The CyberWire Daily Podcast 5.26.20
Ep 1095 | 5.26.20

The evolution of malware, both criminal and state-run.

Transcript

Dave Bittner: [00:00:00] Hey, everybody. Dave here. And I want to tell you about CyberWire's new subscription program CyberWire Pro. It's designed for security professionals and all others who want to stay abreast of cybersecurity news. CyberWire Pro is a premium service that will save you time and keep you informed. You may be saying to yourself, hey, that sounds great and something my entire organization can benefit from. We think so, too. With a CyberWire Pro Enterprise subscription, you can make that happen. You can help to keep your organization up to date with the latest news, analysis and trends across the evolving cybersecurity landscape. Save some money and look like a hero at the same time. We've got great discounts for government, commercial teams and academia, too. To learn more, visit thecyberwire.com/pro and click on the Contact Us link in the Enterprise box. That's thecyberwire.com/pro, and then click Contact Us in the Enterprise box. And we will help you become that office hero. 

Dave Bittner: [00:01:02]  Turla tunes its tools. The commodity Trojan AnarchyGrabber is now stealing passwords. A new iOS jailbreak has been released. The U.K. reconsiders its decision to allow Huawei into its 5G network. A tech group lobbies the U.S. House against warrantless inspection of searches. Remote work's regulatory risk. COVID-19 conspiracy theories. Hackers say they're vigilantes. Our own Rick Howard on intrusion kill chains - his latest episode of "CSO Perspectives." Our guest is Nico Fischbach from Forcepoint on deepfakes expanding outside of disinformation campaigns to the enterprise. And too many remote workers appear to have too much time on their hands. 

Dave Bittner: [00:01:49]  And now a word from our sponsor the University of San Diego. Cybersecurity newsflash - in addition to gumming up the works with malware, phishing expeditions and DNS attacks, the black hat hackers of the world are also creating jobs. Let me explain. Cybercrime is causing so many headaches and financial losses for many CEOs that companies everywhere are paying top dollar for cybersecurity talent. By some estimates, the financial damage caused by the global cybercrime epidemic each year is about to hit $6 trillion. That's why employers across all industries are paying six-figure salaries for cybersecurity pros with the right experience and training. University of San Diego and its online cybersecurity engineering master's degree program are doing a lot of reporting on this. They also offer an outstanding online training program if you're interested in sharpening your skills to advance your career or to transition into cybersecurity. Connect with a team at sandiego.edu/cyberwire. Mention this podcast and they'll waive the fee to apply. That's sandiego.edu/cyberwire. And we thank the University of San Diego for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:03:31]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 26, 2020. 

Dave Bittner: [00:03:40]  ESET reports a development in Turla's tactics. The Russian threat group also known as Snake has updated its old ComRAT backdoor, also known as Agent.BTZ or Chinch and probably in use since 2007. It now uses the Gmail web user interface for command and control, and many security systems interpret Gmail traffic as innocent. It's also adopted the practice of collecting antivirus logs - the better to evaluate whether it's being detected. ZDNet says that the targets of Turla's recent campaigns are non-Russian military and diplomatic organizations. 

Dave Bittner: [00:04:18]  The freely distributed commodity Trojan AnarchyGrabber, known for its use in stealing Discord tokens, has been updated with new functionality. According to BleepingComputer, the latest version, AnarchyGrabber3, steals plaintext passwords and commands an infected device to spread the malware to the user's Discord friends. The stolen passwords are thought to be destined for use in credential stuffing attacks. Another reason, as if any more were required, to avoid reusing passwords. 

Dave Bittner: [00:04:50]  Hackers at Unc0ver have developed a jailbreaking tool for iOS devices, The Verge reports. VICE says the jailbreak uses a kernel zero-day that Apple's been unaware of. Jailbreaks give users more control over their devices. They can also expose those devices to exploitation. Jailbreaking a device should be approached with caution. It's not known yet what zero-day Unc0ver found in iOS. Doubtless, Apple and others will be looking for it. 

Dave Bittner: [00:05:18]  Under parliamentary pressures from the ruling Tory majority and diplomatic undertakings from the U.S. and Australia, the British government is reconsidering its decision to allow Huawei to participate in the country's 5G build-out, TechCrunch reports. Government is now drawing up plans that would remove Huawei from the country's 5G infrastructure by the year 2023. The government had formally planned to cap Huawei's share of the British market at 35% and to exclude the company from participation in core infrastructure. Under the new plans, at least three of the Five Eyes are now relatively closely aligned in their approach to the risk of infrastructure being compromised by Chinese intelligence services. The U.S. had suggested that allowing Huawei and similar companies into a country's networks would gravely limit the amount and quality of information the U.S. would be willing to share with its allied counterparts. The British move comes after a week in which the U.S. announced stiffer export controls that would effectively keep U.S.-developed semiconductors out of Huawei's hands. Huawei acknowledges that the latest export controls would impose a hardship on the company. They're also expected to drive Chinese hardware in the direction of greater independence. 

Dave Bittner: [00:06:34]  A tech industry group has written the U.S. House of Representatives, urging explicit prohibition of warrantless collection of internet search and browsing history in the USA FREEDOM Reauthorization Act. 

Dave Bittner: [00:06:46]  There's another self-described vigilante campaign underway. The hackers "CyberWare" have told BleepingComputer that they're punishing scammers with MilkmanVictory ransomware. As they told the publication, lapsing into a brief Shadow Brokeresque uncertainty about articles, quote, "the victims are saying they give loan, but you first have to pay and then you get nothing," end quote. In this case, MilkmanVictory is really functioning as a wiper, since CyberWare isn't offering a decryption key. When a target is infected, it displays a note from the attackers. Hello - the cheery message begins - this computer has been destroyed with the MilkmanVictory ransomware because we know you are a scammer. And it's signed with a punctuational smiley - a colon, a hyphen and a right parenthesis. CyberWare says it's gone after one particular German loan company that's also been hit with a distributed denial-of-service attack. Let's remain agnostic about whether the target had it coming. Hackers - even vigilante hackers - aren't entitled to a presumption of righteousness. 

Dave Bittner: [00:07:52]  Remote work of the kind so many organizations are currently using involves exposure to some forms of legal risk. The Information Commissioner's Office in the U.K. has offered guidance on how it intends to treat data protection regulations during periods of widespread remote work. Computer Weekly's gloss on that guidance is simple - quote, "in practice, this means that remote working is not an excuse to implement less stringent security measures than you would have otherwise had in place. The standard remains that organizations must ensure that an appropriate level of security is applied to the personal data that they process," end quote. 

Dave Bittner: [00:08:29]  Nico Fischbach is global CTO at security firm Forcepoint. He explains the potential for deepfakes to expand outside of disinformation campaigns to the enterprise. 

Nico Fischbach: [00:08:41]  So I think today, you know, most people understand what a deepfake is. And the level of awareness has really changed because, you know, they've been a little bit used and abused late last year and early this year, especially on social media, and it also made kind of the news - you know? - the more regular newspapers. And I think the fact that many large social media and platform players have come up with ways to detect some of them and, you know, even help maybe mitigate the spread of them, you know, I think the awareness is - has really changed. 

Nico Fischbach: [00:09:18]  Funny enough, though, I was expecting, you know, many more - obviously, the topic, you know, was the 2020 U.S. election coming up. And I was expecting, you know, COVID and the noise around COVID also to be used, you know, in a deepfake arena, but I haven't seen many. You know, most of them were to make fun, you know, sadly, of things but, you know, not that many to actually, you know, attack the enterprise using, you know, the COVID-themed messaging. 

Dave Bittner: [00:09:51]  So where do you suppose we're headed then? What are the concerns for enterprise? 

Nico Fischbach: [00:09:55]  I think the concern is that it's another tool in the arsenal of the bad guys. You know, clearly, with the stress level and the social engineering happening when it comes to phishing, you know, enterprises, you know, especially the chief information security officers, they need to start or to continue to educate the users about, you know, this new way or this new medium that's being used by the bad guys to try to break in, you know, be it into your accounts to compromise your credentials or to get somebody into an enterprise to do an action, like, you know, wire money to an external account - so basically explain to the userbase that, you know, it's another form of trickery that's being used to get you to do something, you know, under pressure or by creating this need that really doesn't exist. 

Dave Bittner: [00:10:50]  What are your recommendations for people to defend themselves? How can we detect these sort of things? 

Nico Fischbach: [00:10:56]  It is a combination of using, you know, security hygiene tools. Think of, you know, anti-spam, anti-phishing technologies, cloud security to make sure that the websites that host, you know, those videos sometimes get, you know, blocked. I think that's still the technology side of things. I think user education and, you know, security awareness is key. And, you know, I was just reading some stats yesterday. You know, those type of SaaS offerings when it comes to security awareness and training, you know, have grown. And it's not just, you know, the Zooms and the collaboration tools, but it's also those type of tools. So I think the CISOs recognize that there's a technology element to it, but also there's an education, you know, item that needs to be addressed. 

Dave Bittner: [00:11:41]  That's Nico Fischbach from Forcepoint. 

Dave Bittner: [00:11:45]  Among the lamentable cultural artifacts of the pandemic are the various conspiracy theories that have gurgled to the cultural surface. A BuzzFeed piece outlines the form the imagined conspiracies are taking in sections of the popular imagination. It's a familiar shape. Wealthy forces operating behind the scenes are manipulating world events with a hidden hand for their own malign purposes. Historically, the conspiracy has usually involved the Illuminati or the Rothschilds. But in this case, the malign force the theorists perceive is Microsoft co-founder Bill Gates, who's held by many to be lashed up with the traditional bugaboos. 

Dave Bittner: [00:12:25]  So what's everybody been doing with all these hours at home? Spending time with the family? Improving themselves through edifying reading? Learning a new craft? Scrapbooking? Watching cooking shows for recipes that would help them prepare a nice meal for the loved ones with whom they're sheltering? Tending a victory garden? No, probably not, at least if the Telegraph is to be believed. Mostly, they're consuming adult content, consumption rate up a whopping 292%; streaming TV, up as much as 179% on some services; and, of course, playing online games, up 98%. That's in the U.K., of course, and the study is based on observations of people who use Gener8's browser add-on, but it seems reasonable to assume that things aren't much different elsewhere, however your system is configured. Organizations may have to deal with some less-than-seemly habits that have developed during this period of self-isolation. We have it on the good authority of Baltimore sports talk radio that people are actually so out of whack that there's a brisk betting traffic in Russian Ping-Pong. Trust us. The Illuminati have nothing to do with that. 

Dave Bittner: [00:13:40]  Hey, everybody. Dave here. As you know, we've been fortunate to have built a pretty influential audience over the years. Security leaders across the globe trust us and depend on us every day to deliver the news and analysis they need to do their jobs. And that's also why so many top security companies and hot startups trust us to connect them to the decision-makers and influencers to help get the word out about their brand and fill their sales funnels. We've got lots of great sponsorship opportunities that can help you get the word out, too. Just visit thecyberwire.com/sponsorship to learn more and connect with us. That's thecyberwire.com/sponsorship. 

Dave Bittner: [00:14:26]  And joining me once again is Rick Howard. He is the CyberWire's chief analyst. Rick, welcome back to the show. I wanted to touch base with you about something that I know you've been spending some time on, and that's taking a look at some of the first principles that we have in cybersecurity and some of the long-term implications of that. What do you have to share with us? 

Rick Howard: [00:14:47]  Yeah, it's one of my pet peeves, Dave, for - jeez - forever now. You know, I started back in the day, like you did, and we made a bunch of assumptions as far back as the early 1990s about how we should do cybersecurity. And, you know, it's 2020 now, and the question is, were those early decisions the right ones? And I've been fascinated with the idea that we could apply some first principle thinking to cybersecurity to see if we could prioritize what we've been working on and maybe discard some of the old stuff that doesn't really work that well. 

Dave Bittner: [00:15:20]  Well, give me some examples here. What kind of stuff do you have on your mind? 

Rick Howard: [00:15:24]  Well, it's interesting. If you think about if I'm trying to protect, let's say, the CyberWire's infrastructure - OK? - what is the most important thing that we should be worried about, all right? And if you ask that question to any network defender out there, I bet we get about a hundred different answers. And I've been thinking about this for a long time, and I've gone through lots of gyrations. So should I hit you with it? It's pretty simple. It's like you could fit it on a Twitter. 

[00:15:48] (LAUGHTER)

Dave Bittner: [00:15:50]  Well, my first reaction was tasty snacks in the break room, but... 

Rick Howard: [00:15:53]  (Laughter). 

Dave Bittner: [00:15:53]  ...I'm guessing that's probably not at the top of your list. 

Rick Howard: [00:15:57]  It's... 

Dave Bittner: [00:15:57]  Please, go ahead. 

Rick Howard: [00:15:58]  It's the second one - OK? - but not... 

Dave Bittner: [00:16:00]  OK (laughter). 

Rick Howard: [00:16:00]  ...The first one. All right. 

[00:16:01] (LAUGHTER)

Rick Howard: [00:16:03]  So if you think about what we're trying to do - OK? - a lot of people think we should stop all breaches or prevent all attacks or react quickly to an attack, and none of that is good enough, right? That is not what we're trying to do because it's really hard to convey that kind of information to your senior leaders or even to the board. So here's what I think it is. We're trying to reduce the probability of a material impact to our organization due to a cyber event. And I want to parse that a little bit, OK? 'Cause... 

Dave Bittner: [00:16:34]  Yeah. 

Rick Howard: [00:16:35]  Remember; I don't - it's not - I'm not trying to stop all attacks, all right? What I'm doing is reducing the likelihood that something like that will happen. So what do you think? Am I getting you with this at all? 

Dave Bittner: [00:16:46]  Yeah, you are. I mean, I find it helpful to think about a lot of this stuff in terms of comparing it to public health policy. In other words, you're never going to keep everybody from getting a common cold, but there are many things we can do to cut down the likelihood that someone will get a common cold. And I - is that along the lines of what you're talking about here? 

Rick Howard: [00:17:08]  That's exactly right, and it goes to how we talk about this with our board members, right? If you go to them and say, I need a gazillion dollars to, you know, do my pet cybersecurity project this year, they have no way to judge whether or not that's good unless, you know, they're scared to death. And they may give you the money or they may not. But if I - instead, I can go to them and say, we can do these three things and we reduce the probability that we will be materially impacted, and that's a decision they can weigh and weigh it against all the other risks that they are dealing with in their - you know, when they do their daily jobs. 

Dave Bittner: [00:17:41]  Does that also help sort of spread out that responsibility that, you know, it's not all on the security folks, that you're putting some of that decision-making of where we're going to apply our resources and where we're going to dial in different amounts of risk - you're moving that up the food chain, as it were? 

Rick Howard: [00:17:57]  Yeah, it absolutely is. I think we made a mistake early on in, you know, this network defender community by trying to hold all that responsibility on our own, right? And really, the mistake we made is assuming or trying to convey the idea that cybersecurity risk is somehow different than all the other business risks that, you know, senior leaders have to deal with. And after 25 years of doing this, it's just not true, OK? It's just another risk, right? And so if I go to the boss and say, hey, here's some - I need some money to do X, the boss is going to weigh - OK? - that risk compared to all the other things he's got to spend money and resources on. And so I think we've made that mistake as a community.

Dave Bittner: [00:18:37]  Yeah. All right, Rick, well, thanks for joining us. You can check out the latest episode of Rick's podcast "CSO Perspectives" when you sign up for CyberWire Pro. The most recent episode is about intrusion kill chains. Rick, always great to have you on the show. 

Rick Howard: [00:18:51]  Thank you, sir. 

Dave Bittner: [00:18:57]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:19:15]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:27]  Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast. 

Dave Bittner: [00:19:55]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.