The CyberWire Daily Podcast 3.30.20
Ep 1055 | 3.30.20

Updates on the cyber ramifications of the coronavirus pandemic. Saudi surveillance program. Ransomware developments. Lost USB attacks are in progress.

Transcript

Dave Bittner: [00:00:00] Hey, everybody. Dave here with a quick note to remind you that coming up on Tuesday, March 31, Rick Howard, the CyberWire's chief analyst, and yours truly will be hosting our first quarterly cybersecurity analyst call. This is for members of CyberWire Pro+. Every quarter, we'll be joined by a rotating group of experts to engage in an insightful discussion about the events of the last 90 days that will materially impact your career, the organizations you're responsible for and the daily lives of people all over the world. Those who tune in to the livestream will be able to ask questions and participate in the conversation. You can find out more by visiting thecyberwire.com/analystcall. That's thecyberwire.com/analystcall. We hope to see you there. Thanks. 

Dave Bittner: [00:00:46]  Updates on the coronavirus and its effect on the cyber sector; criminals spoof infection warnings from hospitals. The country of Georgia's voter data has been exposed online. The Kingdom of Saudi Arabia seems to have conducted extensive surveillance of its subjects as they travel in the U.S. The Zeus Sphinx Trojan is back. Dharma ransomware's source code is for sale in the black market. And beware teddy bears bearing USB drives. 

Dave Bittner: [00:01:20]  And now a word from our sponsor LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless strong security with LastPass. Transitioning to remote work can be complicated. LastPass Identity is here to make the transition easier without decreasing security. Through integrated single sign-on, password management and multifactor authentication, LastPass Identity enables remote teams to increase security. With an uptick in phishing attacks, LastPass reduces the risk of phishing schemes by never auto-filling passwords on suspicious websites and adds MFA across apps, workstations and VPNs. It helps manage user access. Regardless of where or how employees need access, LastPass ensures employees have secure access to work applications through SSO and password manager. It enables secure sharing. LastPass enables remote employees to securely share passwords across teams in order to securely collaborate and stay on top of critical projects. And it allows you to maintain control. LastPass enables IT to remain in complete control over which employees are accessing which resources, no matter where they're coming from. With LastPass Identity, the transition to remote work can be a simple and secure one. Visit lastpass.com to learn more. That's lastpass.com. And we thank LastPass for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:03:22]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 30, 2020. 

Dave Bittner: [00:03:31]  Companies across essentially all sectors are feeling the effects of the pandemic, and neither the cybersecurity nor the larger tech sectors are immune. VentureBeat has some crowdsourced charts from Candor that offer an overview of how COVID-19 is affecting employment, including both hiring freezes and layoffs. One area that's so far performing well, according to The Wall Street Journal, is cloud computing. In general, the cloud has held up well, and cloud providers are emerging as the few corporate winners during the crisis. The Journal quotes Matthew Prince, Cloudflare CEO, to the effect that, quote, "if we think of the cloud as a utility, it's hard to imagine any other public utility that could sustain a 50% increase in utilization, whether that's electric or water or sewage system, and not fall over. The fact that the cloud is holding up as well as it has is one of the real bright spots of this crisis," end quote. 

Dave Bittner: [00:04:27]  Zoom isn't a cloud provider but rather a company whose products facilitate telework. Its service has seen dramatically increased usage during the pandemic state of emergency, and with that increase in usage came increased attention both from hackers and from privacy advocates, from bad types and good types. Zoom has sought to address both. First, it's removed the code that Motherboard reported was sharing analytical data with Facebook. This is the sort of app behavior that's been found objectionable when other products have been caught doing it. Second, the vulnerabilities that Check Point last week reported finding in Zoom - vulnerabilities whose exploitation could render Zoom sessions susceptible to eavesdropping - turn out to have been patched, so those particular issues should be addressed. 

Dave Bittner: [00:05:13]  Various cybersecurity companies continue to offer services for free or at sharply discounted rates. Computer Weekly has a rundown of some of the recent offers. One timely and notable instance of expertise applied to direct aid of pandemic relief efforts comes from our partners at CenturyLink, who donated and installed high-speed connectivity for the hospital ship USNS Mercy, now on station in Los Angeles to provide the region with increased emergency medical capacity. 

Dave Bittner: [00:05:43]  An unusually loathsome bit of phishing is in progress. BleepingComputer reports that criminals are sending spoofed emails that pretend to be from a local hospital. They warn the recipient that they or a family member may have been exposed to COVID-19. An attachment offering more information contains a malicious executable. The samples displayed in the report involve a hospital in Ottawa, but it seems inevitable that the scam won't find itself contained in Ontario. 

Dave Bittner: [00:06:11]  A database containing information on essentially all the registered voters in the country of Georgia - nearly 5 million - appeared in a hacker forum over the weekend, ZDNet reports. Georgia's Central Election Commission says that the database contains information it doesn't normally collect and that it doesn't have any evidence that it sustained a cyberattack. The Central Election Commission suggests that the data might have come from or been assembled from another source. Investigation continues. 

Dave Bittner: [00:06:41]  An unnamed whistleblower has provided The Guardian with information that suggests Saudi Arabia has been engaged in extensive surveillance of Saudi citizens in the U.S. The three major Saudi mobile operators - Saudi Telecom, Mobily and Zain - sent a U.S. mobile carrier a combined monthly average of 2.3 million tracking requests - provide subscriber information, PSI, messages - over the global SS7 message system from November 1, 2019, to March 1, 2020. Many of the PSIs were blocked by U.S. carriers. The SSS protocol - Signaling System 7 - enables calls to be routed among different carriers' networks. And PSIs have legitimate uses, like ensuring proper billing, but as TechCrunch points out, the high rate of Saudi PSIs far exceeds anything one might expect from such legitimate use. Members of Congress complain that the apparent surveillance was enabled by the U.S. FCC's inaction on cleaning up known issues with SS7. 

Dave Bittner: [00:07:45]  IBM's X-Force says that the Zeus Sphinx Trojan, quiescent for the last three years, resurfaced this month after an apparent period of low-level testing that began in December. As it had before, Zeus Sphinx is disseminated by malicious documents attached to emails. The phishbait is, of course, coronavirus. The targets are bank accounts, mostly in the U.S. and Canada. ZDNet reports that the source code for Dharma ransomware is now being sold in Russian-language underground markets, with the going rate for the code running about $2,000. Dharma has been used in various forms since it debuted in 2016 under the name CrySiS. Since then, it's become one of the biggest turnkey ransomware-as-a-service solutions on offer. 

Dave Bittner: [00:08:31]  The insurance company Chubb, which, in addition to its other businesses, is a prominent underwriter of cyber-risk, continues to investigate the cyberattack it sustained last week. In the meantime, according to Infosecurity Magazine, the operators of Maze have posted in their news site the claim that they're the gang that successfully infected Chubb with its ransomware. Insurance Journal quotes Chubb as saying that, so far, at least, it seems that the company's networks were unaffected. 

Dave Bittner: [00:09:00]  One of the challenges security teams face is keeping track of all the devices that touch their networks. Having an accurate inventory of all that stuff and what it's up to can be a daunting task. Daniel dos Santos is a security research lead at device visibility firm Forescout. We caught up at the RSA Conference. 

Daniel Dos Santos: [00:09:20]  So we really focus on this hyperconnectivity on connected devices like IOT. And some of the things that we looked at were specifically building automation systems and smart buildings and how the IOT enters these kinds of legacy systems. We also moved to collaboration systems and smart TVs and meeting and remote working systems. We have been looking at medical devices and some other things. So it's really, like, a wide range of devices that basically affect our daily lives nowadays. And we just want to see what is the overall security status when it comes to these devices. Yeah. 

Dave Bittner: [00:09:57]  Are we heading towards having some standards, some frameworks when it comes to these devices, a baseline that we can count on as consumers of them? 

Daniel Dos Santos: [00:10:06]  Yeah. I think there is - there are some initiatives in that way, not that I know so far anything that's been extremely successful that is being picked up by industry and by everybody, but there are some initiatives in this direction. And I would hope so. Again, as I mentioned before, I think that just the multitude of vendors - it's something that is very complicated in the IOT space - right? - because of all supply chain issues that we have nowadays - also, vendors from different countries, different, you know, geopolitical reasons and so on. So that's one of the main issues, yeah. 

Dave Bittner: [00:10:39]  Are you optimistic as you look forward? Do you think this is a situation that we're gaining ground on? 

Daniel Dos Santos: [00:10:46]  I think so. I think there's a lot of people working towards solutions. I think there is a lot of work still to be done, and I think that something like perfect security is probably unachievable. But as I said, there's a lot of smart people working towards very smart solutions. And we can always try to implement these solutions and try to be one or two steps ahead of the attackers or at least one or two steps ahead of some other targets. That's, in the end, what you have to do in terms of security. 

Dave Bittner: [00:11:16]  What's your advice for folks out there - I'm thinking particularly of the folks in enterprise who, you know, have all of these devices deployed around their network. Are there any areas that aren't getting the attention you think they deserve? 

Daniel Dos Santos: [00:11:30]  Yeah. Like I mentioned, I think the basic steps are network visibility, so visibility into the devices that you have that are connected into your network. That's, like, the basic security control on top of which you can build other things. So you just need to know everything that's connected to your network and to be able to monitor. So network visibility and network monitoring are definitely the basis and then, on top of that, implementing proper segmentation, proper control of these devices, manageability on the devices that you can manage. Now, there is a whole problem with IOT devices that cannot be managed, but at least on those, you can also have monitoring, and segmentation and so on. So I think those are the main areas that definitely can be improved, yeah. 

Dave Bittner: [00:12:13]  That's Daniel dos Santos from Forescout. 

Dave Bittner: [00:12:17]  We heard last week that people had been receiving malware loaded onto USB drives mailed to them in conjunction with a phony Best Buy gift card offer. It turns out, according to BleepingComputer, that there are other scams in progress also delivered by the U.S. Postal Service. The FBI identified the FIN7 gang as the outfit behind the campaign. The scam is a variation of the familiar lost-USB technique long used by pentesters. The FBI says that the USB drives are being distributed in the company of usual bits of swag, teddy bears among them. 

Dave Bittner: [00:12:53]  As we near the close of this podcast, we return to the coronavirus and its effects on our sector, and we're happy to report some good news. It's about Exabeam's Chris Tillett, an early COVID-19 patient who had a severe case of the virus. He's now out of his medically induced coma, back with his family and on the way to recovery. May he continue to do well, and may all those similarly afflicted and their families receive healing and comfort. 

Dave Bittner: [00:13:21]  And finally, a new social phenomenon emerges as people stay home during the COVID-19 outbreak - EDS, or exhausted dog syndrome, observed as people take their dogs for many more walks than usual just to get out of the house. There's a lot of up and at 'em, pooch, particularly in the teleworking tech sector. To give credit where credit is due, the discovery of EDS must be credited to James Stavridis, admiral, United States Navy, retired. And all we can add to this news is, Admiral, hello, Nobel. 

Dave Bittner: [00:14:01]  And now a word from our sponsor Mazars Cybersecurity. Currently, the largest fine under the GDPR is over 200 million euros. With other similar laws like the California Consumer Privacy Act coming online, it's critical to review your company's readiness for and compliance with privacy regulations. The legal experts and cybersecurity professionals at Mazars Cybersecurity can review your systems and processes, ensuring that you are in compliance with privacy regulations, reducing your risk moving forward. Their world-class team in over 90 countries has experience with the full range of regulatory regimes globally and insight into local requirements at the state level. They can even act as your data protection officer. They understand that today's business world is international, online and interconnected. A law a world away can substantially impact your organization. Can you afford to be out of compliance? See how Mazars helps at www.mazarsusa.com/cybersecurity. Again, that's www.mazarsusa.com/cybersecurity. And we thank Mazars Cybersecurity for sponsoring our show. 

Dave Bittner: [00:15:25]  And I'm pleased to be joined once again by David Dufour. He's the vice president of cybersecurity and engineering at Webroot. David, it's always great to have you back. I wanted to touch base today on this notion of privacy versus security. I think a lot of people conflate the two, but you point out that they're not really the same thing. 

David Dufour: [00:15:44]  That's absolutely right. And, you know, I think several years ago, David, it was safe to say that they were the same in the essence of, you know, you see the TLS connection, your HTTPS, and you're communicating securely to your bank. You can enter your banking information. And that was great. Obviously, you don't want someone, you know, Wiresharking your bank account login or sniffing that. 

David Dufour: [00:16:10]  But what's happened is all websites now - typically, we're seeing about 90% of the time spent on websites is on - are on websites with HTTPS pages. So the bulk of web traffic now is HTTPS. There's a proliferation of sites that will give away certificates for free, so that allows you to have that free HTTPS. And it sounds good on the surface, you know? Hey, I want everything to be secure. 

Dave Bittner: [00:16:35]  Right. 

David Dufour: [00:16:35]  Why wouldn't we, David, right? I mean, that sounds great. 

Dave Bittner: [00:16:38]  Sure. Sounds good to me. 

David Dufour: [00:16:39]  Well, so what's really happening is HTTPS secures the connection from your machine to the actual server you're communicating with. And there are sometimes some very complicated things we can do to break that connection and see the data traffic, but it's getting harder and harder. And again, you may be thinking to yourself, well, that's great. Now, you know, my information's secure. Well, the problem is the cybercriminals have realized, if we can land on the endpoint and we can do bad things on the endpoint and make a secure connection to a server, we can send traffic privately across these HTTPS connections. 

David Dufour: [00:17:15]  And the issue is the bulk of the tools in the network layer that protect us need to be able to see the traffic to make a determination if you're communicating with a country you don't want to communicate with, to make a determination if you're communicating with a known bad website, to make a determination if the data flowing down to you is malware. If you're not able to see that network traffic, a lot of the tools that have been built by this industry don't work. And so what ends up happening is you should feel very good, David, that you are now privately connected to that malware deliverer, and you will privately get that delivered to you. 

Dave Bittner: [00:17:55]  Yeah. Well, so what's the solution here? It seems like be careful what you ask for. 

David Dufour: [00:18:01]  Well, it is a little bit be careful what you ask for. And to go back and say, you know, to the industry, let's all stop HTTPS - that's not going to happen. And I always like to have an answer 'cause I like to, you know, pretend like I know a lot. But in this case, I think, David, what we really need to be aware of is this is becoming more and more of a problem. And right now, the answer is to ensure you have a secure, safe endpoint. 

David Dufour: [00:18:25]  But I think that's only a short-term answer and that over time, as an industry, we've got to be putting in tools that allow us to do filtering on the endpoint of websites to make sure people are browsing to where they want to go to. Potentially, we're able to rate these certificate sites. You know, a Verisign is probably a better, more reliable security token than Dave Dufour SSL certificate. And so we might want to start ranking where people get these certificates, and I'm sure there's a lot of people out there who are coming up with ways to understand and view how we can be more secure with this encrypted communication. It's just something that the industry really needs to be aware of and start thinking about 'cause a lot of our tools, at least on the network layer, are going to become antiquated over time. 

Dave Bittner: [00:19:15]  How does this affect consumers? 

David Dufour: [00:19:16]  So if you're a consumer, again, it's a big deal that if you're going to a site that is your bank or something like that, you definitely want to see that green lock in your browser because that does mean, at the very least, the connection is secure. But, again, people send down phishing sites that might be your bank - but it's pretending to be your bank, and they're going to have the green lock now as well. 

Dave Bittner: [00:19:40]  Right. 

David Dufour: [00:19:40]  So you have to be more vigilant. And I always like to say, consumers, it's better to not click something or not receive a phone call. It's better to reach out. So if you get an email and it says click the link here and enter your account information, don't do that. Either call your bank, call the financial institution or browse by typing it in the address bar to where you want to go. Just to be aware of these type of attacks and, you know, just - we've got to be vigilant, David. 

Dave Bittner: [00:20:10]  Yeah, yeah. All right. Good advice. David Dufour, thanks for joining us. 

David Dufour: [00:20:14]  Great being here. 

Dave Bittner: [00:20:20]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:20:38]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:20:50]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.