CyberWeekly: CISO Guide, New Trojan Backdoor Campaign, and Defending Against Executive Impersonation
CyberWeekly Newsletter: Weekly Edition
New CISO Guide
For many professionals in cyber security the ultimate goal is becoming a Chief Information Security Officer (CISO). So where do you start to get to the top seat? After all, industry research suggests the average CISO tenure is only about 24 to 48 months. (A number of resources from the past few years put that tenure closer to 17 to 21 months.) IBM’s SecurityIntelligence published 6 steps to help CISOs get started with their new roles.
Take stock of technology
Assess your processes
Build out your team
Talk to key internal stakeholders
Get to know customers
Start thinking about your budget
Naturally, this isn’t a How-To Guide on being an effective CISO. Anyone promoted to the role will likely leverage their prior experience, internal resources, and their professional network to really develop the skills for their new role. However, these steps likely represent a great way to spend your first few months in a new CISO role.
Let’s be honest. While this SecurityIntelligence article says it’s for CISOs, the advice is worthwhile for any newly-minted cyber security executive. While the scale is greater with the CISO title, the needs of establishing yourself both internally and externally to your organization are similar. Check out SecurityIntelligence’s article for in-depth explanations of their 6 tips.
“SpeakUp” Trojan Spreads Globally
Security researchers at Check Point have discovered a new campaign exploiting Linux servers—including AWS- and other cloud-hosted machines—to implant a new Trojan dubbed SpeakUp. In addition to affecting all Linux distributions, SpeakUp also has the ability to infect MacOS devices.
I don’t usually highlight individual malware in the CyberWeekly, so what makes SpeakUp exceptional? After all, it’s currently being used to install crypto-mining malware on machines in Latin America and East Asia… problematic, but hardly a security crisis.
SpeakUp—which leverages 6 different Linux vulnerabilities—has targeted more than 70,000 servers so far. As of Check Point’s report on Feb 4th, SpeakUp had no detection on VirusTotal. Moreover, there is a very valid concern that this SpeakUp propagation is the beginning of something bigger.
SpeakUp’s Victim Distribution (Source: Check Point Software Technologies LTD)
This bit of analysis sums up the concern:
“SpeakUp’s obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making. It is hard to imagine anyone would build such a compound array of payloads just to deploy few miners. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive. It has the ability to scan the surrounding network of an infected server and distribute the malware.”
While initial infections have been in Asia and Latin America, researchers believe the US (if not the rest of the world) could be the next target. As cryptocurrency prices fall, the likelihood of ransomware or some other cyber-attack being deemed more profitable than crypto-jacking increases. SpeakUp appears to have been written by a Russian-speaking malware developer, who goes by the nom de hack Zettabit. I suspect we’ll be hearing more about SpeakUp and Zettabit in the near future.
MacOS KeyChain Zero-Day
Those who follow me on LinkedIn may have seen my Friday post suggesting—yet again—that we should all be using password managers, along with an article from Popular Science claiming the same. Following the post a non-cyber security buddy messaged me for advice on picking a password manager. Enjoy the small victories. While Apple’s MacOS keychain is better than people keeping their passwords on Post-It notes (or continually using the password “123456”), it isn’t the same thing as using a password manager.
This fact is highlighted by the recent discovery of a MacOS Keychain zero-day—dubbed KeySteal—by security researcher Linus Henze, an 18-year-old German. Don’t let his age fool you. According to Forbes, Henze has discovered other iOS and MacOS bugs in the past.
Henze’s discovery made a bit of press because he’s holding out for a bug bounty from Apple, whose bug bounty program covers only iOS and does not reward vulnerability findings for MacOS. It feels fair that, if Apple—a $803 billion company—is going to benefit from the work of independent security researchers, those individuals should be compensated for their effort.
Furthermore, this episode highlights the importance of bug bounty programs. Independent researchers have two viable means to monetize their work: earning bug bounties or selling zero-days to bad guys. The industry clearly benefits from the former. If your company is considering its first bug bounty program, check out HackerOne and Bugcrowd for help developing it.
Cyber-Espionage and Executive Impersonation
Cyber-espionage is an unfair fight. Private companies are supposed to defend themselves from nation-state actors? Alas, this is the reality of cyber security in 2019. TechRepublic recently published advice on how businesses can protect themselves from nation-state actor attacks via three vectors: IoT devices, deepfakes, and wireless connectivity.
I take issue with deepfakes—AI-generated or edited video used to create plausible forgeries depicting events that never occurred—making the list. This really isn’t a credible threat for most companies. What is more useful than defending against deepfakes is defending against executive impersonation.
While executive impersonation is typically viewed as a flavor of Business Email Compromise (BEC), it is also an effective cyber-espionage tool. If your CEO, COO or any other executive asks you to quickly email your proprietary R&D research or product information before their meeting (starting soon), who’s going to say “no” to them? This can certainly be more devastating than getting scammed into making a one-time money transfer.
Another threat of executive impersonation is that a threat actor may pose as one of your executives to interact with your stakeholders—customers, suppliers or shareholders—with malicious intent. TechRepublic’s advice for avoiding deepfakes can actually double as advice on avoiding executive impersonation:
Develop a reputation-monitoring capability to alert your public relations and communications teams of breaking negative news about your organization, true or not.
Conduct regular proactive outreach on social media to establish your public relations team as a trusted source of news to combat these misinformation campaigns.
Engage your leadership and communications teams in tabletop exercises to plan and practice handling the types of reputation attacks which are most likely to target your organization.
If executive impersonation is not currently considered a security risk for your organization, you probably want to add it to the list.
Cool Job of the Week
K2 Intelligence — Cyber Security/Privacy Analyst (Location: Los Angeles, CA)
Veteran-Preferred Job of the Week
JP Morgan Chase — VP, Cybersecurity Playbook Advisor (Location: Washington, DC)
Hope you’ve enjoyed this week’s edition of the CyberWeekly Newsletter. Please share with a friend or colleague.
Click here to subscribe to the CyberWeekly Newsletter.
Stay vigilant,
Oritse J. Uku, Editor-in-Chief
Disclaimer: The opinions expressed in this newsletter are my own.