The CyberWire Daily Podcast 8.7.20
Ep 1147 | 8.7.20

US Executive Orders against TikTok, WeChat. Chimera takes chip IP. Intel data leaked. Texting Rewards for Justice. Coordinated inauthenticity. Magecart’s homoglyph attacks.


Dave Bittner: President Trump issues executive orders restricting TikTok and WeChat in the U.S. A Chinese APT has been active in industrial espionage against Taiwan's semiconductor industry. Intel sustains a leak of sensitive company intellectual property. Rewards for Justice communicated to Russian and Iranian individuals by text message. Coordinated inauthenticity from Romanian actors - probably criminals. Magecart moves to homoglyph attacks. Craig Williams from Cisco Talos on ransomware campaigns making use of Maze and Snake malware. Our guest is Monica Ruiz from the Hewlett Foundation Cyber Initiative on the potential for a volunteer cyber workforce. And sorry, Fort Meade, there are limits to telework.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 7, 2020. 

Dave Bittner: U.S. President Trump yesterday issued two executive orders that imposed new limitations on Chinese-owned social media apps TikTok and WeChat. WeChat is a subsidiary of Tencent, TikTok of ByteDance. And both parent companies are mentioned in the orders. The Wall Street Journal summarizes the effect of the orders as prohibiting anyone in the United States or subject to U.S. jurisdiction from conducting transactions with the owners of the two services. The ban will become effective 45 days from the date of the executive orders, which, unless we've miscounted, puts the deadline on September 20. This could prevent U.S. citizens from downloading the apps from such sources as Google Play or the Apple Store. It also puts a deadline on Microsoft's possible acquisition of TikTok. 

Dave Bittner: Both executive orders stated as an official finding that, quote, "additional steps must be taken to deal with the national emergency with respect to the information and communications technology and services supply chain declared in Executive Order 13873 of May 15, 2019, securing the information and communications technology and services supply chain", end quote. Both of the apps represent a threat because they automatically capture vast amounts of information from their users, and the data they collect are, in principle, accessible to the Chinese Communist Party and Chinese government intelligence services. 

Dave Bittner: Both social platforms, the orders say, actively censor domestic dissent in China, and TikTok has been active in spreading COVID-19 disinformation on behalf of the Chinese government. The order affecting WeChat in an aside cites restrictions India and Australia have placed on the app as an indication that the U.S. isn't alone in seeing a problem with Chinese data collection practices. The secretary of commerce will be in charge of implementation and enforcement. 

Dave Bittner: TikTok, which has moved data formerly held in U.S. servers to servers in Ireland, objected to the executive order in a strongly worded statement it issued this morning. The company sees what it views as a lack of due process as most objectionable. Quote, "we are shocked by the recent executive order, which was issued without any due process. For nearly a year, we have sought to engage with the U.S. government in good faith to provide a constructive solution to the concerns that have been expressed. What we encountered instead was that the U.S. administration paid no attention to facts, dictated terms of an agreement without going through standard legal processes and tried to insert itself into negotiations between private businesses," end quote. The statement also includes an explicit denial of the specific accusations of the order. Quote, "we have made clear that TikTok has never shared user data with the Chinese government, nor censored content at its request," end quote. And, of course, the statement urges all of the American users and creators who've been engaged with TikTok to write their elected representatives. We found no comparable statement from WeChat. 

Dave Bittner: At Black Hat yesterday, researchers at security firm CyCraft described a Chinese government threat group, Chimera, that successfully targeted Taiwan's semiconductor industry, or pillaged the industry, as WIRED puts it. Their goal was source code, chip designs, software development kits and similar intellectual property. CyCraft calls the action against chip manufacturers Operation Skeleton Key after its use of SkeletonKeyInjector, which implanted a skeleton key into domain controller servers to enable persistence and continuous lateral movement. Its ability to make direct syscalls enabled it to bypass security systems. Additionally, by making direct syscalls, the malware could bypass security systems dependent on API hooking. 

Dave Bittner: The operators' principal remote access Trojan was Cobalt Strike, used to establish a backdoor into victim systems for exfiltration. Chimera uses what CyCraft called an old and patched version of RAR. 

Dave Bittner: There was also a significant loss of IP from California-based Intel. The company has suffered a breach that cost it 20 gigabytes of sensitive corporate intellectual property from Intel exconfidential Lake. CyberScoop says Intel is investigating, but that a corporate representative said, quote, "we believe an individual with access downloaded and shared this data," end quote. 

Dave Bittner: The data dump was announced in a tweet by an IT consultant who goes by the handle Tillie 1312 Kottmann #BLM. Tillie 1312 Kottmann #BLM, a software engineer based in Switzerland, has some role in the incident - discoverer, leaker, security researcher, or middle-person - but exactly what isn't clear. According to Ars Technica, Tillie 1312 Kottmann promised that there would be more leaks to come. 

Dave Bittner: SecurityWeek says that the same person has been connected with other, earlier leaks of proprietary source code from well-known companies, including Microsoft, Adobe, Disney and Nintendo, to name a few. Most of the information, Tillie 1312 Kottmann said, comes from improperly configured or exposed DevOps infrastructure. Much of the coverage of the incident has called the material lost classified, or confidential, or secret. Some clarification is in order. The information is corporate, proprietary and sensitive, but not apparently classified in the formal, governmental sense. 

Dave Bittner: The U.S. State Department reward being offered for information concerning attempts to hack U.S. elections has been communicated in some surprising places. Reuters reports that text messages communicating the offer and a link to Rewards for Justice have been turning up on Iranian and Russian devices. Who sent the texts isn't clear, but there's speculation that the messaging was done on behalf of the U.S. government. U.S. Cyber Command referred Reuters to the State Department, and State had nothing to say. 

Dave Bittner: According to The Washington Post, Facebook has disabled a Romanian network that was sending inauthentic messages expressing implausible support for President Trump. One would have to be naive indeed to uncritically swallow a report that former President Obama and former first lady Michelle Obama had thrown their wholehearted support to the re-election of President Trump. The motivation is as likely to be financial fraud as it is influence. 

Dave Bittner: Malwarebytes reports an ongoing series of homoglyph attacks, which substitute similar-looking characters into familiar domain names. The activity appears linked to Magecart, and it shows the gang evolving to take advantage of similarities among Turkish, Cyrillic and other international character sets with the, to us, more familiar Roman letters. 

Dave Bittner: And finally, as remote work increasingly looks likely to become an important part of the new normal, the U.S. National Security Agency has said that it's expanding its telework capabilities with a 2021 adoption of Microsoft Office 365 to support unclassified work, FCW reports. But to rumors that NSA is going to open up its top-secret cloud to remote work, the agency's CIO, Gregory Smithberger, said, no, that's just not a thing. And why not? Because, come on, friends, there's just some kinds of work that you can't phone in. 

Dave Bittner: My guest today is Monica Ruiz. She's a Cyber Initiative and Special Projects fellow at The William and Flora Hewlett Foundation, who are financial supporters of the CyberWire. Our conversation explores the notion of a common volunteer cyber workforce. The idea that citizens with expertise in cybersecurity could volunteer or be called upon to respond to cyber incidents, much the same way a volunteer firefighter brigade functions. Some suggest it could be modeled after the old merchant marine where civilians with specific expertise could be temporarily called in by their government to support the common good. 

Monica Ruiz: One of the things that I oftentimes say when I explain this concept of cyber volunteer units is the fact that there are complex challenges in cyber defense. So, you know, we have resource and talent constraints in the public sector. We have competitive private-sector salaries that impede government recruitment and retention. And we have poor cyber hygiene or awareness in our societies. And so all of those realities that have existed for years have really brought to bear the need to integrate outside talent into public sector cyber defense. 

Dave Bittner: You know, when I think about volunteer organizations in communities, there's several things that come to mind. I think of volunteer firemen, I think of things like the National Guard - which isn't volunteer necessarily. But I also think of things like the ham radio operators who come in times of a - say there's a hurricane or something like that. They step up and provide communications. Are any of those models along the lines of the possibilities here with cyber? 

Monica Ruiz: Yes, I think so, Dave. And just to add two more models to that, for example, we have the 17th century U.S. Minutemen - right? - which were civilian colonists who formed militias during the American Revolutionary War, and they were known as being ready at a minute's notice. Or you have the Civil Air Patrol that was created in 1942. That was initiated by roughly 150,000 aviation enthusiasts who convinced the government to incorporate them formally. And so all the models that you just made reference to and these two past examples that I just mentioned really go to the root of all of this, which is, you know, someone's need to serve their country and appealing to someone's sense of duty. And I do think that applies in a cyber context. 

Monica Ruiz: If you are an individual that has the skill sets and you want to help, there needs to be a way to allow you to do that. And I think an example of that was, for example, in 2012 following Hurricane Sandy, more than 900 people from New York started communities, signed up to coordinate efforts online. But a lack of a framework really prevented them from getting involved and being more effective in their efforts. And so I think the overlying - you know, the common denominator in all of the examples that we just made reference to is, you know, appealing to someone's sense of duty and building the infrastructure for them to be able to be operationalized for the good. 

Dave Bittner: Are there any examples out there of communities that are already doing this? Some good samples that you can build on? 

Monica Ruiz: Sure. So I - I've written extensively about the Estonian Defense League Cyber Defense Unit, so that's more of an international model. But it's probably best to highlight some of the models that have already been put in place in a U.S. context. And so one of the earliest ones that I found that has - shares many similarities with the Estonian Defense League Cyber Defense Unit is the Michigan Cyber Civilian Corps that was created in 2013. And this model is essentially a group of trained civilian-technical experts who volunteer to provide rapid response assistance to the state of Michigan in the event of a critical cyber incident. And its mission is essentially to provide mutual aid in the event of these incidents at all levels of government, education and business organizations. And so that's one of the models that has really informed what other states are doing. 

Monica Ruiz: You also have the Ohio Cyber Reserve, which was created in 2019. And what was interesting about what Ohio did is that they set up the cyber collaboration committee to determine what the state needed in order to improve its cybersecurity and training. And it was interesting because this mapped the current cybersecurity gaps in the state so that then the Ohio Cyber Reserve force can help serve as an extended response capability to fill those gaps. 

Dave Bittner: Can you point us in the direction of some resources if folks want to see what's available in their community or take a leadership role, try to get things started? Where's a good place for them to find out how to go about doing that? 

Monica Ruiz: Sure, Dave. So I would recommend individuals to contact their National Guard offices. One of the issues that I've also been researching is potentially having the National Guard serve as that vehicle that integrates outside talent, given that it's uniquely positioned to do so because it has dual constitutional authorities. And so I've seen a couple of states start using their National Guard to start building these models. So depending on what state you're in, contact your National Guard. Learn whether they are also exploring these options and how you can get involved. Cyberthreats are ongoing and increasing, especially as COVID forces everyone into virtual settings. 

Monica Ruiz: And so the three takeaways that I would love to leave everyone with is that, one, we need to tap into diverse civilian talent. Second, is that we need to find a way to integrate that talent for societal benefit. And third, is that we need to focus on the long term of these efforts, so training and cyber education. And I do think cyber-civilian units are uniquely positioned to address those three needs that I just laid out. 

Dave Bittner: Our thanks to Monica Ruiz from the Hewlett Foundation for joining us. There's an extended version of our interview available on CyberWire Pro. Check it out on our website 

Dave Bittner: Hey everybody. Dave here. And I'm pleased to be joined once again by Craig Williams. He is the head of Talos outreach at Cisco. Craig, always great to have you back. You and your team have been tracking some ransomware campaigns that have been making use of the Maze and the Snake malware. Can you give us some insights? What's going on here? 

Craig Williams: Yeah. So this is just one of the trends that our team has been tracking, you know, across the internet, across the data that they have the ability to monitor. And it's something we became more and more concerned about due to the recent pandemic because we know a lot of people are working from home. Right. And so just to cut to the meat of it, really what's happening is we're seeing attackers compromise systems. But instead of immediately deploying ransomware, many are doing reconnaissance and waiting. And if you think about that, it does make some sense. Right? 

Craig Williams: If you think about the way businesses are right now, they may have security on the endpoint or limit the things that the endpoints can access. However, you know, maybe in 30 days, six months, 90 days, they may go back into the office. They may reconnect those machines. They may remove some of those security restrictions to help business. And so these attackers are not just immediately deploying ransomware; they're doing some additional reconnaissance, they're collecting credentials, they're collecting data. And then, you know, 30 days in the future or whatever - you know, whatever floats the attackers' boat - they're then deploying the ransomware and then ensuring they can cause the most damage possible. 

Dave Bittner: That's fascinating. So the notion being here that if I'm able to hit your computer while you're working at home - let's say your laptop - at some point, odds are you may go back to the office, reconnect to that corporate network. Is that what we're tracking here? 

Craig Williams: Well, that's our concern, right? This isn't necessarily a new thing, but we're definitely seeing an increase in it. Now, that could be due to the fact that COVID-19 lures are just simply more effective. Right. That could account for it. But I'm also concerned that the attackers could be making more of a push towards getting into those data centers a little bit more effectively by collecting more information ahead of time. And so I think this is something that we need to make sure that IR teams and security response teams are looking for. You know, look for people compromising those endpoints, you know, assume credentials may be compromised a little bit more often than usual. Maybe even up your rotation a little bit if you have the ability to do that. You know, it's definitely something people need to worry about. And if you don't have visibility on the endpoint, it's something you need to start considering. 

Dave Bittner: Does this reflect an increase in the professionalism of these bad actors - this - their ability to have more patience here, to bide their time? 

Craig Williams: I think it does. You know, I don't know that that's necessarily a recent thing. I think this has been going on for a while. But I think the way that the lures are becoming more effective, the way that users are working from home, the way that security policies may have to be modified to facilitate working from home are definitely all going to combine to make industry more vulnerable. 

Dave Bittner: So as folks are planning for their workers to come back to the office, to reengage, to plug those systems back in and connect to that corporate Wi-Fi, what sort of things should be top of mind? 

Craig Williams: Well, I think segmentation is key, right? If there's no reason for users to be able to connect to certain machines that are sensitive - right? - like your backup servers, don't let them. Right? Set up the access restrictions you need to prevent that from happening. And even go one step further and try and make sure you have visibility into what's going on in the endpoints. 

Dave Bittner: All right. Well, Craig Williams, thanks for joining us. 

Craig Williams: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor Proofpoint’s ObserveIT, the leading people-centric insider threat management solution. Learn more at 

Dave Bittner: Don't forget to check out this week's Research Saturday and my conversation with Karim Lalji and Johannes Ullrich from the SANS Technology Institute. We're going to be talking about their research on the CyberBunker criminal gang. It's a fun one. That's Research Saturday. Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.