The CyberWire Daily Podcast 7.31.20
Ep 1142 | 7.31.20

Social engineering at Twitter. Phishing kits and hackers for hire. Cyberespionage. The EU sanctions actors for Cloudhopper, WannaCry, and NotPetya. And security advice from NSA and NIST.

Transcript

Dave Bittner: An update on social engineering on Twitter. A quick look at the phishing kit criminal market. The European Union sanctions individuals and organizations in Russia, China and North Korea for involvement in notorious hacking campaigns. North Korea's North Star campaign is back and dangling bogus job offers in front of its marks. Deceptikons snoop into European law firms. Zully Ramzan from RSA on digital contact tracing. Our guest is Tom Kellermann from Vmware Carbon Black on top financial CISOs analyzing the 2020 attack landscape. And both NSA and NIST have some advice on shoring up your security.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 31, 2020. 

Dave Bittner: According to Twitter, the social engineering that enabled attackers to compromise high-profile accounts to run a bitcoin scam was accomplished through a phone spear-phishing attack. It's unclear exactly what that means, but Graham Cluley speculates that it involved impersonating a Twitter helpdesk, possibly with a combination of SMS phishing, with a request to call a scam help site. By Twitter's account, the social engineering that gave the hackers access to Twitter's internal support tools proceeded in at least two phases. 

Dave Bittner: Twitter says that not all of the employees that were initially targeted had permissions to use account management tools, but the credentials the social engineers obtained from those personnel enabled the attackers to sift through parts of Twitter's internal systems to collect information about the company's processes. Then they used what they learned to find and target other employees who had the access the attackers were after. Once they'd obtained credentials belonging to users with more extensive privileges, the attackers were able to use them to access account support tools. And from that point, they were able to run their low-brow alt-coin advance fee scam, forsaking the deceptive ingenuity they'd employed in all those voice spear-phishing attacks. 

Dave Bittner: Twitter says it's increasing security. As Ars Technica points out, Twitter has been criticized for the large number of people who had access to its account support tools and for inadequate controls in place to prevent the sort of abuse that ultimately compromised them. Twitter has represented its security improvements as assigning a higher priority to security and in pushing forward pre-existing security workstreams and improvements to our tools. With regret, the company says customers may expect less responsive service while it sorts out its procedures. 

Dave Bittner: ZeroFox, the Baltimore-based firm known for social media security and also for having the best known and most active mascot in the security industry, has published a guide to the current state of phishing kits. Phishing kits involve the establishment of convincing malicious sites to which phishing victims can be directed and subsequently fleeced. They also include letters that can be used in phishing expeditions, and they often come with a dashboard that the crooks can use to control their scams. 

Dave Bittner: The researchers set the phishing kit industry - for industry it is - in the context of the criminal market. They divide the participants in the market into two classes - developers and operators. The developers are the ones who make, market and support the phishing kits. The operators are the developers' criminal customers. The most popular sectors for which phishing kits are developed include software-as-a-service companies, webmail providers, financial institutions and payment-handling firms. 

Dave Bittner: The European Union has issued its first sanctions against hackers, singling out individuals and institutions in Russia, China and North Korea. The news from Brussels is that six individuals and three groups in total were sanctioned. The individuals under sanction are two Chinese nationals, both for their involvement in Stone Panda's Operation Cloud Hopper industrial espionage action, and four Russian nationals, all GRU operators fingered for intruding into the Wi-Fi network of the Hague-based Organisation for the Prohibition of Chemical Weapons. 

Dave Bittner: The organizations named in dispatches are the Tianjin Huaying Haitai Science and Technology Development Co. Ltd., named for its role in providing financial, technical or material support for Operation Cloud Hopper and for facilitating its activities; Chosun Expo, a North Korean outfit that supported the Lazarus Group, and specifically in its conduct of the WannaCry attacks; and finally, the Main Centre for Special Technologies of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, that is, a major GRU unit that's specifically cited for its role in the destructive NotPetya pseudo-ransomware campaign, as well as first such Voodoo Bear or Sandworms operations as the attacks against the Ukrainian power grid. 

Dave Bittner: Josep Borell, the EU's foreign policy head, explained to the AP that the effect of the sanctions would be, quote, "a travel ban and asset freeze to natural persons and an asset freeze to entities or bodies. It is also prohibited to directly or indirectly make funds available to listed individuals and entities or bodies," end quote. 

Dave Bittner: The three campaigns the EU cites, CloudHopper, WannaCry and NotPetya, are all familiar and unusually destructive espionage efforts. It's also interesting to see the attempt against the Organisation for the Prohibition of Chemical Weapons, the OPCW, listed among the offenses charged to the four named GRU operators. These men were apprehended in the Netherlands in April 2018 and, shortly thereafter, expelled from the country. It's believed that their hacking attempt was part of an effort to disrupt the OCPW's investigation of a GRU attempt to assassinate a Russian defector in Salisbury, England, using Novichok nerve agent. 

Dave Bittner: McAfee researchers have described Operation North Star, a North Korean cyber-espionage campaign that prospects workers in the defense and aerospace sectors with bogus job offers. Pyongyang has used this approach intermittently since 2018. LinkedIn has again been used to communicate the offers, which are subsequently baited with malicious code. 

Dave Bittner: European law firms are being targeted by a hacker-for-hire mercenary group, ZDNet reports. The group, which is known by the playground hacker name Deceptikons, has been described by Kaspersky researchers. The security company's APT Trends Threat Report for 2020's second quarter describes the group as clever, as opposed to technically advanced. The Deceptikons have been active for a decade and are most interested in collecting financial information, client information and details of negotiations. Kaspersky doesn't associate the group with any particular organization or threat actor - that is, no one beyond the Deceptikons themselves, who seem to be an unusually intrusive business intelligence service and quite indifferent to custom, law and regulation. 

Dave Bittner: And finally, there's some useful advice from the U.S. Government on dealing with current vulnerabilities. The BootHole vulnerability Eclypsium described this week - that's CVE-2020-10713, which earned a CVSS rating of 8.2 - not the highest, but pretty high - affects a great many devices. General consensus in the industry press holds that billions - not a Saganesque billions and billions, but a lot - of Windows and Linux devices are affected. It's going to be, many observers have said, a tough bug to patch. 

Dave Bittner: But NSA has issued mitigation advice for the BootHole vulnerability. Fort Meade suggests two useful approaches. Users can update an endpoint's vulnerable boot components and revoke the trust of existing boot components. This will be suitable for most individual users and small enterprises, in NSA's opinion. Alternatively, for organizations that require higher levels of security, they can implement Secure Boot trust infrastructure and customize their endpoints to use it. 

Dave Bittner: And CISA and NSA have warned that there's currently a heightened risk of foreign espionage services attacking U.S. critical infrastructure. Most of that infrastructure, in the United States, is in private hands. NIST, the National Institute for Standards and Technology, reminds those who operate infrastructure that the institute has guidelines available for secure engineering that can reduce the risk of such attacks. 

Dave Bittner: My guest today is Tom Kellermann. He's head of cybersecurity strategy at VMware. He joins us with results from their recent report on top financial CISOs analyzing the 2020 attack landscape. 

Tom Kellermann: Yeah, this report is seminal. We surveyed and interviewed over a thousand CIOs and CISOs from around the globe. They're all experiencing an increase of attacks. They're all experiencing increased attack sophistication. But more notably, if you look at it from the lens of, like, true ground truth, the prime causes of breaches were, you know, OS vulnerabilities, application attacks and island-hopping. And application attacks and island-hopping are things we need to focus on because the nature in which APIs are being built out left and right to facilitate digital transformation and provision of financial services or the provision of just services to your constituencies, hackers are taking advantage of that. And they're targeting those very APIs to essentially island-hop into entities and then use those entities' digital transformation efforts to attack their constituencies. 

Tom Kellermann: The most prolific types of cyberattacks were custom malware attacks and cloud-based attacks, specifically cloud-based attacks using Google Drive. And process hollowing has become the new MO of living off the land or lateral movement within organizations. We've been focusing on PowerShell for too long. I wish Microsoft would just fix the problem. But then they also have the other problem of WMI. But, frankly, process hollowing has been widely embraced by the elite hacker crews of the world as the mechanism by which to move from east to west or west to east within the infrastructure and then perform campaigns of not only island-hopping but, essentially, commandeering the entire infrastructure as a whole. 

Dave Bittner: Wow. Are there any common elements for the organizations that are doing a good job, that are effectively defending themselves? Do they have any common threads there? 

Tom Kellermann: Yes, they do. They've integrated their security controls. They understand that it's an all-hands-on-deck approach and that they have to break down the silos between IT and security. They've got to operationalize security through IT, and to do so, they need to dramatically increase visibility. These same organizations are regularly conducting threat-hunting exercises and using those as, essentially, a game-day film for the inevitable allocation of resources and personnel. These people believe in securing applications, securing workloads, and they also believe in the premise of just-in-time administration in so much that administrative privileges shouldn't remain indefinitely for anyone within an organization as an easy stepping stone. 

Dave Bittner: Were there any surprises that came out of the survey that you did, anything you didn't expect? 

Tom Kellermann: Well, I didn't expect that process hollowing would increase by 300% and destructive attacks would be on such a rise. I did expect the island-hopping phenomenon. I did expect the application attacks. The OS vulnerabilities, the exploitation of OS - yes, we've always talked about that in the past, but I think we're dealing with a resurgence. There's a newfound renaissance. I think in large part that's attributed to the economy of scale of the dark web. As noted in the World Economic Forum report that was released a few weeks ago, they said that the dark web economy of scale will be the third largest economy in the world by '21, which is scary to me. But also, more importantly, they said that the second greatest risks to corporations globally will be cyber, which we've all been waiting for. 

Dave Bittner: (Laughter). 

Tom Kellermann: No. 1 being, obviously, pandemics, which we're all dealing with. But I do think that the COVID crisis and the pandemic of COVID is exacerbating our attack surface. Our adversaries are taking advantage of the situation. Frankly, the U.S., as a hegemony, is very weak right now, and you have nation-states, nonstate actors and criminal groups all pursuing a campaign of attrition against us. This is the problem with our industry. And I'm going to call a spade a spade here. 

Dave Bittner: Yeah. 

Tom Kellermann: We've been focused far too long on the bullets, the munitions, that are being launched against us, versus the interdependencies of the dark web, versus, how did they target us in the first place and the behaviors that coincide to be able to predict when they're coming, how they're coming and whether they're alone. And I say this because the Lockheed Martin kill chain is outdated. It is too linear. It doesn't take into account what I would call the cognitions of an adversary. 

Tom Kellermann: Remember, a cognition is a precursor for behaviors. We cannot just focus on TTPs. I give MITRE 1,000 pounds of credit, and I appreciate everything they've done with attack. But now we must begin to think, how do we predict new TTPs? How do we predict new combinations of TTPs? And how do we understand and appreciate that it's not a kill chain? They're not coming in and leaving. They are staying in, and then they're going to move laterally and they're going to leverage island-hopping. And so how do we understand those behavioral anomalies within us? Because we have to invert the security paradigm. Decreasing dwell time is, I guess, the ROI for success in today's day and age, but I'm hoping in the end we can suppress adversaries unbeknownst to adversaries when they're inside of us and run them in circles. 

Dave Bittner: That's Tom Kellerman from VMware. If you want to hear an extended version of this interview, head on over to thecyberwire.com. You can find it there in the CyberWire Pro section. 

Dave Bittner: Are you a follower of the CyberWire on LinkedIn? If not, you might just want to do that. Why, you ask? Well, we do a weekly discount code drop for CyberWire Pro. Each week, we will be dropping one discount code on LinkedIn with significant discounts for CyberWire Pro. That discount code can only be used five times. So follow @thecyberwire on LinkedIn. Keep your eyes peeled. The code could drop any day of the week, and it's first-come, first-serve. 

Dave Bittner: And joining me once again is Dr. Zulfikar Ramzan. He is the chief technology officer at RSA. Zully, it's always great to have you back. I wanted to get your take on digital contact tracing. As we find ourselves continuing to go through this situation with COVID-19, this is top of mind for a lot of people. What are your thoughts? 

Zulfikar Ramzan: So, you know, first of all, I think, Dave, it's important to realize that contact tracing is an extremely well-known idea in epidemiology. It's been around forever, basically. It involves being able to identify individuals who've been exposed or been in contact with somebody who's been deemed to be infectious with the virus. And really it's about making those people aware of the fact that they've been exposed and then recommending appropriate measures, like getting tested or quarantining and so on and so forth. Now, I think that, you know, given the COVID-19 situation, how long people can be asymptomatic for a while and the fact that they can be asymptomatic and infectious at the same time leads people to believe that, hey, epidemiology should really be implementing contact-tracing mechanisms. Now, to me, I think traditional contact tracing is very manual. So you have to have patient interviews. You've got to maybe manually figure out where they've been and who they've been in contact with and so on and so forth. And really, making this process digital is about trying to reduce the error rate of the manual process, number one, and number two, it's about being able to cast a wider net so you can more effectively capture a wide variety people and let them all know that they've been potentially impacted. 

Dave Bittner: As you look at the efforts that are going on globally with this, where do you think folks are getting it right and where do you think they're coming up short? 

Zulfikar Ramzan: Well, you know, first of all, I think that there is an element where, you know, there's a lot of basic privacy and fairness and discrimination questions that come up - right? You have to think about questions around, you know, what data is collected? How is that data being used? You know, what checks and balances exist to avoid misuse and abuse of that data? Is there a way to provide some level of governance on top of the systems that are being used to perform digital contract tracing? What I do worry about at the fundamental level is, are we creating a massive surveillance system that could potentially be used for other purposes? Today, we'll build a system thinking, hey, we need it for COVID-19, and maybe people are willing to accept the privacy risk associated with those systems. But a year from now or two years from now as COVID becomes less of an issue, these systems will still be around. And there's a question of whether or not the data being collected by these systems could now have a deeper and more maybe nefarious purposes for that matter. 

Dave Bittner: Yeah. It's a really interesting aspect, isn't it - that I think a lot of people would think, yes, you know, maybe I'm willing to give up some of my privacy in the short-term for the greater good to try to get us through this, but that doesn't mean that I want to turn that information over forever. 

Zulfikar Ramzan: Correct. Yeah. Maybe, you know, you're willing to provide information about your COVID status. But if that same data that was used to collect information about your COVID status can glean other insights about your health - like, maybe it tells about other aspects of your health history that you may not want to have divulged - all of a sudden you may not have that choice. All of a sudden, you may be caught in this difficult situation where the same data being used to convey COVID status could be used to convey other aspects of your health. 

Dave Bittner: Yeah. It seems to me too that, you know, a component of this beyond the technology side - that there's really, I guess, almost a PR side of this. Being able to - the folks who are trying to do this to effectively communicate the message that, you know, this is what we're trying to do, these are the privacy things that we put in place, and here's why we need your participation. 

Zulfikar Ramzan: Right. And I think that's an important element of it. I think with every technology we have to have a corresponding way of communicating about that technology. For every one person to understand the technical details, you need 10 who can explain it in maybe layman's terms or explain it to policymakers and talk about the implications. If you don't have that in place, that effective communication channel where you can really educate the broader population as well as educate policymakers, you know, we're going to be in for a very, very tough ride. And you know, I think we're already seeing this now where, you know, these apps that are talking about doing, let's say, Bluetooth-based contact tracing. They're not perfect - right? They have security issues occasionally. There are some vulnerability issues associated Bluetooth, although not very common these days, but still they do come every now and then. People need to understand the risks. I think more importantly, it's also important to realize that, you know, two things with contract tracing. One is, if you want this type of Bluetooth-based contact tracing to be effective, it's got to be prevalent. If you don't have enough people doing contact tracing, its effectiveness goes down considerably. And the second element to keep in mind is that, to me, the digital part of contact tracing is just a means to an end - right? It's a way of identifying potential exposures. But the real heart of contact tracing, when you talk to epidemiologists, is it's really important to follow up with that exposure information to ensure that people who have been tracked and who've been identified as potentially being exposed are given the right set of recommendations and are being told, hey, you shouldn't be doing these things now that you've been exposed or you should be getting tested. So this whole aspect of follow-up, it goes beyond that technology piece alone. And I think unless you get all these pieces right to an appropriate degree, we're not going to see the effects of digital contact tracing take place effectively enough in the way that we want to. 

Dave Bittner: Yeah. All right. Well, Dr. Zulfikar Ramzan, thanks for joining us. 

Zulfikar Ramzan: Always a pleasure. Thank you so much, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Be sure to check out this weekend's episode of Research Saturday and my conversation with Daniel Kats. He's a senior principal researcher at NortonLifeLock research group. We're discussing BotSite, a new tool to detect bots on Twitter in real time. That's Research Saturday. Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.