Dave Bittner: [00:00:03] The curious history of the delusion that COVID-19 has something to do with 5G. Malvertising spoofs a security company's website. A data breach hits Pakistani mobile users. XHelper is still in circulation. Data privacy versus data utility. COVID-19-driven patterns of cybercrime. And more on Zoom and the challenges of working remotely.
Dave Bittner: [00:00:34] And now a word from our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms: Everything You Need to Know about Security, Orchestration, Automation and Response." The book talks about intelligence-driven orchestration decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. You can download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:05] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 10, 2020.
Dave Bittner: [00:02:14] State actors, notably China, Russia and to a lesser extent Iran, have actively pushed various lines of disinformation about COVID-19's origins and propagation. A Military Times op-ed wonders how well-prepared the U.S. Department of Defense is to parry large-scale disinformation campaigns and concludes that the answer is not very. In fairness, it's a tough and unfamiliar problem, and there's no easy list of best practices to inform effective countermeasuring.
Dave Bittner: [00:02:45] Some of the difficulty in handling disinformation may be seen in the speed with which misinformation spreads and the surprising reach even implausible memes can have. WIRED traces the strange conviction that COVID-19 is somehow related to 5G and that such relationship has been created by some conspiracy or other to a January interview in a Belgian publication. It's since been picked up by the dreary and tiresome celebrity tribes of slacktivists and influencers, with regrettable but predictably far-reaching effects. Some of those effects have even been kinetic, as cell towers in the English midlands have been vandalized and telecommunications workers threatened.
Dave Bittner: [00:03:30] A malicious domain hosted in Russia and apparently controlled by criminals is spoofing a Malwarebytes site in a malvertising campaign designed to infect visitors to the bogus site with the Raccoon (ph) information stealer. SC Magazine quotes Malwarebytes' suspicions that the campaign is at least in part criminal payback for the company's efforts against cybercrime. The malvertising is thought to appear to a significant extent on adult websites, not venues in which Malwarebytes would normally be expected to place ads.
Dave Bittner: [00:04:02] According to Business Recorder, the personal information of some 115 million Pakistani mobile users is for sale in the dark web. The criminals are asking $2.1 million for the data, which include full names, addresses, mobile numbers, NIC numbers and tax numbers. "The database is freshly hacked this week," the hoods are quoted as saying in their come-on.
Dave Bittner: [00:04:26] Kaspersky has been warning of the xHelper Trojan, a persistent strain of Android malware that Dark Reading and others have been calling unkillable. More than 55,000 devices worldwide are believed to have been infected so far.
Dave Bittner: [00:04:41] As governments work to deploy technology that would enable them to get a handle on the COVID-19 pandemic, privacy hawks continue to worry that it may be easier to establish collection systems than it will be to roll them back once the emergency passes. But the case for collection and analysis remains strong and has all the life-and-death urgency one would expect. New Security Beat makes the argument for the lifesaving potential of data.
Dave Bittner: [00:05:09] FireEye blogs that the patterns of cyberattack during the pandemic show a familiar array of bad actors and attack techniques. What's changed are the target sets and the content surrounding the approach.
Dave Bittner: [00:05:20] That familiarity is certainly there, but there are other interesting ways in which the criminals themselves are responding to black market forces. Some of the criminal surge, as Wandera points out, is simply the familiar pattern of criminals being drawn to fresh opportunity - quote, "it's no surprise that bad actors are taking advantage of the global pandemic. If there was ever a time to target a huge captive audience, it is now," end quote.
Dave Bittner: [00:05:46] But not all the criminal activity is driven by increased opportunities and enlarged attack surfaces. The Free Press, for example, says that Mumbai is seeing criminals shift to online crimes as street crimes become harder to pull off because, presumably, it's more obvious as people stay off the streets and because the police are on alert for it. As criminal tools continue down the path of commodification, making that transition won't be as difficult as it once would've been.
Dave Bittner: [00:06:16] InSight Crime has an interesting overview of how criminals themselves are also feeling an economic pinch. Some of their own supply chains have been disrupted - mules may be harder to come by, for example - and they're scrambling for ways to make up for lost revenue. One of the security problems the COVID-19 pandemic presents is the sheer volume of noise it introduces, especially for health care organizations already stretched by high volumes of demand for medical services. Under such conditions, MedTech Dive reports, medical devices themselves might become attractive targets for attack. They share in some of the laggard security that one sees in the internet of things generally, and as targets of opportunity, they'll prove irresistible to some criminal hackers whose consciences impose few restraints on their behavior.
Dave Bittner: [00:07:05] Infosecurity Magazine talks with experts who think the shift to telework will probably outlast the coronavirus state of emergency. It brings with it not only greater dependence upon a set of tools whose ease of use may exceed their security, but also the heightened risk of those cloud misconfigurations that had already become a common cause of inadvertent data exposure long before COVID-19 was first glimpsed.
Dave Bittner: [00:07:30] One of the experts they talk to is Steve Durbin, managing director of the Information Security Forum, who sees emergency remote work as passing through three phases. The first is the challenge of getting telework tools into workers' hands. The second is parrying targeted attempts against this greatly expanded attack surface. And the third? Durbin told Infosecurity Magazine, quote, "phase three will come about through increased stress and cyber anxiety, which will result in a lowering of vigilance and, frankly, the sheer boredom of having to work remotely when the normal routine has been built around social interaction," end quote.
Dave Bittner: [00:08:08] Underground markets are seeing a brisk trade in compromised Zoom credentials. Threatpost reports that thousands of them are being actively sold in the black market. The stolen credentials appear to come from various sources and not from any single breach, nor even from any small set of breaches or data exposures.
Dave Bittner: [00:08:26] Teleconferencing specialist Zoom, of course, has been prominent in the current discussion of remote work. Its ease and reliable availability made it a popular choice for enterprises of all kinds and sizes, from storefront churches to the U.S. Department of Defense The Voice of America points out that FBI warnings haven't affected use by U.S. government agencies as much as one might expect, but its dramatically increased use exposed troubling privacy and security issues. Both the German government and the U.S. Senate have told their people not to use Zoom, ZDNet reports. The U.S. Department of Homeland Security has issued various less stringent cautions, and Federal News Network says these are being received differently by various agencies, many of whom weren't that invested in Zoom to begin with.
Dave Bittner: [00:09:13] Zoom itself has scrambled to put security fixes in place, including, Forbes reports, giving hosts more control over security and restricting the visibility of meeting IDs. They've also closed a hole Citizen Lab found in Zoom's waiting rooms that could've enabled unauthorized parties to eavesdrop without permission. The company has created an advisory council of CISOs led by former Facebook security chief Alex Stamos to help it up its privacy and security game. Zoom's CEO told Time in an interview that the company has learned its lesson and hopes to regain users' trust.
Dave Bittner: [00:09:51] Other providers of remote work tools and services are, of course, interested in capturing as much of this market as possible. Computerworld reports that Google and Microsoft are talking up the security of their offerings. The subtext seems to be, please don't confuse us with Zoom.
Dave Bittner: [00:10:13] And now a word from our sponsor BlackCloak. Oh, come on. It's not like anybody actually needs this anymore. I mean, executives in their personal lives - they're doing great. They all have advanced malware detection on all their devices. They're using dual-factor authentication everywhere. Their home networks are rock-solid secure, and they never, ever use a weak password. As for their families, little Luke and Leia and their significant other - well, they're pillars in the cybersecurity community. (Echoing) Right?
0:10:33:(SOUNDBITE OF ALARM RINGING)
Dave Bittner: [00:10:45] You're right. I was dreaming there for a minute. The fact is executives and their families are targets. And at home, they have no cybersecurity team to back them up. Instead of hacking the company with millions of dollars' worth of cyber controls, hackers have turned their attention to the executives' home network and devices, which have little to no protection. BlackCloak closes this gap in your company's protection. With their unique solution, the cybersecurity professionals of BlackCloak are able to protect your executives and their families from hacking, financial loss and private exposure. Mitigate these risks that could lead to a corporate data breach or reputational loss. Protect your company by protecting your executives. To learn more and partner with BlackCloak, visit blackcloak.io. That's blackcloak.io. And we thank BlackCloak for sponsoring our show.
Dave Bittner: [00:11:40] My guest today is Nathalie Marcotte. She's president of process automation at Schneider Electric, one of the leading global providers of industrial automation. A large part of her role involves OT security, the operational technology side of the house. And that, of course, involves the ever-increasing intersection of OT and IT.
Nathalie Marcotte: [00:12:01] So if you look at it from the IT-OT convergence aspect, you know, the question has a lot to do with what we're calling, and a lot of people are calling, digital transformation, which implies IT-OT, Industry 4.0, many concepts, but they all relate to this digital transformation and what's the impact on the OT world. So whatever you call it, our customers - they want to improve their operations and their business performance in ways that before, they were not able to imagine. So they're trying to take advantage of all this new technology, and they're expanding connectivity across their people, assets, system. And they want to extract more data, and they want to use that data to improve their operation and process.
Nathalie Marcotte: [00:12:47] So the benefit of all this connectivity with all, you know, this connection between the people, assets and, you know, more and more of it is that now it synchronizes the company operations and the business functions. So it allows them to be able to control their business performance and we like to say in real time. So the risk, though, associated with that is it does widen the attack surface and the potential cybercriminal because every new connection, every newly connected device at all level, and it's true for OT, is now becoming a potential entry point for the bad actors.
Nathalie Marcotte: [00:13:26] So what does it mean when a company sets off its digital transformation? Then, it's clearly that cybersecurity cannot be an afterthought. And it's - you know, more and more, you know, people are saying in the OT world, you know, learning from the IT, it's true. But now, it more - it started to be an integrated part. So there's too much at stake for them financially and operationally. They have no choice, but they have to think about it right upfront.
Nathalie Marcotte: [00:13:54] So when they do implement technology that will converge IT and OT, that demands, really, that they rethink their approach as it relates to cybersecurity. So what I would say is that you should make your comprehensive security strategies part of your standard risk management program upfront. And that's some of the best practices we are seeing out there. So we know as well that these cyberattacks continue to grow in number, sophistication, damage, and it does require proactive and ongoing response. So you need to understand your risk upfront, and then you know that this risk will vary from site to site, and you have to consider that in your strategy as well.
Nathalie Marcotte: [00:14:40] It's also worth mentioning that regulation and standards are also playing quite a significant role in there. And depending on where you are geographically, what industry you're in, you might be required to follow and comply with certain standards and regulations regardless of your risk threshold. So these are all components that need to be taken into account when you define your cybersecurity strategy. The bottom line is that the cybersecurity landscape is changing every day, and we always have to be ready.
Dave Bittner: [00:15:14] When an organization is approaching these issues, what needs to happen at a cultural level to make sure that the IT teams and the OT teams are collaborating and don't end up inadvertently being adversaries with each other?
Nathalie Marcotte: [00:15:32] So that's an interesting question. So we cannot ignore the fact that IT and OT are converging. And you're right. That means IT and OT expertise needs to come together nicely as well, which means that the team will need to work together. The good news is that they can learn from each other. OT has a lot to learn from IT because of more IT technologies been used in OT environments, and vice versa. So they both have to learn from each other. And when you look at it, there is a difference aspect, but technically, there is more similarities than difference.
Nathalie Marcotte: [00:16:08] The big difference comes a little bit with the impact. And the difference - in the OT world, you tend to work in real time, and it's more challenging when you put in place different protections, mechanisms. You cannot necessarily put the whole plan off or, you know, you have to wait for the time to do it, so the planning is critical. As well as the impact is different in terms of in the IT world, the impact of a malfunction on the computer system or the infrastructure is a little bit more financially driven. For the OT world, the impact would be around safety, around environment.
Nathalie Marcotte: [00:16:50] So once people are - can really bridge these difference of impact and the way of working, from a technical aspect, they have more in common. The good news is they have more in common than they have differences. So more and more, we see collaboration between the two, and I think it's going to expand as we go forward as both sides, you know, get the benefit from the other.
Dave Bittner: [00:17:11] With the view that you have on the industry from your position at Schneider Electric, what sort of advice do you have for the people who are out there every day trying to make these systems more safe?
Nathalie Marcotte: [00:17:24] They have to look at three aspects that, you know, they always have to look because it's not just a technical challenge. They have to look at their processes, and they have to look at the people aspect of things. In many cases, they could have the right technology, but if they don't address processes or people, you know, at the end of the day, they will still be vulnerable. So they really have to look at the comprehensive program that will address these three aspects into an overall program itself. And if they do have to collaborate, they do have to collaborate - and we see that as well as best practices out there - they do have to collaborate with their suppliers. They have to collaborate among themselves with end users.
Nathalie Marcotte: [00:18:07] And we see more and more in the whole industrial cybersecurity world this desire for collaboration. And I would encourage them to do so, even with - you know, there's a lot of forums being put in place with, you know, been working with ISAO and the consortium for cybersecurity, really allowing them to share best practices, to hear from the others of impact, vulnerability, impact incidents. So more and more, we share together. More and more, we're going to improve our position, we're going to defend the industry. And it's the benefit of all of us. So it's like safety. It's an area where we have to collaborate and remove some of the competitive elements into the process.
Dave Bittner: [00:18:51] That's Nathalie Marcotte from Schneider Electric.
Dave Bittner: [00:18:58] And now a word from our sponsor ExtraHop, securing modern business with network detection and response. Security and IT teams are under more pressure than ever. Any workforce that can go remote has done so almost overnight. That means more stress on critical systems, more potentially unsecured IoT devices on corporate networks and an urgent need to see and respond to threats as quickly as possible. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95% faster and respond 60% more efficiently. As Chief Architect and Information Security Officer Dan McDaniel put it, quote, "there is no other company that aligns to supporting the DevOps model, the speed and the lack of friction than ExtraHop." See how it works in the full product demo, free online at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:20:02] And I'm pleased to be joined once again by Mike Benjamin. He's the head of Black Lotus Labs at CenturyLink. Mike, always great to have you back. I wanted to check in and get an update on what you and your team have been tracking when it comes to DDoSing and botnets and things when it comes to IoT devices, what sort of things have your attention?
Mike Benjamin: [00:20:22] Yeah. Thanks, Dave. So a number of years ago, we all saw headlines on a almost daily or weekly basis about Mirai and which variant of the week was proliferating across the internet. But more recently, we've seen that news die down a little bit, things not be as interesting. And I would be really interested in just sort of touch in and look at what those botnets have been doing.
Mike Benjamin: [00:20:43] So I went in our system and pulled how many unique botnets we'd pulled out of the IoT DDoS space over the last few months. And we found 900 unique botnets in the last 90 days, over 10 per day. And so a lot of these folks are in the gaming community. They may be what a lot of security community people would categorize as script kiddies or teenagers focused on bravado with their friends.
Mike Benjamin: [00:21:07] But realistically, these things can cause substantive damage to businesses. They can take down infrastructure. They can really break things. And so the IoT space, the devices people have plugged in in their homes, there's still a massively large vulnerable pool. Exploits are still being released. And we do see actors including those new exploits in their scanners and in their distribution methods. So these things are still there. Thankfully, however, for the most part, they don't, on an individual-case basis, build enough firepower to take down major infrastructure.
Mike Benjamin: [00:21:41] So a few years ago, there was a lot of discussion in the world about DDoS attacks exceeding a terabyte a second out of some of these botnets. We're not seeing the install base that can yield that amount of bandwidth. However, it's really interesting. Just in the last couple weeks, we've been working with some folks around a botnet that's hit about 200,000 nodes. And we have an attack that was sending over 1.2 million HTTP requests a second. That particular botnet is based on the Chalubo malware, which does incorporate code from Mirai, as well as Xor.DDoS. But it's a relatively different mechanism in the fact that its callback protocol is actually downloading an encrypted LUIS script. It's not using a persistent TCP socket with real-time communication for commands.
Mike Benjamin: [00:22:26] So it's a little different than those other ones we've looked at, but it's a really important thing to note that that pool of devices is still being abused. People still are compromising. They still are building DDoS botnets. That's something that we all need to be aware of and continuing to clean up and monitor for in our homes and in our infrastructure.
Dave Bittner: [00:22:44] Now, for folks like you and your team there at CenturyLink, what sort of view do you have into this? Specifically, can you tell when the botnets are gathering before they go and execute and do what they're going to do? Can you tell when someone is starting to assemble a botnet for themselves?
Mike Benjamin: [00:23:04] Absolutely. Yeah. So, you know, as I mentioned that 900 number, a lot of that's based on a view of network communication data from, what were all of the devices participating in these things over the last few weeks? And now, what are they all doing behaviorally? So we will see clusters of communication towards new hosts. Often, we can actually speak the malware's C2 protocol to that host, identify it and then send it off to either the data center provider or the network operator who is hosting it and get it cleaned up.
Mike Benjamin: [00:23:33] And so a lot of these botnets are being taken down through mechanisms that we've been operating, as well as a number of our other peers that we often work collaboratively with in this space. But from time to time, we do see this concentration in clusters pop up where we can't speak the C2 protocol. We do see actors modifying the really well-known botnets as well as standing up new things on new code bases. And so it's a constant battle of staying on top of it.
Mike Benjamin: [00:23:59] But realistically, once you start to see things in the hundreds of thousands, it gets a lot of attention. It's a lot of collaboration across the industry. And a lot of groups that we work with collaboratively, as well as ourselves, will go hunt it down, add it to the pool of visibility we have and make sure it doesn't grow to that size and scale again.
Dave Bittner: [00:24:16] So it sounds to me like, in terms of mitigation, we're in a pretty good place. There's a lot of collaboration and capacity to handle these sorts of things.
Mike Benjamin: [00:24:27] I'd say yes, but realistically, we'd love the help of everyone in patching those IoT devices, never connecting a open socket to the internet in the first place, cleaning up things when victim notifications are sent. So really, the community of the rest of the internet can make it so there's not enough devices to really even make this worth anyone's time to go attack.
Dave Bittner: [00:24:50] All right. Interesting insights. Mike Benjamin, thanks for joining us.
Dave Bittner: [00:24:58] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cyber security leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:25:17] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:25:29] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Dave Bittner: [00:25:38] Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.