CyberWire Daily - A cyber espionage campaign is said to use DNS hijacking. More observations on l’affaire Bezos. Operation Night Fury versus e-commerce hackers. Farewell to Clayton Christensen.
Episode Date: January 27, 2020. Someone has been running a DNS hijacking campaign against governments in southeast Europe and southwest Asia, and Reuters thinks that someone looks like Turkey. Experts would like to see a more thorough forensic analysis of Mr. Bezos’ iPhone: that hack may look like a Saudi job, but the evidence remains circumstantial. Interpol’s Operation Night Fury dismantles a gang that had been preying on e-commerce. And ave atque vale, Clayton Christensen, theorist of disruptive innovation. Robert M. Lee from Dragos with 2020 predictions (reluctantly). For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_27.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Someone has been running a DNS hijacking campaign
against governments in Southeast Europe and Southwest Asia,
and Reuters thinks that someone looks like Turkey. Experts would like to see a more thorough
forensic analysis of Mr. Bezos' iPhone. That hack may look like a Saudi job, but the evidence
remains circumstantial. Interpol's Operation Night Fury dismantles a gang that had been
preying on e-commerce. And farewell, Clayton Christensen, theorist of
disruptive innovation. From the CyberWire studios at DataTribe, I'm Dave Bittner with
your CyberWire summary for Monday, January 27th, 2020. Reuters, citing British and U.S. officials speaking anonymously, reports that a major cyber espionage campaign is in all likelihood the work of Turkish services.
The effort targeted some 30 organizations, including government agencies in Albania, Greece, Iraq, and Cyprus, as well as some domestic Turkish groups, including at least one Freemasonic lodge, thought sympathetic to the
failed 2016 coup. The campaign made large-scale use of DNS hijacking. Reuters sources told the
news service that their assessment that the campaign was a Turkish operation depended on
three things. First, the victims included the governments of countries that are strategically
and politically important to Turkey.
Second, the attacks resembled earlier attacks that used infrastructure connected to Turkey.
And third, and most interestingly, because the sources wouldn't talk about it,
information contained in confidential intelligence assessments that they declined to detail.
Reuters says that it reviewed public DNS records.
The news service says it was able to find that the victims they identified
had traffic to their websites hijacked and redirected to servers controlled by the attackers.
Much of the traffic so redirected was traffic for login portals,
suggesting that credential harvesting was at least one of the goals of the operation.
The Turkish government declined to comment,
but one official did venture to observe that Turkey itself had been the victim of cyberattacks,
which is surely true.
So has the rest of the world, pretty much.
We received emailed comments from Dave Weinstein, CSO at security firm Claroty,
and the former CTO of the state of New Jersey.
He noted that Turkey had not been known as a major player in international cyber conflict
and that Ankara had tended to focus on its domestic priorities.
But now, he says, the country is emerging as a more active and externally focused actor.
He sees another larger issue in the report, however.
He thinks it follows a trend
in hijacking attempts that exploit inherently insecure aspects of the internet. As Weinstein
puts it, quote, the DNS system relies in large part on trust, an element that state actors
are apparently both willing and able to compromise for the sake of intelligence collection.
Observers would still like to know more about what actually was found on Jeff Bezos' phone.
The device, FTI Consulting said with medium to high confidence,
was compromised by Saudi Arabia's government.
It seems something was going on in the phone.
Text messages from the Crown Prince, for example,
suggest that he was better informed about Mr. Bezos' amours than he should have been,
and knowing things like that would be consistent with hacking. But this is circumstantial,
as is much of the other evidence the report cited. As several experts told Security Week,
the investigation didn't proceed beyond the circumstantial. The Wall Street Journal hears
from other experts to the effect that the investigation,
as described in the FTI report that became public last week,
quote, appeared to forego important investigatory steps that could have yielded a fuller picture of what occurred on Mr. Bezos' iPhone X.
End quote.
Saudi officials continue to maintain they had nothing to do with Mr. Bezos' iPhone X
and that if there's any evidence to the contrary, they'd very much like to see it.
On the other hand, a tweet storm significantly bot-driven is standing up for the kingdom, Forbes reports,
busily slanging Mr. Bezos and calling for a boycott of Amazon.
Such trolling can have its effects.
Whether a case of large-scale trolling is state-directed or state-inspired astroturf is always difficult to determine,
and sometimes it's even got a significant grassroots component.
The story is still developing.
As it develops, it may be shaped by a case in Tel Aviv,
where a court is hearing arguments over whether NSO Group should keep its export license.
The company's famous Pegasus tool
was mentioned in dispatches by FTI, which said it seemed likely, on circumstantial grounds,
that whatever got into Mr. Bezos' phone was Pegasus, delivered perhaps via WhatsApp.
A Hacking Team tool was mentioned as a second but less probable possibility.
Observers will watch what emerges during the proceedings,
but even many inveterate critics of NSO Group have been cautious
about drawing the conclusion that Pegasus was implicated in this particular incident.
Interpol's Operation Night Fury, with major assistance from security firm Group-IB,
has taken down a cybergang that operated from six ASEAN
countries to hit online shopping with the GetBilling sniffer. Group-IB explains that JavaScript
sniffers are used by criminals, quote, to steal customer payment and personal data such as credit
card numbers, names, addresses, logins, phone numbers, and credentials from payment systems,
end quote. The company's investigation found some 200 sites infected with the GetBilling sniffer.
Those sites, in keeping with the borderless quality of e-commerce,
are spread throughout the world, not just Southeast Asia,
but Australia, the Americas, and Europe.
Group-IB thinks it likely that more infected sites will come to light
as five other ASEAN national police forces complete their own investigations.
Interpol said that the investigation they coordinated
led to authorities in Singapore taking down two of the command and control servers the gang was using.
It also enabled the Indonesian National Police to arrest three individuals.
Similar hunts for servers and perps are in progress
in several other ASEAN countries. And finally, we close on a somber note today.
Few concepts are tossed around as freely in our industry as the notion of disruption,
particularly in the context of disruptive technologies. But unlike many of the buzzwords that so fill business discourse,
disruption is actually a concept that has some content and rigor behind it.
The writer who formulated the concept, Clayton M. Christensen, professor at the Harvard Business
School, died last Thursday at the age of 67, losing his struggle with leukemia. His book,
The Innovator's Dilemma, is worth reading,
as is his essay, How Will You Measure Your Life? Our condolences to his family, friends,
and colleagues as we recognize the completion of a life that measured up pretty well indeed.
And joining me once again is Robert M. Lee.
He's the CEO at Dragos.
Rob, it's always great to have you back.
We are starting a new year here, and I wanted to get your take on what are you looking ahead to
as you look towards the horizon?
What do you see coming in the ICS space for 2020?
Awesome. All right. Only for you, by the way.
All right. I want to start this off correct, that I get asked all the time for predictions
and what's coming by all the different magazines that talk to me
and publications and so on. I always turn it down.
But for the cyber wire, I will break my rule
and I will give you, with a finger in the wind, here's what I am seeing.
And so take it with a grain of salt, but here's what I think.
I think in the larger community, so not just ICS specific, but the larger community,
because of all the momentum we've seen in starting to talk about tradecraft
and thinking about threats beyond just malware exploits and vulnerabilities,
but actually for what they are, and humans on the other side of the keyboard,
because of that movement, and I acknowledge that not all the community is there yet, but
because of that movement, we are going to have to look back at what we've done to date.
And what I mean by that is we have made a lot of security investments and strategies
and implemented a lot of things around the community, especially in enterprise companies,
where we were doing it off of one basis of knowledge, and now we have another.
And I think that is going to drive a much deeper look at collection and detection strategies
and response strategies, and not just, here's a tool, let me buy it, what do I think it
does?
I think on a day-to-day basis, analysts get abstracted way too much from collection. It's kind of the example where an analyst in front of a SIEM
takes an indicator, throws it through, and goes, yep, no alerts, we're good. When the real question
should have been, did we ever collect the data that would have been required to validate or
invalidate that question we just asked? And I think as we think about tradecraft and get to this higher order of thinking in the community, we are going to have to very critically look at the collection
of detection strategies we put in place. And my recommendation for those companies is think about
the response strategy first. Like what is the executive is going to ask questions about? What
are you going to need for your business? What are the actual business requirements? And work
backwards. Well, if I'm going to have that level of response, I've got to have this strategy towards detection. And if I've
got this strategy towards detection, I've got to have this type of collection. I think that's going
to hit a lot of companies in the face, but I think we're up for the challenge. On the ICS side, on
the industrial control system side of the operations technology community, I mean, I think we can kind
of pole vault forward and look at a lot of that. I made a prediction a year or two ago. Dale Peterson put me on stage at S4,
which is always a good conference. There's really a couple of really good conferences in the ICS community.
I'm sure they're all great and wonderful, but I generally love the SANS ICS Summit and S4,
and maybe CS3 Stockholm out in Europe. But when he
asked me, he was like, make a prediction. I told him the same thing. I was like, I hate predictions. He was like, just do it. Fine.
I got on stage and I was like,
our security professionals one day will know more about our operations than our operators.
I just kind of said it in the moment, thinking,
oh, it's out there.
Then I stepped back and I was like, I think I believe that.
As I think about it, I'm like, actually what made really good security analysts anywhere else in the world was a deep understanding of how the system or system of systems worked in the first place.
And we're starting to see more and more operations and engineering, especially on the operations side, get abstracted from the environment where maybe the vendor or the integrator themselves built the ICS or integrated it the way they thought, and really we're just operating it and we're leaning more and more on
calling for help desk and it's harder to hire people and train people and layers of expertise
and more operating platforms and et cetera, et cetera, et cetera, where the level of knowledge
and operations, these are amazing operators. I'm not trying to say they're lesser than they've
ever been. They're actually better than they've ever been, but more generalists now than specialists
are moving in that direction.
And actually, it's the exact opposite of what we're seeing in the need of security, of more
specialization, especially with the level of automation and digital transformation that's
happening in the industrial world.
And I actually think that, not in 2020, but as we go about our journey industrial control
systems security folks will have to appreciate that they will at some point
or should know more about that plant inside and out as a whole than any other
one person in that facility. And that's scary and amazing and crazy all at the
same time.
What about the overall sense of community itself? As the number of people working on these problems grow, is it your sense that that notion of community itself is becoming a component of greater importance?
It is, and I always hear when people talk about the community or a community, I always see people kind of snipe on social media or whatever.
And I don't think it's misplaced or malintended, but they kind of snipe, well, there is no community.
There's all these various little communities.
And I'm like, yeah, for sure, but we're still a community.
And my response to that is there's just different schools of thought.
It's not that we aren't one community it's that there are lessons learned and expertise
and against specific requirements that not everyone shares that's getting developed and
it's defining a school of thought. Like, I had to publicly, like, really rant on this about, like, intel.
Like, people are, oh, here's how you do cyber threat intel. And it's like, nope, that's not the only way
to do it, guys. Like, actually, one of the main reasons I wanted to make my SANS class, the
FOR578 one, and the GCTI, the certification that goes with it, is to say
you do whatever you want. You do you, man, but this is a
school of thought of how to functionally and correctly inside this school of thought
do cyber threat intelligence and put a stake in the ground going, here's the
vernacular we use, the lexicon, here's the mental models
and the structured analytic techniques, and here's the type of requirements we see.
And you're not subsetting the community, you're just saying here's one option
as a full package of a school of thought.
And I think we're seeing the same thing in industrial control systems,
where I'm very opinionated about what it takes to go toe-to-toe with the adversaries.
I'm still not a fan of considering things like anomaly detection or protocol behavior analysis,
or however they want to flavor the marketing terms, as a detection strategy for ICS.
You're going to get tens of thousands of false positives a day to an analyst,
and no analyst has ever sat there and gone,
you know what I want? I'd love to have 100,000 contextless alerts to go through today.
That's not a real answer. But other people may have different requirements.
And so instead of saying, you're wrong, it's really just a school of thought. And I'm lucky
that SANS has been kind of a neutral player in this to codify that school of thought. And so
that's what we do on the SANS ICS curriculum. If you look across ICS 410, ICS 515, my class, and ICS 612, the new class they have,
all of those certifications and process really is a school of thought. So I think it's a long-winded way to answer your question. As the community expands, we should be excited
about it, but we shouldn't think that it's bifurcating. We should just recognize that
there are competing schools of thought that are forming.
And we should all be just overjoyed that we have those opportunities
so that for each and individual one of our companies,
we can try to choose the best school of thought that works for our people and our company.
All right. Well, Robert M. Lee, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders
who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.