Zoom addresses concerns about call joining and cameras. ICS vulnerabilities addressed. Patch Tuesday notes. Tracing a disinformation campaign.

Dave Bittner: [00:00:03] Zoom agrees to change what it still sort of regards as a feature and not a bug. Industrial control system vulnerabilities are reported and patched. Microsoft issues 77 fixes on Patch Tuesday. Adobe has a relatively light month for patches. Marriott is hit with a large fine from the U.K.'s Information Commissioner's Office. And an investigation report traces disinformation about a 2016 Washington murder to Russia's SVR foreign intelligence service. 

Dave Bittner: [00:00:38]  Now a moment to tell you about our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms: Everything You Need to Know About security, orchestration, Automation and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show. 

Dave Bittner: [00:01:49]  Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com. 

Dave Bittner: [00:02:04]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 10, 2019. Last night, Zoom revised its videoconferencing service to completely remove the local web server and add an option to its menu that enables users to remove the app. Two other changes planned for release Friday will save new users' choice of the always-turn-off-my-video option and will permit returning users to turn video off by default. Zoom says it made these changes in response to widespread outcry against the way a user could've been unwittingly joined to a conference with their video on. The company had viewed these controversial aspects of its service as features not bugs, design elements that they said were, essential to our seamless join process. The company also addressed the possibility of distributed denial-of-service conducted against users of its conferencing platform. It's striking to see the extent to which Zoom has stuck to its metaphorical guns. The aspects of their platform that attracted such odium earlier this week were, the company says, deliberate design choices made to provide an easy and pleasant user experience. They're listening to the users and changing the production to suit the market's mood, but one has the distinct impression that they think the marketplace of opinion has this one largely wrong. 

Dave Bittner: [00:03:26]  Tenable has reported a range of ICS vulnerabilities, many of them involving systems used in the operation of power plants. The vulnerabilities have been disclosed to the vendors responsible for the systems, and they appear to have been addressed with patches or other mitigations. The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency - the young organization known by its acronym CISA - has issued a number of advisories on the industrial control system vulnerabilities this week. The vendors, who have been fixing their systems, include major providers Siemens, Schneider and Emerson. 

Dave Bittner: [00:04:03]  Yesterday, of course, was Patch Tuesday. Microsoft brought out 77 fixes, many of them addressing issues in Explorer and Edge. The patches fixed two zero-days that are being actively exploited in the wild. The first is a vulnerability in Spooler Windows OS, a Windows process. The second is an issue that arises when Win32k improperly handles objects in memory. This vulnerability has been found in a targeted attack against an Eastern European target, where the tactics and techniques looked a lot like those used by Fancy Bear - that is Russia's GRU military intelligence service. Both of the zero-days are rated important but not critical. There were 15 critical patches. The one that seems to have drawn the most attention from observers is CVE-2019-0785, a remotely exploitable memory corruption issue that affects all versions of Windows Server released since 2012. 

Dave Bittner: [00:05:01]  Adobe had a relatively light set of patches, offering fixes for issues in Dreamweaver, Experience Manager and Bridge CC. None were rated critical. It's perhaps noteworthy that Flash, which normally takes a star turn on Patch Tuesday, was completely absent from this month's list. 

Dave Bittner: [00:05:19]  In the past week or so, we've seen substantial fines levied against global organizations for GDPR violations. This has many companies taking a fresh look at their approaches to risk and regulation. The CyberWire's Tamika Smith examines best practices to make sure your plans fit the bill. 

Tamika Smith: [00:05:38]  It's been just over a year since GDPR was implemented, and it's inspiring other countries to create their own data privacy policies and laws. As this transition takes effect, CIOs are trying to create multiple strategies around new laws and regulations that are being developed. Here to shed more light on this topic is Myke Lyons. He's the CISO for Collibra. They raised $100 million recently through their Series-E funding round and was recently valued at a billion dollars, raising the company's status to unicorn. Welcome to the program, Myke. 

Myke Lyons: [00:06:13]  How are you, Tamika? 

Tamika Smith: [00:06:13]  I'm doing great - safe to say you guys are doing something right. 

Myke Lyons: [00:06:16]  We're in a good place. 

Tamika Smith: [00:06:18]  (Laughter). So like I said before, the GDPR passed its one-year milestone in May, and countries, including the U.S., are developing their own regulations to tighten up data privacy and security. What advice do you have to CIOs who are watching this transition? 

Myke Lyons: [00:06:33]  I think you highlight it well. There's a lot of additional regulations coming state by state, country by country. So organizations are going to need to figure out how they can quickly adopt these standards - many of these new regulations will be based on GDPR - but look at ways that they're different and look at ways that they can adopt them and really start to think about a privacy platform - more of a data governance platform - rather than single one-off technologies. 

Tamika Smith: [00:06:59]  So when you say look at a platform, what platforms would you suggest or at least put on their radar? 

Myke Lyons: [00:07:05]  When you're looking at a platform, you need to be able to understand that data is going to take all shapes and forms, and what those data are and how they're tagged and classified is a very difficult and - challenge that could never be accomplished through the manual labor that we have today. You could probably hire a million people to do it, but that's very noneconomical. And so looking at ways to automate those classifications are going to be critical. It's about knowing where your data is so you know how to protect it better. Well, if I know my data is sitting in this, you know, in this DMZ or on this web server and is available through these mechanisms, I know that if it's important data on there, I'm going to add additional layers of protection. 

Myke Lyons: [00:07:40]  But one of the challenges that governments have faced for so long - they take a broad brush when they apply things like a classification. When you have a technology that allows you to, you know, be a little bit more surgical - and more precise is probably even a better word - with those data, you can then put the appropriate levels of control in place to protect that system, protect the data that's sitting on that system. That's sort of the security view. The business view of that is, I have this data. Let me make sure that I'm using the data appropriately. So, for example, I'm a person who is looking for sales data about a product that I'm trying to come up with a new package or offering to my potential customers. Well, there's another person who's responsible for the data itself and owns that data. So when I go to find data that I can use to make sure that I'm targeting the right folks and, you know, they're not just being spammed, et cetera, I'll make a request of an individual or a - I'll find a data set and make a request. But what essentially comes on the back side of that is that someone else is going to say, well, you can use my data, but these are the conditions for which you need to abide by. 

Tamika Smith: [00:08:41]  So a new area I would like to explore is the security compliance incident response plan. What are the dos and don'ts of having one? 

Myke Lyons: [00:08:50]  Well, I think dos are have one (laughter) - definitely the most important one, right? 

Tamika Smith: [00:08:56]  (Laughter) Sure. 

Myke Lyons: [00:08:56]  You have to have one. 

Tamika Smith: [00:08:57]  (Laughter) Yes. 

Myke Lyons: [00:08:57]  If you don't, you're in trouble. You know, the one you need to allow for and understand more is that there's never a security incident that involves one team within a company, right? Those are not really incidents. Those are just general events. And so you need to be able to work and work collaboratively across all of the parts of your business. This can be parts that you may not have thought through, right? This could be - I need finance involved because I need a bag of money. These are things that are real nowadays. And the second thing about incident response then is don't just think about it as an incident, like this nation-state decided to break into my network, and now they're ruining my day. You've got to think about it in the context of things that are outside of your control, like a vulnerability that is released by a vendor through a, you know, responsible disclosure program. But now that's an incident for me because I use that vendor software. And I have to act, and I have to act quickly. 

Tamika Smith: [00:09:48]  And vendor software has definitely been one of the weaknesses of companies. 

Myke Lyons: [00:09:53]  Well, absolutely. I mean - and we're going to use vendor software, right? We're always going to use vendor software. I think the important thing there is making sure that you're working with vendors that have an understanding of how to remediate their - you know, their flaws. Software has bugs. It's the nature. I think the third real component of this is around privacy because there is a requirement to respond to privacy-related events, specifically under GDPR, in 72 hours. That's a pretty aggressive timeline, quite frankly. And these are things where CIOs and CISOs are being challenged - is, how do you do that? How do you, you know, get in contact with the appropriate people to notify them there? With all of those aspects, the reality is you need to practice and work hard towards getting that muscle memory generated so you can, in fact, respond appropriately. 

Tamika Smith: [00:10:36]  Myke Lyons, thanks for joining the program. We definitely have a lot to learn here. 

Myke Lyons: [00:10:41]  Thank you, Tamika. This has been great. 

Dave Bittner: [00:10:43]  That's our own Tamika Smith reporting. 

Dave Bittner: [00:10:46]  The U.K.'s Information Commissioner's Office handed out its second big fine of the week for a GDPR violation. After levying 183-million-pound fine against British Airways - that's 229 million U.S - the ICO announced yesterday that it was fining Marriott just over 99 million pounds - that's $123 million - for a breach the hotel chain suffered in 2018 as it integrated the reservation system it acquired when it bought the Starwood properties. The fine amounts to 3% of the chain's annual revenue, one percentage point lower than the maximum allowable fine under GDPR. Marriott, disappointed by the ruling, intends to appeal. 

Dave Bittner: [00:11:28]  The two big fines are widely seen as representing some sort of shift at the ICO, which had previously taken a lighter hand with data privacy fumbles, in some cases, issuing warnings without fines, giving organizations a period of a few months to resolve their problems and so on. This week's heavy fines are regarded as likely to change businesses' risk calculations and move them away from a willingness to accept risk and toward a determination to mitigate it. Transferring the risk of punitive action under GDPR seems a less likely option. 

Dave Bittner: [00:12:01]  A Yahoo News investigative report has concluded that Russia's SVR foreign intelligence service developed and disseminated a particularly ugly piece of disinformation during the last U.S. presidential election season. Seth Rich, a young data director working for the U.S. Democratic National Committee, was murdered early Sunday morning, July 13, 2016. Local authorities concluded - and continue to believe - that he was the victim of a botched armed robbery, a mugging gone wrong. But three days after the killing, the SVR fabricated a bogus intelligence report that retailed the story that Rich was a whistleblower who was killed by a hit squad working for then-presidential candidate Hillary Clinton. The story was that he was a disappointed supporter of Senator Sanders who intended soon to be in touch with federal authorities about criminal corruption involving the Democratic Party's nominee. Yahoo's report points out that there's no particular evidence that Rich supported any particular Democratic candidate and that he seems not to have been the disappointed Bernie Bro the disinformation represented him as being. 

Dave Bittner: [00:13:07]  The story was first leaked to whatdoesitmean.com, a site with a reputation for being a conduit for Russian information operations. On August 9, WikiLeaks' Julian Assange strongly suggested that the late Mr. Rich had been the source of leaked DNC emails WikiLeaks had received. Mr. Assange offered a $20,000 reward for information leading to the solution of the crime, noting at the time that, our sources take risks. There's been scant evidence that Seth Rich was in contact with WikiLeaks. The story nonetheless was featured for some months by RT and Sputnik, both Russian government media outlets. It was also amplified by inauthentic social media accounts operated by the St. Petersburg-based Internet Research Agency. The Assange connection is interesting, suggesting as it does at least a shared worldview in the Kremlin and the guest quarters of Ecuador's London embassy, if not actual coordination. 

Dave Bittner: [00:14:04]  Yahoo's report offers an interesting reconstruction of how the story grew its legs. The lie received its customary bodyguard of truth - in this case, the sad street murder of a young man - and was designed to hit a fault line in public opinion, where those disposed to see corruption would find their suspicions apparently confirmed. Either the SVR or its sister service, the FSB, by the way, are generally thought to be Cozy Bear. Whichever KGB institutional descendant actually runs Cozy Bear probably doesn't matter much, unless you're a Kremlin insider concerned with agency equities. In the end, of course, they're all working for Papa Bear. 

Dave Bittner: [00:14:50]  And now a few words from our sponsor Dragos, the leaders in industrial cybersecurity technology. Threats to industrial organizations are proliferating, as Dragos recently identified the most dangerous threat to ICS - XENOTIME, the activity group behind TRISIS, has expanded its targeting beyond oil and gas, illustrating a trend that will likely continue for other ICS-targeting adversaries. Learn more about the eight public threat activity groups Dragos tracks at dragos.com/adversaries and how taking an intelligence-driven approach to ICS security is the most comprehensive defensive strategy to combat industrial adversaries. To register for a free 30-day trial of Dragos' ICS threat intelligence, visit dragos.com/worldview. And we thank Dragos for sponsoring our show. 

Dave Bittner: [00:15:52]  And joining me once again is Craig Williams. He's the head of Talos Outreach at Cisco. Craig, great to have you back. You all recently published some new research. This is about something that you're referring to as Spelevo. What's going on here? 

Craig Williams: [00:16:07]  Well, so Spelevo is basically an exploit kit that we've been tracking. You know, a lot of people think exploit kits kind of died because they really went from an incredibly common thing to something that we just don't quite see as much anymore. You know, like, if you think back about it, I would say the most popular heyday of the exploit kits was probably four years ago, when we had the Angler exploit kit out there basically compromising everybody. And we were able to show that they were basically making millions of dollars - you know, super profitable, very widespread. But as word got out and as browsers started hardening, they've gotten a little bit out of, you know, popularity just because the difficulty involved, and the redirection systems are very complicated. And so the fact that Spelevo is back and pretty effective - it's a good, notable piece of malware to look at. 

Dave Bittner: [00:16:57]  And so what are some of the details here that you need to share? 

Craig Williams: [00:17:00]  Well, so the way that exploit kits work is they find a legitimate website and find a way to inject some code into it. And this can be done through, like, a redirection technique. It can be done by compromising the website. So, you know, let's say one of the people with access to the web page isn't using two-factor authentication and is sharing credentials on various sites. Right? I know no one would do that (laughter), but it does happen from time to time. And so what happens is the attackers can then get on to those sites and add in the code, or they can find a vulnerability on the server and add in the code. And it's very, very difficult to detect. I mean, typically, when we're talking about these redirects, it's like one line of code - right? - one little link hidden in the web page. And so you can literally be looking at it, and it's very, very easy to miss, especially if you're not super technically savvy. You know, it'll look like you just went to a website. It redirected once or twice. And meanwhile, in the background, your web browser was interrogated. It tried to figure out if you were vulnerable to any of the, you know, exploits that it was using. And if it was, it would feed you one. And if not, it would redirect you to something else, like a phishing website, potentially. 

Dave Bittner: [00:18:04]  So in terms of detection, is this the kind of thing where if I'm, for example, running antivirus or something like that, is that going to get pinged by this? 

Craig Williams: [00:18:13]  Potentially, right? A lot of the payloads, a lot of the loaders are often detected. However, we have seen several examples of loaders for stuff like this that are generated on the fly. And to make it worse, these sites have a system in place so that you can't, like, automatically harvest the binaries - right? - you can't automate detection very easily. And they do that by looking at the redirection paths in the source and the refer paths. And if they don't match up to the right sites, you won't actually get the malware sample. So when we see something like this, there's a couple of different layers you can block it at, right? The first one would be the DNS lookup, right? Maybe we know that the site's compromised because we saw it via our telemetry system, and so we block the website for a couple hours until they can have a time to clean up that broken link, right? So that would be done at, like, you know, Umbrella or something like that. Another way to do it would be with, like, a web inspection - right? - so something like our Web Security Appliance or something like Firepower or any content inspection box out there, right? 

Craig Williams: [00:19:10]  Now, those may not be super effective, but that's, you know, where you can go to something on the endpoint - right? - so like, endpoint antivirus - something like that, like AMP - that's the other layer. So there's really, you know, let's say two really good layers to focus on this type of stuff - right? - the DNS lookup and on the endpoint because in those two places, you're going to have the capabilities to see what you need to see. And on the endpoint, you can actually do a little bit more advanced inspection and, you know, look for things like obfuscation techniques that's not used by normal software. 

Dave Bittner: [00:19:40]  All right. Well, the blog post is titled Welcome Spelevo: New Exploit Kit Full of Old Tricks. Check it out. It's on the Talos website. Craig Williams, thanks for joining us. 

Dave Bittner: [00:19:56]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:20:08]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.