Taking down Thallium. Cloud Hopper: bigger (and worse) than thought. US tightens screws on the supply chain. The bite of winter and the scent of plums.
Dave Bittner: [00:00:00] Hey, everybody. Dave here. We here at the CyberWire are excited to announce our new subscription program, CyberWire Pro. That'll be coming out in early 2020. For those whose interests and responsibilities lead them to be concerned with cybersecurity, CyberWire Pro is an independent news service you can depend on to stay informed and to save you time. This offer includes such valuable content as exclusive podcasts and newsletters, exclusive webcasts, thousands of expert interviews and much more. And you can rely on us to separate the signal from the noise. Sign up to be one of the first in the know about the CyberWire Pro release at thecyberwire.com/pro. That's thecyberwire.com/pro. Check it out.
Dave Bittner: [00:00:48] Microsoft takes down bogus domains operated by North Korea's Thallium advanced persistent threat. The Cloud Hopper cyber-espionage campaign turns out to have been far more extensive than hitherto believed. The US wants Huawei and ZTE out of contractor supply chains this year. India will test equipment before allowing it into its 5G networks. And the California Consumer Privacy Act is now in effect.
Dave Bittner: [00:01:19] And now a word about our sponsor the Johns Hopkins University Information Security Institute. They're seeking qualified applicants for their full-time Master of Science in Security Informatics. The program covers the most current topics in information security with core courses covering security and privacy, cryptography, computer forensics, software vulnerabilities, ethical hacking and much more. It's a quality program, too, not just because it's from one of the world's great research universities, but because the institute is an NSA- and DHS-designated center of academic excellence in information assurance in cyber defense and research. To learn more, register for the virtual information session at applygrad.jhu.edu. That's applygrad.jhu.edu. The virtual information session takes place January 23. And we thank Johns Hopkins University Information Security Institute for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:02:48] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 2, 2020. Happy New Year, everyone. It's good to be back. Microsoft has confirmed that the North Korean threat group Redmond tracks as Thallium has indeed been aggressively pursuing Windows users and that Microsoft has seized 50 domains Thallium used in its espionage campaign. Microsoft prefers elemental names for APTs and says that Thallium worked for the most part through spear-phishing that spoofed emails from Microsoft. One lesson to be learned from the campaign is the importance of attention to detail. Security-aware users are accustomed to looking closely at the sender's email address to spot communications that aren't from whom they appear to be. In this case, Thallium, which pretended to be sending unusual sign-in activity notices from Microsoft, used a domain that substituted an R and an N for the first letter, M, in Microsoft. That could be easily overlooked if one was rushed or inattentive. So bravo, Microsoft, for securing the takedown.
Dave Bittner: [00:03:56] The Wall Street Journal on Monday published its investigation into the Cloud Hopper cyber-espionage campaign that Reuters reported in December 2018. The US Justice Department at that time indicted two Chinese nationals, both of whom remain at large, and alleged that the duo had been working for the Chinese Ministry of State Security's APT10. It now appears, according to the Journal, that the espionage was far more widespread than originally reported. The known victims back when Reuters broke the story included IBM, Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation, HPE, and DXC Technology. And it should be mentioned that none of them were notorious security slackers.
Dave Bittner: [00:04:43] The US Justice Department in its indictment alluded to fourteen other companies that allegedly fell to the ministrations of the hackers. The two gentlemen are believed to have been employed by the Huaying Haitai Science and Technology Development Company, which itself served as a cyber operations contractor to the Chinese Ministry of State Security's Tianjin State Security Bureau. APT10 seems to have been particularly interested in compromising managed service providers. This is entirely sensible as a target selection strategy, given the extent to which enterprises have continued to increase their reliance on managed service providers. Anne Neuberger, who leads the National Security Agency's Cybersecurity Directorate, is quoted by the Journal as offering a Willie Sutton-esque motive for the targeting: Why rob banks? Well, that's where the money is.
Dave Bittner: [00:05:35] At least a dozen cloud providers, for example, were hit, and their customers' data were open to inspection by the Ministry. Since each cloud provider will have many customers, the total number of organizations affected can be expected to be large, indeed. The Journal reports that the cloud providers in particular were less than fully forthcoming with both federal investigators and the providers' customers. And this experience is said to have moved the US Department of Homeland Security to push for regulations that would require more cooperation in the future. Some of the affected providers, notably HPE, strongly denied that they had given anything less than their full cooperation to investigators. The Journal quotes an HPE spokesman as saying, "to suggest otherwise is patently false." The Chinese operators' take appears to have been a mix of industrial and traditional espionage collection. Apart from whatever trade secrets may have been culled from the affected companies, the US government now says, according to the Journal, that some 100,000 US Navy personnel records were also exposed.
Dave Bittner: [00:06:40] The World Economic Forum rated both data theft and large-scale cyberattacks among their top-five global threats in 2019. And it's likely they'll stay on the list for 2020. Dave Burg is a principal at EY, serving as their Americas cybersecurity advisory leader. He shares his insights on the global aspects of cybersecurity risk.
Dave Burg: [00:07:03] I think we find ourselves today in a situation where the cyberthreat that companies in the United States and around the world face continues to be very serious. It needs to be an area where executives are increasingly aware and interested in asking questions. But I think we are increasingly not doing enough. I also see many companies working very hard to make sure that as they develop new products and services, they're thinking about dealing with cybersecurity and various privacy related risks. But we're just - all in all, I - we're just not where we need to be as a society.
Dave Bittner: [00:07:41] And where do you suppose that - who does that rest with? I mean, is it private industry not stepping up? Is it nation-states not stepping up? Is there plenty of blame to go around?
Dave Burg: [00:07:52] I think there's blame to go around. But, I mean, I'm a believer that market forces are ultimately going to solve this problem. And I think that very smart companies are going to wind up putting cyber first and getting to a place where either their business partners or consumers are essentially guaranteed safety and security because of the capability of the way that products and services and technology work together. I think there are interesting avenues at a nation-state level where those countries who can afford to do more to protect businesses that operate within their providence could or should or will do more. And that will wind up to becoming a strong competitive advantage both, I think, in the near term, mid-term and long term.
Dave Bittner: [00:08:39] I've heard a lot of people say that they would like to see action there at the federal level so that we don't end up with this patchwork of state laws. And I'm curious what your insight is on how that extends to the global marketplace. I mean, is there someone positioned to take the lead to establish what are the agreed upon global norms going to be?
Dave Burg: [00:09:02] Well, you know, look. I think that, in reality, the European Union got out in front first by driving GDPR, and then you had the CCPA follow. And we've certainly seen more interest in the United States government to push various consumer privacy protection regulation even at the federal level. I do think that a federal movement - a US federal movement in this space would be meaningful. And it would be significant. Because in my capacity, in my career, I've had an opportunity to travel around the world extensively to meet with companies but also regulators around the world. So I think that any additional movement by the US federal government would really, I think, be a very strong and positive step that the rest of the world would likely soon follow.
Dave Bittner: [00:09:55] What sort of advice are you giving your clients on ways for them to best prepare themselves for what's to come in the near future here?
Dave Burg: [00:10:03] You know, I think that one of the most important strategic conversations that I'm having or that we are having is - I think it's to be pushing very hard to get the business owners or business units to really, truly, fully embrace cyber from the moment that they have a strategic thought. I think the other is that as businesses change is you see more and more pushed to the cloud or more and more use of new technologies that are sitting out in what would be considered IoT or OT space. The most sophisticated companies are incorporating those new products and services and the security implications, again, from the very beginning moment.
Dave Burg: [00:10:44] I think the third piece of advice that I would share is that resilience and recovery is very much not just in vogue but critical to business vitality. And so we learned a couple years ago from the seriousness of the NotPetya attacks how important it is to be able to get a business back up and running. We see in heavily regulated industries like in financial services, there's a very strong push to be able to demonstrate resilience and recovery. I think it's incredibly important.
Dave Burg: [00:11:15] So, you know, we used to talk about business and continuity planning and disaster recovery. Those things are actually back. They're back in force. They're incredibly important. They're actually very hard to do well. And I think it's something that must be focused on, not as an academic study but, in fact, proven over and over again, tested. Those are the three, I think, main things I would recommend companies focus on.
Dave Bittner: [00:11:44] That's Dave Burg from EY.
Dave Bittner: [00:11:47] The US General Services Administration has announced that its procurement schedules to be refreshed on January 15 of this year will include bans on doing business with companies whose offerings include substantial or essential components from specified Chinese companies, notably Huawei and ZTE. FedScoop points out that this will affect companies whose supply chains are too enmeshed with those of the proscribed companies. Federal contractors should look closely to their supply chains and their subcontractors. The new rules will move them into poorly charted compliance terrain.
Dave Bittner: [00:12:22] India, for its part, will subject equipment proposed for 5G networks to security trials, a development the Economic Times reports has been welcomed by Huawei, which expects to be able to pass such tests in a pinch. The company, which had a good 2019 despite the security controversies it encountered, says it expects 2020 to be difficult. But the company's CEO has a brave face. Quote, "If not for the bone-deep bite of winter, where would we get the heady scent of plums?" - end quote. Our gardening desk says they usually expect the heady scent of plums in April. But all blossoming, of course, is local.
Dave Bittner: [00:13:02] And to return to compliance, the California Consumer Privacy Act, the CCPA, went into effect yesterday. How this American GDPR will affect businesses in practice remains to be seen. But remember, you may not be interested in California, but California is interested in you.
Dave Bittner: [00:13:21] And finally, we're happy to be back with our normal schedule of podcasts after the holiday break. Did you miss us? We missed you. Thanks for listening. And we wish all of you health, happiness, success and prosperity in 2020.
Dave Bittner: [00:13:40] And now a word from our sponsor, ExtraHop - delivering cloud-native network detection and response for the hybrid enterprise. With over half of enterprise security budgets going toward threat detection and response in 2020, the challenge is investing in solutions that can scale, migrate and adapt with your business. Cloud-native security solutions from ExtraHop are purpose-built to help your team respond to threats across the hybrid attack surface. Everywhere your enterprise exists today and wherever it goes tomorrow, ExtraHop is there to secure it. Request your 30-day free trial of cloud-native threat detection and response at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:14:36] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. And he is also my co-host on the "Hacking Humans" podcast. Hello, Joe.
Joe Carrigan: [00:14:45] Hi, Dave.
Dave Bittner: [00:14:46] You have a really interesting story to share with us this week. This comes from Financial Advisor IQ. And it's about someone paying some consequences for some financial missteps.
Joe Carrigan: [00:14:59] Right.
Dave Bittner: [00:14:59] What's going on here?
Joe Carrigan: [00:15:00] There was a financial adviser who was employed with UBS, which is a large financial firm.
Dave Bittner: [00:15:05] Right.
Joe Carrigan: [00:15:06] And this guy got into the industry in 1999 and has been with UBS since 2008.
Dave Bittner: [00:15:14] OK.
Joe Carrigan: [00:15:14] So he's a long-term guy. One of his customers got their email compromised. And the scammers sent him an email, asking for him to transfer half a million dollars out of his customer's account to some third-party bank accounts.
Dave Bittner: [00:15:28] Asking this financial adviser to do...
Joe Carrigan: [00:15:30] Right.
Dave Bittner: [00:15:30] ...The transfer? OK.
Joe Carrigan: [00:15:31] So they acted as if they were the customer, sent an email saying, hey, I need to get half a million dollars moved into these accounts. And this email was not legitimate.
Dave Bittner: [00:15:41] OK.
Joe Carrigan: [00:15:42] He went ahead and sold some investments and then transferred the money out, only to find out that it wasn't the customer who sent the email, right? The customer then issued a dispute. Now, UBS has a policy that when this kind of event happens, you have to verbally confirm by calling the customer...
Dave Bittner: [00:16:02] Oh.
Joe Carrigan: [00:16:03] ...Which this investor did not do.
Dave Bittner: [00:16:05] OK.
Joe Carrigan: [00:16:06] Right? He did not follow the policy. And, in fact, the article says that he went so far as telling people that he had followed the policy.
Dave Bittner: [00:16:15] Oh.
Joe Carrigan: [00:16:16] Right?
Dave Bittner: [00:16:16] Interesting. Yeah.
Joe Carrigan: [00:16:17] So this doesn't have a bad ending for anybody but the actual company, UBS. The customer actually was reimbursed for their funds by UBS. And this adviser was dismissed by UBS for not following the policy.
Dave Bittner: [00:16:31] OK.
Joe Carrigan: [00:16:31] He has since found another job. But FINRA has now fined him and suspended him for 45 days. FINRA is the Financial Industry Regulatory Authority. They're not the SEC. They don't regulate trade companies. But they regulate how investment bankers behave.
Dave Bittner: [00:16:45] OK.
Joe Carrigan: [00:16:45] They're a consumer protection agency.
Dave Bittner: [00:16:47] I see.
Joe Carrigan: [00:16:48] They're a consumer protection organization within the US government.
Dave Bittner: [00:16:51] OK.
Joe Carrigan: [00:16:52] And they have fined this person $7,500 and suspended him for 45 days. He has agreed to the 45-day suspension and to pay the fine but without admitting or denying FINRA's findings.
Dave Bittner: [00:17:03] It's interesting to me that the company had policies in place...
Joe Carrigan: [00:17:09] Right.
Dave Bittner: [00:17:09] ...To try to protect themselves from this.
Joe Carrigan: [00:17:11] And their customers.
Dave Bittner: [00:17:12] And - yeah.
Joe Carrigan: [00:17:13] UBS has - I'm happy to hear that UBS has this policy in place.
Dave Bittner: [00:17:17] Right.
Joe Carrigan: [00:17:18] The fact that this guy didn't follow the policies has cost UBS some money because...
Dave Bittner: [00:17:23] And it's cost him.
Joe Carrigan: [00:17:24] And it's cost him. It's cost him 7,500 bucks - not nearly as much as the half a million dollars it cost UBS.
Dave Bittner: [00:17:29] Right.
Joe Carrigan: [00:17:30] But also cost him 45 days of work. That's a significant suspension.
Dave Bittner: [00:17:34] Sure. Yeah, I mean, I can imagine - if I give this guy the benefit of the doubt, I can imagine he's busy at work. He's going through...
Joe Carrigan: [00:17:41] I'm sure he is. Yeah.
Dave Bittner: [00:17:42] ...His day-to-day. He's under, you know, the types of pressures that we're all under with our jobs. And he cut some corners.
Joe Carrigan: [00:17:48] Right.
Dave Bittner: [00:17:49] Maybe this is a client that he works with all the time. This sort of thing is routine. There's never been a problem before.
Joe Carrigan: [00:17:56] Right.
Dave Bittner: [00:17:56] So what's the worst thing that could happen?
Joe Carrigan: [00:17:58] Right.
Dave Bittner: [00:17:59] And kaboom.
Joe Carrigan: [00:18:00] Yep (laughter). It sounds to me like a complacency issue, Dave, which - kind of, I think, what you were alluding to here.
Dave Bittner: [00:18:05] Yeah.
Joe Carrigan: [00:18:05] You know, I don't think that this person will do this again. I think that's for sure.
Dave Bittner: [00:18:10] Yeah, yeah, yeah. And well, I also wonder, if you're UBS...
Joe Carrigan: [00:18:15] Right.
Dave Bittner: [00:18:16] ...Do you take another look at what's going on here? Do you - I mean, obviously, you use this as a lesson, a cautionary tale. You...
Joe Carrigan: [00:18:23] Right.
Dave Bittner: [00:18:23] ...Share it with the rest of your employees. Hey, you know, these things are serious. They're here for a reason.
Joe Carrigan: [00:18:28] Right.
Dave Bittner: [00:18:28] And here's what happens if you don't do them.
Joe Carrigan: [00:18:30] Yes.
Dave Bittner: [00:18:30] But I wonder, do you then - do you have some sort of verification that, you know, someone has to - do you have two-factor calls?
Joe Carrigan: [00:18:39] Right.
Dave Bittner: [00:18:39] You know, I mean, do you have to put another layer in or not?
Joe Carrigan: [00:18:42] Right. Now, because...
Dave Bittner: [00:18:43] I don't know the answer to that.
Joe Carrigan: [00:18:44] Yeah, like in this case, they talk about somebody who is his sales assistant. Do you then have the sales assistant also follow up with the customer to make a phone call and get verbal authorization? Is that...
Dave Bittner: [00:18:54] Or maybe the assistant verifies that the call was made...
Joe Carrigan: [00:18:58] Right.
Dave Bittner: [00:18:59] ...You know, or something like that where...
Joe Carrigan: [00:19:00] Or the assistant's in the room when the call is made.
Dave Bittner: [00:19:02] Exactly.
Joe Carrigan: [00:19:02] Yeah.
Dave Bittner: [00:19:02] Exactly. Right. Has to - and the assistant is on the hook, you know, for the liability there. Who know - I don't know. We're - I guess we're...
Joe Carrigan: [00:19:09] Yeah, you and I are sitting here...
Dave Bittner: [00:19:11] We're Monday morning quarterbacking this to death. If I...
Joe Carrigan: [00:19:13] Yeah, in an industry we really don't understand.
Dave Bittner: [00:19:14] That's right. That's right. Yes. So tune in tomorrow for...
Joe Carrigan: [00:19:18] Right.
Dave Bittner: [00:19:18] ...More talking out of our butts...
Joe Carrigan: [00:19:19] (Laughter).
Dave Bittner: [00:19:20] ...With Dave and Joe. But I think there's a valuable lesson here...
Joe Carrigan: [00:19:24] Yes.
Dave Bittner: [00:19:25] ...And interesting cautionary tale for those folks who are in charge of these sorts of things. The human factor, right?
Joe Carrigan: [00:19:32] Yeah.
Dave Bittner: [00:19:33] It was - processes were in place to protect against this. And all it took was somebody in a hurry...
Joe Carrigan: [00:19:40] Yep.
Dave Bittner: [00:19:40] ...Or lulled into a sense of complacency.
Joe Carrigan: [00:19:43] And a scammer gets away with half a million dollars.
Dave Bittner: [00:19:44] Half a million bucks.
Joe Carrigan: [00:19:45] Right.
Dave Bittner: [00:19:46] All right, interesting story. Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:19:49] It's my pleasure, Dave.
Dave Bittner: [00:19:55] And that's the CyberWire. For links to all of today's stories, check out our CyberWire Daily News Brief at thecyberwire.com.
Dave Bittner: [00:20:02] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT - the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:13] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.