Implications of Solorigate’s circumspection. RBNZ cleans data sources. Gamarue in student laptops. Dodgy apps. Ransom DDoS surges. Securing the President’s Peloton.
Dave Bittner: Twice, it's maybe an indicator. Once, it's nothing at all - to the machines. The Reserve Bank of New Zealand works to clean up its data sources. Wormy student laptops. Daily Food Diary is a glutton for your data. Ransom DDoS. Caleb Barlow examines how we handle disinformation in our runbooks and response plans. Our guest, Ron Gula from Gula Tech Adventures, shares his thoughts on proper public cyber response to the SolarWinds attack. And should we worry about that White House Peloton?
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 22, 2020.
Dave Bittner: Microsoft's discussion of what they've found while looking into the Solorigate incident continues to attract attention from the security sector, and other firms' researchers are corroborating the general picture Microsoft drew of how the threat actors worked. DomainTools, for one, points out that Solorigate and the tactics its operators used conclusively demonstrates the limitations of indicators-centric defenses. The Solorigate campaign was too quiet, too cagey, too Protean, to portray itself by simple indicators, especially when potential indicators are used just once.
Dave Bittner: The Reserve Bank of New Zealand, afflicted by a data breach it suffered by illegal access of a third-party file-sharing service, has decided to delay its regularly scheduled release of statistical data while it continues to investigate the breach. Part of the issue is data collection, some of which was done via the compromised service. Reuters reports that the central bank says it's making progress in that investigation.
Dave Bittner: Everyone wants to help students engaged in remote learning, and several governments around the world have provided suitable devices and connectivity to students who might otherwise lack them. Of course, amid general success, not all has proceeded happily. The BBC reports that some laptops Her Majesty's Government had issued to support children being schooled at home during the pandemic have been found to come pre-equipped with malware. A school in Bradford noticed the problem when some of the devices were noticed to be quacking to a server in Russia, which is not the sort of behavior one wants to see. It wasn't all of them, only some. But the calling back to Russian servers and affected machines apparently started when the devices were unpacked and set up, which suggests that the infection preceded anything the students might have done with their new laptops.
Dave Bittner: Why would the Russians be spying on British kids? Well, they're not - anyway, probably not. Computing says the malware is a version of the Gamarue worm. It's a commodity worm that's been around in the underworld for almost a decade. ESET's 2017 description of Gamarue remains informative - the worm was then and remains widely used malware traded in various criminal markets. It's been most often used for credential theft and for installation of other malicious software. Gamarue has been widely available for years.
Dave Bittner: Security researchers at Pradeo this morning released notes on a malicious app that's found its way into the not exactly walled, but at least fenced-in garden of Google Play. It's called Daily Food Diary, and it represents itself as a tool for introspective dieters who prefer an app to a concerned friend as an aide to intake and portion control. You take pictures of your meals and set yourself various gastronomic reminders. But it's a pretty intrusive app, and it's interested in things other than what's on your plate. It asks for foreground service permission - that is, a setting that runs it automatically at startup. And it also sets itself to run in the background, arrogating this wake lock permission without so much as a by-your-leave. It also overrides attempts to exit the app.
Dave Bittner: And there's more. Daily Food Diary nags its users for permission to access their contact list, whose contents it then exfiltrated to parts unknown. It will also ask - repeatedly - to manage your phone calls as well as your calories, enabling it to refuse calls that might interrupt whatever else the app was up to. Pradeo sees some code similarities to Joker malware. So stay clear of the Daily Food Diary. Try a pad and pencil. Dear diary, I can't believe I ate the whole thing. There we go. Fixed it.
Dave Bittner: Researchers at Lumen report a disturbing rise in extortion by threatened distributed denial-of-service over the second half of 2020. Ransom DDoS - or RDDoS, it's being called. One of the more active criminal groups in the field represents itself as being a nation-state's intelligence service, using such services' familiar nicknames, including the Armada Collective, Lazarus Group, Fancy Bear and Cozy Bear. It's none of those, but it's been successful enough to inspire imitators. So again, no bears, no pandas, no cute-but-malign animals whatsoever. Just grifters, hoods and racketeers. Lumen advises against paying.
Dave Bittner: Security firm Radware is also seeing a surge in attempted RDDoS. They began seeing letters in December sent to some of their customers that began with a greeting equally matey and menacing, quote, "Maybe you forgot us, but we didn't forget you. We were busy working on more profitable projects, but now we are back," end quote. Radware thinks the correspondents are the same goons who cumbered email boxes back in August.
Dave Bittner: Anyhoo, the letter continues in a darker key, quote, "We asked for 10 bitcoin to avoid getting your whole network DDoSed. It's a long time overdue and we did not receive payment. Why? What is wrong? Do you think you can mitigate our attacks? Do you think that it was a prank or that we will just give up? In any case, you are wrong," end quote.
Dave Bittner: As the threatening language heats up, the idiomatic control downshifts into a Shadow Broker-ish (ph) gear, quote, "We can easily shut you down completely, but considering your company's size, it would probably cost you more one day without the internet than what we are asking. So we calculated and decided to try peacefully again. And we are not doing this for cyber vandalism, but to make money. So we are trying to be (ph) make it easier for both," end quote.
Dave Bittner: Radware speculates that the bull market in Bitcoin, with its attendant price rise, may have convinced the crooks that the extortion is worth their while. That seems corroborated by the crooks themselves, who go on to say, "We will be kind and will not increase your fee. Actually, since the Bitcoin price went up over 100% since the last time, we will temporarily decrease the fee to five bitcoin temporarily. Yes, pay us five bitcoin and we are gone," end quote.
Dave Bittner: So there you go. But remember, as the RDDoSers themselves might say, there's no particular reason to take them at their word for anything. One way in which they would never be heard from again might be if they were apprehended and given a nice sabbatical at Club Fed or a period of reflection at Her Majesty's pleasure, or the equivalent in Canada, Australia, New Zealand, Germany, France - you get the picture. Good hunting, law enforcement.
Dave Bittner: And finally, to return to personal wellness, here's another fitness-related thing people are worrying about - the connected Peloton stationary bicycle, which counts President Biden among its users. Apparently, people are concerned that the Peloton's onboard camera and microphone could be compromised, revealing whatever Mr. Biden looked and sounded like while he was spinning away. Graham Cluley says it's all much ado about nothing, pointing out that the President could secure the camera with a Post-it note and maybe find the microphone and stuff it with something that would muffle its input. And in addition to a Post-it or tape on the camera, be decently clad while on the Peloton just in case.
Dave Bittner: But we have a better idea. Maybe just play some music at a distractingly high volume while exercising. Secret Service, you're welcome. And Popular Mechanics, The Times, The Guardian, Cycling Weekly, don't sweat the small stuff. We're pretty sure NSA wouldn't.
Dave Bittner: And now, a word from our sponsor, KnowBe4. There's a reason more than half of today's ransomware victims end up paying the ransom. Cybercriminals have become thoughtful, taking time to maximize your organization's potential damage and their payoffs. After achieving root access, the bad guys explore your network, reading email, finding data troves. And once they know you, they craft a plan to cause the most panic, pain and operational disruption. Ransomware has gone nuclear. The folks at KnowBe4 have an upcoming webinar that'll get you up to speed on ransomware. In this webinar, you'll find out why data backups - even offline backups - won't save you, why ransomware isn't your real problem and how your end users can become your best last line of defense. Go to knowbe4.com/ransom to learn more about the webinar. That's knowbe4.com/ransom. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: In the aftermath of the SolarWinds Orion data breach, there's been active discussion of what kinds of steps need to be taken in response to the event from both the federal government and the private sector. Joining me to discuss this aspect of the story is Ron Gula, co-founder of Gula Tech Adventures and former CEO and co-founder of Tenable Network Solutions.
Dave Bittner: So today, we're going to be talking about some issues related to the recent SolarWinds breach. Before we dig into some of the specifics, can I get just kind of a general sense of response from you? I mean, we're several days out from the revelations about this. From your point of view, where do we stand?
Ron Gula: So I think the big winners for the SolarWinds response are FireEye. You know, FireEye, you know, did not have to disclose this, but they did disclose it and good for them. The losers have been, you know, folks who probably should have detected this. So perhaps - it's pretty easy to armchair and criticize the intelligence community and say, hey, why didn't you, you know, stop this? Maybe they stopped 10 other SolarWinds and, you know, the 11th one got through. But, you know, what about all the companies and vendors and IT support teams who were defending the government networks that this backdoor went out of? So you got to kind of question what's going on there. I look at this in terms of, like, winners and losers. You know what the response is going to be - right? - more cyber vendors, more policy, more talking about who's in charge. That's kind of where we're at.
Dave Bittner: What do you suppose an ideal response would be?
Ron Gula: Well, an ideal response would be one that would be more uniformed and consistent. It's pretty easy to kind of point to President Trump's firing of Chris Krebs from CISA. But even if Chris Krebs was there - you know, if you look at just the statement that - the joint statement from the NSA and Cyber Command and the FBI and the DOJ, I mean, the amount of people involved in the statement were longer than the actual statement itself, right? So unlike COVID, you know, where we have a Dr. Fauci or we have people who are talking directly the American people. We've got a lot of people talking about a lot of different things at a lot of different levels. It's very difficult, as a cybersecurity expert or just being in the cybersecurity industry, to kind of communicate about what should be done.
Dave Bittner: Is that something that you think perhaps the Biden administration should address is having a clear person at the top of that chain?
Ron Gula: I think the operational role of coordinating within the government is a different role than being perhaps a public figure. And, you know, if you look at some of the moves that have been made recently - I mean, Anne Neuberger's going to be joining the National Security Council, brings a tremendous amount of experience. I don't know how public that position's going to be. You typically don't have National Security Council members, you know, going on TV and saying, you know, this is our strategy for this or that. It's typically more the White House adviser roles, kind of like Tom Bossert used to be for DHS and Rob Jois used to be, you know, for the NSA. But we do need this role of somebody who can speak at the national level - sort of the Fox News, CNN and NBC level in a consistent manner that's not only going to convey the right information but is going to inspire people to kind of patch their systems or check if they have SolarWinds as a vendor - that sort of thing. We don't have that equivalent as a cyber industry.
Dave Bittner: Can you give us some insights - I mean, how would you envision a more active public-private partnership? I mean, what - how does the government step up to fill in some of the gaps here?
Ron Gula: Well, there's a couple of different ways. So one is continuing erosion of what I call the equities issue. So right now, you have Cyber Command and the cyber directorate at the NSA - if they find a vulnerability, rightly so, they have a process to decide, you know, is it better to protect the nation or is it better to, you know, spy on our adversaries? And that process is done, you know, inside the Fort Meade. And that's always been done that way and it should be done that way. Well, now you've got issues where - well, maybe Apple would have a different decision, you know, if they had awareness of that. Maybe Amazon would have a different view of that, you know, if they were aware of that. You know, maybe the average person, you know, from a citizen, you know, would have a different view of that versus a seasoned, you know, cybersecurity, you know, infosec leader.
Ron Gula: So I'd love to see a little bit more transparency with this. Unfortunately, the general public - you know, we don't think of cybersecurity the same way we think of, like, healthcare due to COVID. Buildings that burn and blow up from terrorist attacks and people who die from COVID are always going to be more important than, you know, enhancing our cybersecurity. But having said that, you know, we're not that far away where - from where a cybersecurity incident could cause tremendous amounts of damage, including what happened with SolarWinds. If you imagine, you know, shutting down and doing an actual attack on the economy of the United States - this is something the Cyberspace Solarium really, really addressed. So I could see more discussions like this occur in the Biden administration just as we get more involved with cyber as a nation.
Dave Bittner: That's Ron Gula from Gula Tech Adventures. There is a lot more to our interview. Don't forget to go listen to extended versions of this and many other interviews at Cyberwire Pro It's on our website, thecyberwire.com.
Dave Bittner: And I'm pleased to be joined once again by Caleb Barlow, he is the CEO at CynergisTek. Caleb, it's always great to have you back. You know, I want to touch base with you as we - as this new administration takes its place in Washington, what are some of the things that are top of mind for you? What are some of the things that you'd like to see them focus on?
Caleb Barlow: Well, I think we're all kind of asking the question, what's the Biden policy on cyber, right? And you can't use the Obama administration as a proxy because that was, like, cyber decades ago, right? You know, of course...
Dave Bittner: (Laughter) Time flies.
Caleb Barlow: ...Right. And, you know, both in terms of the people he's going to put in and, you know, what's his stance on China, Russia and all of that stuff that gets into the - you know, the intersection between political and cyber. But, you know, I thought about this, Dave, and I think there's a couple of problems that, as security professionals, putting aside the politics for a second, have just got to be things that get solved in this next administration. So I've got five things here, right? And the first one, Dave - privacy, right? We've got 52 different breach disclosure laws in the US. We've got GDPR in Europe, which - and let's face it, you and I have talked about this many times - you know, you can have great security and have awful privacy, but you can't have good privacy without good security.
Caleb Barlow: And, you know, there's some major problems with GDPR, particularly around, you know, the fact they never worked out the I can and who is issues. And in a lot of ways - and I've said this many times - GDPR's causing more privacy problems than it's fixing because of the implications to security. So, you know, one of the questions that's been asked for a long time is could we get a nationwide security policy? And without it, we've got - you know, we've got things going on in California, we've got things going on in Europe, and every state is different right now. If you have a breach right now that involves the loss of data potentially in all 50 states, you know, you literally have 52-plus different things that you've got to do and you've got to do them quickly. That's kind of crazy.
Dave Bittner: Right. Do you think there's political will for that? I mean, is it - is that something that can bubble up to the top?
Caleb Barlow: You know, I don't know. And I think that's the real interesting thing with this question. I don't know if the political will is there, but I think, as security professionals, one of the things we have to do this time is we've got to start to realize that privacy's actually part of our slimline. So you're going to need to reach out to that compliance officer. You're going to need to start to figure this out. Because we're going to have to as security professionals because we're getting held to meeting these regulations, whether we realize it or not. OK. So let's go to number two, Dave.
Dave Bittner: Yeah.
Caleb Barlow: So number two is supply chain and IoT in particular. And hey - no - couldn't be a better couple of weeks to bring this up with the whole thing going on with SolarWinds, right?
Dave Bittner: Yeah. Yeah.
Caleb Barlow: But, you know, also look at - and I think this is an area where we are seeing investment. I mean, just look at what's happening there with Robert Lee, who's also on the podcast a lot in the investment in Dragos, right? There's clearly people realizing that, hey, this is a place that we need to invest and, you know, we've got to do some things. But if we look at what happened with SolarWinds and the fact that, you know, this isn't the first supply chain breach. I mean, heck, you can even go all the way back to Target. But also, let's not forget that NotPetya was a supply chain breach, right?
Dave Bittner: Right.
Caleb Barlow: We've got to think about how we secure a supply chain in a new way, and that's probably going to mean that you can't self-attest your security posture anymore. We're going to have to describe a minimum acceptable defense, and we're starting to see some progress towards that.
Dave Bittner: What's next on your list?
Caleb Barlow: OK, next on the list is kinetic impact - so when things actually cause physical damage. And this is happening right now in health care. We've talked for years, especially kind of in the military ranks, around, well, when does the cybersecurity incident get to the point at which it's an act of war? Or that a proportional response is bigger than just cyber? Well, unfortunately, we're probably going to have to address that because, for the first time, we have cyber attacks that are actually causing harm to people.
Caleb Barlow: And, you know, the recent incident that occurred with 12 hospitals going down, you know, due to a targeted series of attacks - and in particular in Vermont, where they actually had to bring in the National Guard to help them respond to this. You know, in Germany, we saw a loss - an alleged loss of life due to a patient that had to be diverted when the hospital was taken down. We're in it now in terms of kinetic impact. But what we haven't figured out - what we haven't talked about as a society yet - what's a proportional response to this? And especially since this is not coming from a nation state actor, this is coming from what is likely an organized crime actor.
Dave Bittner: Yeah. What's next on your list?
Caleb Barlow: Skills gap - 500,000 open unfilled cybersecurity jobs right now in the United States, probably more than two million worldwide. We have got to figure out how we're going to get more talent into our own supply chain. As security professionals, that means we're going to have to start hiring younger people, we're going to have to start growing them, we're going to have to start educating them ourselves. And the last one here is we've got to deal with trust and broken data and to be able - changing data. Like, if we saw anything in this last election cycle, a - we are - as security professionals, we're the ones - the sentinels standing guard on trust. And we're going to have to figure out not only how do we make sure that we can trust our systems, but that people aren't manipulating the data in those systems. And that's a form of attack that we just haven't dealt with yet, but it is absolutely coming.
Dave Bittner: Yeah, yeah. I mean, I agree with you that that specter is out there. I mean, we've seen, you know, the locking up of data, we've seen destruction of data, but so far alteration of data hasn't really - we haven't seen much of that.
Caleb Barlow: And what's government's role when you see that someone is altering data in a critical U.S. system? What - where does government step in and how? And most importantly, how does government step in to help with resiliency in that case?
Dave Bittner: Yeah. All right. Well, Caleb Barlow, thanks for joining us.
Caleb Barlow: Thanks, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Stay just a little bit longer. Listen for us on your Alexa smart speaker too. Whatever you may be up to this weekend, be sure to set aside some time to check out "Research Saturday" and my conversation with Mark Arina from Intel 471. We're discussing Trickbot - whether it may be down but not out. That's research Saturday. Give it a listen.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening, we'll see you back here next week.