The CyberWire Daily Podcast 6.28.21
Ep 1363 | 6.28.21

Nobelium is back. A signed driver is gamer-focused malware. Idle hands. Third-party cloud risk. Bad practices. A net assessment of national cyber power.


Dave Bittner: The SVR's Nobelium appears to be back, this time with a less-than-fully-successful cyberespionage campaign. The Netfilter driver is assessed as malware. Idle hands seem to make for more attacks against online gaming. Mercedes-Benz USA reports a data exposure incident. CISA starts to keep track of bad practices. The International Institute for Strategic Studies publishes a net assessment on national cyber power. Carole Theriault looks at the security implications of frictionless online commerce. Our guest is Clar Rosso from (ISC)2 with insights on building resilient cybersecurity teams. And Loki is a trickster, and his name is a lousy password.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 28, 2021. 

Dave Bittner: Microsoft has found a new cyberespionage campaign by Nobelium, a threat actor associated with Russian intelligence services. The campaign has featured password-spraying and brute-force attacks, and, while assessed as having been largely unsuccessful, will bear watching. 

Dave Bittner: As Microsoft points out, this type of activity is not new. The attempts were highly targeted, broken down primarily into IT companies, followed by government, with smaller percentages for nongovernmental organizations and think tanks, as well as financial services. The activity was largely focused on U.S. interests, about 45%, followed by 10% in the U.K. and smaller numbers from Germany and Canada. In all, 36 countries were targeted. 

Dave Bittner: Much of the reporting on the activity connects it to the SolarWinds supply chain compromise, but the connection lies only in a common attribution to Nobelium, a group associated with Russia's SVR. Microsoft recommends enabling multifactor authentication as one prudent step to take in protecting an organization against threats of this kind. 

Dave Bittner: GData on Friday announced that it had found a malicious rootkit inadvertently signed by Microsoft. The company notified Microsoft, who, as GData puts it, promptly added malware signatures to Windows Defender and are now conducting an internal investigation. GData noticed that a Microsoft-signed driver called Netfilter was communicating with Chinese command-and-control IPs that contributed no obvious legitimate functionality, and that raised their suspicions. Their investigation led them to conclude that Netfilter was malware. 

Dave Bittner: Microsoft's Security Response Center said, quote, "Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments. The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party. We have suspended the account and reviewed their submissions for additional signs of malware," end quote. 

Dave Bittner: The problems seem confined to the gaming sector and specifically to the gaming sector in China. Redmond also says the risk is a post-exploitation one. Quote, "An attacker must either have already gained administrative privileges in order to be able to run the installer to update the registry and install the malicious driver the next time the system boots or convince the user to do it on their behalf," end quote. Microsoft thinks the hackers' goal was to spoof geolocation and thus enable themselves to play from anywhere. The hackers also seem likely to be able to gain an advantage in certain games over other players and may be interested in compromising their competitors' accounts by using commodity hacking tools like widely available keyloggers. And in the interest of full disclosure, we mention that Microsoft is a CyberWire sponsor. 

Dave Bittner: The discovery comes as attacks against online gaming have been trending upwards. Some of the motivation for such attacks is obvious, like the coin mining, the Crackonosh cryptojacker Avast discovered in pirated copies of popular games like NBA 2K19, Grand Theft Auto V, Far Cry 5, The Sims 4 and Jurassic World Evolution. But overall, there seems to be no single overarching reason for the spike. SC Magazine suggests that it may in part be explicable as opportunistic. People have been relatively inactive during the pandemic and, well, idle hands are the devil's workshop and so on. 

Dave Bittner: Mercedes-Benz USA disclosed Thursday that almost a thousand customers' or potentially interested buyers' personal data were exposed in an unsecured cloud database. Self-reported credit scores, driver's license and Social Security numbers and credit card information were among the compromised information. Mercedes-Benz says there's no evidence of malicious use and that the responsible vendor has fixed the problem. 

Dave Bittner: We're accustomed to hearing about best practices and to security experts sharing lists of such recommended practices. But in some respects, failure can be more instructive than success. And so the U.S. Cybersecurity and Infrastructure Security Agency, CISA, has begun cataloging bad practices. CISA will add to its catalog over time, but its first two entries are unlikely to be controversial. They are, first, "use of unsupported or end of life software in service of critical infrastructure and national critical functions is dangerous and significantly elevates risk to national security, national economic security and national public health and safety. This dangerous practice is especially egregious in internet-accessible technologies" and, second, "use of known/fixed/default passwords and credentials in service of critical infrastructure and national critical functions is dangerous and significantly elevates risk to national security, national economic security and national public health and safety. This dangerous practice is especially egregious in internet-accessible technologies," end quote. 

Dave Bittner: There's an emphasis on critical infrastructure throughout, although CISA notes that the bad practices are pretty bad no matter where people commit them. Note, too, the emphasis on how egregious it is to do this stuff on internet-accessible technologies. 

Dave Bittner: The International Institute for Strategic Studies has published a long research paper ranking the world's major cyber powers. "Cyber Capabilities and National Power: A Net Assessment" says the U.S. is No. 1. The report says, what sets the U.S. apart on offensive cyber is its ability to employ a sophisticated surgical capability at scale. 

Dave Bittner: It didn't consider all the states it might have. Four of the Five Eyes are in the assessment, but they left out New Zealand, which seems a curious omission. Three states IISS calls close cyber allies of the Five Eyes were included - France, Israel and Japan - whereas others, notably Germany, the Netherlands, the Nordic countries and former Warsaw Pact members now aligned with NATO, were left out. The familiar four adversaries - China, Russia, Iran and North Korea - are in the study, and they include four developing cyber states, namely India, Indonesia, Malaysia and Vietnam. 

Dave Bittner: But the omissions may be redressed in the future. IISS regards its study as a first in assessing relative national power in cyberspace, and they see their present work as laying out a whole-of-society approach to the issue that can be used more broadly. The methodology used to compile the rankings is principally qualitative and analyzes the wider cyber ecosystem for each country. They looked at strategy and doctrine; governance, command and control; core cyberintelligence capability; cyber empowerment and dependence; cybersecurity and resilience; global leadership in cyberspace affairs; and offensive cyber capability. 

Dave Bittner: One of the distinctive advantages the study saw the Americans enjoying is their large base of cybersecurity companies. The obstacles the U.S. faces in employing cyber power are principally, the IISS writes, of a legal or political nature. 

Dave Bittner: Finally, to return to passwords, especially ones that are frequently used and really not particularly good in the first place, people are still using lame passwords derived from the Marvel and DC superhero universes. Specops Software has published a list of the 40 most common super passwords. The list as a whole is too long and discouraging to repeat here, but we'll favor you with the top 10. Loki comes in first, followed by his Asgardian nemesis Thor. No. 3 is Robin, maybe because Batman is too obvious, so choosing Robin displays a certain gesture in the direction of low cunning - then Joker, followed by Flash. And finally, at No. 6, Batman. Superman is No. 7. And Vision, Falcon and Penguin round out the top 10. Not that you'd be using any of these, but if you are, well, shame on you. Report yourself to CISA at once. 

Dave Bittner: The gap between the number of open positions and the number of qualified candidates in cybersecurity is an ongoing concern. The team at (ISC)2 recently surveyed over 2,000 employers and job-seekers to try to get a handle on what can be done to help close that gap. Clar Rosso is CEO at (ISC)2. 

Clar Rosso: As you know, Dave, we have been doing the workforce survey for over 15 years. I think we have 11 surveys in a 15-year period. And for - over that time, we've been talking about how there's a gap of cybersecurity professionals that's globally, I think, about 79% more cybersecurity professionals we need than what we have. And so what prompted the team to do this survey was really to start thinking about how do we close that gap and what are we going to need to close that gap. And that led us down the road of, well, let's talk to people who are in the field as well as people who are pursuing careers in cybersecurity and see what we come up with and what kind of tips maybe we could give employers. 

Dave Bittner: Well, let's go through the report together. What are some of the highlights? 

Clar Rosso: Well, I think one of the highlights is that organizations really need to take a new approach to hiring cybersecurity professionals. If I were to use a baseball analogy, I would say, currently, organizations are trying to build their team by using exclusively all-stars via free agency when in effect, what organizations need to be doing is developing a farm system and looking for utility players who can give their programs depth and longevity. It's the difference between the quick win, bringing in that all-star, and playing the long game where you develop team members over time. More specifically, one of the things that we've been finding in the survey that supports the idea of playing the long game and investing in your people is that an increasing number of people who want to enter cybersecurity are actually not coming from an IT or cybersecurity background. 

Dave Bittner: Was there anything in the responses that you got throughout the process of this survey that surprised you? Any feedback that you got that was unexpected? 

Clar Rosso: Well, unexpected or quite interesting - what I would say is, in addition to what I already mentioned about the increasing number of professionals without IT experience that are interested in pursuing cybersecurity careers, we also are seeing that women and younger women are increasingly interested in cybersecurity careers. I would say for several years now, we'd been stuck between 20 and 25% of the cybersecurity workforce globally as women. And when we look at young women with less than three years of experience, that's 37%. So that's a significant increase. We also saw in the study that women who didn't come from IT backgrounds were more likely to want to pursue careers in cybersecurity. 

Dave Bittner: That's Clar Rosso from (ISC)2. 

Dave Bittner: When considering online transactions, is it better in general to slow things down or speed things up? I suppose to some extent it depends on which side of the transaction you're on. That said, the security considerations of transactional velocity are worth pondering. Our U.K. correspondent Carole Theriault has been doing just that, and she shares this commentary. 

Carole Theriault: Have you heard of this term frictionless? I see it everywhere these days - though, let's be honest, I am in a particularly technological echo chamber. But for those who are uninitiated, it basically means removing any friction between you, the customer or the consumer, and the item that the company wants you to use or the thing that you want to buy. So if I were a waffle-maker, and I wanted to sell you waffles online, my pages would have pictures of very yummy, tasty waffles. And when you clicked on it, I wouldn't want to have five different things that you need to do before you've purchased the waffles. Indeed, what I really want is a one-click solution because that helps my sales. And if you think about it for a second, it also suits the consumer, or you and me, because we don't have to go through many hoops to get from A to B. Saves us time. 

Carole Theriault: Now, the issue with frictionless online services is it takes the thinking out of the process so that you can do it automatically or with muscle memory, without even giving it a second thought. And the question is whether these kinds of one-click frictionless systems are leaving us more open to attack. Imagine we're so used to clicking through via email to a specific merchant to make purchases that we can easily be duped without actually paying attention. And if we, the consumer, are duped, then that's our responsibility. The onus is on us, the consumer, not the company that has been spoofed by the scammer. 

Carole Theriault: I don't think there's any stopping the frictionless world. It saves everyone time. But as smaller, less security-savvy companies offer frictionless experiences, they may actually be putting their customers inadvertently at risk. For frictionless environments, companies need to have your payment details and your personal details already in the system. So if that gets cracked because their security is not up to scratch, what do you do then? 

Carole Theriault: So my advice is this. Be careful with whom you allow to store your personal information and your credit card details. Use a complex, unique password. Another tip here is to use a trusted password manager because if you are phished and you accidentally click on a dodgy URL and go to a spoofed website, your password will not be automatically entered. Stay safe out there. This is Carole Theriault for the CyberWire. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.