The CyberWire Daily Podcast 3.26.20
Ep 1053 | 3.26.20
Advice on secure telework. Magecart infestations. DNS hijacking with a COVID-19 twist and an info-stealer hook. Patch notes. The US 5G security strategy.
Transcript

Dave Bittner: [00:00:03] NIST offers advice on telework, as does Microsoft; things to do for your professional growth while you're in your bunker; Magecart hits Tupperware, and they won't be the last as e-commerce targeting spikes. DNS hijacking contributes to an info-stealing campaign. Apple and Adobe both patch. The U.S. publishes its 5G security strategy - and some thoughts on the value of work. 

Dave Bittner: [00:00:34]  And now a word from our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms: Everything You Need to Know About Security Orchestration, Automation, and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. You can download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.

Dave Bittner: [00:02:05]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 26, 2020. Remote work, for those of us who are happily able to phone it in on the job, is very much the thing under the current state of pandemic emergency. NIST has used its March ITL Bulletin to offer some timely advice about secure teleworking. The advice is pitched to enterprise IT organizations, not individual users, but enterprises of many sizes will find it useful. 

Dave Bittner: [00:02:38]  If you are not a big organization, you might take a look at Microsoft's Roger Halbheer, who blogs a useful compendium of advice for smaller organizations and individuals. One of the resources he links to is a Microsoft page designed for the end user, the employee who's working from the home bunker. The advice is organized under three headings. 

Dave Bittner: [00:02:58]  Pick a Good Workspace - that is, find somewhere comfortable and private and a place that doesn't lend itself to shoulder surfing by - we add the example - your neighborhood busybody or voyeur with binoculars and time on their hands. So don't sit with your back to a window, for example. For conference calls or video meetings, be similarly aware of eavesdroppers or ecouteurs, if we may coin a word for the audio counterparts of voyeurs. Keep your family or other housemates away from your work devices. Maybe they're well-intentioned, sure, but lead them not into temptation of viewing PewDiePie or the site that blows the lid off of the WHO cover-up. Use only encrypted Wi-Fi for business. 

Dave Bittner: [00:03:40]  The second heading is, Keep Your Data Secure. Use strong authentication to control access to your work device, and access the cloud by multi-factor authentication. Maybe consider reviewing your passwords to make them a bit stronger. Encrypt your local drives. Ensure your device's software is up-to-date and properly patched. This especially goes for the browser you use. Store files in a secure cloud location. And wherever possible, use the web version of your productivity software. 

Dave Bittner: [00:04:07]  The final heading is, Keep in Touch. Stay connected to your organization's IT and security teams and don't give in to the temptation to install and use shadow IT. 

Dave Bittner: [00:04:19]  If you are a security professional with some enforced time at home on your hands, here's something to consider - the SANS Institute has a large number of online no-travel courses available for professional development and certification. They're not alone either, although they certainly are well-known. A number of companies and institutions are offering online training in cybersecurity. 

Dave Bittner: [00:04:41]  Tupperware is the latest high-profile victim of the Magecart online card skimmer. Malwarebytes found the malicious activity last Friday and notified the company. As Computing censoriously observes, Tupperware didn't do much about the issue until Malwarebytes took their discovery public yesterday, but the houseware company now appears to have cleaned its site of the skimmer. Tupperware isn't the first and won't be the last victim of Magecart. Criminals can be expected to target e-commerce sites at an increased rate, a rate that's commensurate with the number of consumers driven from the malls to online shopping as they shop from home. You didn't think everything going on from home was work from home, did you?

Dave Bittner: [00:05:23]  Bitdefender yesterday reported discovering an attack campaign that's changing DNS settings on home routers to redirect traffic to a site that purports to be an alert from the World Health Organization. The bogus WHO note urges those redirected there to download an app that will give them the latest information and instructions about coronavirus. Doing so, in fact, installs the Oski infostealer. The attack begins by brute-forcing vulnerable routers, mostly Linksys and D-Link devices, to get management credentials. The next step is altering the routers' DNS IP address and redirecting a specific set of pages or domains to the phony WHO site. The malware is stored in Bitbucket, and TinyURL is used to conceal the Bitbucket link. And the final stage is delivery of the malicious payload. ZDNet lists some specific IP addresses to be on alert for. 

Dave Bittner: [00:06:20]  In these times of increased uncertainty, it's important to check in on your third-party suppliers to see how they're doing and what plans they put in place to weather the storm. Michelle Koblas is director of customer trust at AppDynamics, a Cisco subsidiary. 

Michelle Koblas: [00:06:36]  I think that companies are doing a better approach to third-party risk management now than they used to. Organizations have gotten smarter about how they're doing management of their third parties. It used to be that when we first started this exercise, people would kind of just check the boxes on - oh, vendor has X, Y, Z. And now I find that companies are diving in a little bit more and going, what do I really need to know about my vendors? What of my risk am I handing to them, and what do I need to pay attention to what they're doing with my information? 

Dave Bittner: [00:07:11]  And what's happening from the vendor side? Are they prepping themselves so that it's easier for them to demonstrate compliance, to prove that they're doing what needs to be done? 

Michelle Koblas: [00:07:23]  I think that vendors are doing a good job. I think that, between the two, there's a lot of give-and-take still that goes on. It's a really hard exercise for a company to manage their vendors and, as a vendor, to be managed. And companies have a lot of diverse vendors, so they've got a whole bunch of vendors out there that they need to manage, and they rely on questionnaires, somebody who is in their environment looking at what's going on. 

Michelle Koblas: [00:07:54]  The vendors, on the other side, are being slammed with hundreds of different kinds of questionnaires and information. And they're making a lot of information available and trying to put it all together. But it's a challenge on both sides, I think. I think that we need to work towards a better exchange of information and a more consistent methodology so that it's easier for all of us to work this out. 

Dave Bittner: [00:08:23]  In the real world, people still have to get business done. And so it seems to me, like, because of that, there has to be a little bit of messiness with this. There has to be some give-and-take. How much of a reality is that? 

Michelle Koblas: [00:08:39]  That's the reality all the time, right? Using any third-party is about risk, and it's about risk management. And every organization has to factor in what their risk tolerance is. So you know, it's a trust relationship between an organization and their vendors, right? You have to, first and foremost, make a decision - do I trust somebody with the data that I need to give them, with the access that I need to provide them? What happens if it all goes wrong in some way? And so the whole exercise is about understanding how much you can and then how much you can trust - right? And that's about, you know, picking quality vendors, understanding who you're using, understanding that they also have risk in the game. 

Michelle Koblas: [00:09:30]  And you know, vendors, for their part, have to think about that, too because if, you know, as a vendor, you have to be, like, 10 times more worried about the data that you're getting than your customers - or hundreds of times more worried about the data that you're getting than your customers are because they've got their data; they're worrying about their data. You're worrying about everybody's data, right? It really behooves vendors to remember that that burden is on their shoulders. 

Dave Bittner: [00:09:59]  That's Michelle Koblas from AppDynamics. 

Dave Bittner: [00:10:03]  Adobe has patched a vulnerability in its Creative Cloud desktop application for Windows. Exploitation of the flaw, rated critical, could result in file deletion. And Apple has issued what Naked Security calls a something-for-everyone update that fixes issues in iOS, iPadOS, macOS, watchOS and tvOS. 

Dave Bittner: [00:10:24]  The White House, yesterday, released the U.S. national strategy to secure 5G. Apparently, the strategy was ready to go Monday, when the Secure 5G and Beyond Act, which included provisions requiring the president to develop such a strategy, was signed into law. The strategy defines four lines of effort - first, facilitate domestic 5G rollout; second, assess risks to and identify core security principles of 5G infrastructure; third, address risks to the United States economic and national security during development and deployment of 5G infrastructure worldwide; and fourth, promote responsible global development and deployment of 5G. 

Dave Bittner: [00:11:07]  And finally, we've had a lot to say today and over the past two weeks about remote work. Those of us who can do our jobs remotely are the lucky ones, and we should spare a thought for those who aren't able to work at all. These are hard times for the people whose jobs are being called nonessential. And remember that the nonessential makes up the greater part of what we might otherwise call civilization. Nonessential shouldn't and doesn't mean trivial, inconsequential or unimportant. There is dignity in all honest work.

Dave Bittner: [00:11:39]  And spare a thought for those essential workers whose jobs can't be phoned in. We always think - and rightly - about police, firefighters and first responders, of the people providing health care and of soldiers, sailors, airmen and Marines. We think less often about those who keep utilities up and running and of sanitation workers and their jobs. And here's another category of usually overlooked heroes - the people whose essential work is supplying and operating grocery stores. Let's not forget the work they're doing either, from the farm to the checkout line. Thanks to all of you. 

Dave Bittner: [00:12:19]  And now a word from our sponsor KnowBe4. Email is still the No. 1 attack vector the bad guys use, with a whopping 91% of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization with an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through 10 incredible ways you can be hacked by email and how to stop the bad guys. And he also shares a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick. So check out the 10 Incredible Ways, where you'll learn how silent malware launch, remote password hash capture and rogue rules work; why rogue documents establishing fake relationships and compromising a user's ethics are often so effective; details behind clickjacking and web beacons and how to defend against all of these. Go to knowbe4.com/10ways and check out the webinar. That's knowbe4.com/10ways. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:13:34]  And I'm pleased to be joined once again by Tom Etheridge. He's the VP of services at CrowdStrike. Tom, it's always great to have you back. You and your team at CrowdStrike recently published a report. It's titled the 2020 CrowdStrike Services Cyber Front Lines Report. Take us through - first of all, let's start off - what prompted the creation of this report?

Tom Etheridge: [00:13:56]  Thanks, Dave. We produce this report annually. It's a summation of some of the key findings and trends that we've seen throughout the course of the prior year. In this year's report, we made an attempt at bringing in not just some of the themes and findings, but we also tried to piggyback that with a number of prescriptive recommendations and things that we would recommend to clients in order to improve their overall security posture and be able to better detect and prevent these types of things from happening. 

Dave Bittner: [00:14:32]  Well, let's go through it together. Can you share some of the highlights from the report? 

Tom Etheridge: [00:14:36]  Absolutely. First big theme was that about 36% of the incidents that we investigated last year, we categorized into a business disruption category. Most of those cases were ransomware, although we did see some destructive malware, malware propagation and denial of service attacks that really impacted organizations in their ability to service clients. 

Tom Etheridge: [00:15:02]  The second piece from the report was around the ability for organizations to self-detect. We saw that almost 80 - actually 79% of organizations in their IR teams that we've engaged with were able to detect and respond to a breach without being notified by external parties, say, a law enforcement or the attacker themselves. That was a good metric. However, the bad metric that we reported on is that the dwell time for attackers in organizations increased from about 85 days to 95 days, and that's due in part by the advanced tactics and techniques that many of these adversaries are employing and the countermeasures that they deploy in order to remain hidden for extended periods of time in organizations' environments.

Dave Bittner: [00:15:53]  But was there anything coming out of the report that was unexpected, anything that surprised you? 

Tom Etheridge: [00:15:58]  One of the things that I'm certainly passionate about and something that we reported on in the report this year was the increase in third-party service providers, managed service providers, being a target for many of the e-crime adversaries that operate in the ransomware space. And the advantage that the attackers were following this past year was to really, rather than focusing on targeting a specific single organization, they would focus in on a larger service provider or maybe managed service provider that service multiple customers in a particular industry or vertical. And that actually provides the threat actor with more of an attack surface in which to operate.

Dave Bittner: [00:16:47]  It seems to me that this report is showing that there's an increase in maturity here, that folks' ability to defend against these things is growing more sophisticated; we're getting better. 

Tom Etheridge: [00:17:03]  Dave, one of the things we reported on this year is, again, self-detection - organizations being able to self-detect. Almost 80% of the organizations that we were engaged with were able to understand quickly that they were having a problem. Some of that could be due in large part to the fact that when you have a ransomware screen splashed up in front of your computer, you pretty much know that there is a problem. So self-detection is certainly a metric that we want to go up. But more importantly, we want organizations to be able to understand faster that there is a problem during the staging of certain malware and ransomware in an organization's environment before the ransomware is launched and they get that screen splashed up on their system. 

Dave Bittner: [00:17:53]  All right. Well, Tom Etheridge, thanks for joining us. 

Dave Bittner: [00:18:01]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:18:19]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:18:30]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. Do stay safe. We'll see you back here tomorrow.