for government services said the country's myGov website had suffered a successful distributed denial-of-service attack but quickly recanted. It was just thousands of Australians seeking COVID-19 relief, news.com.au reported. A ZDNet op-ed complains that Canberra has again underestimated the requirements of offering government services online. In this case, last week, there were 95,000 people visiting myGov to seek information and services as the country prepares further measures to weather the coronavirus pandemic. The site, the minister for government services said, is only designed to handle 55,000. So it's not malicious outsiders but another case of meeting the enemy and finding he is us.
Dave Bittner: [00:12:45] The stress on myGov drove people, many of them people whose employment has ended or is at risk during the pandemic, to seek help in person at Centrelink offices. That didn't go well, either. Not only are the offices working with reduced staffing, but the waits would've been long in any case, with lines stretching around city blocks. It's difficult to know how well people were keeping their distance, but from the photos in the Sydney Morning Herald, it looks as if they're generally standing a lot closer than the recommended 2 meters. Stateside, people are saying stand 6 feet apart, but that's just because 6 feet is easier to visualize than 6.56168 feet and not because North American viruses give you a half-foot's worth of leeway.
Dave Bittner: [00:13:36] And now a word from our sponsor KnowBe4. Email is still the No. 1 attack vector the bad guys use, with a whopping 91% of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization with an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through "10 Incredible Ways You Can Be Hacked by Email and How to Stop the Bad Guys." And he also shares a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick. So check out the 10 incredible ways, where you'll learn how silent malware launch, remote password hash capture and rogue rules work, why rogue documents establishing fake relationships and compromising a user's ethics are often so effective, details behind clickjacking and web beacons and how to defend against all of these. Go to knowbe4.com/10ways and check out the webinar. That's knowbe4.com/10ways. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:14:50] And joining me once again is Mike Benjamin. He's the head of Black Lotus Labs at CenturyLink. Mike, it's always great to have you back. One of the things you and your team have been tracking is how some of the threat actors have been using third-party file hosting to do some of the things that they do. Can you give us some information here? What are we looking out for?
Dave Bittner: [00:15:38] Right.
Mike Benjamin: [00:15:38] My computer now trusts it. And when we're looking at links in our browsers, we're looking at files we download, we've learned over time that some of those big names in the industry are trustworthy. In fact, quite frankly, they have amazing security teams. They do a really good job at removing things. But all the better now for the actors to put files there for a very short time period, deliver it to a small number of people and abuse that trust.
Mike Benjamin: [00:16:04] And so the simple act of looking in a browser URL bar to see that, hey, that's a major brand I know, and that really is their domain is something that we've taught people. Now we've allowed actors to put their own malicious files on those very domains. And so it's not just an act to make sure the domain is trustworthy. But even just making sure that the person who sent it is really who it should be, making sure it's something you actually expected.
Dave Bittner: [00:16:29] Now, is time a factor here, where the bad guys are putting their files up knowing that they're going to be discovered and removed quickly, so they have a certain window of time to take advantage of?
Mike Benjamin: [00:16:40] Yeah. So for a long time, they were actually hosting the primary file of their malware on some of these providers. And over time, the providers have gotten very good at deleting them, allowing - or even blocking them on upload. And so that time-based aspect definitely is a component of it. So now we see the actors shifting to putting only their first-tier downloaders on those things. Now they're scripts they can obfuscate and modify more readily over time, making it much more difficult for the hoster to detect in real time that it's malicious. And so that lightweight maldoc, that lightweight PowerShell script - whatever that may be - that can now be permitted for download for a longer time period, allowing them a little bit more leeway in their campaign time.
Dave Bittner: [00:17:24] What sort of technology is available in terms of protecting users from themselves when it comes to this sort of thing? I mean, I can imagine, as you say, some users will see a trusted name, they'll click through. Is there a second line of defense that an organization could have in place?
Mike Benjamin: [00:17:42] Well, we go back to traditional security controls, content filters, sandboxes, endpoint agents, anything that's going to be able to detect and block either in real time or relatively quickly after download be able to remove the host from the environment or sandbox the file inside the file system. All of those things can be effective, as they have for a number of years.
Mike Benjamin: [00:18:04] But realistically, what we're trying to convey is make sure that people know what that threat is. Be aware of it. Be cognizant of yet another thing they should be thinking about and realize that just because the domain name may be trusted, the entirety of the URL may not be something you expect to go to. I know I use some of those services for my personal email and other things. That doesn't mean that everything at those domains should be something I should be clicking on or interacting with.
Mike Benjamin: [00:18:29] And even on top of that, we do see the actors making use of some of the mass mailing software out there that's very popular with the most reputable brands for their customer contact, their email marketing campaigns. What better way to bypass mailing software that's looking for things to block than using a very trusted service? So just keeping in mind that this is an avenue actors are using and then going back to making sure the efficacy of those normal controls that we've all been focused on for a number of years are there and effective and installed and monitored.
Dave Bittner: [00:19:00] All right. Well, Mike Benjamin, thanks so much for joining us.
Dave Bittner: [00:19:08] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders looking to stay abreast of this rapidly evolving field, sign up for the CyberWire Pro. It will save you time and keep you informed. And you can listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:19:27] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:39] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:20:06] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.