The CyberWire Daily Podcast 9.27.19
Ep 937 | 9.27.19

Supply chain hacks versus Airbus. Phishing around Google Cloud. Masad Clipper and Stealer on the criminal-to-criminal market. Quick zero-day exploitation. DoorDash hack. Inside JTF Ares.

Transcript

Dave Bittner: [00:00:03] The Airbus supply chain is reported to be under attack, possibly by Chinese industrial espionage operators. Phishing campaigns impersonate Google Cloud Services. A new commodity information stealer is on offer in the black market. The vBulletin zero-day was weaponized surprisingly quickly. DoorDash discloses a hack that exposed almost five million persons' data. Insights on being the CEO of a public company, and a look at JTF ARES operations against ISIS shows commendable attention to increasing the enemy's friction. 

Dave Bittner: [00:00:40]  And now a word from our sponsor LookingGlass Cyber. Organizations have been playing a dangerous game of cyber-Jenga, stacking disparate security tools, point solutions and boxes one on top of the other, hoping to improve their security posture. This convoluted and overloaded security stack can't hold up in today's micro-segmented, borderless and distributed networks. As the enterprise network grows, organizations need a flexible protection around their unique network ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale their protection to fit their needs with one integrated software solution requiring no specialty hardware. Learn more at lookingglasscyber.com/contactus. That's lookingglasscyber.com/contactus, and we thank LookingGlass Cyber for sponsoring our show. 

Dave Bittner: [00:01:48]  Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com. 

Dave Bittner: [00:02:16]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 27, 2019. Cyberattacks against supply chains are among the third- or nth-party risks that have drawn increased attention over the past year. A high-profile manufacturer, Airbus, has been the subject of an industrial espionage attack on its suppliers. AFP reported yesterday that some major Airbus suppliers were hit by a cyberattack that seems designed to steal trade secrets. Engine manufacturer Rolls-Royce was affected, as was Expleo, a technology consultancy and supplier. At least two other companies in the Airbus supply chain were also attacked, but their identities are not yet publicly known. Neither Airbus nor Rolls-Royce has commented on the incident. Expleo told AFP it could neither confirm nor deny reports of an attack. Airbus did say that it, like any major company, is aware of cyberattacks, but it had nothing to offer concerning this incident, which AFP sources to unnamed security experts. Bloomberg has reported that Airbus has nonetheless taken steps to shore up its security. Sources suggest that the attackers worked against a virtual private network that connected Airbus to its suppliers. 

Dave Bittner: [00:03:31]  The hackers appear to have been particularly interested in collecting information relevant to obtaining aircraft certification. The two aircraft whose technical details drew the most attention were the A400M, a military transport aircraft, and the commercial passenger aircraft A350. There is so far no firm attribution, but informed speculation points to Chinese espionage. Either APT10, which is also known as Stone Panda and menuPass, or JSSD is being mentioned in dispatches. JSSD is associated with the regional security ministry in Jiangsu. Jiangsu is a center of the Chinese aerospace industry, which is seeking to enter the commercial airline market. Chinese aircraft company Comac is producing the country's first mid-range airliner, the C929, but it's been having difficulty obtaining certifications, which, of course, constitutes a significant barrier to entry in this particular market. 

Dave Bittner: [00:04:30]  Security firm Zscaler reports finding phishing campaigns, which the company assesses as sophisticated, abusing appspot.com and web.app, both legitimate domains associated with Google Cloud. Researchers say the campaign, which deploys well-executed landing pages that spoof the two widely used sites, is similar to a phishing effort they found in July that was engaged in similar deception with respect to Microsoft Azure. 

Dave Bittner: [00:04:58]  Juniper Networks reports a new strain of spyware delivered by Trojanized Windows executables. Once installed, the Masad Stealer spyware interacts with a Telegram bot the threat actor controls to find and exfiltrate data. The information Masad takes is browser-based, which is useful because it often holds credentials and pay card information. It also automatically swaps out any cryptocurrency wallets it comes across with a wallet of its own. 

Dave Bittner: [00:05:27]  Masad is off-the-shelf crimeware traded in the criminal-to-criminal dark web markets as Masad Clipper and Stealer, where it goes for the low, low price of $85 or so. Juniper points out that this means it can and will be deployed by an indefinitely large number of threat actors beyond the malware's original authors. The vendors have thought a bit about their marketing. They start you off with a free version and then offer increasingly capable versions at correspondingly higher prices. 

Dave Bittner: [00:05:56]  Security firm Imperva reports that a vBulletin zero-day is being exploited in the wild. If they're correct - and there's no reason to think they aren't - the vBulletin case shows how quickly a vulnerability can be weaponized after its publication. The company says it observed the first malicious request exploiting the vulnerability less than nine and a quarter hours after the vulnerability was posted to seclists.org. DoorDash disclosed that it's sustained a major data breach. Data on some 4.9 million customers, Dashers - gig workers who deliver for the service - and merchants were exposed to an unauthorized third party in May of this year. The company says the incident affected those who joined DoorDash before April 6, 2018. Customers, Dashers and merchants who joined more recently are unaffected. 

Dave Bittner: [00:06:46]  NPR has published an unusually long look at Joint Task Force ARES, the U.S. Cyber Command unit tasked with hunting ISIS in cyberspace. The account seems to derive from unusual access to JTF ARES and is rich in what we can only call Tom Clancy-esque detail. We note that JTF ARES leaders, for example, are said to give the order to initiate a cyberattack by saying "fire." If they were the gunner-inspired leaders we've sometimes been led to expect them to be, we'd have thought they'd use the more proper "cancel at my command," since "when ready" is the default for fire commands. But let that pass. The Americans, the Russians say, are notorious for not reading their own field manuals, which makes it difficult to train against them. Besides, General Ed Cardon, once responsible for JTF ARES, didn't come up as a gunner. In any case, "fire" it was and, thus, JTF ARES opened Operation Glowing Symphony in 2016. 

Dave Bittner: [00:07:44]  Glowing Symphony was intended to disrupt ISIS inspiration - that is, ISIS online media operations. And that goal it seems to have achieved. It's noteworthy that the JTF ARES people interviewed note that technical virtuosity was, wisely, not the point. The operation succeeded because it concentrated on introducing friction into ISIS online media operations wherever it could. That friction would be familiar to anyone who's worked with any corporate IT environment. NPR lists some of them that ring very true - slow downloads, dropped connections, access denied, program glitches. General Jennifer Buckner, who led JTF ARES in subsequent phases of the operation, illustrated it this way. She told NPR, quote, "Some of these are not sophisticated effects, but they don't need to be. The idea that yesterday I could get into my Instagram account and today I can't is confusing," end quote. 

Dave Bittner: [00:08:40]  Among the more prominent casualties of Operation Glowing Symphony were Dabiq, the ISIS online magazine, which folded, and the Caliphate's news service Amaq, which, among other things, lost its mobile app. Many of the ISIS foreign language news services also folded and have not been reestablished. NPR quotes Citizen Lab on the dangers of actually using cyberattack tools since using them also tends to proliferate them, and that's a risky business. But the operations against ISIS the piece describes don't seem to lend themselves to this kind of reuse. For example, how do you reuse the knowledge that the guy you're working against uses the same numbers for every credential? And that's not just passwords but answers to security questions like, what's your pet name? For the record, the ISIS IT guy said his pet's name was 1-2-5-7. The analysts knew because, like Tabasco sauce, the ISIS IT guy used that on everything. 

Dave Bittner: [00:09:36]  Speaking of the Russians, as we did just a moment ago, one of the more interesting parts of NPR's account is the brief comment that another organization comparable to JTF ARES has been established. It's called the Russian Small Group, and we trust they've got their fire commands down. A question - if people in North America call Russia's GRU hackers Fancy Bear, do the Russians have a comparable name for U.S. Cyber Command? And which animal would they use as its mascot? 

Dave Bittner: [00:10:09]  And now a word from our sponsor ExtraHop, delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. That's one reason enterprises value the SOC visibility triad - Gartner's framework that helps teams like yours scale security and business operations safely and cost-effectively. When you combine network detection and response with endpoint protection and SIEM, you have the visibility, threat detection and automated response capabilities you need to secure and support cloud growth. Learn more at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:11:08]  And joining me once again is David Dufour. He's the VP of engineering and cybersecurity at Webroot. David, it's always great to have you back. The importance of cybersecurity continues to expand throughout organizations, and it's touching more and more things. And that means there are a lot of new roles for people to play within organizations. 

David Dufour: [00:11:28]  First of all, thanks for having me back. You know, we are seeing a lot of new roles both inside organizations and then - you know, where you're hiring people to support security and then - and additionally the training that people need in universities and things like that to be able to come in and build products that actively help prevent, you know, threats or detect threats, things of that nature. So it's quite a lot going on right now. 

Dave Bittner: [00:11:53]  So can you give me some specific examples? What kinds of things are folks spinning up these days? 

David Dufour: [00:11:57]  Well, one of the biggest things - and I know we hear about this a lot. So please, let's remember. I'm on the engineering side not on the sales and marketing side. AI and machine learning - I cannot underscore the need in the industry for folks who are trained and well-qualified in building solutions with that in it because we're trying to get past the hype of saying we've got AI or we've got machine learning, and what we need are those people that are really well-trained in how to implement those solutions such that products use them most effectively. And that is not something you just learn overnight. There's a lot of work involved in understanding how to build those models, build machines that consume data and then understand how to pull and analyze that data to build effective machine learning tools. 

Dave Bittner: [00:12:45]  Yeah. And I think we're also seeing that, besides the traditional computer science pathway, that there are lots of other roles within cybersecurity - folks coming up through school or looking for, perhaps, a new career - they can take advantage of those needs. 

David Dufour: [00:13:00]  That's absolutely right. And, you know, we are looking across the board at different types of folks in the industry, from, you know, mathematicians, people who understand human behaviors - we're seeing a lot of them get involved with the machine learning folks to be able to develop, you know, user base stuff. Totally not being my normal, snarky self here, we need a lot more technical PR, technical marketing folks to come out to be able to really educate the consumer and the industry because a lot of us engineers aren't really good at communicating that. And you need people with that technical background and understanding, but in, you know, all types of fields. 

Dave Bittner: [00:13:41]  Don't let the technical stuff scare you away from perhaps pursuing a career that's related to cyber. 

David Dufour: [00:13:47]  That's exactly right. And right now, there's really not a better place to be than getting involved in cybersecurity in some way. And another thing, David, that a lot of people - you know, once you're in the industry, you realize you're actually helping people, and that feels pretty good, too. 

Dave Bittner: [00:14:02]  Yeah, it's a great point. David Dufour, as always, thanks for joining us. 

David Dufour: [00:14:06]  Thank you for having me, David. 

Dave Bittner: [00:14:12]  Now a word from our sponsor KnowBe4. Email is still the No. 1 attack vector the bad guys use, with a whopping 91% of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization with an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through 10 incredible ways you can be hacked by email and how to stop the bad guys. And he also shares a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick. So check out the 10 incredible ways and learn how silent malware launch, remote password hash capture and rogue rules work, why rogue documents, establishing fake relationships and compromising a user's ethics are so effective, details behind clickjacking and web beacons and how to defend against all of these. Go to knowbe4.com/10ways to watch the webinar. That's knowbe4.com/10ways. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:15:26]  My guest today is Caleb Barlow. He's CEO and president of cybersecurity services firm CynergisTek. Prior to that, he was vice president of threat intelligence at IBM Security. I've spoken with Caleb Barlow before. But this time, I wanted to focus on what the transition was like to being the CEO of a public company and how his experience in security informs his leadership style. 

Caleb Barlow: [00:15:51]  You want to ask a lot of questions. You know, you want - especially once you get past that first set of interviews and you realize you've got the job, you really want to understand, all right, where are the bodies buried? What do I need to worry about? And, you know, I think as a leader today, whether you're taking a role as a CEO or, frankly, you're taking a new leadership role, we have to shift our paradigm a little bit as security professionals. I mean, I have told this story probably a hundred times. And I'm sure you've heard this before, Dave, of, you know, as a - you know, if you're in a bear attack, you don't need to outrun the bear. You just need to outrun your friends. You know... 

Dave Bittner: [00:16:28]  Right. 

Caleb Barlow: [00:16:28]  Security professionals use this metaphor all the time. I actually think we need to stop using that metaphor because this is no longer about if I'm breached. This is really about I'm going to get breached. It isn't a question of if it will occur. It's really just a question of when. At a lot of companies, it's happening all the time. So we really need to think about when in that bear attack - because it's not just a bear. It's probably a whole pack of bears, right? 

Dave Bittner: [00:16:54]  Right, that's what I was thinking. What if there are two bears? 

Caleb Barlow: [00:16:56]  Exactly. What if there are two bears or a whole pack of bears, right? 

Dave Bittner: [00:16:59]  Right (laughter). 

Caleb Barlow: [00:16:59]  We've got to shift our thinking because that's the landscape we're dealing with now. And now we've got to think about, like, how are we going to prevent that from occurring? How are we going to mitigate the damage? And most importantly, how are we going to respond to that moment of crisis? So a lot of what I started to look at as I came into this role were, well, what is our security posture? And I think, interestingly enough, there are a lot of questions that you can ask now that, you know, as - that you couldn't have asked two or three years ago - so things like, hey, is the network segmented? Do you have EDR? Is two-factor authentication on everything? And every security professional listening to this podcast knows, you know, three years ago, you couldn't have asked those questions. You would've been asking, hey, do you have AV, right? 

Caleb Barlow: [00:17:45]  But nowadays, you really can ask those questions. And if you don't get good answers to those questions, then OK. Here's a task we need to go deploy to get these things done because those are kind of the new basics. I mean, I can't imagine being in a company today that doesn't have two-factor. And unfortunately, there's a lot of companies that don't. The other thing too that I really spent a lot of time on was looking at the latest security assessment, and, you know, that's a good benchmark. Obviously, if you compare that to NIST, that's a great way to kind of see where you are. In any company, there's going to be the places you're strong and the places you're weak. And hopefully, the areas where you're weak aren't the places where you've got the crown jewels or, you know, where there's a high-risk vulnerability. But that's the first step is just to kind of get a picture of, where am I at? And how big of a problem do I have that I'm walking into? 

Dave Bittner: [00:18:41]  How do you manage that transition though? - because, I mean, I could imagine coming in, that's a good point of deflection to say, OK. I'm taking over as CEO. I'm going to get to know everyone here, and some changes are going to be made. They're necessary, and we're going to do some new things. And I can imagine people reacting and saying, yes, that absolutely makes sense. But at the same time, you're going to - you don't want to increase friction either. You don't want you coming into the company to generate the reaction of, oh, boy, here we go. You know, now it's going to be - everything's going to be so much harder, and we're not going to be able to do things the way we've always done them. 

Caleb Barlow: [00:19:19]  Oh, here comes this security guy. And everything's going to be so much harder, right... 

Dave Bittner: [00:19:23]  Right. Right, exactly. 

Caleb Barlow: [00:19:23]  ...You know, because there's this constant balance. And I'll tell you - I think one of the have - things you have to do is being willing to step on your heels and listen to why decisions have been made because generally speaking, hopefully you're dealing with smart people that know what they're doing, and there's probably good reason. I mean, I'll tell you - I had a bunch of questions around the vendors that were being used and why some of the choices were being made, mainly just because my own naivete of, I hadn't worked with those vendors before, so I naturally didn't trust them. And you know, the team was able to walk me through a lot of the decision-making process, how they did their evaluations. And you quickly look at things and go, all right. You know, that's a pretty good decision. 

Caleb Barlow: [00:20:04]  But I'll tell you something else that was really interesting - is I started asking questions not only around, what do we have? Where are the crown jewels? How is data stored? How is it protected and segmented? Access control - you know, all the things you think you'd normally ask your CSO. But I also started to ask questions like, do we really need this data? Why do we have it? You know, what's it costing us to store this? What do we get out of keeping it? And we're better off just getting rid of some of it. And Dave, it was fascinating because I don't think anyone had ever asked that question before. You know, should we maybe put some record retention guidelines on some of this stuff and purge it out over time if we don't need it? And as silly as that sounds, as basic of a question as that sounds, it's amazing how much that can de-risk your long-term posture because I think a lot of companies, as we all got excited about AI and having lots of data, we just collected it all. 

Dave Bittner: [00:21:05]  Right. 

Caleb Barlow: [00:21:06]  Now you got to sit back and go, do I really want this data? Because the more data I have, the bigger risk I have too. 

Dave Bittner: [00:21:13]  Yeah. It's an interesting shift that I've noticed as well - this - going from this notion that data is valuable to data might actually be radioactive. 

Caleb Barlow: [00:21:25]  Oh, absolutely. And it all comes down to what it is. Is it health care data? Is it other forms of PII? Is it financial records? And also, what's the regulatory environment? Like, if - even if you're a U.S. company, if you're selling anything in Europe or doing anything in Europe, you've got GDPR to contend with. And the penalties there are just staggering. But people often forget in the U.S. alone, there's over 52 different breach disclosure laws. You don't want to go sideways with any of those. And now also as a public company, even Sarbanes-Oxley now has expectations on corporate officers around breach disclosure. You know, things can become material pretty quickly. And if executives are trading with the knowledge of a breach, this can also cause issues. And I think the first kind of public example of where we saw that and we really saw the SEC lean in was around Equifax, where, in that case, the CIO was even sentenced for insider trading. 

Caleb Barlow: [00:22:22]  What we're starting to see now - and this has historically been happening more outside the United States, a lot of which has been happening in the Middle East. We've started to see some activity of this in Europe. And we're starting to see more and more of this now in the United States in the form of ransomware or destructive attacks, where you come in one idle Tuesday, and it's all gone; all of it - the backups, the primary systems, the servers, the workstations, the laptops. Even the phones don't work because they're voice over IP. Everything's gone. Now, what a lot of people have been thinking about from an incident response perspective was just up to the point of, oh, somebody stole the data. Let's go do forensics, figure out how they did it, maybe who was behind it and how much data they stole. That was the end of the story for incident response really up until the last year or two. Now it's all about, something is happening. Business is being impacted. I need incident command. I need incident remediation. And those are two very different disciplines. 

Caleb Barlow: [00:23:28]  So interestingly enough, though, we don't have to recreate what to do here. The incident command system was first developed by a guy named Alex Brunacini and Phoenix Fire Department, where he was trying to figure out how to deal with wildfires that were occurring in Phoenix and the surrounding areas where you'd have to coordinate response amongst all kinds of different fire departments. So he built this thing called the Incident Command System, and it's a method to make decisions and understand an organizational hierarchy when you have to put a hierarchy together all at once in a hurry. 

Caleb Barlow: [00:24:05]  Well, interestingly enough, in a large-scale incident in a company, you have the same problem because you can't rely on the structure of the company to respond to that incident. The CEO is on a plane for the next 12 hours. The next person in charge doesn't know anything about cybersecurity. And three of the other executives you can't get a hold of because all your systems are down, so you've got to have a way to respond where you're responding, in a lot of ways, from the bottom up with people that are specially trained in how to do this. And I think as companies realize more and more that this is a business recovery type of incident, we're starting to see those tools that come from the realms of incident response or the military and get re-translated into cybersecurity. And again, the good news is we don't have to reinvent how to do this. We just have to translate it into cybersecurity. 

Dave Bittner: [00:25:00]  That's Caleb Barlow. He is CEO and president of CynergisTek. 

Dave Bittner: [00:25:09]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:25:22]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.

[The correct name of JTF Ares's work against ISIS is Operation Glowing Symphony, not, as misstated here, 'Golden Symphony.']