The CyberWire Daily Podcast 6.28.19
Ep 875 | 6.28.19

Regin in Yandex? Golang is out and busy. So is the ShadowGate crew. The ICO wants an explanation from the Metropolitan Police. Trackers in news sites. Phishing those who seek “Verification.”

Transcript

Dave Bittner: [00:00:03] Yandex says it was hacked with Regin spyware. The Golang cryptominer is spreading again. And the ShadowGate ransomware crew is newly active with a dangerous drive-by. Three data exposures are reported. London’s Metropolitan Police are in trouble with the Information Commissioner’s Office. A look at tracker behavior. The Verified Badge as a phishing lure. My conversation with the new head of Deloitte Cyber, Deborah Golden. And congratulations to a Loeb Award winner. 

Dave Bittner: [00:00:39]  And now a few words from our sponsor, KnowBe4. Everyone knows that multi-factor authentication, or MFA, is more secure than a simple login name and password. But too many people think that MFA is a perfect, unhackable solution - it isn't. Learn from Roger Grimes, KnowBe4's data-driven defense evangelist in an on-demand webinar where he'll explore 12 ways hackers can and do get around your favorite MFA solution. The webinar includes a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick and real-life successful examples of every attack type. It will end by telling you how to better defend your MFA solution so that you get maximum benefit and security. Go to knowbe4.com/mfa to watch the webinar. That's knowbe4.com/mfa. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:01:38]  Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com. 

Dave Bittner: [00:01:53]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 28, 2019. 

Dave Bittner: [00:02:01]  Russian online services giant Yandex, the Russian Google, says it detected and remediated a Regin spyware infestation late in 2018, Reuters reports in an exclusive. Regin, a tool named after the dwarf smith of Norse mythology, has been publicly associated by Edward Snowden with the Five Eyes. In this case, the malware appears to have been active in October and November of last year. Yandex says its security teams detected the infection and contained it quickly. A company spokesman told Reuters, quote, "It was fully neutralized before any damage was done," end quote. Although, one wonders how they could be so certain of this. Kaspersky was called in to help with the remediation, and the security company said that the infection’s goal was espionage and that its immediate targets were developers. Kaspersky and the U.S. Government declined to comment when contacted by Reuters. The Russian government did comment, saying that they hadn’t heard about anything like this going on at Yandex, but that they’re not surprised because, as they put it, Russian companies are attacked every day, and a lot of those attacks come from the West. 

Dave Bittner: [00:03:12]  Regin tends to get pretty good reviews as a technical piece of work. Symantec’s Vikram Thakur told Reuters that, quote, "Regin is the crown jewel of attack frameworks used for espionage. Its architecture, complexity and capability sits in a ballpark of its own." 

Dave Bittner: [00:03:30]  Trend Micro is tracking a campaign using a spreader to scan for vulnerable machines it can infect with the Golang coin miner. The scanning is interesting, as are some of Golang’s more assertive features. It scans and mines, to be sure, but according to Trend Micro's researchers, it also disables security tools, clears logs and histories and also finds and kills any competing cryptomining activities that may have been present on the victim machine. 

Dave Bittner: [00:03:58]  The ShadowGate ransomware gang, also being tracked by Trend Micro, is back with what Ars Technica calls the worst drive-by attacks in recent memory. The campaign, which uses compromised websites as its infection vector, employs the GreenFlash Sundown exploit kit. It actually accomplishes three things. It installs SEON ransomware - a dangerous strain - Pony botnet malware and a cryptojacker. The gang’s activities had previously been confined largely to South Korea, but it’s broken into the European and North American markets in a big way. The best protection is patching because the usual route into a machine is through an old, unpatched instance of Adobe Flash. And antivirus software usually detects the exploits and payloads. 

Dave Bittner: [00:04:47]  Several data exposures have come to light late this week. KrebsOnSecurity writes that PCM, the California-based cloud solutions provider, was compromised in May by attackers who stole administrative credentials PCM used to manage clients' Office 365 accounts. The hackers' goal appears to have been obtaining information useful in gift card fraud. 

Dave Bittner: [00:05:10]  Researchers at security firm UpGuard discovered exposed AWS S3 buckets belonging to data management firm Attunity on May 13. They confirmed the exposure and notified Attunity on May 16. It's unknown which of Attunity's clients were affected, but UpGuard says it found data apparently belonging to Netflix, TD Bank and Ford. The data have since been secured. 

Dave Bittner: [00:05:36]  Comparitech found and disclosed an exposed MongoDB database belonging to medicaresupplement.com. The database appeared to be a marketing leads tool, but it's said to have included some personal medical information as well. Medicaresupplement.com isn’t an insurance company, but rather a firm that enables users to find such supplemental coverage as may be available to them. The data the company collects from its users includes personal information and a range of what Comparitech describes as marketing-related information. That would include lead duration, clicks, landing pages and so forth. Comparitech says that MedicareSupplement has apparently secured the database. They add that the New Jersey-based company has a good Better Business Bureau rating, and that there’s no sign it’s experienced other data incidents. 

Dave Bittner: [00:06:27]  The U.K.'s Information Commissioner's Office has imposed two enforcement orders on London's Metropolitan Police. At issue is the Metropolitan Police's failure to respond to Subject Access Requests, or SARs, in which people inquire about certain data the police might hold about them. This seems more a matter of backlog than deliberate resistance on the part of the Metropolitan Police. Under the applicable law, failure to respond to an SAR is a violation of data protection responsibilities, not merely blowing off some citizen's random curiosity. 

Dave Bittner: [00:07:03]  A study by Feroot looks at the hidden behaviors and concealed activities of third- and fourth-party tools and scripts on the user side of websites and web apps with a view to coming to grips with the risks these present. What the study found was basically an expansive attack surface. News sites are especially rife with trackers. Most of the major news sites in North America, Germany and the U.K. use ad trackers that automatically transfer data across borders, and they consistently send information about user behavior to Russia, among other places. 

Dave Bittner: [00:07:37]  Vanity has a new name, and vanity, thy name is apparently Instagram. Sucuri researchers say that social engineers are using an application for the swanky and evidently highly coveted Verified Badge as phishbait while trolling for vain Instagrammers' credentials. The hoods have set up a plausible-looking application page, but the information they're soliciting should raise red flags of warning for the properly wary user. First, they ask you for your Instagram credentials, which no reputable and thinking service would do. And second, they ask you to confirm that you are, in fact, you by asking for your email address and email service login password, which no reputable and thinking service would really and truly ever do. Why do they want your email? For lots of reasons of opportunity for fraud, but in particular because it will allow them to reset your Instagram credentials should they find themselves locked out of the account formerly known as yours. 

Dave Bittner: [00:08:39]  The information they ask for amounts to two big red flags. A smaller but still significant one is their domain name. The Instagram - it’s Instagram for business dot info, which needless to say ain’t Instagram. 

Dave Bittner: [00:08:52]  Why would you want that badge of authenticity? Well, do your friends have one? Probably not. Be the first one on your virtual block to get yourself badged. Or alternatively, forswear worldly vanity and devote yourself to better things. Yeah, we thought not. And finally, congratulations to Andy Greenberg, who won the Loeb Award yesterday for his reporting on NotPetya. His piece in WIRED last year, "The Untold Story of NotPetya, the Most Devastating Cyberattack in History," is well worth reading. Congratulations and well done. 

Dave Bittner: [00:09:30]  And now a few words from our sponsor Dragos, the leaders in industrial cybersecurity technology. Threats to industrial organizations are proliferating, as Dragos recently identified the most dangerous threat to ICS. Xenotime, the activity group behind Trisis, has expanded its targeting beyond oil and gas, illustrating a trend that will likely continue for other ICS-targeting adversaries. Learn more about the eight public threat activity groups Dragos tracks at dragos.com/adversaries and how taking an intelligence-driven approach to ICS security is the most comprehensive defensive strategy to combat industrial adversaries. To register for a free 30-day trial of Dragos' ICS threat intelligence, visit dragos.com/worldview. And we thank Dragos for sponsoring our show. 

Dave Bittner: [00:10:33]  And I'm pleased to be joined once again by Michael Sechrist. He's chief technologist at Booz Allen Hamilton. He also leads their managed threat services intelligence team. Michael, it's great to have you back. We've been seeing a lot of stories about deep fakes and the growing technology that's enabling that sort of thing. And I'm curious what you're seeing and what your team is tracking when it comes to this stuff. 

Michael Sechrist: [00:10:57]  Yeah. Thanks a lot for having me back. I mean, so one of the things that we're seeing is a little bit of how can attackers or those with kind of strategic interest, you know, ice out truth? And what I mean by that is our - you know, we're seeing kind of the rise in the public space about who has access to the actual truth of the matter. 

Michael Sechrist: [00:11:20]  This could be in the pro or anti-vaccination debate. It could be in the fake news and real news debate. It can bleed over obviously to the deep fake world, where we're talking about whether an image or a video is created and is purported to be from the actual organization or individual itself or not. It could be from also when we're talking about just whether the data that you might get back that you see in your environment is being tampered with. And we're seeing that potential with ransomware payments and what you get back and determining whether that is really your data as it existed before it left the environment. 

Michael Sechrist: [00:11:58]  So all these things are kind of, you know, assaulting kind of previous notions or kind of challenging kind of the overall how we kind of arrive at ground truth. And one of the sort of functions that we see is very important to countering this trend, is to build an intelligence function within organizations. And necessarily doesn't have to just be around cyber threat intelligence, but one that kind of builds in a level of confidence and a surety in the data that you work with in your enterprise and how to have kind of a better trust that what you're arriving at is really your known ground truth. You know, that - like I said, this could be with, you know, data that resides even in a business application. How do you arrive at that without having some sort of baseline of what that known data or good sort of data looks like in your environment? 

Michael Sechrist: [00:12:55]  So that's when I - when I'm talking about your ground truth, that's what I mean, is that there are sort of ways that, you know, arrive at a known good and a known bad in an organization. And that really is a function of having, you know, a good level of confidence and integrity in the data itself. 

Dave Bittner: [00:13:14]  Yeah. And I imagine with things like deep fakes, when we're dealing with imagery, how much are we relying on a chain of custody, of being able to track what changes have been made internally and perhaps, you know, externally with third parties, with partners along the way? 

Michael Sechrist: [00:13:31]  So, you know, one of the things organizations have built is a certain repository with, you know, certain values or hash functions that are associated with certain files and data that you've kind of correlated to be the true or the authentic version of that data to some sort of high degree of confidence. Obviously, you know, nothing's perfect, and there's no 100% surety in security or in confidence-level itself. But you want to have kind of certain best practices and implementations built in that can arrive at a high degree of that confidence and high authentication of that data internally. And that is really, you know, working closely with a team that can validate this data and kind of how the mechanisms arrive at being your data. 

Dave Bittner: [00:14:18]  All right. Well, it's certainly an interesting development and one to track. Michael Sechrist, thanks for joining us. 

Michael Sechrist: [00:14:25]  Thank you so much. 

Dave Bittner: [00:14:30]  And now a word from our sponsor ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Prevention-based tools leave you blind to any threats inside your network. By adding behavioral-based network traffic analysis to your SOC, you can find and stop attackers before they make their move. ExtraHop illuminates the dark space with complete visibility at enterprise scale, detects threats up to 95% faster with machine learning and guided investigations that help Tier 1 analysts perform like seasoned threat hunters. Visit extrahop.com/cyber to learn why the SANS Institute calls ExtraHop fast and amazingly thorough, a product with which many SOC teams could hit the ground running. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:15:29]  My guest today is Deborah Golden. She's recently been named the head of Deloitte Cyber, an organization with over 4,200 employees here in the U.S. In an industry where only 5% of executive positions are held by women, she's a champion for diversity. But not just for diversity's sake. 

Deborah Golden: [00:15:47]  You know, I've been in the field in some capacity or another for about 25-plus years. Always been intrigued by technology and computers. I grew up in a household where my father was heavily dedicated to the IT profession, from his collegiate career all the way through to working for an organization for 35 years, focused in their CIO shop. And so grew up with trinkets in the house, you know. And one of the things that my father always did was he never brought home a manual for how things worked, and I was always intrigued with how to put them together and how to make them work and how to think through the process of enabling them through technology or, ultimately, you know, what you're trying to achieve and kind of traverse through my career. 

Deborah Golden: [00:16:29]  And so after I graduated - I have both an undergraduate and a master's degree - I actually came into Deloitte - I worked for another company for two years. But, basically, I've spent the predominance of my industrial career here at Deloitte. And one of the things that I think differentiates me in how I kind of look at how my career has evolved - I've always looked at it from a business side. So what is the business trying to do? What are we trying to solve for? What is the outcome we're looking for? And how do we talk about these things in a business sense while, at the same time, trying to solve for the cyber piece of it? 

Deborah Golden: [00:17:02]  And if you think back, you know, again, to my childhood, as I said, I was trying to solve for it without having the manual. And so it makes complete sense to me when I think about how my journey has gotten me to where I am of really always wanting to solve for that problem and understand the complexities associated with it, while at the same time trying to achieve and help clients ultimately achieve their mission or their goals without necessarily making it a cyber (inaudible) - because I think cyber has historically been a technology issue. 

Deborah Golden: [00:17:32]  And so instead - and where we needed to continue to evolve to is having cyber really be built into the cornerstone of all business aspects and how we approach the world, how we approach our industry, how we approach our problems. 

Dave Bittner: [00:17:46]  Now, as you were making your way around the organization and taking on new challenges, was leadership something that was always front and center for you? 

Deborah Golden: [00:17:55]  No, actually, it wasn't. I'm a heads-down, work-hard kind of person, and, you know, my work ethic and work attitude and collaboration really is front and center for me. And so I always say, you know, I'm a partner's partner, and I don't mean that by title or by action; I mean it by the sense of, I'm here for everyone, right? I'm here to help better - if it's a client, whatever my client's looking to achieve, if it's my team, if it's whether that's leading up or leading down, right? 

Deborah Golden: [00:18:24]  And so to be in the trenches and working and having everyone else's back, while at the same time, of course, you always aspire to do something different. I didn't set out to say, you know, this is going to be what I am tomorrow. I just said, I know we've got to work together and try and collaborate to get there. And I think over time have realized that obviously if you want to continue to evolve yourself, leadership obviously becomes front and center to that. And I think one of the things that I pride myself on is, not only am I an authentic leader, I really do try to be an inspirational leader as well. So how do you create leaders amongst leaders, is one of the things that over time has become really important to me as I've been put into a variety of different leadership positions. 

Dave Bittner: [00:19:08]  You know, as you look across the industry, looking at cybersecurity, there's a - the statistics that you see are that between - depending on who you ask, I've seen between 13% and 20% of folks in the field are women. Deloitte does much better than that. Around a third of the folks at Deloitte are female. First of all, what do you think is behind that? What do you have going on there at Deloitte that encourages that? And why is that important? 

Deborah Golden: [00:19:37]  I'm incredibly proud of the fact that we promote a diverse workforce. And we're really deliberate about it. It's not something that we look at as an afterthought. I myself obviously am incredibly deliberate and purposeful about creating and sustaining a diverse workforce. But it's not just me; it's the culture we've built. If you think about how Deloitte has evolved their initiatives associated with diversity, it's candidly been going on since the day I joined Deloitte. We've put a lot of time and energy as you think about - as we should - all levels of the firm, really looking to create that authentic workforce that is purposeful in its diversity. 

Deborah Golden: [00:20:17]  And I think that's very different than looking in and saying, we need to hit a statistic. We need to make sure we do better. We need to make sure that we have X number of Y-types of people. You have to be passionate about wanting to do it, and you also have to be passionate about, how do you retain these types of individuals? So it's not just about getting them in the door; it's about how do you actually retain people. And I think the retention programs - you know, we are a place that people want to be. 

Dave Bittner: [00:20:41]  Do you see that diversity as being a competitive advantage? 

Deborah Golden: [00:20:46]  One-hundred percent. I am also a firm believer that you need to have diversity of thought to solve problems. If you create everything in a linear manner where everyone's thinking the same way, I guess that's easier. I guess maybe you come to conclusions quicker because everybody agrees. And by the way, there's good things to have about healthy tension, and that doesn't mean that diversity is always causing tension; it means that diversity is always bringing different types of thought to solving problems. And it is absolutely a differentiator, and it's also something that helps me learn, right? 

Deborah Golden: [00:21:18]  Every one of us should always want to learn. I constantly am wanting to try and understand, like I said, how trinkets work, and that includes people. And so when you think about how people think, and you think about what drives individuals, how we solve problems, the more diversity we can bring to solving some of our client's most complex problems, we're going to get there in much more unique ways. 

Dave Bittner: [00:21:38]  What advice do you have for that youngster who is considering a career in cybersecurity? And maybe they're one of the underrepresented groups, a member of one of those groups. What words of wisdom do you have for them? 

Deborah Golden: [00:21:52]  You know, start early. As we all know STEM programs are going more and more K through 12. And you've got so many different options, so that when you think about, you know, where (inaudible) is cyber? It's not, I want to be just cyber; it's you've got individuals - I have kids or friends of mine who have children who come up to me and say, you know, my daughter or my son, my niece, nephew, whomever, they want to go build missiles, and they want to go build rockets, and they want to go be doctors. 

Deborah Golden: [00:22:20]  And when you talk to them a little bit more about that, then they're like, well, what happens if someone gets into the missile? Or what happens if someone gets into the application? And so they're already thinking about it. We know the younger generation, again, K through 12, they're on computers, they're on, you know, phones, they're on devices. The world that we live in is changing. We know we're going to have autonomous vehicles. We've got refrigerators that can order food for us. 

Deborah Golden: [00:22:44]  I think what we need to encourage people to do is, again, as they're doing. How do you think about the impact of those things on your lives? And I think also the dynamic of the individuals are changing, too. We know younger professionals, younger individuals are looking to put more and more data out there, right? There's more people, whether it's in chat messages, whether it's photos. And so there's also a changing dynamic, which is interesting to me, around privacy of data. 

Deborah Golden: [00:23:10]  And I think when you start talking about all these things, getting interested about those types of concepts at a very young age, so that when you come into the workforce, you're not thinking about it like privacy or security is some technology component; you're thinking about it - I want to go build a missile, and it's going to be really important for me to make sure I understand cyber and privacy or data in order to do that, not just the components of how to actually build the missile. Cyber becomes that component, equally as important as the materials to build that missile. 

Dave Bittner: [00:23:40]  That's Deborah Golden. She's the new head of Deloitte Cyber. 

Dave Bittner: [00:23:48]  And that's the CyberWire. Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:24:15]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.