The CyberWire Daily Podcast 7.2.20
Ep 1122 | 7.2.20

Evil Corp versus newspapers. Trolling for unprotected MongoDB. Taurus in the criminal souks. Law and security. Loot boxes as gambling items.

Transcript

Dave Bittner: Are you a follower of the CyberWire on LinkedIn? If not, you might just want to do that. Why? You ask. Well, we do a weekly discount code drop for CyberWire Pro. Each week, we will be dropping one discount code on LinkedIn with significant discounts for CyberWire Pro. That discount code can only be used five times. So follow at the CyberWire on LinkedIn. Keep your eyes peeled. The code could drop any day of the week, and it's first-come, first-serve.

Dave Bittner: Evil Corp seems to have been shuffling through some newspaper sites. Don't take the gangs' communiques at face value, but some appear to be trolling for unprotected MongoDB databases. A look at Taurus, an information stealer, are being sold in criminal-to-criminal markets. Chinese law and online security. The EARN-IT Act is being debated. Justin Harvey on smishing. Our guest is Jeff Styles from FireMon on COVID-19 increasing misconfiguration risks. And there's trouble in Tilted Towers. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 2, 2020. 

Dave Bittner: Evil Corp's recent actions against a range of US corporations in the recent WastedLocker campaign are said, by BleepingComputer and others, to have affected a large number of newspaper sites run by a single parent corporation. The reports are based on a tweeted update to research Symantec published last week. Neither the news outlets nor their corporate parent are named. These attempts don't appear to have been particularly successful. 

Dave Bittner: A CISA official and an IBM researcher have given CyberScoop an appreciation of ransomware gangs' growing sophistication. It's been common knowledge for the better part of a year that a ransomware attack should also be treated as a data breach. The gangs have for months adopted data theft as a core tactic, both for additional leverage against the victim and as an additional revenue stream. What's relatively new is the amount of effort expended in reconnaissance of the victims' networks. The criminals want to know what the victims have, where it's kept and who has access. 

Dave Bittner: KrebsOnSecurity warns that some news organizations have been overly willing to retail ransomware gangs' claims. He thinks simply transmitting the criminals' woofing only aids their marketing. And who wants that? So good advice - don't take the hoods uncritically at their word. 

Dave Bittner: So on that note, we'll observe that this next story - reported by ZDNet - is sourced to the GDI Foundation, a group devoted to finding and responsibly disclosing vulnerabilities and hardly ones to swallow Internet nonsense whole. They've noticed a problem afflicting MongoDB instances left exposed and unprotected online. 

Dave Bittner: Hackers have been using an automated script to scan for unsecured MongoDB databases, and they've found some 22,900, which by ZDNet's count amounts to about 47% of all such databases accessible online. Once an unprotected database is found, two things happen. First, the criminal backs up the data, and second, they wipe the original. That deletion was, in some initial cases, fumbled or overlooked, but the hoods seem now to have fixed their problem and become more adept at deleting information from their victims. 

Dave Bittner: Then they leave a ransom note. The ransom isn't particularly high, coming in at just 15/1,000 of a Bitcoin - that's about $140. It is interesting, however, to see the extortionists use both the carrot and a stick to induce compliance with their chicken-feed demand. The carrot is the promise that the wiped data will be restored from the crooks' own backup. The stick is that the stolen data will be referred to European authorities to get the victim prosecuted under GDPR. There's also a deadline. The victim has 48 hours to decide, at which point it's adios data and hola, information commissioner - or so the crooks claim. 

Dave Bittner: Researchers at security firm Zscaler describe an information-stealer, Taurus, currently sold in criminal-to-criminal markets. It's offered by the tastelessly self-named Predator the Thief, and it's carefully coded not to execute in twelve former Soviet republics. That's understandable since accommodation to the Organs has long been the better part of criminal valor. One might expect more unrestrained bravery from someone calling themselves Predator the Thief. Maybe Bottom-Feeder the Scavenger would be better. Anyhoo, since we've never cooled our heels in an Orenburg slammer, maybe we shouldn't cast stones. 

Dave Bittner: Taurus concentrates on system information, passwords, cookies, browser history, autofill values and cryptocurrency wallets. The payload is delivered by phishing. Predator the Thief's criminal clients can keep track of where their phishbait is being swallowed on a snazzy dashboard with a heat map of the whole world. Not every former Soviet republic is immune, by the way. The map shows infections in the three Baltic states, none of which are particularly Moscow-friendly. 

Dave Bittner: China's national security law has effectively ended Hong Kong's former autonomy, The Register reports. The Wall Street Journal says this marks an end to business as usual in the city. The law is cast as a measure against secession, subversion, terrorism and collusion with foreign forces. Those who run afoul of it are subject to removal to the mainland and long prison sentences in principle extending to life. China's full online surveillance apparatus can henceforth be expected to be used against Hong Kong. But of course, the online cyber aspects of the national security law are not the most important of its effects. As far as extradition to the mainland is concerned, Foreign Affairs published an elegy for Hong Kong autonomy today under the title "Hong Kong is Part of the Mainland Now." 

Dave Bittner: Jeff Styles is vice president of global field engineering at FireMon. Among the many security issues he and his team have been tracking during COVID-19 are a dramatic increase in misconfigurations. He joins us with these insights. 

Jeff Styles: So misconfigurations, think of it as is human error. Right? And this can happen on any form of technology - right? - from overly permissive access to incorrect zone access, fat fingering a subnet, putting the wrong toggle in place - anything that's unintended. Right? Whenever we're configuring a software platform, hardware, you name it - you know, we make a mistake and then that mistake can be exploited. 

Dave Bittner: Now, mistakes are going to happen. And you know, people make mistakes. From your point of view, what are the most effective ways to mitigate them? 

Jeff Styles: You're right. So mistakes are going to happen. You know, we look at solving that from two aspects. There's the alerting mechanisms - right? - which are typically reactive, meaning somebody makes the mistake, we catch that mistake and then alert on it. Unfortunately, with the reactive state, you're - typically the damage is already done or could be done. Right? So we have to kind of evolve and look at more of a proactive approach. So we want to be able to catch a change before it goes live. So there's almost an element of staging in there. But the proactive place is really what we want to do. And we do this through a form of automation. Right? We take the guesswork out of it. What is done by humans, we evaluate it before it goes live. And then every other step after that, we try to automate it to remove that human error. 

Dave Bittner: Now, how do you put something like that in place while balancing the need to not introduce unnecessary or frustrating friction, of slowing people down? 

Jeff Styles: Yeah, you know, it's funny. Whenever we talk about security, there's always that balancing act. Right? You go to one level, security becomes null and void. You go to the other side, it becomes so intrusive that nobody can get anything done because there's just too many hurdles. There's too many layers. So you do have to find that balancing point. 

Dave Bittner: But what about looking at all this through the lens of the COVID crisis that we find ourselves in today? How does that affect the likelihood of these misconfiguration errors? 

Jeff Styles: Yeah, that's a great question. The COVID-19 thing is really - it's really done a change in the way we do business and the way we look at things. So the spike in bad activity happening right now is all capitalizing on the shift to remote work. They're all trying to exploit all these people moving at a very fast pace with very little security understanding. This becomes the breeding ground for misconfigurations. So we're seeing this across the board as everybody's trying to go from zero to 60 in, you know, 3 seconds to - so they can go to work the next day and everybody's remote. They're making a lot of - they're making a lot of errors. And these things are what everybody is capitalizing on - lot of interesting change happening during the COVID-19. 

Dave Bittner: That's Jeff Styles from FireMon. 

Dave Bittner: Huawei has made its statement to the media concerning the US Federal Communications Commission's designation of the company as a threat to national security. It wants a reprieve, denouncing the designation as based on selective information, innuendo and mistaken assumptions. The company is canny enough to appeal to concerns about telecommunications for rural areas and underserved regions generally. These constitute a natural market for the company's equipment. 

Dave Bittner: The US Congress is taking up their EARN IT Act in earnest today: "encryption fireworks," the Washington Post calls the discussion. The measure represents an anti-encryption shot in the Crypto Wars. We'll know more about how the debate proceeded after Independence Day weekend. 

Dave Bittner: And finally, Professor Hill, call your office because, oh, there's trouble, my friends, in Tilted Towers. And there's a difference between a commoner and a Lord or a Lady with a capital L, and that stands for loot. Your young'uns have been fritterin' away their days and nights in Tilted Towers, or Retail Row. 

Dave Bittner: ZDNet sounds the alarm: Britain's House of Lords wants to regulate loot boxes as a form of gambling. So do your Fortnite Charleston while you still can, kids, before milord gets his hands on it because fritterin' may be on the skids in Westminster. But if things like online poker, dog tracks and loot boxes all cater to an addictive pursuit of the rainbow's end, then maybe milord's got a point. 

Dave Bittner: And joining me once again is Justin Harvey. He is the global incident response leader at Accenture. Justin, always great to have you back. You know, we hear a lot about phishing. We hear about vishing, which is using video for phishing. You wanted to touch today on smishing, which you and your team have been tracking as a growing problem. What are we talking about here? 

Justin Harvey: Well, smishing is when you receive a phish or a scam via an SMS text. And I don't mean your safe and secure blue iMessaging. We're just talking about straight-off SMS green text coming through your phone. We have seen an uptick in criminals that are utilizing SMS to distribute phishing attacks. And we have been training the internet community for years now to really question emails coming through and be like, OK, this is the domain. Is it a real one? Is it too good to be true? But we've been kind of ignoring that we use our mobile devices so much, and there's text, there's iMessages, there's apps. And on a daily basis, we receive texts that are really important to us, like our Amazon delivery - oh, it's around the corner - OK, great - our food delivery and even our bank account alerting us to questionable behavior with our bank accounts, and then we're even receiving some six-digit codes if we use SMS for two-factor. 

Dave Bittner: Right. 

Justin Harvey: And what's happening is we are seeing criminals that are preying upon this because when you receive an unsolicited email and it hits your box, you're thinking, that's a little - it looks a little weird. It seems too good to be true. Maybe the graphics are off. But you'll be able to look at the domain name and see that doesn't look right. When it comes from a phone number, we haven't - phone numbers are numeric. So if - even if, let's say, the president of the United States sends you a text, it would come through as text 'cause you don't have the president's number or cellphone. I'm hoping that the majority of our... 

Dave Bittner: You might not, Justin, but (laughter). 

Justin Harvey: ...Listeners don't have - yeah. I always pick up when the White House is texting. 

Dave Bittner: Sure, sure. 

Justin Harvey: So when you receive this text, it looks very benign. And given that it's in plain text, it's easy to be fooled and say, click this link to know more. And then, of course, that link also is typically shortened with a short - shortening service like Bitly or Google. 

Dave Bittner: Right. 

Justin Harvey: And so when you get that text and it says, let's say, Bank of America has told you that you have a fraudulent transaction; please click this shortened link to go review it, a lot of people are being fooled by that. So it's important to remember to really question not only the source of the SMS message but also the content. And just be extra careful when you click that link and it opens up your browser that that also might not be an official source for that information. 

Dave Bittner: You know, I wonder, too, how much of this - if there's a generational factor here as well because I think about my children and the amount that they use text messaging versus email compared to what I do. It's probably the exact opposite. You know, they - to them, using email is something that only old people do, and they do pretty much everything through their texting. So it makes me wonder if they would be - just by virtue of the volume of messaging that they get, would that make them more susceptible to this, or, being natives, are they more careful? 

Justin Harvey: I think the jury is still out, but I think that this could probably be more associated with technology evolving to be more of a hybrid situation where people are using their browsers, but then they also have to use SMS to get multifactors and to communicate. So I think it's just a sign of our times. 

Justin Harvey: And it's not like there can be a very easy fix for this. Given that they come from numeric numbers, it's very hard to whitelist or even blacklist because you don't know if, let's say, the next time that you go to do your multifactor authentication, some services change their number that they text you from every time, or they have a bank of numbers, and there'd be no way to really whitelist or blacklist it. 

Justin Harvey: But I think the good rule of thumb here is really scrutinize the source and the message. And if you do think that this is from your bank or it's from - it's legitimate, copy and paste the URL out of that. Put it into, let's say, a secure browser in secure mode or in privacy mode. I know that there are multiple modes out there for Safari and Edge and Chrome and Opera and Firefox. Everyone has that private browsing mode, and if you really do suspect that you need to see what's on there, utilizing that. Or even what I do a lot of times is actually take the source phone number and plug that into Google and try to do a reverse search. And what you find is that there's a lot of websites out there that catalog scamming phone numbers. So a lot of times... 

Dave Bittner: Right. 

Justin Harvey: ...You can just plug in the phone number and, like... 

Dave Bittner: Scam (laughter). 

Justin Harvey: There were five reports in the - yeah - in the past seven days... 

Dave Bittner: Right, right. 

Justin Harvey: ...That I've won. And then the final thing I would want to say here, Dave, is that no matter how important things are, if your bank or someone is sending you something that is critical via an SMS, go to the website or go to your bank or call them and say, hey, is this legitimate? I've got this message from you, and it says it's important, but I want to verify it. And if you're one of the many people that are signing up for text notifications on things, be very wary in being able to tell the difference between when you're getting a shipment notification or an ad from your favorite online retailer versus someone offering something that's too good to be true. 

Dave Bittner: Yeah. All right, well, Justin Harvey, thanks for joining us. 

Justin Harvey: Thank you. 

Dave Bittner: And that's the CyberWire. We'll be observing Independence Day this week, so we won't be publishing on either Friday or Saturday. We'll be back with a new episode of "Career Notes" this coming Sunday. And as usual, we'll return to our normal publication and podcasting schedule Monday. In the meantime, enjoy the Fourth. 

Dave Bittner: For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.