WHO email accounts prospected. Mandrake versus Android users. Vollgar versus MS-SQL servers. Ransomware and hospitals. Notes on the effects of COVID-19, and a disinformation campaign.
Dave Bittner: [00:00:03] Attempts on World Health Organization email accounts are possibly linked to Iran. Mandrake Android malware is active against carefully selected targets. Vollgar attacks Windows systems running MS SQL server. Hospitals remain attractive targets for ransomware gangs. Italy's social security operations have been shut down by hacking. Coronavirus disinformation, the pandemic's effects on business and a look at the fortunes of Zoom.
Dave Bittner: [00:00:37] And now a word from our sponsor LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless, strong security with LastPass. Transitioning to remote work can be complicated. LastPass Identity is here to make the transition easier without decreasing security. Through integrated single sign-on, password management and multifactor authentication, LastPass Identity enables remote teams to increase security. With an uptick in phishing attacks, LastPass reduces the risk of phishing schemes by never auto-filling passwords on suspicious websites and adds MFA across apps, workstations and VPNs. It helps manage user access. Regardless of where or how employees need access, LastPass ensures employees have secure access to work applications through SSO and password manager. It enables secure sharing. LastPass enables remote employees to securely share passwords across teams in order to securely collaborate and stay on top of critical projects, and it allows you to maintain control. LastPass enables IT to remain in complete control over which employees are accessing which resources no matter where they're coming from. With LastPass Identity, the transition to remote work can be a simple and secure one. Visit lastpass.com to learn more. That's lastpass.com, and we thank LastPass for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud, for the cloud to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:39] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 2, 2020. Reuters reports that attempts to compromise the email accounts of World Health Organization staffers may be the work of Iranian operators. WHO officially says it's not in any position to make an attribution, but anonymous sources close to the U.N. organization say the attacks seem connected to Tehran. Security firm Prevailion told Reuters that they saw significant circumstantial evidence suggesting an Iranian campaign. The attempted cyberattacks on WHO have been murky, sometimes linked to the DarkHotel APT, which itself has been connected to several governments but none in a definitive way.
Dave Bittner: [00:03:28] Threat researchers at Bitdefender have offered ZDNet an update on the Mandrake strain of Android malware they discovered earlier this year. Mandrake focuses on Australian Android users and eschews mass automated attacks in favor of human-run operations against selected targets. Mandrake appears to be a criminal operation, probably a patient attempt at what Bitdefender characterizes as credential stealing, information exfiltration, money transfers and blackmailing.
Dave Bittner: [00:03:59] Security firm Guardicore reports a long-running criminal campaign targeting MS SQL servers. They call it Vollgar, a portmanteau of Vollar, the cryptocurrency the campaign mines, and vulgar, which is how Guardicore views the criminals' behavior. The servers make attractive targets not only for their computational power but also for the large amount of sensitive data they hold. China, India, the U.S., South Korea and Turkey have so far been the countries most affected by Vollgar. The attack typically begins by brute-forcing internet-connected servers with weak credentials.
Dave Bittner: [00:04:37] Microsoft warns hospitals to expect a surge in ransomware attacks and offers advice on how they might defend themselves. Gangs using the REvil, also known as Sodinokibi, strain of ransomware have been especially active against health care targets.
Dave Bittner: [00:04:55] The current coronavirus emergency obviously continues to have considerable effect not only on public health but also on economic conditions and international rivalry. One of the difficulties of assessing the COVID-19 pandemic in ways that might usefully inform effective disease control policies has been the challenge of understanding the pandemic's extent and the course infection takes in its sufferers. Chinese information control practices haven't helped. The U.S. intelligence community last week delivered a classified study to the White House that concluded, according to Bloomberg, that China's public reporting on cases and deaths is intentionally incomplete. Others with fewer or at least different dogs in this particular fight have reached the same conclusion. Vice summarizes Beijing's policy with respect to information about the coronavirus, and it finds a comprehensive program of censorship and disinformation directed at both domestic and international audiences. Stanford University's Internet Observatory says that deliberate misdirection and obfuscation have been in progress since January.
Dave Bittner: [00:06:04] Lockdowns, illness, self-isolation, enforced closures and the attendant throttling of commerce have taken a toll on all sectors. CNBC, in a nonrigorous but informative look at startups, concludes that more than 3,500 jobs were eliminated during March at some 40 companies, who'd collectively raised more than $14 billion in capital. The New York Times calls the job destruction the great unwinding. The tech sector and its security subsector have been less heavily affected than some others, but they've by no means been immune.
Dave Bittner: [00:06:40] Perry Carpenter describes himself as a security behavior alchemist, and he's also chief evangelist and strategy officer at security awareness firm KnowBe4. I caught up with Perry Carpenter at the RSA Conference.
Perry Carpenter: [00:06:54] And I think that there's two sides to the data story, right? The fact that if all these vendors are successful and all the organizations are successful implementing technology-based vendor solutions for security - we would have no breaches if that's the solve, right?
Dave Bittner: [00:07:10] Right.
Perry Carpenter: [00:07:10] And the fact is day after day, week after week, month after month, year after year, decade after decade, at this point, we see security-related breaches caused by human error, and the technology that's supposed to have fixed that a few years ago hasn't. And so when somebody comes to me and says, well, the technology is the only way, and you're wasting your time with working with humans, I could also say, well, the technology isn't working for you, either. And so you do have to step up, and you have to add that additional layer of security, that human piece.
Perry Carpenter: [00:07:44] And then the other side of the data is we do have data that shows that if you are paying attention and if you are training your people and doing that in a behavior design-based way and there's parameters to that that I can share with you - but if you're following best practices for behavior design and doing simulation combined with training, then you can knock down the propensity for somebody to click on a phishing email dramatically within three months and super-dramatically within a year. And so what we've seen is that a typical baseline - if nobody's ever done any training with this before, then upwards of 40% of people have a propensity to click, which is bad. That's a bad day for your organization.
Dave Bittner: [00:08:29] (Laughter) Right.
Perry Carpenter: [00:08:30] But within three months, if you've combined some training with simulated phishing tests at least once every 30 days, we've seen that go down to about half of that - actually, under half of that, about 17%. And then over a year period, you can knock that down into the low single digits. And so that's consistency. You're building muscle memory. You're - it's the same way that if you were to only go to the gym once a year, all you're really doing is causing yourself pain, and you're showing yourself how pathetic you are. So...
Dave Bittner: [00:09:00] (Laughter).
Perry Carpenter: [00:09:00] So people that do a phishing test once a year - that's what they're getting (laughter).
Dave Bittner: [00:09:03] Hitting a little close to home here, Perry (laughter).
Perry Carpenter: [00:09:05] I know. I feel that too. But if you're wanting to actually improve, well, then you go consistently. You feel the pain for a while, but ultimately, you start to adapt, and you get the benefits from that. And the same thing holds true for security training.
Dave Bittner: [00:09:21] That's Perry Carpenter from KnowBe4.
Dave Bittner: [00:09:24] Zoom has had a remarkable, wild and decidedly mixed ride over the course of the pandemic. The remote conferencing service listed on the Nasdaq as ZM had, between October and the end of January, traded between $60 and $80. On February 3, three days after the U.S. banned travel from China and the day after the first death outside China from COVID-19 was reported, the company's shares rose to $87.66. They peaked at $159.56 on March 23, the day the U.K.'s lockdown began, six days after France imposed a nationwide lockdown and eight days after the U.S. Centers for Disease Control recommended social isolation. It's a telework-driven surge. As of last week, MarketWatch marveled, Zoom's daily active user count was up 378% from where it was a year ago.
Dave Bittner: [00:10:20] Zoom has since fallen off those highs, closing yesterday at $137. Problems with security and privacy have made for what Axios calls a tarnished moment of glory. WIRED thinks the issues - data sharing that's prompted a class-action lawsuit, oversharing of user data, the relative ease with which skids and others have been able to intrude into sessions, called Zoom-bombing, and two new zero-days - collectively mean that the Zoom privacy backlash is only getting started.
Dave Bittner: [00:10:52] Zoom itself, which Forbes credits with having at least as much transparency as to render the company relatively journalist-friendly, is working to fix its privacy and security issues. CEO Eric Yuan has blogged that the company has frozen all updates other than those designed to enhance security. He's also announced a variety of training and support initiatives, has offered clarification and, where appropriate, apologies about certain Zoom features, notably its encryption, which turns out to have been less rigorous than marketing claims may have led users to believe. The difficulties Zoom is experiencing are no doubt connected with its success, a sudden transformation from a reliable and user-friendly conferencing service to what amounts almost to a public utility. That's Zoom's view. As CEO Yuan wrote, quote, "we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived," end quote.
Dave Bittner: [00:12:03] Axios offers a speculative but plausible explanation of what's happening. Quote, "the same design choices and default settings that made Zoom so easy to install and use are the ones that make it vulnerable. The level of trust that users within a large company assume as they work together breaks down among more heterogeneous groups in public environments," end quote. And it's so easy to use that it almost constitutes an attractive nuisance, as a Wall Street Journal story about virtual happy hours suggests.
Dave Bittner: [00:12:40] And now a word from our sponsor Mazars Cybersecurity. Currently, the largest fine under the GDPR is over 200 million euros. With other similar laws like the California Consumer Privacy Act coming online, it's critical to review your company's readiness for and compliance with privacy regulations. The legal experts and cybersecurity professionals at Mazars Cybersecurity can review your systems and processes, ensuring that you are in compliance with privacy regulations, reducing your risk moving forward. Their world-class team in over 90 countries has experience with a full range of regulatory regimes globally and insight into local requirements at the state level. They can even act as your data protection officer. They understand that today's business world is international, online and interconnected. A law a world away can substantially impact your organization. Can you afford to be out of compliance? See how Mazars helps at www.mazarsusa.com/cybersecurity. Again, that's www.mazarsusa.com/cybersecurity, and we thank Mazars Cybersecurity for sponsoring our show.
Dave Bittner: [00:14:03] And joining me once again is Andrea Little Limbago. She is the chief social scientist at Virtru. Andrea, it's great to have you back. I wanted to touch today on this notion of what's shaping up as a global battle for information control and how various nation-states are coming at that. This was originally going to be something you were going to discuss in a panel discussion at South by Southwest. That didn't happen because of some global virus concerns, but let's dig into the topic itself.
Andrea Little Limbago: [00:14:33] Yeah, it was - we were supposed to be talking about it shortly, had a great panel lined up with Nina Kollars, Megan Gray and Lisa Jiggetts. So hopefully, we'll get to do that again in the near future. But what we were going to address - actually, it was a large focus on the nation-states but also actually bringing in the non-state actor as well. And so I'll explain that. By the way, Freedom House measures internet freedoms and so forth - nine straight years in a row of a decline in internet freedoms. We're seeing at the same time roughly 14 years in a row decline of democracy across the globe.
Andrea Little Limbago: [00:15:04] So we have these two trends going on, and what it really is showing is just the spread and diffusion of authoritarian digital control of the environment and what the digital authoritarian playbook is. And we have that pretty well-understood, I think, at this point. So if you look at it - and it's not just China, not just Russia. And I think that that's the core message we really want to send. Although China and Russia really are the innovators in this area, their models are spreading. And so the way we look at it, or at least the way I look at it, is focused on the use of cyberattacks for, say, data access, data theft, data manipulation, data dumps, those kind of things that I think this audience is very well familiar with. You've got the hardware and software that they're using as well that can provide either backdoors or other kinds of access and control. You've got the disinformation for controlling the narrative. And, again, you're talking about the coronavirus. We're seeing that very much so right now being an authoritarian tool of choice for controlling the narrative - and, again, not just in China. Iran and others are doing the same.
Andrea Little Limbago: [00:15:57] And then what we're also seeing, really, is the rise also of using, you know, the law and policy use of control - so anything from requiring data storage within their borders to requiring and mandating backdoor access, and that's part of the encryption debate that we see in the U.S., has already been going on across the globe. And in many authoritarian regimes, they do require the use of encryption software with government-mandated access to it. So that's where we see on the authoritarian side what the playbook really is and that it is spreading everywhere in different aspects and to different degrees, you know, from Thailand and Vietnam to Malawi to Ecuador. I mean, it's really becoming a global phenomenon. And on the democratic side, we really don't know what the digital democracy looks like yet.
Andrea Little Limbago: [00:16:38] And so because there is not that alternative playbook, we're seeing more and more of democracies adapt some of those different components of the playbook - not full-out adopting it all but getting - you know, adopting different parts of it. And that's, again, where we see aspects like Australia's anti-encryption law, where you're seeing - in Brazil, we saw an awful lot of domestic disinformation around their election. And so we're seeing that battle really playing out, and we're starting to see a little bit, you know, glimmers of signs of what a digital democracy could look like. And the European Union is really the one leading the way in that area so far with the GDPR, the General Data Protection Regulation, which is really focusing on giving individuals control of their data.
Dave Bittner: [00:17:19] On the democracy side, what sorts of tools of influence are available to try to push back against some of these authoritarian regimes?
Andrea Little Limbago: [00:17:29] What we're starting to see - on the one hand, I think that's where defenders can come into play, especially against the cyberattacks - is helping control what data is getting stolen, helping focus on data integrity. Other areas where I really do think - and this is where I'd love to see America start to come together and provide some leadership in this area - is on just on crafting the rules and regulations for data privacy and security. And so while we have a pretty good idea on, you know, cyberspace and the role of offense, and while there still are norms that need to be shaped - and that is one, actually, additional area where I'd like to see is the leadership focusing on establishing those norms for the use of offense in cyberspace. I also would like to see the U.S. take a lead in data protection and privacy and so focusing on the soft power aspect of it.
Andrea Little Limbago: [00:18:11] So what soft power is in international relations is really frameworks and models that attract and inspire others to want to have a similar kind of, you know, policy or model or so forth. And so you think about privacy and data protection and especially digital privacy as a component of a digital democracy. Those are the kinds of behaviors and rights that people across the globe will want to have, especially as the surveillance state becomes, you know, more and more pronounced across the globe. And so I think if we could leverage the soft power of privacy and show what a democracy can look like that does - both protects data, protects privacy and ensures levels of innovation - and again, we don't have - we don't know what that right mix is yet.
Andrea Little Limbago: [00:18:52] But we really also have not explored or innovated in that area, and so I think there's so much room for innovation to figure out what that right balance would be. And on the one hand, you know, there's no ultimate security, no ultimate privacy. But if we can optimize among both and try to get rules and regulations and the tech all together to move towards that end, I think there's a lot that can be done.
Dave Bittner: [00:19:10] Yeah. All right. Well, Andrea Little Limbago, thanks for joining us.
Andrea Little Limbago: [00:19:14] Thanks so much for having me.
Dave Bittner: [00:19:21] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:19:40] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:53] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.