Cyberwar, cybercrime, and hacktivism: updates on all three. Contact tracing and its discontents. Cybersecurity economic trends during the pandemic.
Dave Bittner: [00:00:04] Website defacements in Israel may be hacktivist work. Iranian cyberespionage against Saudi Arabia and Kuwait. The latest evolution of ZeuS. The Winnti Group is still hacking, and it still likes stealing in-game commodities. Contact tracing during the pandemic proves harder than many thought it would be. Caleb Barlow wonders if GDPR may have unintended consequences for stopping COVID-19 scammers. Gabriel Bassett is here from Verizon to discuss the 2020 DBIR. And if you're looking for qualified workers, follow the layoff news.
Dave Bittner: [00:00:43] And now a word from our sponsor ExtraHop, securing modern business with network detection and response. Security and IT teams are under more pressure than ever. Any workforce that can go remote has done so almost overnight. That means more stress on critical systems, more potentially unsecured IoT devices on corporate networks and an urgent need to see and respond to threats as quickly as possible. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95% faster and respond 60% more efficiently. As chief architect and information security officer Dan McDaniel put it, quote, "There is no other company that aligns to supporting the DevOps model, the speed and the lack of friction than ExtraHop." See how it works in the full product demo, free online at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:10] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 21, 2020. Thousands of Israeli websites hosted on uPress were defaced early this morning with messages calling for the destruction of Israel. Israel and Iran have been swapping cyberattacks recently, but Haaretz says there's no evidence of a direct Iranian connection to the campaign. The group claiming responsibility calls itself the Hackers of Saviour. Iranian hackers have been active against government agencies and transportation targets, especially airports, in Saudi Arabia and Kuwait. It seems a fairly straightforward espionage effort. Bitdefender reports that the Chafer APT, generally regarded as run from Tehran, appears to have been engaged in reconnaissance and data exfiltration. The operators relied on social engineering for initial deployment of their payloads.
Dave Bittner: [00:03:08] Malwarebytes today released a report on the recent evolution of the ZeuS banking Trojan, which the researchers call, with some justification, the most famous banking Trojan ever released. They've observed a new family built on the old ZeuS framework. It emerged in November of last year, and it's currently being hawked in Russian-speaking criminal-to-criminal markets as Silent Night. The seller and developer, who goes by the name Axe, says it took him much time and many pains to pull together, and he's charging a premium. A general build goes for $2,000 a month, a unique build for $4,000. The researchers regard this version as clean and well-made but not particularly innovative. They expect it to become a product catering to high-end criminals.
Dave Bittner: [00:03:55] Researchers at ESET have an update on the Winnti Group, which continues its practice of using backdoors to attack online gaming companies. The goal is usually theft and monetization of in-game commodities. Those loot boxes have uses beyond arming your avatar or giving it cool-looking armor. In the MITRE taxonomy, the Winnti Group is described as being of Chinese origin and as having associations with APT17, Axiom and Ke3chang. Many of these associations are code-sharing, especially of the Winnti malware. Note that Winnti isn't the only strain or type of malware that Winnti Group uses. As ESET explains, they refer to the actor as Winnti Group because of its early use of the malware, but its horizons have expanded over the years.
Dave Bittner: [00:04:44] Prime Minister Boris Johnson says the UK will have an effective contact tracing system in place by the 1st of June. He was, the Telegraph reports, responding to labor concerns about staff safety should schools reopen. But in some respects, the early favorable reviews Britain's NHS received from its contact tracing pilot on the Isle of Wight now seem to have represented a false dawn. At the very least, more work needs to be done on the security of the app.
Dave Bittner: [00:05:12] People have been asked to let the National Cyber Security Centre know about any problems they found with the NHSX-sponsored contact tracing app, and they've reported, Computer Weekly reports, three classes of significant issues - those involving the registration process for app users, the application of the Bluetooth communication standard and how the data are encrypted. Some of the issues involve developer missteps - inevitable with such compressed development cycles. But many of them involve design choices or even simple failure to communicate.
Dave Bittner: [00:05:45] Not all areas of the UK will adopt the national contact tracing app, whatever its final form may be. Northern Ireland won't, for one. According to the BBC, they intend to follow the Republic of Ireland's lead. Northern Ireland has some issues with the NHSX app's privacy protections. But more importantly, it values facilitating travel across the Irish border more than it does travel to England, Scotland or Wales. North-south movement is more important than east-west travel.
Dave Bittner: [00:06:15] The Apple-Google decentralized exposure notification system now being rolled out has attracted interest from governments who are proving willing to sacrifice the advantages of centralized data management and analysis in favor of an approach that users may find more congenial. Reuters reports that some 23 governments have shown an interest in the Apple-Google solution.
Dave Bittner: [00:06:38] 1Password has published a survey of people whose jobs have been affected by remote work and other measures taken to deal with the emergency, and they've concluded that IT departments are actually getting a good bit of love from their colleagues. Eighty-nine percent of respondents had no criticism of their company's IT team. Given the scale of the upheaval, that's a remarkable testament to the incredible work IT teams are doing. There may also be a growing preference for working from home, with 68% of respondents saying they like it or that at least they've grown happier with telecommuting.
Dave Bittner: [00:07:12] It is fair to say the annual release of the Verizon Data Breach Investigations Report may be the most anticipated cybersecurity publication of the year, and this year's DBIR is no exception. Gabriel Bassett is one of the authors of the Verizon report.
Gabriel Bassett: [00:07:29] So one of the things we notice in the report pretty regularly is that we don't see a lot of exploitation of vulnerabilities. And what that means to us is that exploiting a vulnerability is not the attacker's easiest path to a breach. And so we dug down into that this year and looked at a bunch of things around - vulnerabilities around asset management. We also looked at patching, and, you know, the patching wasn't great. There's no single figure to really point to in the report, but if you look at the industry section, there's some figures about patching. And we see that overall, most organizations are patching 57% of their breaches in the first quarter - the first 90 days - which isn't great.
Gabriel Bassett: [00:08:11] And so - but if that's not causing exploits to be commonly used for breaches, what's going on there? And so when we look, what we found is that, you know, there's a small set of - the majority of an organization's assets, particularly their internet-facing ones, don't have any significant vulnerabilities. For half of organizations, they had - 1 or 0% of their assets had a significant vulnerability, and for 90% of them, it was - 10 or less of their internet-facing assets had any significant vulnerability. But there's the rest of their assets - right? - the ones that maybe they don't know about because organizations had 43% of their assets on their first - number of the first autonomous system, number of their first ASN. But half of all organizations had another six ASNs that their assets were spread across. And so the question is, do you know what those assets are as an organization, and, you know, what's the patch level, right?
Gabriel Bassett: [00:09:11] We see any time a new vulnerability comes out that there's tens of thousands of assets on the internet that are vulnerable to it. And, you know, that makes us wonder, well, is that me? Like, you know, is one of my assets in there? I think I'm patching, right? And so we looked at what those assets were. More specifically, we looked at what they were vulnerable to, you know? And so say if a computer on the internet is vulnerable to EternalBlue, what other vulnerabilities is it vulnerable to? And more specifically, what's the first major vulnerability that it's vulnerable to?
Gabriel Bassett: [00:09:43] And the goal here is to say - to try to figure out if these are machines that are being patched regularly and just haven't been patched for this vulnerability or just aren't being patched at all. And what we found is that machines that had, like, EternalBlue - we also checked the (unintelligible) vulnerability from last year. They hadn't been patched in 10 years. The majority of these machines were things that - it's not that they are getting patched slowly. It's that they're getting patched never. And the reality is if someone wanted to take any of these systems over - a large portion; there were ones that were patched. But the majority of them - if someone wanted to take them over, they could use any one of the attacks from the last decade. They don't have to use the newest vulnerability.
Dave Bittner: [00:10:24] What is your outlook? Do you have a sense that - are we gaining ground? Are we losing ground? Are we, you know, treading water, as you were, to mix metaphors?
Gabriel Bassett: [00:10:34] You know, from a data perspective, it is hard to say whether we are improving or getting better or getting worse. But ultimately, my outlook is positive. I think - you know, more than anything, I think that the things we are doing are working. We are stopping a lot of the attacks. We know where the attackers are going, and they're going for kind of these very quick and narrow attacks - things like credentials, phishing. We know how to respond to those. We know how to use two-factor authentication to secure credentials. We know how to deal with phishing. You know, it's just a matter of us continuing to mitigate these things and push the attackers into ever narrower and narrower attacks to the point where our security operations can deal with all the attacks that they see.
Dave Bittner: [00:11:25] That's Gabriel Bassett from Verizon. There's much more to our conversation than we have time for in the daily podcast, and you can listen to the full interview on our website when you sign up for CyberWire Pro.
Dave Bittner: [00:11:37] While security isn't something organizations can easily cut during periods of stress, neither the larger tech sector nor its security subsector has proven immune from the economic effects of the pandemic. While IT and security businesses haven't been as hard-hit as those in other industries (the COVID-19 downturn has been particularly hard on media shops), they, too, have had to endure lower revenue and, in some cases, lay off employees.
Dave Bittner: [00:12:03] Checkmarx, for one, on Monday said it was laying off dozens of staff. The company's CEO Emmanuel Benzaquen suggested that restructuring had been in the plans for some time, saying, quote, "we didn't do it earlier because of the exit and the coronavirus crisis, but now it is time to make some changes," end quote. It's part of building for the long term, and while the pandemic has affected the company like everyone else, he expects to emerge stronger from the other side of the emergency. The private equity firm Hellman & Friedman LLC finalized its purchase of Checkmarx in April, paying $1.15 billion for the company. The lesson, CTech observes, is that even unicorns aren't immune to COVID-19.
Dave Bittner: [00:12:49] And finally, remember that there are security companies who are still hiring even during the pandemic. May we suggest they take a look at people who've recently been laid off? They represent an attractive talent pool, as close to prescreened as any talent pool ever is. And if you're in between jobs, hang in there. Tough times do pass.
Dave Bittner: [00:13:15] And now a word from our sponsor Thycotic. Thycotic protects companies from cyberattacks by developing innovative technologies that secure privileged accounts across the modern enterprise. Thycotic recently partnered with Cybrary to conduct a global survey of IT professionals focusing on how organizations are implementing least privilege. Their new survey report shows overprivileged users are still a big challenge for IT professionals. The report reveals important insights for anyone planning or already down the path with their own least privileged security program. From the survey, they found that even though least privilege is a top or urgent priority, most organizations struggle with complexity and user complaints when implementing a least-privileged security strategy. Go to thycotic.com/cyberwire to download the report now and get more details about the survey results, the key takeaways and recommendations for how to ensure success in your least privilege implementation. Again, that's thycotic.com/cyberwire to download this special report on the state of least privilege. And we thank Thycotic for sponsoring our show.
Dave Bittner: [00:14:31] And I'm pleased to be joined once again by Caleb Barlow. He is the CEO at Cynergistek. Caleb, it's always great to have you back. You've been tracking some interesting patterns when it comes to phishing attempts. You've got some interesting insights of the phishing we've seen related to COVID-19. What can you share with us today?
Caleb Barlow: [00:14:50] Well, Dave, any time we see a major event - could be a sporting event like the Super Bowl or World Cup, could be a weather event like a hurricane or a typhoon. But any time that there is an opportunity where people want new information, they want to get access to, you know, maybe a better view on things, they're much more likely to click on a link. And it's not surprising that we've seen a dramatic increase in phishing attempts. You know, depending on which news outlet you look at, you know, you can see Google's talking about an increase of about 350% amid COVID-19. IBM X-Force is out saying that they've seen an increase of almost 14,000%, which I don't even know how you calculate that number. But anyway, the point is - and I don't think this is any surprise to anybody - all of the phishers are now leveraging COVID-19-type phish bait. We've even seen, you know, lots of fake sites getting set up, you know, variants, for example, of Zoom conferencing because, you know, Zoom is obviously one of the more popular solutions that people are using to communicate through this crisis. And you're not seeing, you know, three or four examples. You're seeing hundreds and hundreds of examples of these fake sites.
Dave Bittner: [00:16:02] Right.
Caleb Barlow: [00:16:02] But here's what nobody's talking about - why is it so much larger than things we've seen in the past? And there's a big reason why. Any guesses, Dave?
Dave Bittner: [00:16:14] (Laughter) Well, I mean, my initial response would be that this event is bigger than things we've seen in the past. How often does something happen that affects the entire globe?
Caleb Barlow: [00:16:25] All right. I'll have to give you partial credit for that because I don't think you're wrong.
Dave Bittner: [00:16:29] (Laughter) Fair enough.
Caleb Barlow: [00:16:30] But there is one other factor that hasn't existed before, and that is actually GDPR. The very law and regulation that was designed to protect everybody's privacy, particularly Europeans, is actually working against us in this case because one of the things that never got figured out with GDPR is the state of the WHOIS data. So since the start of the internet, ICANN, which is the independent governing body set up to basically govern the internet and how we all use it - you know, they basically said, look, if you're going to operate on the internet, your IP address needs to be registered. And, you know, we'll maintain this free database that anybody can search to figure out who is behind a particular IP address or domain. And, of course, you had the ability to kind of, like, hide your home address and things like that. But there was a way that law enforcement or security professionals working an investigation could figure out, you know, who is this, and it isn't any different than kind of having a license plate on the back of your car.
Caleb Barlow: [00:17:31] Well, the challenge is that GDPR views an IP address as PII. Therefore, you got into this kind of rift that never got resolved between the regulators of GDPR - they're saying, hey, look, this is our role, there's going to be unforeseen consequences, we're not changing it - and ICANN basically standing up, you know, effectively saying, hey, you're about to break the internet and how we've looked at it historically. Well, GDPR comes with gigantic penalties. So the registrars, the people that go in, you know, register your domain, you know, hey, I want a new domain, you know, davesplayland.com (ph). You go out to, like, GoDaddy or something like that and register this domain. Well, those registrars had to step back, saying, hey, we can't deal with these GDPR fines. Even though we're supposed to publish this, we're just going to stop. And that's what happened. But that is the critical resource that security professionals use to root out these phishing domains.
Dave Bittner: [00:18:34] And so basically the folks who are out there fighting this, they've got one hand tied behind their back now.
Caleb Barlow: [00:18:40] They really do. It is the metaphorical equivalent of everyone taking the license plate off their car and still driving around. Now, Dave, you're an upstanding guy. You're probably still going to drive safely and stop at the intersections and use your blinker.
Dave Bittner: [00:18:56] Right.
Caleb Barlow: [00:18:56] But is everybody still going to do that if you don't have your license plate on your car?
Dave Bittner: [00:19:01] Yeah. Interesting. How do you suppose this shakes out? Is this just - this is the future we're stuck with or are folks trying to come up with solutions to this?
Caleb Barlow: [00:19:10] Well, look, there has been just mounting pressure to get this resolved. Unfortunately, I think everybody's dug into their camps. And, you know, look - and I think this is a bit of a bold statement, but I actually think we're running the risk that the very law designed to protect our privacy may cause some of the largest privacy breaches in history. And I think as more people realize this problem, all we need to do is tweak a few things here and have a few exceptions for security professionals. And there's probably a way to get there in the long term. But I don't necessarily know if the motivations are quite there yet.
Dave Bittner: [00:19:48] All right. Well, Caleb Barlow, thanks for joining us.
Caleb Barlow: [00:19:51] Thanks, Dave.
Dave Bittner: [00:19:56] And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:27] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. See you back here tomorrow.