Ups and downs in the cyber underworld. Enduring effects of COVID-19 in cyberspace. Safer online shopping. “Take me home, United Road, to the place I belong, to Old Trafford, to see United…”
Dave Bittner: QBot is dropping EGregor ransomware, and Ragnar Locker continues its recent rampage. Cryptocurrency platforms are troubled by social engineering at a third party. TrickBot reaches version 100. Stuffed credentials are exposed in the cloud. COVID-19 practices may endure beyond the pandemic. Advice for safer online shopping over the course of the week. Malek Ben Salem from Accenture Labs has methods for preserving privacy when using machine learning. Rick Howard digs deeper into SOAR. And someone's hacking a Premier League side.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 23, 2020.
Dave Bittner: Ransomware continues to occupy dreary pride of place in the realm of cybercrime, with foreseeable evolutions in the criminal marketplace. Group-IB has observed QBot dropping EGregor ransomware. EGregor has been regarded as the criminal market successor to the now-shuttered Maze, with which it shares an encrypt-and-dox strategy. QBot's operators had formerly been partial to ProLock ransomware, but they've moved on.
Dave Bittner: The FBI has distributed a flash alert on Ragnar Locker, the information-stealing ransomware strain that's been involved in several high-profile, highly damaging attacks since April of this year and which achieved notoriety for its recent Facebook advertising.
Dave Bittner: Last week, several cryptocurrency platforms, both exchanges and legitimate coin-mining services, sustained attempts to divert their email traffic to domains under the control of unauthorized third parties. KrebsOnSecurity reports that the attempts at redirection were facilitated by social engineering of employees of the GoDaddy domain registrar. Some of those attempts coincided with a widespread system outage at GoDaddy that interfered with the registrar's ability to respond to reports of traffic diversion. The timing appears to have been fortuitous. GoDaddy says the outages on November 17 weren't deliberately induced but cropped up during unexpected difficulties encountered in the course of planned system maintenance.
Dave Bittner: BleepingComputer says TrickBot has reached a milestone. It's now on its 100th version, now more evasive than ever. TrickBot is used, you'll recall, to establish persistence and download a range of other modules into the victim's system. Those modules do such things as steal credentials and other information and facilitate lateral movement across a targeted network. TrickBot has also been commonly used by the operators of Ryuk and Conti ransomware.
Dave Bittner: When the cloud raineth data, it raineth upon the just and the unjust. Criminals don't always excel at opsec. The story of enterprises inadvertently leaving databases open to inspection from the internet without snoopers needing so much as a by-your-leave is an old and familiar one. It happens to the hoods, too. CNET, citing research published by vpnMentor, reports that a crew engaged in credential stuffing Spotify accounts left their list of successfully stuffed credentials exposed online. Spotify is having its users change their passwords.
Dave Bittner: SiliconANGLE has an interesting account of the way in which many organizations have come to see what initially seemed to be temporary accommodations to the COVID-19 pandemic as likely to endure in some form or another. It's particularly striking that some of this sentiment comes from sectors that have been disproportionately hit by the effects of the pandemic and who might be expected to wish for - and so to expect - a return to the pre-COVID normal, so their statements also amount to an admission against interest. 2020 has accelerated what we knew was coming, SiliconANGLE sums up, especially the continued shift towards solutions offered as services and to the expansion of remote work in ways that make the internet the new private network.
Dave Bittner: So you've heard of this Black Friday thing, right? We would like to apologize to the rest of the world for the way in which the American propensity to turn holidays into sales has spread beyond these shores. We say we'd like to apologize, but we won't because, rest of the world, you too can enjoy bargains galore - and you're welcome. And besides, who says the Commonwealth has to celebrate Thanksgiving?
Dave Bittner: Anyhoo, this whole Black Friday and Cyber Monday thing are going to unfold over the course of the next week, and some advice on how to shop safely comes from Britain's National Cyber Security Centre. The NCSC organizes its advice under six headings. Choose carefully where you shop. Leon's Nut House of Bargains, the one with the Pyongyang IP address, is probably the kind of place you want to pass up. Put your virtual hands in your digital pockets and walk on by.
Dave Bittner: Use a credit card for online payments, not a debit card. You may have some protection against fraud with your credit card. If the hoods get your debit card or direct access to your account, then your funds are probably just gone, baby, gone. Only provide enough details to complete your purchase. The online shoe store doesn't need to know grandma's maiden name, your Social Security number or where you were born.
Dave Bittner: Keep your accounts secure with, for example, two-factor authentication, by keeping your software up to date and by avoiding password reuse. Watch out for suspicious emails, calls and text messages because the social engineers can be expected to be out in force. And if things do go wrong, tell the appropriate authorities. There's an appropriate authority for every jurisdiction. You may say all of this is just common sense. And, of course, it is. But it bears repeating. So safe shopping to you all.
Dave Bittner: Manchester United was hit with an attempted cyberattack Friday, ESPN reports. The English Premier League football - that is, soccer - club said media channels and personal data were safe and that Man U had shut down affected systems to contain the incident. The attackers have been described in the British press as subtle, sophisticated, but beyond that and beyond their apparent lack of effort, not much is known about them. Man U has reported the incident to the Information Commissioner's Office, and the Manchester police are also investigating.
Dave Bittner: It's worth noting in passing that nowadays almost every attack is described as sophisticated, especially when the victim has a part in framing the description. But some of the tabloid press, like The Sun, have rumbled that the attack shows all the hallmarks of a Russian operation. But espionage seems a bit far-fetched as an explanation.
Dave Bittner: So who was it then? Supporters of another club? Arsenal, for instance? Did the hack amount to a cyber way of shouting, up the Gunners? No, no, certainly not, and not just because we don't think Arsenal supporters would stoop so low. Ordinary cybercrime seems the likeliest explanation. Man U may have been targeted on the simple Willie Sutton-esque grounds that there's money there. It's one of the world's most valuable professional sports franchises, and the hoods probably thought they had deep pockets. Anyhoo, supporters take heart - matches were played as scheduled on Saturday.
Dave Bittner: And I'm pleased to welcome back to the show Rick Howard, the CyberWire's chief analyst and chief security officer. Rick, welcome back to the show.
Rick Howard: Thank you, sir.
Dave Bittner: So last week, you and I were talking about SOAR, and you gave an overview of what exactly SOAR is and why it's important within the security operations center. So after we were finished talking, it struck me that most organizations have a SIEM tool already.
Rick Howard: That's right.
Dave Bittner: So why would they need another tool just to weed out the noise from, you know, the avalanche of alerts that they're getting from their security stack? Why not just use their SIEM tool to do that?
Rick Howard: That's a very fine question, and the SIEM vendors know it, let me tell you. OK, so...
Rick Howard: So SIEM stands for security information and event management. And they first became available as a tool sometime around 2006. They were essentially on-prem analysis engine databases, right? That - according to Steven Galey over at Cybersecurity Magazine, quote, "They combined the security event management system with the security information management system." So in other words, they're security stack alerts plus intelligence.
Dave Bittner: Right. But, I mean, that's kind of my point. I mean, if they already have all the telemetry from all the devices that are in their security stack, why not just program them to get rid of the noise?
Rick Howard: Yeah. So in those early days, since they were on-prem - OK? - the SIEMS never really had enough hard drive space, right? We couldn't stuff enough information into them to make them useful. So people like me kept having to make decisions about what not to collect in the SIEM. And for the stuff we did collect, we had to decide how long we wanted to keep it - so, typically, two to three weeks. So it wasn't a really good long-term analysis tool. So in those early days, SIEMS were not that useful.
Dave Bittner: So did the situation improve? I mean, these days we've got cloud storage - you know, storage is as much as you want, right?
Rick Howard: Sure. You started to see SIEM vendors offer cloud storage sometime around 2017. So, suddenly, network defenders had infinite hard drive space in the cloud at relatively cheap prices. In the cloud, they could store everything they wanted. But the truth of the matter, though, is those SIEM tools have always been hard to automate, you know. Their internal scripting languages, they were proprietary and notoriously hard to use. In one of my previous CISO gigs, I hired a full-time guy just to be the SIEM programmer. And after a year of work, we had little to show for it.
Dave Bittner: (Laughter) Well, that must have caused just a little bit of frustration.
Rick Howard: Yeah, I couldn't - you know, I'm just walking around going, jeez, this can't be this hard. But, you know, that left the situation open for a new disrupter technology called SOAR to come in and fill the gap, and it left the SIEM vendors scrambling to stay relevant. And, you know, the result is that the two capabilities are collapsing into each other. SIEM vendors are way better today at doing SOAR stuff, and SOAR vendors work more and more seamlessly with the SIEM vendors.
Rick Howard: And I was talking to Kevin Magee about this at the CyberWire's Hash Table. He is Microsoft CSO for Canada. And he thinks that the next generation analysis tool is some combination of SOAR and SIEM delivered from the cloud.
Kevin Magee: Integrating SOAR, integrating other tools, really to make the tool SIEM into, you know, more than the sum of its parts. I'm not sure if there's a term coined for next-generation SIEM or whatnot, but I'm sure it's coming at some point. But I think that's where we're headed. And cloud scale's really allowing us to do that - something we'd never, ever done before.
Rick Howard: So in this week's "CSO Perspectives" podcast, we talk about all of that, plus an entire host of things you can use with your SOAR tool that you probably haven't thought about yet.
Dave Bittner: All right. Well, that is over on "CSO Perspectives." That is part of CyberWire Pro. You can check all of that out on our website - thecyberwire.com. Rick Howard, thanks for joining us.
Rick Howard: Thank you, sir.
Dave Bittner: And joining me once again is Malek Ben Salem. She is the America's security R&D lead at Accenture Labs. Malek, it is always great to have you back. You and I previously talked about some privacy attacks on machine learning. Let's go at that from the other direction. Can you share with us some information about preserving privacy when it comes to machine learning?
Malek Ben Salem: Absolutely. Yeah, there is a new trend, if you will, or a new approach for performing machine learning known as privacy-preserving machine learning. And the goal of this approach is, obviously, to preserve privacy. Those techniques can be categorized into two different category approaches. No. 1 are the cryptographic approaches, where the party that is sharing data with the other parties to perform the machine learning or uploading, you know, their own data to the cloud encrypt that data beforehand and performs the machine learning on the encrypted data. The way to do that is through homomorphically encrypting the data.
Malek Ben Salem: So homomorphic encryption, or fully homomorphic encryption, enables the computation on encrypted data with operations such as addition and multiplication that can be used as the basis for more complex arbitrary functions. The other - there are other ways of performing - or other cryptographic approaches to be used, such as garbled circuits and *****
Malek Ben Salem: ***** secret sharing. But the main one is homomorphic encryption. So that is one way of performing privacy-preserving machine learning. The other general category or approach is known as perturbation approaches. And under that category, there is differential privacy. Differential privacy, basically, is a randomized algorithm by which the party can add some random noise either to the input data that is used to train the machine learning model or to the parameters of the machine learning model itself or to the output of the machine learning model, so that when the output gets shared, you know, it has some random noise added to it and thereby protecting the privacy of the underlying data used to train the model. And then the other, you know, main approach and/or these perturbation approaches is dimensionality reduction. Dimensionality reduction, basically, is a technique by which - the goal of which, actually, is to reduce the complexity of the input data to the training model and to make the model itself much simpler and also a lot more robust. But by reducing the dimensionality of the input data - when we talk about dimensionality, we're talking about - you know, you have data with N features. So, you know, it can be - it has, basically, N dimensions to it. And you want to reduce that number so that you rely on a more reduced set of features. So the technique basically projects that data into a lower dimensional hyperplane or space. But by that transformation, there is some loss of information. And it's assumed that that loss of information basically removes some of the private information and, therefore, protect privacy. This is more of an assumption, I think. It has to be mathematically proven. You know, we have to prove how much privacy is - what other privacy guarantees, if at all. But that's a second type of approach that can be used to preserve privacy.
Dave Bittner: Now, are these, you know, computationally expensive? I know, you know, homomorphic encryption was something that, it seemed like, for a while, it was just out of reach. And now I know there are a lot of - or not a lot, but there are certainly organizations who are implementing it successfully these days.
Malek Ben Salem: Yeah. Absolutely. So homomorphic encryption is very computationally expensive. You know, obviously, it depends on the use case and the type of computation and the model being applied. But, you know, you can assume that on the order of - you know, the order of magnitude is that it's, you know, 1,000 times more expensive computationally than the regular, you know, addition or multiplication operation. So the use cases for it have to be carefully selected. But we have - within Accenture, for instance, for our clients, we have successfully been able to implement it for specific use cases.
Dave Bittner: Interesting. Yeah. So it's in the option - it's in the list of options that are available if it's something that folks think they might need.
Malek Ben Salem: Exactly. Exactly.
Dave Bittner: Yeah. Yeah.
Malek Ben Salem: And we're going to see it, you know, being more used with the advances that we see in hardware, right? So...
Dave Bittner: Right. Right. All right. Well, Malek Ben Salem, thanks for joining us.
Malek Ben Salem: Thank you, Dave. My pleasure.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the cyberwire.com. And for professionals and cyber security leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed - solutions for a small planet. Listen for us on your Alexa Smart Speaker, too. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyberwire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.