Suppressing Trickbot: cyber warfare and cyber lawfare. Chaining vulnerabilities. An intergovernmental call for backdoors in the aid of law enforcement.
Dave Bittner: Trickbot gets hit by both U.S. Cyber Command and an industry team led by Microsoft. CISA and the FBI warn that an unnamed threat actor is chaining vulnerabilities, including Zerologon, to gain access to infrastructure and government targets. Ben Yelin shares his thoughts on the U.S. House's report on monopoly status for some of tech's biggest players. Our guest is David Higgins from CyberArk on how work-from-home has put a light on privileged access security. And the Five Eyes plus two call for legal access to encrypted communications.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 13, 2020.
Dave Bittner: The unknown operators that KrebsOnSecurity said were disrupting Trickbot turns out to have been neither vigilantes nor criminal rivals, but rather U.S. Cyber Command, The Washington Post reported late Friday. Cyber Command had been concerned that Trickbot's use in deploying ransomware made it a potential threat to the November elections.
Dave Bittner: The disruption apparently took the form of sending updates to the botnet's command-and-control servers that effectively severed communications with the machines the gang controlled. The updates, of course, were bogus. The damage wasn't permanent, but it was disruptive. And it was noticed and remarked upon by the criminals themselves in high, all-caps, chat room dudgeon.
Dave Bittner: Cyber Command's operations are, as The New York Times describes them, from Fort Meade's midterm election protection playbook, developed in 2018.
Dave Bittner: Microsoft also took action against Trickbot with the cooperation of ESET, Lumen's Black Lotus Labs Threat Research, NTT and other organizations, obtaining a court order allowing Redmond to take the botnet down. The New York Times says Microsoft and its partners had been unaware of U.S. Cyber Command's activities against the botnet and that the two actions appear not to have been coordinated.
Dave Bittner: The effect of the sort of takedown Microsoft and its partners executed is basically twofold. First, it prevents further deployment of the malware. And second, it cuts off already infected machines from executing further commands.
Dave Bittner: Sophos, which congratulated the companies involved in the takedown on its blog, also downplayed in an interview with iTWire the likelihood that ransomware or a financial information stealer would represent a dedicated threat to elections. Insofar as they're talking about criminal ransomware gangs, they've got a point. The gangs are interested in money - and in politics only insofar as it can get them money.
Dave Bittner: But there are other respects in which ransomware can threaten the conduct of an election. Some ransomware has proven itself imperfectly containable, and it can infect systems that aren't its principal targets. But more to the present point, Trickbot is thought to be a well-established Russian-speaking gang, and such gangs operate at the sufferance of Russian security and intelligence services. They're regarded as easily co-opted, and it would've been unwise to ignore a significant botnet as representing nothing more than a criminal operation.
Dave Bittner: Microsoft's corporate vice president of Customer Security & Trust, Tom Burt, said Microsoft had been planning the move since April. In his characterization, he said, quote, "we have now cut off key infrastructures so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems," end quote.
Dave Bittner: Some experts maintain the disruption is limited and likely temporary since the botnet is diffuse and dynamic. Swiss botnet-monitoring firm Feodo Tracker shows numerous tricked-out servers still online. Threat analysts at Intel 471 say they have not seen any significant impact on Trickbot's infrastructure and ability to communicate. But this seems, in some respects, unduly pessimistic. As those who've monitored the gang's chatter have observed, the hoods themselves have been doing a lot of complaining.
Dave Bittner: Bloomberg offered a different perspective. In its far more optimistic estimation, quote, "it will likely take months or years for the criminals to recover, if at all," end quote. According to Security Boulevard, the Trickbot perps are considering a 1,400% ransomware demand raise in retaliation. And, of course, there's no more a permanent solution to ransomware than there is to, say, shoplifting. The best you can do is contain the gangs and reduce what the retailers call shrinkage.
Dave Bittner: On Friday, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency and the FBI issued a joint alert updated yesterday describing an effort by APT actors to chain Windows and VPN vulnerabilities in a campaign directed against state, local, tribal and territorial government networks, critical infrastructure and election support systems. They succeeded in penetrating and establishing a degree of persistence in some of their targets, and the target selection is suggestive. But CISA and the bureau say that election security wasn't compromised.
Dave Bittner: The alert includes an extensive review of the exploits used, and it outlines measures that organizations can take to protect themselves. You can find this alert and others on the cisa.gov website.
Dave Bittner: On Sunday, representatives of the Five Eyes, India and Japan issued a joint international statement on end-to-end encryption and public safety. The statement affirmed support for strong encryption but deplored, quote, "counterproductive and dangerous approaches that would materially weaken or limit security systems," end quote, and then called upon companies to design systems so that law enforcement could, with proper authorization, access encrypted communications.
Dave Bittner: They specifically called for an international regime in which governments and software companies would cooperate to achieve three goals - first, embed the safety of the public and system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety and facilitating the investigation and prosecution of offenses and safeguarding the vulnerable; second, enable law enforcement access to content in a readable and usable format where an authorization is lawfully issued, is necessary and proportionate and is subject to strong safeguards and oversight; and engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.
Dave Bittner: In the view of the officials who drafted the joint communique - which is framed entirely in terms of protecting children from online exploitation, a goal hardly anyone likely to gainsay - the way in which end-to-end encryption is presently handled amounts to irresponsibility - quote, "end-to-end encryption that precludes lawful access to the content of communications in any circumstances directly impacts these responsibilities, creating several risks to public safety in two ways - one, by severely undermining a company's own ability to identify and respond to violations of their terms of service - this includes responding to the most serious illegal content and activity on its platform, including child sexual exploitation and abuse, violent crime, terrorist propaganda and attack planning - and by precluding the ability of law enforcement agencies to access content in limited circumstances where necessary and proportionate to investigate serious crimes and protect national security where there is lawful authority to do so."
Dave Bittner: So the goal is a familiar one - devise means by which duly constituted legal authorities could, under the right circumstances that would be strictly controlled, gain access to otherwise inaccessible communications.
Dave Bittner: The criticism is equally familiar. Privacy and security hawks object that criminals and other bad actors could, in principle, find and exploit what would, in their view, amount to legally mandated security weaknesses. And, of course, there's also the objection that such capability would amount to a standing temptation to abuse by even well-intentioned law enforcement organizations.
Dave Bittner: David Higgins is EMEA technical director at CyberArk. He joins us with thoughts on how work-from-home has changed the threat landscape and made privileged access management and security even more important.
David Higgins: Privileged access management is something that's become a key element that's been hugely important from a security strategy. The reason being is when we look at instances, whether they be cyberattack or nation-state, there's a commonality that takes place in these attacks, which is at some point, they look to escalate their privileges. They look to perform credential theft and perform actual (ph) movement in order to get to their objective, whatever that may be.
David Higgins: So it's become a really key element in a security strategy to protect that privileged access, which historically has been your administrators, IT admins, but also in today's world is expanding to, of course, the cloud platform automation. And even the definition itself of privilege is expanding to some business-type users as well.
Dave Bittner: So at its basic level, I mean, is it who in your organization has access to various parts of your network, the different data that's found throughout?
David Higgins: At a basic level, yeah, that's part of it. Right. It's - you know, if you look at it from the kind of traditional IT administrator, these are individuals that have the keys to the kingdom. They're keeping the lights on within the business. They're supporting service, maintaining databases. And they'll be using separate identities in order to execute that kind of access, which is the privileged access. And it's that access that's targeted, and therefore that access needs to be protected. We need to make sure that the right users are getting the right level access at the right time and, importantly, for the right reasons.
Dave Bittner: I could envision that, you know, people would - the natural impulse would be, well, you know, let's give the CEO access to everything. I mean, you know, she's the boss, after all. But at the same time, she's likely to be a real target, so perhaps, you know, that's the person who you want to minimize access in case someone gets into their accounts.
David Higgins: Definitely. You've got to look across the different types of privileged identities. And that isn't just the IT admins. It's exactly as you mentioned, right? It could be the CEO. It could be the head of finance. And you've got to focus on what's going to pose the biggest business impact to your organization, and that's where to start. That's what to lock down.
David Higgins: But you're right. Just simply because someone is senior or executive doesn't mean they should just have access to everything. The access to everything is the approach that's kind of being taken today. It's, well, it's easier just to just drop them in the admin group - right? - give them the access they need.
David Higgins: It's a lot more than they need. But then there's no formal process or proper process to make sure that being (ph) is you, they won't be (ph), you know, kind of removed afterwards. And this just kind of builds up over time. And, you know, when an attack is in an environment, they're going to seek out those accounts that have far-reaching access rights.
Dave Bittner: That's David Higgins from CyberArk.
Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Hello, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: On this week's "Caveat," you and I have a interesting discussion about important news that dropped, which is the report from the House of Representatives on the monopolies - the claimed monopolies - what they're claiming are monopolies of some of the biggest tech companies in the world - the Facebooks of the world, the Googles, the - you got your Facebooks. You got your Amazons. You got your Apples.
Dave Bittner: Can you unpack this for us here? I mean, what's the upshot of this report from the House?
Ben Yelin: Sure. So it is a 450-page report that was released after this House committee collected over 1.6 million pages of documents and held pretty contentious hearings with the CEOs of these companies. And, you know, it's not easy to haul Mark Zuckerberg, Jeff Bezos, Tim Cook and Sundar Pichai in front of a congressional committee and get them to share their anti-competitive practices.
Dave Bittner: (Laughter).
Ben Yelin: So it was a very comprehensive investigation, and this is the culmination of that investigation. And what they determined is that these four companies really do have monopolistic power as it relates to their spheres of influence.
Ben Yelin: You know, Facebook controls the market for social media. It's been able to bully its competitors out of the market. And, you know, not only are they market participants, but because of their position within that market, they're able to set the rules and standards for that industry. And that's very destructive for the promotion of competitive business practices. And the same is true for Amazon as it relates to online shopping, Google for search engines and Apple for all of the things that they produce - the App Store, iPhones, et cetera.
Ben Yelin: So this report not only calls them out for having monopolistic power that's akin, in their opinion, to some of the monopolies we saw at the beginning of the 20th century that led to the progressive era in this country - the oil barons and railroad tycoons, as they mention - but it also has some recommendations.
Ben Yelin: So one of the recommendations is they want to make it tougher for tech giants to buy up smaller companies in order to consolidate the industry. They want to introduce a nondiscrimination requirement to stop platforms from prioritizing their own products over rivals'.
Ben Yelin: And they also want a, you know, a series of measures to enforce antitrust laws. They would increase their own powers as members of Congress, but also they want to empower federal agencies to start enforcing some of the antitrust laws that have been on the books but that have been dormant over the past 40 years, where we've really sort of abandoned our centuries-long effort at going against these anti-competitive business practices.
Ben Yelin: So, you know, the moral of the story in the report is all of these companies have delivered clear benefits to the general public. You and I and probably all of our listeners have used their products and have reaped the benefits of their products. But when you have these types of companies that run the marketplace and compete in that same marketplace, they can come up with a set of rules for themselves while they force others to play by an entirely different set of rules. And that ends up hurting the consumer.
Ben Yelin: When the consumer doesn't have choices, there's less incentive for these large companies to protect the interests of their users. And we see that with things like, you know, Facebook and its political ads, Facebook and the Cambridge Analytica scandal, where, you know, if there were actually a competitive marketplace, people could go and use the services of a competing social media company. That would be a way of holding Facebook accountable. But because of their market power, that's just not really an option. So it's the consumers that end up getting hurt the most.
Ben Yelin: So I think it's a really interesting report. Obviously, most people are not going to read all 450 pages, but I'd highly encourage you if you have interest in this stuff, at least...
Dave Bittner: That's what we have you for, Ben (laughter).
Ben Yelin: I know. Well, it's not like I'm going to read all 450 pages. However, I did read the executive summary. And I did stay at a Holiday Inn Express last night, so...
Dave Bittner: Well, there you go (laughter).
Dave Bittner: How much - what do you suppose could come of this? I mean, we've got - obviously, these companies disagree with the findings. And with the size of these companies comes a lot of influence. You know, they are able to invest in the world's best lobbyists.
Ben Yelin: Yeah, exactly. So not only do they have monopolistic power; they also have a lot of political power. You know, and they also make a lot of content moderation decisions that, you know, can augment their own power as well.
Ben Yelin: So it's hard to know exactly what's going to come from this. This is a recommendation from one House committee. We're getting towards the end of this session of Congress, meaning it's very unlikely that they will turn this report into some kind of legislative proposal in the near term.
Ben Yelin: But if this is something that lingers as a salient political issue and we're in a future Congress, you know, this might be the starting point for negotiations on a bill to increase competitive practices in the tech industry.
Ben Yelin: And I think that's something that actually could garner bipartisan support. I think there are members on both the political left and the right who have, you know, maybe different problems with monopolization in this industry, but both see it as a major concern. You know, so I would not necessarily write this off as an issue that's going to be destroyed by polarization.
Ben Yelin: The tech companies will fight to - you know, fight tooth and nail against this.
Dave Bittner: Yeah.
Ben Yelin: They want to maintain these anti-competitive practices because that's what's allowed them to accumulate $5 trillion worth of capital. And, you know, that's a very difficult interest to go up against. But I think this really could be the basis for at least the start of a movement to erode at some of these anti-competitive business practices.
Dave Bittner: All right. Well, Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed, and it plumps when you cook it. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.