Shifting techniques in cybercrime. Miscreants take note: “the aperture” will henceforth be wider for US Cyber Command and offensive ops. What Radiohead did.
Dave Bittner: [00:00:29] TA505 and FIN8 are both up to their old ways, with some new tricks in their criminal bag. A reminder about social engineering and Google Calendar. A new assertiveness is promised in U.S. cyber operations as the administration widens the aperture. Updates on the security concerns that surround Huawei and ZTE. And Radiohead takes a different approach to online extortion; just render what they're holding for ransom valueless.
Dave Bittner: [00:00:36] And now a word from our sponsor, ObserveIT. According to Cisco, over the course of 1 1/2 months, the typical suspicious insider can download 5,200 documents. Unfortunately, many ad hoc insider threat investigations can drag on for weeks or even months. Since it's tough to know exactly who did what when and why, security analysts have to wade through a sea of event logs, many of which are completely irrelevant, to eventually discover the root cause of an incident. What if we told you that there's a way to investigate insider threat incidents faster? With ObserveIT's dedicated insider threat management platform, security teams can quickly find out the context into both the user and data activity behind an alert. Detailed user activity timelines and easily searchable metadata help you know the whole story on insider threats. Visit observeit.com/cyberwire to try out ObserveIT's sandbox environment for yourself - no downloads or configuration required. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:01:47] Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.
Dave Bittner: [00:02:01] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 12, 2019.
Dave Bittner: [00:02:09] We'll begin today with some news from gangland. According to Trend Micro, TA505, the criminal group best known for its association with credential-stealing financial malware Dridex, may be shifting tactics, but it remains recognizable. The possibility of misattribution can't yet be ruled out, but there's enough overlap between old and new campaigns to suggest evolution and not the emergence of a distinct gang.
Dave Bittner: [00:02:37] Another criminal outfit, FIN8, is showing renewed activity. Researchers at security firm Morphisec say FIN8, which had been a bit quieter than usual, is back with a new version of the ShellTea back door. The gang is currently focused on targets in the hospitality industry.
Dave Bittner: [00:02:56] The U.S. signaled a new willingness to undertake offensive operations in cyberspace to counter hostile nation-state economic espionage. During annual meetings of the Wall Street Journal's CFO Network, National Security Adviser John Bolton alluded to the policy shift. He noted that much of the U.S. action in cyberspace had been devoted to dealing with and deterring election interference. That's changing. We're now opening the aperture, he said, broadening the areas we're prepared to act in. That newly broadened aperture is, in particular, wide enough to encompass foreign industrial espionage.
Dave Bittner: [00:03:34] In general, it's an evolution of the American strategy to impose costs on adversaries. As Bolton pointed out, the U.S. has decided, quote, "to say to Russia or anybody else that's engaged in cyber operations against us, you will pay a price. If we find that you're doing this, we will impose costs on you until you get the point that it's not worth your while to use cyber against us," quote. Thus, widening the aperture seems to be a decent metaphor. It's not a shift of direction, but rather a more active and assertive version of existing strategy.
Dave Bittner: [00:04:09] Up till now, the costs imposed for theft of IP have been a mix of naming and shaming, indictments and sanctions. Action in cyberspace proper has not figured prominently in the U.S. response to economically motivated espionage, although it has been used, most recently during the 2018 midterm elections against Russian troll farmers. The Washington Post did some quick consultation with various security industry figures and found that their general sentiment was cautiously in favor of the policy. They acknowledge that U.S. cyber counteroffensives will probably generate blowback from the opposition - Russia and China, for the most part - and that U.S. companies should be prepared. On the other hand, when you've named, shamed, sanctioned and indicted, it does seem important to have an option that's tougher, but not so tough as, say, delivering a brace of tomahawks or the vertical insertion of a Ranger regiment.
Dave Bittner: [00:05:04] Huawei told the U.K.'s Parliament Monday that the company wasn't bound by Chinese laws requiring cooperation with Beijing's intelligence services. In fact, the company's representatives went so far as to deny that there were any such laws. Most observers think that this claim is disingenuous at best, and that, at the very least, the National Intelligence Law of 2017 enjoins exactly such cooperation, as do at least 10 other related laws enacted over the past decade. And the government does tend to regard the law as the servant of the state and the state's policies, not a constraint upon them.
Dave Bittner: [00:05:42] U.S. Commerce Secretary Wilbur Ross reiterated the administration's view - shared by Congress, which has recently been in a pretty hawkish mood in this respect - that big Chinese firms like Huawei pose a security threat. Secretary Ross pointed out that both Huawei and ZTE have been problems. They've been treated differently, he said, because of the different nature of their offenses. ZTE was sanctioned last year in what amounted to a corporate near-death experience because, Secretary Ross explained, the company was in violation of court-ordered agreements to respect sanctions on Iran and North Korea. The U.S. let ZTE off the hook after the company agreed to extensive controls on its behavior, including embedding a U.S. compliance team with ZTE. Huawei, the larger of the two companies, presents a more comprehensive threat to the global supply chain.
Dave Bittner: [00:06:34] Chinese retaliation for U.S. blacklisting of Huawei is widely expected as the Sino-American trade and security war escalates. Companies in both countries have apparently been thinking for some time about how they might weather this particular storm. Huawei, already feeling the pinch of sanctions in the form of lower sales and delayed product launches, has for several years been working on its own operating system. In the U.S., Apple has been looking to its supply chain. One of its bigger suppliers, Foxconn, says it can shift its iPhone-related production out of China, should Sino-American relations deteriorate to a point where continuing to supply Apple from Chinese plants became impossible.
Dave Bittner: [00:07:16] Let's suppose your organization suffers a data breach. Who are you obligated to notify? The answer varies from state to state. And then, of course, there's GDPR. The U.S. Chamber of Commerce recently partnered with law firm Hunton Andrews Kurth to publish a report titled "Seeking Solutions: Aligning Data Breach Notification Rules Across Borders." Lisa Sotto is partner and chair of the global privacy and cybersecurity practice at Hunton Andrews Kurth LLP.
Lisa Sotto: [00:07:45] It's a little bit of a cacophony. So we have, in the United States, 54 data breach notification laws among the states and other jurisdictions, with 50 state breach notification laws, plus Guam, U.S. Virgin Islands, Puerto Rico and D.C. We have a couple of breach notification requirements at the federal level that are sectoral, so in the health care space, in the financial services space. It is a fragmented approach at best, and really quite messy. And then globally, we have one pan-European rule for data breach notification. That's in the General Data Protection Regulation that came into effect in 2018.
Lisa Sotto: [00:08:26] The problem, of course, with this sort of global launch is that when a business or entity suffers a data breach, breaches are not confined by country. So it's very unusual to have a data breach that affects only people in New York or Arkansas or North Dakota or California. Instead, a data breach will impact people not only all over the country, but all over the world. So we have to, as counsel, interpret, you know, what could be 78 different country regimes to figure out what the breach notification obligations are.
Dave Bittner: [00:09:05] From a practical point of view - I'm a company doing business over state lines and maybe around the world - how much of a burden is this?
Lisa Sotto: [00:09:13] It's a huge burden. It requires significant expertise. It requires significant resources. So not only are you trying - when you suffer a data breach or a cybersecurity event, not only are you working to remediate the event - to either kick the intruder out of your system if you have a live intruder or figure out what happened if it's a historical event and you've just discovered it - you don't know what the nature of the event is in many cases or what the scope of the impact is.
Lisa Sotto: [00:09:44] We're setting in motion a fairly significant forensic investigation using third-party forensic investigation firms and, at the same time, looking to do a legal analysis based on facts that are unclear. There's a significant amount of work that goes into just figuring out what happened, and then taking that information and trying to apply many, many different laws to the facts as we know them and as they keep evolving, because when you're doing a forensic investigation, the facts tend to not be static. They'll change over the course of the investigation. It is a significant amount of work.
Dave Bittner: [00:10:21] One of the things that you're recommending in this report is the establishment of a framework that would handle a data breach notification worldwide.
Lisa Sotto: [00:10:29] It would be very helpful if there were a king of the world who could pose a single breach notification framework globally. That's not going to happen, so instead, you know, what would be useful is for companies to pick up a set of best-practice principles and embed those principles into their legal regimes so that there is a consistent framework globally, because a single breach that might occur, for example, in Pennsylvania might impact people in 150 different countries with 150 different requirements and 150 different types of notifications going out to the affected individuals. And that's not good for consumers. That's not good for businesses. Resources get waylaid trying to manage this fragmented legal approach.
Dave Bittner: [00:11:23] Who's most likely to take the lead on something like this? If we were to see a global framework be proposed, who has the most traction to see something like this through?
Lisa Sotto: [00:11:33] Unfortunately, there's no sort of international body that can take this and run with it and impose this kind of framework. But what we can do is work with various jurisdictions to embed these principles into their local laws so that there's more uniformity globally and less of this patchwork quilt approach globally. So I think it's really just a question of getting out there and starting to inculcate these types of best practices with various governments so that there is a possibility of more uniform adoption globally.
Dave Bittner: [00:12:07] That's Lisa Sotto from Hunton Andrews Kurth. The report is titled "Seeking Solutions: Aligning Data Breach Notification Rules Across Borders."
Dave Bittner: [00:12:17] Yesterday was Patch Tuesday. Microsoft patched 88 vulnerabilities, 21 of them classified as crucial. Four of the vulnerabilities fixed, Bleeping Computer notes, seem to be the ones disclosed by SandboxEscaper. Adobe also patched, as expected, addressing issues in its Flash, ColdFusion and Campaign products.
Dave Bittner: [00:12:40] And, finally, here's one way of responding to online extortion. Make the asset being held for ransom worthless to the extortionist. That's what the band Radiohead did when some guy hacked a band member's files and gained access to unreleased recordings and alternative takes they made while working on their "OK Computer" album, released in 1997. The band decided not to pay the hood the $150,000 he demanded in exchange for a promise not to release the material. They went ahead and released it themselves. It's not very good, the band said, but if you want it, you can now buy it all for cheap. Proceeds go to Radiohead's favorite charity, Extinction Rebellion. So "OK Computer."
Dave Bittner: [00:13:27] Now a moment to tell you about our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms: Everything You Need to Know About Security Orchestration, Automation, and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:14:43] And joining me once again is Craig Williams. He's the director of Talos Outreach at Cisco. Craig, it's always great to have you back. You and your team have taken another look at an updated issue here. It was something called JasperLoader. First of all, give us a little of the history here. And then what's the new stuff you've discovered?
Craig Williams: [00:15:03] You know, the way that malware is distributed, or at least commodity malware, these days on the internet is often through a loader, right? And the loader can be something like JasperLoader or Smoke Loader or any of the other ones that we blog about.
Craig Williams: [00:15:16] But in this particular case, we took a look at JasperLoader. But JasperLoader was basically the loader that was taking advantage of this newly required invoicing system in Italy and a couple other countries around the world. And so for those of you who don't remember this interesting scenario, there was a law passed in Europe basically stating that if a business is invoicing a person, they have to use this online invoicing system. Right? I mean, doesn't that sound like a great idea? Why not?
Dave Bittner: [00:15:47] (Laughter) Well, it makes things easier for some people, I suppose.
Craig Williams: [00:15:50] Yeah. Like, why not provide a seemingly trusted source for PDFs and other types of documents that definitely couldn't be malware? And so you can see where this is going.
Craig Williams: [00:16:00] You know, in our blog, we talked about how people are abusing it, how even though it's got some, you know, security properties on the messages, it's really not secure, and it's being abused in a pretty significant way. But the actual malware itself was not super evasive. It was a little obfuscated, but nothing super fancy, nothing that really raised our eyebrows and made us go, whoa. And then I guess our blog post went out, and our podcast went out, and they decided to, you know, do some flexing.
Dave Bittner: [00:16:29] Said, oh, yeah? Watch this.
Craig Williams: [00:16:30] Yes. So the new version is quite a bit more evasive. You know, we go over all the details in the blog post. It's got some significant obfuscation added. It's got some interesting functionality changes. You know, they even added just layers of obfuscation just to try and make automated analysis more difficult.
Craig Williams: [00:16:49] You know, there's a couple different ways you can look at a malware sample, and depending on the way that you pursue investigating that malware sample, certain types of obfuscation are more effective than others. You know, for example, if you're looking at, you know, a piece of malware like, say, you know, looking at PowerShell obfuscation, that's kind of hard, right? You might have to write something to simplify it, right? But on the other hand, if you're willing just to fire up a sandbox and just run the obfuscated shell, then you can get a report out pretty quickly. You don't really have to spend a lot of time de-obfuscating it. And as long as your, you know, your sandbox is set up properly, you've got a report on what it does with minimal effort.
Craig Williams: [00:17:28] And so this is one of those, you know, like, time-honored complexity problems. How can the attacker make this as difficult to sort through as possible but, at the same time, really not waste a lot of extra time that's easily bypassed? And so we see a lot of really clever things. And so it's amazing to me that even years into this - I've been doing this for 15 years - we're still seeing kind of the same tricks being applied in new scenarios - right? - you know, breaking the malware apart at different stages, for example, just obfuscating simple shell scripts and, you know, using the scripts to inject, basically, garbage so when you look at it, it's hard to visually identify what they're doing. It's interesting to me that we just still continue to see this and it still continues to be effective, despite the fact that, you know, sophisticated researchers should have the tools able to defeat this relatively easily.
Dave Bittner: [00:18:20] Is it that it's so much of a numbers game that, you know, they may not have to be able to get by those sophisticated researchers if enough of it's getting by those who might not be so sophisticated?
Craig Williams: [00:18:32] And that might absolutely be it, right? You know, you've got to realize that, you know, hit sites like the ransomware problem, right? You know, I love it when I'm out at a conference or something and somebody is talking about how their network was super secure and then, all of a sudden, they had ransomware on it, right? And every time I hear that, I'm just like, oh, so you mean you didn't notice you were owned, you know? Like, that's the one thing that ransomware does is it makes it obvious that you've been compromised. Otherwise, these, you know, victims can be compromised for months, if not years, and simply never notice it. You may lose access to all your files, but you now have an idea when the compromise ended effectively or when your data leak potentially ended.
Dave Bittner: [00:19:15] You know you have to go looking for something.
Craig Williams: [00:19:17] Exactly.
Dave Bittner: [00:19:17] How'd they get in? Yeah. Yeah, interesting. All right, well, as always, it's an interesting blog post on JasperLoader. Craig Williams, thanks for joining us.
Dave Bittner: [00:19:32] And that's the CyberWire. We'd like to close with a shoutout to America's National Guard, and especially the citizen soldiers of the 91st Cyber Brigade doing a tough job that for them can be a labor of love. Thanks for your service, 91st, and good hunting.
Dave Bittner: [00:19:48] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:59] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.