Militia said to be target of US cyberattack. Myanmar shuts down networks. Spam campaign. Supply chain issues for Huawei gear. Election security. Recovering from ransomware by paying up?
Dave Bittner: [00:00:03] Sources name a Shiite militia aligned with Iran as one target of last week's U.S. cyberattacks. Myanmar shuts down mobile networks in its Rakhine province, where the Buddhist insurgence of the Arakan Army have been using Facebook for coordination and inspiration. A major spam campaign is distributing LokiBot and NanoCore. Finite State finds bugs in Huawei gear, election security notes and paying the ransom to ransomware extortionists.
Dave Bittner: [00:00:38] And now, a few words from our sponsor KnowBe4. Everyone knows that multifactor authentication, or MFA, is more secure than a simple login name and password. But too many people think that MFA is a perfect, unhackable solution. It isn't. Learn from Roger Grimes, KnowBe4's data-driven defense evangelist, in an on-demand webinar, where he'll explore 12 ways hackers can and do get around your favorite MFA solution. The webinar includes a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick and real-life successful examples of every attack type. It will end by telling you how to better defend your MFA solution so that you get maximum benefit and security. Go to knowbe4.com/mfa to watch the webinar. That's knowbe4.com/mfa. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:01:39] Funding for this CyberWire podcast is made possible, in part, by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.
Dave Bittner: [00:01:53] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 26, 2019. Last week's U.S. cyberattacks against Iranian targets haven't been officially acknowledged by the U.S., but a number of current and former U.S. officials are talking about them on background. Exactly which Iranian targets the U.S. hit hasn't been discussed with great specificity, reports having characterized the attacks as directed against a Revolutionary Guard-associated intelligence group said to be involved in tracking shipping in the region and as interfering with missile launch or command systems.
Dave Bittner: [00:02:32] Reports are now identifying at least one of the groups affected. CNN says U.S. cyberstrikes interfered with the operations of Kata'ib Hezbollah, a Shiite militia active in the region that's widely held to be an Iranian military proxy. Kata'ib Hezbollah is believed to have access to Iranian missiles, which suggests why it may have been singled out for neutralization.
Dave Bittner: [00:02:57] Warnings have been circulating to U.S. businesses since CISA's heads-up this Saturday that enterprises should expect a continuing uptick in cyberattacks emanating from Iran. Vice rather breathlessly attributes this to Iranian retaliation, saying that the U.S. cyber operations, quote, "just put a target on American businesses." In truth, the target's been there for some time, as recent reports of increased Iranian attention to U.S. infrastructure appeared before last week's cyberattacks in the Gulf region. Most of the warnings urge organizations to arm themselves against phishing attacks with destructive wiper malware as the payload.
Dave Bittner: [00:03:38] Myanmar has shut down mobile networks in substantial sections of the Rakhine province, CNN reports. The blackout was imposed in conjunction with a military sweep. A regional news outlet, The Irrawaddy, says the government intends to keep the networks down until the situation in the troubled province stabilizes. Locals are believed to phone insurgents information on government operations. U.N. observers have expressed concern that closing down the networks increases the risk of human rights violations being countered by the prospect that they'll go unreported.
Dave Bittner: [00:04:13] Most of the international attention to ongoing violence in Myanmar has focused on the government's aggressive repression of the country's Rohingya Muslim minority. But the current blackout and security sweep isn't directed principally at the Rohingya. Instead, the government is seeking to shut down armed groups operating in the province. First among those insurgent groups is the Arakan Army, which, Foreign Policy notes, claims to represent ethnic Rakhine Buddhists. The Arakan Army has, for some time, used Facebook for coordination and inspiration, despite Facebook's attempts to deny violent groups the use of its platform.
Dave Bittner: [00:04:50] The widespread adoption of software as a service provides both benefits and challenges to users and security teams. David Politis is CEO of BetterCloud, a SaaS operations management and security platform, and he makes the case that security pros should be on the lookout for information sprawl.
David Politis: [00:05:09] You know, if you look at over the last five to 10 years, the adoption of SaaS applications has really gone through the roof. And what's driving that is this move towards best-in-breed cations, best-in-breed infrastructure, best-in-breed environments. And you know, compared to the legacy environments where it'd be very homogenous, you would say, I'm a Microsoft shop; I'm an IBM shop. And you would have everything in the stack you - Active Directory, Exchange, SharePoint, Link. You'd have the entire stack, and that was your environment.
David Politis: [00:05:43] And in today's world, we've moved to this place where there's so many applications available for the different use cases and the different types of productivity use cases that you have in your environment that people are moving to this best-in-breed world. Maybe they have Exchange for mail. Maybe they're using Office 365. But then they'll have Slack for chat and - instead of teams, and they'll have Zoom for video calls. And they'll have Box instead of OneDrive SharePoint.
David Politis: [00:06:10] And so you're starting to see these environments that are best in breed, and I think that's been honestly amazing for the worker, the end user. It's changed the way that people work. The way people collaborate today in the workplace is unlike it's ever been before, and all of this has only happened in the last five years. I mean, if you look at it, Zoom wasn't around 10 years ago. Slack wasn't around 10 years ago. Office 365 wasn't around 10 years ago. And so really, in the last five to 10 years, we've seen this massive adoption and the rise of SaaS.
David Politis: [00:06:43] The challenge is the sprawl. The challenge is that it's not all in one system. It's not all in one application. It's not all in one platform. And so the biggest challenge is centralizing all the information so that there's actually a clear view of where all your data lives, how that data is being accessed, how that data is being shared. That is the No. 1 challenge that people have. When you solve that, that already gives you the visibility. At least you can see what's there.
David Politis: [00:07:15] Now, there's a whole separate set of challenges around, how do you control the access to those applications or those - the data objects? But the No. 1 thing we see where people are successful is when they start bringing all of this data from these disparate systems into a single place where they can at least see it, audit it and dig into what's happening.
Dave Bittner: [00:07:34] I'm imagining, too, that having everything in view like that allows you to handle things like, for example, encryption, where you can make sure that whatever level of encryption you think is appropriate to have dialed in, by having that high-level view of all your stuff, it makes it easier to make sure that that's actually happening.
David Politis: [00:07:52] Definitely. And really, actually, where encryption comes in is what we're seeing, and this is - again, this is new in the last couple of years - is we're seeing that the native SaaS applications themselves are starting to offer different types of encryption choices to their customers, and it's all built in natively inside of these SaaS applications.
David Politis: [00:08:14] And so part of our view is we want to let customers control those native encryption choices that are given to them, those options that are given to them by a sales force, for example, who has a native encryption offering. We want to give our customers the ability to leverage that. It's not just encryption. I mean, encryption is a piece of it, but it's also - for example, let's say you're looking at all your files and you see some sensitive files that may be shared inappropriately in Box (ph). You want to be able to go and use the native security controls in Box (ph) to say, I want to lock this file. I want to tag this file with confidential, and I want to send a message to the security team that that just occurred with a link to where that - all that information now is.
David Politis: [00:08:56] And so our view is we believe, and I think customers believe this as well, and security, I believe, thinks that you want to use the native controls that are available from the SaaS applications so that you're not changing the behavior of your users. When you start changing the behavior of your users in those SaaS applications, when you force them to change how they interact, it kind of defeats the purpose of using the SaaS applications in the first place.
David Politis: [00:09:24] We've seen customers who have come in and said, you know what? I'm going to go - companies come in. They say, I'm going to go to platform XYZ, let's call it G Suite, for example. But I'm going to go there, and I'm going to lock down all sharing, all collaboration, any - I'm going to lock it all down. Well, in that case, you might as well not move to a cloud-based productivity application. And so I think the key is, how do you leave - let users do what they want to do every day but control to kind of have this invisible hand, if you will, that's making sure that they're doing it in the most secure way? It's hard to describe exactly, but that's how I envision it. I envision security's job to be that invisible hand, to be there while users are doing what they want to do every day, being productive, sharing their files, but just making sure that they're doing it the right way and in a secure way.
Dave Bittner: [00:10:13] That's David Politis from BetterCloud.
Dave Bittner: [00:10:17] Researchers at Netskope are tracking a spam campaign that's been distributing LokiBot and NanoCore since April. The phishbait is a notice about an overdue invoice with an ISO file, specifically a disk image, which is unusual in this sort of criminal campaign. LokiBot, whose use in phishing attacks Netskope says is increasing, steals browsing information, checks for web and email servers, locates email and file transfer credentials and detects popular remote administration tools. NanoCore is a remote access Trojan, a RAT.
Dave Bittner: [00:10:57] Finite State studied the supply chain and found Huawei gear unusually buggy. It doesn't say the bugs were deliberately introduced by Huawei, the Chinese government or anyone else, but it does say that they amount to troubling vulnerabilities. The report casts doubt on whether undeniably low-priced Huawei equipment, in fact, represents best value. U.S. authorities have suggested that it doesn't and that there are better alternatives from both a security and an economic perspective.
Dave Bittner: [00:11:24] As the next U.S. election cycle approaches, the Global Cyber Alliance and the Center for Internet Security offer an election security toolkit for the use of authorities who actually run the voting. A survey by NormShield finds, surprisingly and encouragingly, that declared presidential candidates appear to be taking their campaigns' cybersecurity more seriously than has been the case in the recent past.
Dave Bittner: [00:11:47] The U.S. federal government is also publicly committing to work with state and local officials to secure the election. Administration officials at a press call organized by the National Security Council yesterday said they were focused on two main problems, potential interference - that is, ensuring that votes can be cast and counted properly - and potential influence - that is, disinformation and other information operations. The administration is expanding free support services to all 50 states and to all presidential campaigns. That support includes, among other things, sharing classified information with affected parties when it's relevant and necessary.
Dave Bittner: [00:12:27] A PwC study of leading cybersecurity practitioners - trailblazers, as the study calls them - finds again that what sets the successful apart is their ability to align cybersecurity with business objectives and practices.
Dave Bittner: [00:12:42] ProPublica reports that Emsisoft, in an investigatory sting, found that the Scotland-based ransomware recovery service Red Mosquito would pay the ransom and then charge the customer four times that amount for its services.
Dave Bittner: [00:12:57] Here's how the sting went. Emsisoft researcher Fabian Wosar made up some phony ransomware, called it GOTCHA, and sent Red Mosquito an email with a request to help under the assumed name of Joe Mess. He also set up contact info for the pretended attackers. Within minutes, he said Red Mosquito contacted the faux hackers and began negotiating over the ransom. Wosar's Mr. Mess identity had said he didn't want to pay the ransom, and he asked Red Mosquito to confirm that they wouldn't do so on his behalf. He received a noncommittal, we are still investigating and will get back to you as soon as possible.
Dave Bittner: [00:13:35] But the correspondence between the ransomware recovery company and the pretended masters of GOTCHA went something like this. How much for decrypt? Twelve-hundred dollars in bitcoin. You pay, we provide key and decryptor to recover data. Can you do for 500 USD? Nine-hundred dollars - take it or kiss data bye-bye; we don't run charity here. Shortly thereafter, Red Mosquito contacted Joe Mess with the good news. They were pleased to confirm that we can recover your encrypted files. The price - $3,950.
Dave Bittner: [00:14:10] Emsisoft objects mostly to the lack of transparency. There might be times you'd pay ransom, Emsisoft says, but you should be clear that that's what you're doing.
Dave Bittner: [00:14:20] Some victims of ransomware are concluding it might be better to pay up. We're not convinced this is generally a good idea, but another Florida town has decided to pony up. Lake City became the second municipality in the Sunshine State to pay ransom in as many weeks. On Monday, the city council voted to pay $460,000 to recover its files. Of course, there's no guarantee the criminals will keep their word. They sometimes do and sometimes don't. Lake City's nearly half a million is steep, but if you've fumbled your defenses, it could cost you a lot more. After all, the price tag for recovery in Baltimore is now $18 million and counting.
Dave Bittner: [00:15:08] And now a few words from our sponsor, Dragos, the leaders in industrial cybersecurity technology. Threats to industrial organizations are proliferating, as Dragos recently identified the most dangerous threat to ICS. Xenotime, the activity group behind Trisis, has expanded its targeting beyond oil and gas, illustrating a trend that will likely continue for other ICS-targeting adversaries. Learn more about the eight public threat activity groups Dragos tracks at dragos.com/adversaries and how taking an intelligence-driven approach to ICS security is the most comprehensive defensive strategy to combat industrial adversaries. To register for a free 30-day trial of Dragos' ICS threat intelligence, visit dragos.com/worldview. And we thank Dragos for sponsoring our show.
Dave Bittner: [00:16:07] And I'm pleased to be joined once again by David Dufour. He's the vice president of engineering and cybersecurity at Webroot.
Dave Bittner: [00:16:14] David, it's always great to have you back. You recently spent some time over at Infosec Europe, and you brought back some interesting things to compare - Europe versus the U.S. and what you're seeing when it comes to threats and collaboration.
David Dufour: [00:16:27] That's exactly right. Great to be back, David. Always love to talk about these topics.
David Dufour: [00:16:32] And I think you know - maybe some of your listeners don't - we have a very big presence in Europe, as well as the United States. And I think those of us in the U.S. always just presume that everyone thinks about the same type of issues or think about things in the same way that we do here in the States. But Europe has some different things that are concerning them, none of which will be a surprise. I just think that the level of concern that maybe isn't here in the States anymore that they have for certain things is pretty interesting.
Dave Bittner: [00:17:00] Take us through some of the things you learned.
David Dufour: [00:17:02] We're going to sing the same old song of ransomware and phishing. But here in the U.S., I think - I don't want to say ransomware is under control, but people are more familiar with it. We know how it works. We spend a lot of time understanding how to prevent it, how to get rid of it. And we've all had the debate, should you pay? Should you not pay?
David Dufour: [00:17:20] I think that debate and those discussions are just now really coming to the forefront in Europe. And I don't know - you know, credit card scams were, you know, predominantly U.S.-based for a while, and now they're becoming global. I don't know if you'd take advantage of the U.S. first because that's where the money is, and then you start propagating elsewhere. That could be happening. There's a lot of discussion. And you see a lot of concern about ransomware.
Dave Bittner: [00:17:41] Yeah. It's interesting to me that it seems like there are some basic cultural differences that inform these things. I think the big one is privacy, where we have GDPR. And Europeans seem to have a different approach to privacy than we do here in the U.S.
David Dufour: [00:17:56] That is a fact. And, again, I'm going to bring that - jump to GDPR. You know, that is No. 1 in their minds, has been for several years. And to be fair, they had this huge regulation coming down from the EU, whether - depending on you think it's good or bad, I'm not going to make that discussion. But they have had to focus so much of their energy on the GDPR efforts over the last several years, they haven't been paying as much attention to ransomware, phishing, machine learning.
Dave Bittner: [00:18:26] So what are your recommendations for folks who are looking to do business in Europe? Any sensitivities they should have when they're reaching out?
David Dufour: [00:18:35] Well, for sure, the No. 1 thing is GDPR. It's still top of mind. Everyone really focuses on that. Data protection is key because what people are worried about - you know, getting sued or things of that nature.
David Dufour: [00:18:47] But in general, I think it's the same idea of, how are you protecting the endpoints? How are you protecting the customers? Focusing on phishing and ransomware right now is something that they really are looking at. It's kind of what we talk about here, but just to get the bundle in GDPR.
Dave Bittner: [00:19:02] I mean, it sounds like we've got more in common than we don't, but there are some important nuances to take note of as well.
David Dufour: [00:19:08] That's exactly right. You know, the cycles are a little bit different over there. I think we all end up at the same place; we just might take different trains to get there.
Dave Bittner: [00:19:15] All right. Well, David Dufour, thanks for joining us.
David Dufour: [00:19:18] Great being here, David.
Dave Bittner: [00:19:25] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:46] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.