Dave Bittner: [00:00:03] Spanish TV is temporarily replaced by Russian programming. APT20, Violin Panda, is back and playing a familiar tune. Rancor against Cambodia; the U.S. Congress gets frosty with China and Russia; how Zeppelin ransomware spreads; due diligence in M&A; Germany's BSI warns of an Emotet campaign; a suspect in the Dark Overlord case is arraigned in St. Louis. And the FBI collars a guy who ratted himself out over social media.
Dave Bittner: [00:00:38] And now a word from our sponsor, the upcoming Cybersecurity Conference for Executives. The Johns Hopkins University Information Security Institute and Ankura will host this event on Wednesday, March 25 in Baltimore, Md., on the Johns Hopkins Homewood campus. You can find out more at isi.jhu.edu and click on 6th Annual Cybersecurity Conference for Executives. Learn about the do's and don'ts of risk management with industry leaders and other cyber professionals. Check out the details at isi.jhu.edu. Click on the 6th Annual Cybersecurity Conference for Executives. And we thank the Johns Hopkins University Information Security Institute for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:01:48] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 19, 2019. Spain's state-owned broadcaster, TVE, says that a portal they'd inadvertently left open was exploited last week by parties unknown to air an RT-produced interview with self-exiled Catalan separatist leader Carles Puigdemont. Reuters asked, and RT says they didn't do it. Furthermore, RT, which is short for Russia Today, a Kremlin-controlled media outlet, says they don't know who did it. I give you my word, said RT's editor-in-chief, Margarita Simonyan. In fairness to RT, anyone can waltz through an open portal.
Dave Bittner: [00:02:33] Fox-IT has been looking at an operation they call Wocao, a China-based collection effort that's prospecting energy, technology and health care targets in at least 10 countries, including France, the U.K., the U.S., Germany and Italy. They've concluded with medium confidence that the group behind Wocao is APT20, a Beijing-controlled hacking crew that had been relatively quiet for the past few years. Also known as Violin Panda, APT20 was particularly active between 2009 and 2014, specifically against universities, health care and defense targets. It's now resurfaced, Fox-IT says, and has resumed industrial and economic espionage. Wocao is said to be a mildly indelicate Chinese epithet, which we'll translate to nuts, not only because we're a family show but also because tomorrow marks the 75th anniversary of the beginning of the Siege of Bastogne, and that's what General McAuliffe sent to his German opposite number when he was approached with a demand for surrender.
Dave Bittner: [00:03:36] Palo Alto Networks' Unit 42 has released a follow-up to its earlier report on Rancor, a Chinese cyber espionage unit that pays particular attention to targets mostly in Cambodia. Rancor is unusual in that it's taken some pains to craft novel strains of malware that hadn't been seen before. Unit 42 doesn't say which organizations within the Cambodian government were targeted, beyond saying to CyberScoop that the targets are the sorts of agencies you'd expect an intelligence service to take an interest in. Unit 42 tells CyberScoop that there's an irony beneath the apparent persistence, the expenditure of resources and the care taken to craft bespoke malware. None of the efforts to penetrate Cambodian networks have been fully successful.
Dave Bittner: [00:04:20] The U.S. Congress is in a stern mood with respect to China and Russia. The Washington Post reports widespread skepticism on Capitol Hill that Beijing can be trusted to live up to the explicit security guarantees - still less the implicit ones - in any trade accords so far negotiated. And Reuters notes that an unusually stiff sanctions bill directed against Russia cleared the Senate Foreign Relations Committee yesterday.
Dave Bittner: [00:04:46] BlackBerry Cylance researchers announced the discovery of Russia-connected Zeppelin ransomware last week. Yesterday, Morphisec offered some fresh insight into how Zeppelin is propagated - by leveraging the ConnectWise remote desktop application.
Dave Bittner: [00:05:00] With all the recent attention to ransomware attacks that have been hitting municipal governments and health care companies lately and especially with the recent trend of such attacks being accompanied by information theft, it's now considered prudent to regard yourself as a breach victim if you've found yourself infected with ransomware. There's another disturbing ransomware trend, too, this one noticed by Radware. When a private equity firm acquires a company, it, of course, issues a press release and announces the acquisition to the world. This is in the natural economic order of things. It appears, however, that such announcements are also alerting extortionists to the probability that the new portfolio company is also probably newly cash-rich, and a ransomware attack has often followed in the wake of such an acquisition. It happens on familiar Willie Sutton-esque grounds. That's where the money is. Radware advises PE firms that they should take this as an incentive to perform effective due diligence on the companies they plan to acquire.
Dave Bittner: [00:06:00] The team at GitLab are celebrating the one-year anniversary of their bug bounty program. Along the way, they've learned a thing or two about running a program like this - calibrating incentives, response times and so on. James Ritchey is security manager for application security at GitLab.
James Ritchey: [00:06:17] When we first opened it back in December 12, 2018, we got a huge response, you know, from the community. I think we received over 1,300 reports from over 500 security researchers. We awarded over $500,000 in bounties since going public in the past year. So, yeah, we definitely learned a lot of lessons, for sure.
Dave Bittner: [00:06:42] Any bumps in the road along the way that you can share?
James Ritchey: [00:06:46] Yeah, absolutely. I mean, one of the biggest things we learned was that, you know, we needed to scale. You know, there are so many reports and reporters, and there's only a handful of us on the GitLab side. So if we didn't scale, then we'd definitely be smothered by the volume of reports that we received - 1,300 is quite a lot. And our answer to that was to, you know, develop as much automation as possible, specifically scaling our communication and our procedures. For example, we were able to reduce our average time to first response from over 48 hours to less than seven hours. Besides scaling, another big lesson we learned was that, you know, we needed to increase HackerOne engagement and keep it at a high level. There's so many programs for the reporters to choose from on HackerOne, so why should they come to ours? You know, why should they stick with it? You know, you're competing for the attention of reporters from over, like, a thousand other programs on HackerOne for them to choose from.
James Ritchey: [00:07:47] An important thing we learned was to listen to the feedback from reporters that are currently engaged in our program. One of the top suggestions from them was to - basically, they wanted to speed up bounty payouts. And so, you know, previously, we were rewarding bounties once an issue was resolved, which - that could be, you know, one month. That could be three months. It really depended on the severity of the issue. And so after listening to that feedback, back in September, we changed how we reward bounties. So now, we pay a partial bounty of a thousand dollars upfront at the time of when we triage the report, and then the remainder would be paid once the report's resolved or 90 days had passed - whichever came first.
Dave Bittner: [00:08:31] You all recently made some adjustments to the bounty price. What drove that decision?
James Ritchey: [00:08:37] Over time, the security of our product has strengthened. And so essentially, we wanted to incentivize seeing more high and critical severity reports in the program. So back in November, we raised the bounties, specifically for high and critical vulnerabilities. So I think for criticals, we raised it from 12K to 20K and then for highs from 7K to 10K. And, you know, it wasn't much of a surprise. But, you know, higher bounties is one of the biggest factors for increasing hacker engagement in a bug bounty program.
Dave Bittner: [00:09:11] Yeah, money talks, I guess. It could get their attention.
James Ritchey: [00:09:14] Absolutely.
Dave Bittner: [00:09:15] Yeah. What does having a program like this say about - to GitLab itself, the way that you choose to communicate and take on a project like this?
James Ritchey: [00:09:27] Our mission statement at GitLab is that everyone can contribute, and that doesn't only mean through, you know, contributing code to GitLab itself. That also means contributing by, you know, submitting vulnerabilities to our program. So that's a big part of, you know - we want to be open and public for everyone to contribute.
Dave Bittner: [00:09:48] Looking back on the past year, are you satisfied with how it's going overall? Do you feel like it's been successful?
James Ritchey: [00:09:54] Oh, I would definitely say so. Yes. I mean, considering the amount of volume of reports received and then also the depth of those reports as well, we've received so many good findings. The level of technique has really surprised us on many of the findings, and many of those were from new reporters as well. So I think it's been a success overall.
Dave Bittner: [00:10:16] What are your recommendations for other organizations who may be considering, you know, heading down a similar path?
James Ritchey: [00:10:23] I would say start it earlier than later. Definitely have a bug bounty program. And I also encourage them to be transparent about those security issues as well. I think it's an important thing to show, though it's not easy balancing confidentiality and transparency. But, you know a lot of it comes down to time, like, you know, when they release the details. Like, for example, at GitLab, we release the vulnerability details 30 days after a patch has been published, essentially. The thing is that, you know, no one product or application is 100% secure.
James Ritchey: [00:10:59] But I believe that by being transparent, it illustrates our commitment to securing the product and the company. You know, you can see how many resources we've invest in security. You can see the vulnerability details 30 days after it's been released. You can see, you know, how we fixed it, when the issue was reported, how long it took us to fix it. You know, maybe other companies, by staying secret about all of these things - A, they're not being kept accountable. And B, we don't know how committed they are to securing their products. I think being transparent about security issues, you know, truly illustrates how invested we are and secure in GitLab.
Dave Bittner: [00:11:36] That's James Ritchey from GitLab.
Dave Bittner: [00:11:39] Germany's BSI security agency, the Federal Office for Security and Information Technology, has issued a warning that criminals misrepresenting themselves as BSI operators are distributing the Emotet banking Trojan in a spam campaign. The phishing emails contain either malicious attachments or malicious links, and they arrive as replies to emails the user had sent earlier, which the BSI says tends to lend them credibility. Emotet is attributed to the gang Proofpoint tracks as TA542 and CrowdStrike as MUMMY SPIDER. But that gang is also active in the criminal-to-criminal market and is willing to rent the Trojan to other operators.
Dave Bittner: [00:12:20] Nathan Wyatt, a British subject accused of being part of the Dark Overlord gang, was extradited to the U.S. and arraigned yesterday in the St. Louis courtroom of the U.S. District Court for the Eastern District of Missouri. He was charged with aggravated identity theft, threatening to damage a protected computer and conspiring to commit those and other fraud offenses. Mr. Wyatt entered a plea of not guilty. The Justice Department describes his alleged offenses as remotely accessing the computer networks of multiple U.S. companies without authorization, obtaining sensitive records and information from those companies and then threatening to release the company's stolen data unless the companies paid a ransom in Bitcoin. So The Dark Overlord is, to sum up, an extortion gang.
Dave Bittner: [00:13:05] So how are suspects collared? Well, often, someone snitches. But nowadays, if the crook - the alleged crook, we hasten to say - wants to know why he or she has come to the attention of John or Jane Law, alleged crook needs look no further than the mirror or, more accurately, that elaborately composed mirror that is their presence on social media. For your consideration - one Arlando M. Henderson, a presumably now former employee of Wells Fargo, resident in California, was apprehended by the FBI on suspicion of robbing Wells Fargo.
Dave Bittner: [00:13:41] What clever CSI-style scientific inferences led the bureau to Mr. Henderson - DNA, drone surveillance shots, matching biometric heartbeat signatures? Nope, nope and nope. They just happened to cross his rap performance on Instagram, in which Mr. Henderson disported himself with a big stack of cash and a Kalashnikov battle rifle. And if the Benjamins and the AK weren't enough, there was also the Facebook posting of himself posing in front of an expensive, if admittedly sort of vulgar, Mercedes ride. Also, cash was missing from a local Wells Fargo's vaults. You don't have to be Sherlock Holmes or even Columbo to put those three together and conclude that a conversation with the gentleman might be in order.
Dave Bittner: [00:14:29] And now a word from our sponsor, McAfee. Ideas don't come for free. Budgets are begged for. Long hours are required. The months, maybe even years of research, the sheer human effort of it all, the changes, the revisions, the reworks, the results, the adaptation, the innovation, the collaboration all lead to the final moment when it pays off and it's perfect - your company's work, as long as it's not compromised. From device to cloud, McAfee harnesses the power of 1 billion threat sensors to design security that moves beyond intelligence to insight so you can move beyond optimizing security products to optimizing your security posture and not just react to threats but remediate threats that matter. Intelligence lets you respond to your environment. Insights empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights. That's mcafee.com/insights. And we thank McAfee for sponsoring our show.
Dave Bittner: [00:15:42] And I'm pleased to be joined once again by David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, it's always great to have you back. You and your team at Webroot recently published a midyear threat report for 2019. Can you take us through what were some of the key findings there?
David Dufour: [00:15:58] Oh, David, as always, great to be back. One of the first things we saw is trusted domains. You know, the HTTPS with the - in your browser. Everybody sees the green lock in all the major browsers that shows that you're on secure connection. Well, just because you're on a secure connection doesn't mean you're on a secure site. So a lot of hackers are starting to really use each HTTPS heavily. I mean, it's been in use by malicious folks for a while, but it's becoming more and more prominent. And so basically - I like to kid, but just to put it out there, people are securing through the HTTPS the hacks that they're implementing on you. So you're getting securely hacked, which I don't if that makes you feel better or not.
Dave Bittner: [00:16:42] Right. While the hack's going on, at least your data...
David Dufour: [00:16:43] Exactly.
Dave Bittner: [00:16:44] Your data's safe in transit.
David Dufour: [00:16:46] Exactly. You can rest assured that the hacker is making sure your data can't be compromised.
Dave Bittner: [00:16:51] Right, right.
David Dufour: [00:16:53] But what we saw - nearly 25% of malicious URLs - you know, URLs are - the domain is the, you know, davidbittner.com (ph) or davedufour.com (ph). That's the domain. We saw that 25% of malicious URLs, which are like that .com/sports/videogames, those - 25% of malicious URLs are hosted on trusted domains. So you can actually look at the domain and believe the website is good, but a hacker has actually accessed the back end of that domain and deployed malicious software there that if you click on that, it's going to infect your machine. So it's something you've really got to be aware of. Not all trusted domains equate to trusted URLs.
Dave Bittner: [00:17:36] Now, you were also tracking some stuff here with Windows 7?
David Dufour: [00:17:39] Oh, yeah. Windows 7 - look. Windows 7 was a great operating system. It's just very antiquated, lots of malware on Windows 7. It's really time for folks to start thinking about upgrading to Windows 10. It's a great operating system as well. I'm not advocating for Microsoft, but we are talking about the Windows platforms here. We are seeing the exploits in Windows 7 have grown over 75%, and we continue to see malware taking advantage of those vulnerabilities in Windows 7.
Dave Bittner: [00:18:11] What do you say to those folks who are in a situation where it's not necessarily easy to upgrade? I'm thinking of people in industrial situations, you know, those kinds of things were that Windows machine may be tied to other devices.
David Dufour: [00:18:24] That is always a great and tricky question, David, because if it is an industrial machine that potentially can't be upgraded because of the fact that it's running equipment, you have to evaluate your risk allowance. Can you take it off of a public network so that people can't get to it through the internet or through your network and some other mechanism? And make those determinations. Maybe you have to work with your vendor to get it upgraded because you are exposed because it does need to be online. But you need to evaluate that and be very knowledgeable of the risk that you're open to, and that's a point I want to make there.
David Dufour: [00:19:01] A lot of times, people just kind of put their head in the sand. OK, so you've got a Windows machine. It's running Windows 7. There's potential for exploits, but you've got a business decision because you got to run your business, that you're going to let that potential sit there. Well, maybe you need to invest in some tools that monitor that machine at a higher level to make sure it's not being exploited. So those are things you can do, but the No. 1 thing is evaluate your situation.
Dave Bittner: [00:19:24] All right. Well, it's the midyear threat report. You can find it on the Webroot website. David Dufour, thanks for joining us.
David Dufour: [00:19:30] Great being here, David.
Dave Bittner: [00:19:35] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:48] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.