The CyberWire Daily Podcast 3.27.20
Ep 1054 | 3.27.20

Some notes on cyber gangland. South Korean APT using zero days against North Koreans? USB attacks. Telework challenges. CMMC remains on schedule.

Transcript

Dave Bittner: [00:00:03]  Ransomware gangs don't seem to be trimming their activities for the greater good. TA505 and Silence identified as the groups behind recent attacks on European companies. An APT possibly connected to South Korea is linked to attacks on North Korean professionals. A criminal campaign of USB attacks is reported. Problems with VPNs and teleconferencing. And the Pentagon's CMMC will move forward on schedule. 

Dave Bittner: [00:00:36]  And now a word from our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms: Everything You Need to Know About Security, Orchestration, Automation and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. You can download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:02:07]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 27, 2020. 

Dave Bittner: [00:02:16]  So were you counting on the ransomware gangs to keep their promise to leave hospitals alone during the pandemic? Dark Reading says you should prepare to be disappointed. But, really, that shouldn't surprise anyone. Ransomware has continued against the usual range of targets. Digital Shadows and others who've kept an eye on some of the sketchier online meeting places for hoods do note some vague, feebly well-intentioned ruminations about taking care not to harm the vulnerable, but a post on Torum shows a representative slip of the mask. This particular skid wrote, how can we, on and offline, take advantage of the coronavirus and make some real money? That is, how could we do this awful thing to people who are stressed and afraid? Oh, right. It's because they want the money. It's the sort of thinking done by those who reckon the value of others' suffering at zero. Not a good time to relax your guard. And to law enforcement everywhere, good hunting. 

Dave Bittner: [00:03:17]  Speaking of cybercrime, Group-IB researchers have attributed recent attacks against European manufacturing and pharmaceutical companies to the Russian-speaking cyber gangs Silence and TA505. The attacks exploited privilege escalation vulnerabilities in Windows 10. There's an apparent connection between the two gangs' attacks, but it's unclear whether that connection amounts to actual cooperation or simply the use of malware from a common supplier. 

Dave Bittner: [00:03:46]  Google's Threat Analysis Group has concluded that an unknown but sophisticated APT from South Korea exploited five zero-days last year in a campaign against selected North Korean targets. The zero-days were in Internet Explorer, Google Chrome and Windows Kernel, and the targets are described as North Korean professionals. 

Dave Bittner: [00:04:07]  Researchers at Kaspersky told WIRED that they see a possible connection to DarkHotel, a threat group that's been linked to various East Asian governments but that's now come to be thought of as possibly associated with Seoul. When Kaspersky began tracking DarkHotel some six years ago, the researchers characterized the typical targets as being corporate executives - CEOs, senior vice presidents, sales and marketing directors and top R&D staff. 

Dave Bittner: [00:04:36]  According to Kaspersky, the recent activity against North Korea, whether it's DarkHotel or not, shows a lot of polish. It's unusual to see that many zero-days used in a coordinated campaign. It's also noteworthy that in the recent late-2019 campaign, the attackers began by prospecting their targets with a series of benign emails, the better to overcome suspicion and set them up for the eventual hit. 

Dave Bittner: [00:05:02]  Trustwave reports an unusual USB attack. The victims receive a letter purporting to be from Best Buy thanking them for being a long-time customer and offering them as a reward a $50 gift card. It can be spent on any of the items listed in the conveniently enclosed USB thumb drive. In fact, the drive contains a keyboard emulator ready to install a reconnaissance payload that collects information about the infected device and reports it back to a command and control server. So in general, don't put that thing in your USB port. You don't know where it's been. 

Dave Bittner: [00:05:38]  BleepingComputer reports that an unpatched iOS vulnerability can prevent some virtual private networks from encrypting all traffic, possibly exposing users' data or IP address. The issue is troubling given the rise of VPN as people increasingly work remotely. 

Dave Bittner: [00:05:56]  According to The Telegraph, teleconferencing service Zoom may be open to certain forms of eavesdropping. British security services are recommending that people who need to discuss sensitive matters use tools with more advanced security. 

Dave Bittner: [00:06:10]  And Vice reports that Zoom's iOS app shares analytical data with Facebook, whether or not the user has a Facebook account. Privacy Matters says there's nothing in Zoom's privacy policies to indicate that this is happening. Vice summarizes the data collection as follows - quote, "the Zoom app notifies Facebook when the user opens the app, details on the user's device, such as the model, the time zone and city they are connecting from, which phone carrier they are using and a unique advertiser identifier created by the user's device, which companies can use to target a user with advertisements," end quote. It goes on to add that this is similar to data the Ring smart doorbell was determined to be sending Facebook's way. 

Dave Bittner: [00:06:53]  Yesterday, the U.S. Department of Defense firmly quashed rumors that it was going to delay implementation of the Cybersecurity Maturity Model Certification, familiarly known as the CMMC, Nextgov reports. The department has executed its memorandum of understanding with the independent not-for-profit group that will serve as the accreditation body, and businesses should expect the program to proceed as planned. The accreditation will apply to new contracts, and it won't be retroactively imposed on existing agreements. The CMMC is similar to standards contractors have used for self-assessment. The use of an independent accreditation organization, however, is new. Self-attestation is going the way of the dinosaur, apparently. 

Dave Bittner: [00:07:38]  As governments continue to improvise technical aids to assist them in tracking and controlling the COVID-19 pandemic, The Wall Street Journal notes that leaders aren't exempt. British Prime Minister Boris Johnson has come down with coronavirus and is self-isolating. He says he's got mild symptoms and will continue to work from home at No. 11 Downing Street. 

Dave Bittner: [00:08:01]  We're working from our homes, too, and the CyberWire will keep publishing on schedule during the coronavirus emergency. Stay healthy and, as always, stay in touch - virtually, not physically in touch. Physically, stay 6 feet or 2 meters apart. Notice that if you use the English system, you're allowed at least 17 centimeters more intimacy than if you were on the metric system. See, there are advantages to staying old school and not chasing the newest Johnny-come-lately innovation from Paris. 

Dave Bittner: [00:08:37]  And now a word from our sponsor, KnowBe4. Email is still the No. 1 attack vector the bad guys use with a whopping 91% of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization with an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through 10 incredible ways you can be hacked by email and how to stop the bad guys. And he also shares a hacking demo by KnowBe4's chief hacking officer, Kevin Mitnick. So check out the "10 Incredible Ways" where you'll learn how silent malware launch, remote password hash capture and rogue rules work, why rogue documents, establishing fake relationships and compromising a user's ethics are often so effective, details behind clickjacking and web beacons and how to defend against all of these. Go to knowbe4.com/10ways and check out the webinar. That's knowbe4.com/10ways. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:09:52]  My guest today is James Dawson. He's adviser to the head of IT Business Risk and Controls in the Office of the CISO at Danske Bank. The global banking industry is generally acknowledged as being on the leading edge of security practices, and, of course, the fact that they are highly regulated has a lot to do with that, along with the reality that they have a big target on their backs being where the money is. Here's my conversation with James Dawson. 

James Dawson: [00:10:18]  The biggest change that I've noticed recently is that it's almost like leadership, people, the world in general, everyone from the worker bee at the McDonald's to the head of, you know, a global organization, they're more in tune to IT, cyber and technology than they ever were before. So I find that, for me, it's almost a little easier. I spend a little less time going in and explaining the basics. And I can get right down to the nitty-gritty of what's happening. 

Dave Bittner: [00:10:48]  To me, it kind of points to this idea that there's been maturation from both sides. In other words, you're saying you don't have to explain to them as much as you used to. But I suppose the flip side of that is that you become better at being able to speak in shorthand their language of risk as well. 

James Dawson: [00:11:13]  Yeah, and better at serving them. I think that decision-makers have a lot on their mind. Men and women have so many other things on their mind. When you come to them with a cyber risk or control issue and you want to try to get to an answer or a decision or a pre-decision, it used to take a lot of time, but now that they're so sympathetic to what's going on, they're more attuned to the world into cyber and technology. It's easier to get to a solution for them. I spend less time explaining things, although I do think it is a good skill to be able to explain complicated things in a simple way because no matter what we do in cyber technology, as you know - I imagine you know, Dave - people still need to have a little bit of coaching and need to have things explained to them in very, very simple ways - get to the KISS rule with, especially in cyber. So if you can do that, that's a great skill to have. You don't even have to be that technically proficient. But if you can explain something and you understand the basics of it, that has - I found that that really, really helps. 

Dave Bittner: [00:12:13]  Are there any unique challenges that you face in the highly regulated world of global banking? 

James Dawson: [00:12:19]  You know, there are. You have two things that you're always fighting against, and that is meeting your obligations - those are laws. So for every country of operation of a global bank, you've got to meet certain laws and regulations. And they're different for different countries. They may deal with privacy. They may deal with data handling. They may deal with record keeping. But there are laws or protection of people's rights, whether they're employees or customers. And then the other thing is you have to also know or understand the business. You need to get down to why - what do we really do here? 

James Dawson: [00:12:53]  You know, a lot of people say, oh, I've worked for a bank for a couple of years, and they don't really know what the bank does. So I always like to think of risk and controls around what's the business purpose? What is the critical process that the business does or each of the business lines do? Understand that and you'll be able to really help and serve them and really protect them from a cyber standpoint or from any risk standpoint. So understanding the business end and that - I found that that was really, really essential. 

Dave Bittner: [00:13:24]  But what about the human side of things? Obviously, no shortage of technology when it comes to global banking and slinging money around the world at the speed of light, as it were, but it's still - at the end of the day, it's a people business. 

James Dawson: [00:13:39]  It is a people business. And, you know, there is nothing that we do, whether we're in a global bank or a global pharmacy or whatever or small mom-and-pop company around the corner, you serve people. That's what you do. You're there to serve people. Everything we do - and by the way, every risk scenario that you go through in cyber starts with a human and ends with a human. So in between, there's a lot of machines, but it usually starts with a human and it starts with unstructured data and the entry of unstructured data or some process that some human does. They enter an ABA wire number into a program, right? I like to think of IT risk and controls as not a technology thing, not a cyber control thing. 

James Dawson: [00:14:22]  The world today I think and especially in banking - and this happens in almost every industry - they went to the end first. Everybody jumped to the end as we learned about how to protect organizations from cyberthreats. They started at the wrong end. They started with their risks and their controls whereas where they should have started is identifying the business-critical processes first. What do the people do? What's the most important process or three or four processes in that business line? And then from there build out your IT risk and controls. 

Dave Bittner: [00:15:00]  Let me come at it from a different angle, though, because I wonder about, particularly if I'm in charge of security or even if I'm - let's say, I'm on the board and I'm getting messages from cybersecurity vendors and they're telling me, hey, listen, you know, that - you know, you mentioned earlier not having to worry about, for example, you know, the system that the janitor uses. Well, I can imagine them spinning a tale that says, hey, you know, that system that the janitor uses every day to clock in and out, what happens one day if that janitor was, you know, handed a flash drive by his daughter with a video of his grandson, you know, singing a song and he can't wait to see it, so he plugs it into the computer and, kaboom, now we're all infected? 

James Dawson: [00:15:50]  Sure. And, you know - and we do get those questions. So it's - you made a - you kind of made a good side point before you asked the question about the vendor. I usually find that vendors - although many of them have excellent products and I have some favorites out there in the world that I love, but many of them, of course, they're there to sell you their product or service. So you got to take that with a grain of salt. And I think that boards and CEOs and men and women of those positions learned that. But if you can get around that and explain to them or the vendor can explain to them why that one risk scenario that you described to them is important to the operation of the bank or the operation of the company overall, then you might have an argument. But, yes, there are always these rare instances where somebody is going to come in and, you know, maybe the janitor - maybe she just doesn't like the bank, you know? 

Dave Bittner: [00:16:42]  Right. 

James Dawson: [00:16:43]  And she just wants to do bad things. That's going to happen. You know, everyone knows that 60 to 70% of all your threats come from inside the house. So that's where you need to start with your risk and controls. 

Dave Bittner: [00:16:53]  Well, I suppose, I mean, it could lead to a useful conversation also or a line of inquiry that, hey, you know, these systems that our employees are using to clock in and out, how extensive is their connectivity to the important stuff? 

James Dawson: [00:17:06]  Right. And how likely is that event, that scenario from happening? 

Dave Bittner: [00:17:10]  Right. 

James Dawson: [00:17:10]  You know, risk and control assessment is very basic - it's impact and likelihood. So, you know, you have to weigh those two factors. And so whenever someone presents a scenario to me that seems like a one-off or an if of an if of an if, you know, I would say to them, sure, that possibly could happen, but the likelihood is so low that I'm going to rank that as a very low risk. And I'm not going to concentrate on it. More importantly is my high risk and maybe my medium risk, depending on my business type. 

James Dawson: [00:17:38]  I always take that - my team members - I have quite a few people that work with me now. I always take them, and I will sit down and say, let's take a look at this business process, this mission critical process, and let's try to figure out where the humans are involved in it. That's where you're going to have a lot of risk. That's where you're going to have mistakes. And then I also say to them, now think like a criminal, those men and women who do bad things. If you were an insider and you had a grudge against the bank or you were an outsider and you wanted to try to, you know, extort the bank for money, what would you do? What would you do? 

Dave Bittner: [00:18:14]  That's James Dawson from Danske Bank. 

Dave Bittner: [00:18:21]  Coming up on Tuesday, March 31, Rick Howard, the CyberWire's chief analyst, and I will be hosting our first quarterly Cybersecurity Analyst Call for members of CyberWire Pro Plus. Each quarter, we'll be joined by a rotating group of experts to engage in an insightful discussion about the events of the last 90 days that will materially impact your career, the organizations you're responsible for and the daily lives of people all over the world. Those who tune in to the live stream will be able to ask questions and participate in the conversation. To learn more, visit thecyberwire.com/analystcall. That's thecyberwire.com/analystcall. We hope to see you there. 

Dave Bittner: [00:19:09]  And joining me once again is Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to have you back. You know, as we are in the midst of this coronavirus event globally, one story that I have not heard, thankfully, is the lights going out. The power is staying on. Those critical services are still being delivered. And I thought it'd be a good opportunity for you and I to discuss the resiliency of these kinds of services. If you could share some insights with us, how are these systems designed to keep up and running? 

Robert M. Lee: [00:19:41]  Yeah, absolutely. So look. I mean, all these companies, especially these massive companies that provide these kind of services, have a variety of business continuity plans and disaster continuity plans. And they're always rehearsing and making sure that they're going to go. Obviously, something like a global pandemic is something that is probably not on the common tabletop exercise list. But they still think about, what would happen if we can't go to the site? What would happen if we are unable to interact with our systems in the normal way? And so we see a number of companies going the distance. 

Robert M. Lee: [00:20:16]  And we see a number of people at those companies really doing the right thing, trying to make sure that operations continue so that everybody and that everybody's way of life can continue. So a good example is, you know, from the oil company perspective as an example, Equinor up in Norway, as well as Shell, had announced that they had some folks out on offshore rigs that had been infected with coronavirus and that they were kind of self-quarantining off to the side in their cabin, that they were checking in on the other staff on the rigs to make sure that they were OK. But business was continuing as normal. 

Robert M. Lee: [00:20:50]  And, you know, that's an awful position to be in at times for the employees to do this, but a lot of those companies give those employees the options and figure out, like, what's best for them. And they're tripping over backwards to take care of their people. And I guess kind of where I'd leave that on the oil side, as an example, is, you'll find a lot of those folks out on the rigs, out on the refineries, et cetera, want to go continue to do their job. And it's not just doing it because of pay or other considerations. Again, those companies oftentimes have pretty flexible options for their folks. It's doing it because the folks that work in the industrial community are very mission-driven, and they understand the impact of the work that they do. 

Robert M. Lee: [00:21:32]  And you'll find the same type of dedication, you know, in the power and water sector, as an example, or in manufacturing, where the lights aren't going to go out just because people are teleworking. You've got people - critical personnel, mission critical personnel - that are still going into the plants, still going into the generation facilities, transmission, et cetera and doing their day-to-day job. So long story short, no one should be expecting disruptions in day-to-day life, especially as it relates to oil, gas, water, electricity, et cetera because of the dedication and the passion towards the mission that those folks have. 

Dave Bittner: [00:22:07]  Now, in this age of connectivity, does that provide these organizations with more flexibility to be able to keep things running than they had in the past? 

Robert M. Lee: [00:22:16]  For sure some of them. So there's always going to be a human component to a lot of these production environments. Even if you wanted to have a fully unmanned facility, as an example, they usually don't just for considerations around safety or environmental protections. So you might have a smaller staffing. And that's just a trend of the industry - just have a smaller amount of staff, but you still have people there for safety purposes. And you would see the same thing in these kind of scenarios where, because of the trend in automation that we've seen, because of the developments in technology we have, these assets take less people than ever to be able to operate them safely and correctly, which absolutely supports scenarios like this. 

Robert M. Lee: [00:22:59]  But at the same time, there's also still considerations around it. As an example, in the U.S. electric system, you're not able to remotely connect in to bulk electric assets. The NERC CIP regulations put a variety of controls around what you can and can't do, especially with regards to remote access. And that isn't to say that we should look at changing that. I mean, maybe, you know, consider disaster plans and how the regulations would allow different modes of operation during true disasters. 

Dave Bittner: [00:23:30]  Right. 

Robert M. Lee: [00:23:31]  But what I would say is it's already existing, therefore people already know how to work around it. So are people still going to site? Yes. Are less people than ever going to site? Yes. But are operations continuing as normal and are they built for that? Absolutely. 

Dave Bittner: [00:23:48]  All right. Well, Rob Lee, thanks for joining us. 

Dave Bittner: [00:23:56]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:24:14]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:24:26]  Don't miss this weekend's Research Saturday. Rick Altherr from Eclypsium is talking about Perilous Peripherals: Hidden Dangers Inside Windows and Linux Computers. Do check it out. 

Dave Bittner: [00:24:38]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: [00:24:46]  Our amazing CyberWire work-from-home team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. See you back here next week.