Phishing, cryptojacking, and commodity malware. New supply chain security measures. And have you heard about this Black Friday thing?

Dave Bittner: [00:00:03] A Fullz House for Thanksgiving. Google finds that nation-state phishing continues at its customary high levels. DeathRansom, the low-end ransomware that didn't actually encrypt files, has now begun to do so. The Stantinko botnet adds cryptomining functionality. Microsoft reflects on Dexphot and the sophistication it brings to ordinary malware. Supply chain security rules are coming to the U.S. A lawsuit in Tel Aviv. And some final notes on Black Friday. 

Dave Bittner: [00:00:37]  And now a word from our sponsor, Authentic8. Authentic8, the creators of Silo, now have an app called the Silo Research Toolbox that builds a separate, isolated browser session. This allows researchers to collect information from the web without risk to their work network. With Silo Research Toolbox, researchers can go anywhere on the web and collect data without revealing their identity or exposing their resources. It runs, looks and is just as powerful as a local browser, with none of the risk. The bottom line is that any website you visit on the open, deep or dark web will not know any details about you, your computer or your internet connection. Silo is built fresh at every start and is completely destroyed at the end. It never exposes your IP address and never carries any information with you from session to session. If you are required to keep your online investigations completely anonymous and safe from cyber threats, you should consider checking out the Silo Research Toolbox at authentic8.com/cyberwire. That's authentic8.com/cyberwire. And we thank Authentic8 for sponsoring our show. 

Dave Bittner: [00:01:51]  Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:13]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 27, 2019. Security firm RiskIQ has offered an updated warning about a recently discovered cybercriminal outfit they've called Full(z) House. The gang operates in two ways - credential and private information phishing and then skimming or phishing pay cards during e-commerce checkouts. Their goal is fullz - that is, pay card information plus extensive associated PII. 

Dave Bittner: [00:02:45]  Phishing is a common nation-state tactic as well. Google, which tracks more than 270 government-run groups operating on behalf of about 50 countries, reports that between July and September, it issued more than 12,000 warnings to victims in 149 countries, as close to everywhere as makes little difference. Google notes that this is about the same warning rate, give or take 10%, they observed during the same period in 2017 and 2018. So the interests and levels of activity displayed by the world's intelligence services seem to be holding steady, at least insofar as this snapshot indicates. 

Dave Bittner: [00:03:24]  BleepingComputer offers an account of a new strain of ransomware, DeathRansom, that's upped its game. When it first started out, DeathRansom wasn't an encrypting strain of ransomware at all. The earlier infestations, researchers observed, didn't really encrypt the victims' data, but merely appended a .wctc extension to affected files. If you simply stripped out the extension, the files became usable again. But DeathRansom last week began actually encrypting the files. Researchers see a possible connection, at least in terms of infection vectors, to stop ransomware, which has used adware as its way in. 

Dave Bittner: [00:04:03]  Researchers at the security firm ESET have found a cryptojacking campaign that operates through YouTube videos' descriptive texts. The operators behind the Stantinko botnet have added some Monero-mining functionality to their malware. Most of the victims of this cryptojacking have been in Russia, Belarus and Kazakhstan. 

Dave Bittner: [00:04:22]  Microsoft reflects on lessons learned from a year tracking the polymorphic Dexphot threat. In sum, ordinary threats are showing increased sophistication. The goal of Dexphot may not be particularly sophisticated, since one of its more characteristic bits of functionality is cryptomining, but it's evasive, persistent and hard to expel. And it's the kind of criminal threat that one sees on the digital main street. 

Dave Bittner: [00:04:48]  Francesca Spidalieri is a cybersecurity consultant at Hathaway Global Strategies and senior fellow of cyber leadership at the Pell Center from Salve Regina University in Rhode Island. We spoke recently about the challenges universities face keeping up with the pace of rapid advances in cybersecurity, as well as the role they play supporting their local community. 

Francesca Spidalieri: [00:05:10]  A lot of the large data breaches we hear regularly, the headlines, usually we hear the big corporations, but it's really the small and medium businesses that have the most to lose in the aftermath of a breach. So we decided to dedicate our time and research and effort in helping the community of small and medium-sized businesses and smaller organizations to better understand the cyber threats inherent to their organization and the context in which they operate. And we launched a series of programs, from lectures and seminars and tabletop exercise. We do more in-depth research. We provide policy recommendations to both of those businesses that come and engage during our events. But also, our congressional delegation has been part of the Rhode Island governor cybersecurity commission. So as a think tank, we engage on a variety of fora to provide expert information, thought, leadership, policy recommendations, research. 

Dave Bittner: [00:06:13]  So it's really important to have that outreach that extends not only to the broader cybersecurity community, but to your local community as well. 

Francesca Spidalieri: [00:06:24]  Absolutely. In fact, our local community's all welcome to attend our event. We try to raise awareness among senior leaders and decision-makers, as well as other senior-level people across society about not just the technical issues of cybersecurity, but also about the economic, political, regulatory challenges of operating in a digital age. 

Dave Bittner: [00:06:47]  I know you're involved with some of the graduate programs there and some of the coursework and so on. What is the challenge that you face in keeping that work current in an area that's changing as rapidly as cybersecurity is? 

Francesca Spidalieri: [00:07:02]  Well, thank you for that great question. First of all, I have to say that I'm very proud to work for a university that was among the first in the United States and certainly in the New England region to recognize that addressing cybersecurity required not just IT expert with computer science and software security skills, but also professionals with an understanding of the political context, institutional theory, behavioral psychology, ethics, law, economics and other sciences. So when we started including courses and seminars in the curriculum at Salve, we thought about the issues as a multi-disciplinary subject. And so we start adding courses in the administration of Justice and Homeland Security Department. We added courses in the business department, more recently in the healthcare administration department. And we try to keep those courses constantly up to date by engaging with those companies that need the professionals that they often cannot find in the broader community. 

Dave Bittner: [00:08:06]  You also work on the Rhode Island Joint Cyber Task Force. Can you give us an overview? What does that team set out to accomplish? 

Francesca Spidalieri: [00:08:14]  Yes. So the Rhode Island State Police has a very capable computer crime unit that responds and investigates cybersecurity incidents and help companies and organizations defend from cyber threats as much as they can. A few years back, they also established a joint cyber task force. This taskforce brings together members of the Rhode Island State Police crime unit that I just mentioned with individuals representing higher education, hospital, finance, utility, defense, the Rhode Island National Guard. And we provide a forum, similarly to what we do at the Pell Center, to share information, provide analysis and update on cyber threats. But it's also a way for the organization to meet the first responders, the law enforcement officials that would be coming in if there was a major incident. The group also oversees educational initiatives, tabletop exercises. They have a great cyber range. So there is a lot of different ways for the community to engage through this joint cyber task force. 

Dave Bittner: [00:09:19]  Yeah. It's interesting to me how you mentioned sort of the breadth of programs at the university that you have extended knowledge of cybersecurity into. And I think it really speaks to this need for a variety of viewpoints and perspectives within the field. What sort of recommendations do you have for folks who are looking to expand their level of education, either starting out in school or looking for a graduate program? What sort of mindset should they have coming into a program like yours? 

Francesca Spidalieri: [00:09:53]  They have to understand that cybersecurity affects all of our organization. Every business today is a digital business. But not everybody needs to become a computer scientist or engineer. There needs to be a cyber component to most disciplines. And that's what we have been trying to do at Salve Regina University. So I understand it's very difficult sometimes to navigate the field because - it's almost not clear career path, compensation structure. When we say we want to work in cybersecurity, there are no generally accepted qualifications. There is really a lack of clarity about job description. So I first try to help students from mid-level career professionals, the ones who now pursue a career in cybersecurity to understand, what is it they actually like to do? If they're more technical people, then I might recommend certain certification, whether it's to become a pen tester, a network analyst. But there are also a need for business professional, legal professional, law enforcement officials to understand the cyber context in which they operate. So Salve, for example, was the first university in the United States to make it a core requirement for all of our MBA students to take a cybersecurity course. When I designed that course - it's called management of cyber opportunities and threats - what we had in mind was to train that mid-level professional that needs to be able to talk to both the server room, the IT professional, but also the boardroom, the senior leaders that were not trained in computer science and engineering, but nonetheless need to make the most important decision within the organization about risk management, incident response, whether to fund or not certain projects that will affect the cybersecurity posture of their organization. 

Dave Bittner: [00:11:40]  That's Francesca Spidalieri from Salve Regina University. 

Dave Bittner: [00:11:46]  Following the direction provided this spring by Executive Order 13873, the U.S. Commerce Department has proposed rules for securing the IT and communications supply chain. That executive order gave the Secretary of Commerce a leading role in supply chain security, with authority to prohibit or mitigate transactions that involve technology that was designed, developed, manufactured or supplied by some person or entity owned by, controlled by or subject to the direction of any foreign adversary. The goal of such restrictions and mitigations is to reduce the risk of sabotage or subversion of catastrophic effects on critical infrastructure or of risks to security or safety. A public comment period on the new procedures will open shortly. 

Dave Bittner: [00:12:33]  You will recall Facebook's recent filing of a lawsuit against lawful intercept vendor - spyware vendor, if you prefer - NSO Group. Facebook alleges that NSO Group used some of Facebook's properties to distribute its surveillance tools. As it filed the lawsuit on behalf of its subsidiary WhatsApp, Facebook also suspended a number of NSO Group employees' individual personal Facebook and Instagram accounts. Those employees have now filed a countersuit against Facebook in Tel Aviv District Court, asking that the social network unblock them. They call the suspension collective punishment. It is, they say, a hurtful and unjust move by Facebook. Their resort to legal action, the employees say, comes only after Facebook ignored repeated requests they made directly to the company. 

Dave Bittner: [00:13:21]  Of course, it's the beginning of the big shopping season this Friday - Black Friday, as we've oddly come to call it. Yesterday, we shared some of the online safety tips the U.S. Cyber Security and Infrastructure Security Agency is offering. Security companies are also offering suggestions. And they come down to many of the same reminders. Keep your software up to date. Don't buy from dodgy sites. Beware of clicking links in email messages, and use multi-factor authentication. What kinds of purchases are likely to get you in trouble this time of year? 

Dave Bittner: [00:13:51]  Researchers at Kaspersky have been looking at what the crooks are up to and are paying particular attention to the botnets that distribute Trojans. There's a great deal of spoofing going on, and the spoofing seems concentrated on clothing, jewelry and toys. Close behind are brands associated with travel, hotels, ticket booking sites, even taxicab companies. So keep a sharp and skeptical eye out. And, of course, happy Thanksgiving to you all. We're taking the rest of the week off to spend with our friends and family. We'll see you back here next week. 

Dave Bittner: [00:14:28]  And now a word from our sponsor, McAfee. Ideas don't come for free - budgets are begged for, long hours are required, the months - maybe even years - of research, the sheer human effort of it all. The changes, the revisions, the reworks, the results, the adaptation, the innovation, the collaboration all lead to the final moment when it pays off and it's perfect - your company's work, as long as it's not compromised. From device to cloud, McAfee harnesses the power of 1 billion threat sensors to design security that moves beyond intelligence to insight, so you can move beyond optimizing security products to optimizing your security posture, and not just react to threats, but remediate threats that matter. Intelligence lets you respond to your environment. Insights empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights. That's mcafee.com/insights. And we thank McAfee for sponsoring our show. 

Dave Bittner: [00:15:41]  And joining me once again is Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, it's always great to have you back. We wanted to touch today on business innovation and cybersecurity. What do you have to share with us today? 

Daniel Prince: [00:15:55]  It's great to be back. So at Lancaster, I'm running a project which is really looking at how businesses can innovate their business practice through cyber innovation. And I borrowed a concept that we have here in the U.K. around - from cybercrime, looking at two sides of that, so cyber-enabled and cyber-dependent cybercrime. And what we've got here is what I'm calling cyber-enabled and cyber-dependent cyber innovation, because for me, cybersecurity is one of the most innovative kind of IT disciplines out there at the moment, constantly having to try and reinvent the way that we defend, coming up with new technologies, both to actually stop attackers, but also to try and actually build the best protection we can. The attackers are certainly evolving, and so are we on our side. 

Daniel Prince: [00:16:52]  So what I'm doing is - with a group of people here at Lancaster and with three other universities in the north west based around Manchester Metropolitan University, the University of Manchester and the University of Salford - is where we're running a program of support, working with companies to really instill cyber innovation at the core, looking at how they can use cyber-enabled innovation. So increased protection means that they can do things better and faster. Or cyber-dependent innovation, so can they use new cryptographic techniques to provide tracking services for goods and products? Can they come up with new authentication mechanisms for smart door locks, things like this? 

Daniel Prince: [00:17:38]  So really putting cyber innovation at the heart of the business, rather than having it as something that sits kind of almost alongside. And, for me, that's one of the key things with just dealing with cybersecurity. And hopefully this will be part of the answer of putting cybersecurity at the core of the business. 

Dave Bittner: [00:17:56]  So, really, getting to the point where cybersecurity can even be a differentiator for businesses? 

Daniel Prince: [00:18:03]  Well, that's one of the key things that we talk to businesses about. How can you take the fact that you're doing all of this good work in cybersecurity and make that a market differentiator for your product, for your service, for your company? Because it's a crowded marketplace. And if we can use cybersecurity to really help that company to stand out from the crowd, that's certainly one area that we can we can push on. But what we talk about within the project, which we call the Cyber Foundry, is defend, innovate and grow. So the first step has got to be about defense, so making sure the company's got the right kind of protections in place. Then how do we innovate using cybersecurity? And then how do we grow that company? So those are kind of our three mantra keywords, if you like. 

Dave Bittner: [00:18:44]  And for the companies themselves, that would kind of messaging do you imagine them putting out to their customers to put the word out that this is how they're doing things? 

Daniel Prince: [00:18:53]  So, again, it really depends on what the company's trying to achieve. So, yeah, we can work with them to think about how that cybersecurity defense message is a key part of their sales technique, but also thinking about how the defense is a key part of their business strategy going forward. Yes, it's a lot about marketing messages and making sure that everybody is aware of what they're doing, but also for some of the larger companies about clear market signaling that they're taking cyber innovation seriously. So for some companies where they've got cyber innovation as a core part of their business strategy and being able to say that, it goes beyond marketing messages and actually tells people that they've got cybersecurity instilled in the core of their business. 

Dave Bittner: [00:19:39]  All right. Well, Daniel Prince, thanks for joining us. 

Dave Bittner: [00:19:46]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:58]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.