CyberWire Daily - A new threat group, Avivore, is called out in the Airbus hack. Ransomware and VPN exploit warnings. EU tells Facebook to take down some content, everywhere. Spearphishing ANU. SandCat’s bad opsec.
Episode Date: October 3, 2019
Who's been hacking aerospace firms? Context Security suggests it's a new Chinese threat actor, "Avivore." The FBI issues a ransomware alert. The NCSC warns of active exploitation of vulnerable VPNs. The EU issues a sweeping takedown order to Facebook. US Senators ask Facebook about deep fakes. Spearphishing at the Australian National University. FireEye may be for sale. And the SandCat threat group shows poor opsec. Craig Williams from Cisco Talos on maliciously crafted ODT files. Guest is Yoav Leitersdorf of YL Ventures with insights on the VC market in Israel. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_03.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Who's been hacking aerospace firms?
Context Security suggests it's a new Chinese threat actor, Avivore.
The FBI issues a ransomware alert.
The NCSC warns of active exploitation of vulnerable VPNs.
The EU issues a sweeping takedown order to Facebook.
U.S. senators ask Facebook about deep fakes.
Spearphishing at the Australian National University.
FireEye may be for sale.
And the Sandcat threat group shows poor OPSEC.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday,
October 3rd, 2019. In a year where CrowdStrike finds cybercriminals more active than state-sponsored hackers, Chinese intelligence services have been taking a leading role in industrial espionage.
Someone, and most signs point to China, has certainly been poking into the networks of aerospace companies and their suppliers.
Airbus is the most prominent of these firms that have been so prospected.
The company disclosed in January that business systems at its commercial aircraft division had been hacked
and that data had been improperly accessed.
Last week, Agence France-Presse, citing security sources,
reported that the company had continued to sustain security incidents,
several of which affected its suppliers, among them the British engine manufacturer Rolls-Royce,
the French technology consultancy Expleo,
and two other unidentified French companies.
Most of the speculation about specific attribution has turned to APT10, also known as Stone Panda,
and which CrowdStrike earlier last month associated with the Tianjin Bureau of the Ministry of State Security,
MSS for short.
Other researchers thought the attackers most likely to belong to Jiangsu Province Ministry of State Security, JSSD for short.
The U.S. Department of Justice has indicted members of JSSD in the past for hacking,
and the group has a special interest in aerospace companies.
But the London-based security firm Context believes a different threat actor is
responsible. In fact, Context believes it's found a previously unremarked threat actor
that's engaging in living off the land as it island hops across targets in the aerospace
supply chain. They've given the group its own name, Avivore, that is, Eater of Birds,
which seems apt for something that preys on the aerospace sector.
Context acknowledges that there are some similarities between Avivore and both JSSD and Stone Panda,
but they've concluded that the tactics, techniques, and procedures, infrastructure, and tooling observed differ significantly,
and that while they can't rule out the involvement of the other two groups,
it seems likely to them that Avivore represents a different organization.
The group's attacks display good OPSEC, and the researchers note in particular
the group's attention to removal of forensic artifacts, a sign of its desire to remain as
obscure as possible. Contrast this with the somewhat willful noisiness of some other state actors.
Fancy Bear broke onto the scene, for example, with considerable eclat, not seeming to care a
great deal whether it was detected or not, and that was a matter of style, not incompetence.
Whoever Avivore is, the group is probably Chinese, probably state-directed,
and almost certainly concerned with industrial espionage.
Israel is a major player in the cybersecurity ecosystem,
with significant research and innovation originating in that country.
It's also a hot market for venture capital.
Yoav Leitersdorf heads up VC company YL Ventures.
Israel is the number two country in the world in terms of cybersecurity exports. And
that's just one measurement. I would say it's number two in absolute numbers in terms of number
of startups, cybersecurity startups. It's also number two in terms of venture capital funding
in cybersecurity. And that's especially impressive since Israel only has about 8 million people,
you know, much fewer than what the US has and many other countries have. The total amount of funding
for Israeli cybersecurity companies across all stages grew 22% from 2017 to 2018. In 2018, we had
over a billion dollars, actually 1.03 billion of total funding for security startups in Israel.
And as I mentioned, that is number two in the world.
Also in 2018, we had 66 new companies founded in Israel in cybersecurity, which is a growth of 10% over 2017.
The average seed rounds are getting bigger, so 3.6 million in 2018, up from 3.3 million in 2017. Most of the new companies are in emerging fields, meaning completely new fields of cybersecurity, which is very interesting because it's not more of the same, but rather we're seeing lots of new innovation.
Now, you compare that with any other region in the world, and these stats are extremely
impressive. I mean, especially the absolute numbers of dollars invested and number of
companies formed. You don't really have that anywhere in the world except for the U.S. And think about, you know, all the different regions in the U.S. where cybersecurity is strong, like, you know, the Virginia Corridor, Silicon Valley, Boston, all these areas.
Israel is a very, very small place.
So you can get from one end to the other in terms of what's interesting in the security industry
within about an hour's drive. When you look around at the state of things when it comes
to investing in cybersecurity, where do we find ourselves today? This is a very exciting time to
be in cybersecurity. I think it's one of the highest growth sectors in venture capital overall. It's driven by many factors.
I mean, I could say, you know, first of all, the movement to the cloud is really increasing the
security concerns that organizations have, and therefore their budgets. Another one is IoT,
Internet of Things. We're expected to triple the number of Internet
of Things by 2025 to about 22 billion devices, and a lot of them are unprotected. You know,
security spend worldwide is over $100 billion a year now, and that's growing year over year. I
think by 2021, we're going to be at $133 billion,
according to Gartner. The cost of cybercrime was about $600 billion in 2017 and is much higher now.
You know, the number of data breaches, that's a big driver. I'm sure you've seen a lot of that.
I mean, we've gone from about 800 in 2015 to about 1,600 in 2017. That's in just two years, the doubling of the number of breaches.
And security is now a top topic in boards of directors.
And, of course, there's a big shortage of cybersecurity professionals,
about 3 million people that are needed worldwide.
And so, you know, all these are driving demand for cybersecurity.
And, of course, the business we're in is investing in cybersecurity startups that are meeting
this demand.
So, I mean, our whole goal and reason for existence here is to supply the world with
some great solutions.
In our case, these solutions originate in Israel,
which is the number two exporter in the world in terms of security solutions.
So that's the world that we're in.
That's Yoav Leitersdorf of YL Ventures.
There have been some official warnings of cyber threats in both Britain and the U.S. The U.S. FBI has issued an alert that ransomware represents a high-impact threat.
The Bureau urges victims to report the incidents to their local FBI field office,
and it strongly recommends that no one pay the ransom.
Doing so at this point is simply fueling the bandit economy that keeps ransomware in circulation.
The UK's National Cyber Security Centre warns of pervasive exploitation of widely used VPNs.
They are not scrub VPNs either, but rather the products of respected vendors,
Pulse Secure, Palo Alto Networks and Fortinet.
Both British and international organizations are being targeted,
and the NCSC says the victims include government, military,
academic, business, and healthcare organizations. They advise everyone using the affected VPNs
apply the latest patches, and all three vendors have them, and reset their authentication credentials.
The New York Times reports that the European Court of Justice ruled today that national courts may
order Facebook to take down and restrict access to content globally.
The case originated with an Austrian Green Party politician who requested removal of unflattering comments an unnamed individual had posted to a personal page.
The plaintiff alleged that three bits of content were impermissibly objectionable.
Specifically, she objected to traitor of the
people, corrupt clod, and fascist. The decision is sweeping and will have the effect of pushing
social networks toward treatment like publishers as opposed to common carriers. Skeptics note that
European law has tended to restrict disrespectful posts about politicians more readily than it has
quelled extremism or invasions of pure personal privacy.
But then it stands to reason that politicians might just be better resourced
than your average Zuzi Musterfrau or Janie Sixpack.
Facebook is also receiving attention across the Atlantic.
The social network yesterday received a letter from U.S. Senators Warner, Democrat of Virginia,
and Rubio, Republican of
Florida, asking for an explanation of its policies and technical capabilities with respect to deep
fakes and fabricated news generally. An Australian National University review of its data breach
concludes that the hackers got in by spear phishing a senior member of the university's staff.
The Australian Financial Review reports that ANU declined to name a culprit
but called the attackers sophisticated and probably interested in fraud.
10 Daily says the phishing victim simply previewed the email
and didn't interact with it in any other way.
Business Insider says FireEye has retained Goldman Sachs
as the security company explores putting itself up for sale.
FireEye stock has been up on the news, trading around $14 since it broke.
The likeliest buyers are thought to be private equity investors.
And finally, to return to the issues of OPSEC and state-directed threat groups,
here's one that seems decidedly not to have its security house in order.
It's the group security researchers at Kaspersky calls Sandcat,
which is believed to be a cyber operations unit of Uzbekistan State Security Service, the SSS,
which inherited a reputation for repression and brutality with its KGB DNA.
Kaspersky described its findings to Vice.
First of all, Sandcat used the name of an associated military group
to register one of the domains used in its infrastructure.
This is held to be bad by those in the business.
If you're registering a domain, use some anodyne but plausible front organization,
maybe the young person's chess clubs of greater Bukhara.
Second of all, they had installed Kaspersky security software in their systems,
and that software is reckoned both effective and intrusive,
with a pretty big footprint in the systems it protects.
Thus, Kaspersky had pretty good visibility into things that would raise any security eyebrows,
like buying a bunch of zero-days from third parties.
So the gaff was blown pretty quickly.
Kaspersky researchers said they were surprised to see that Uzbekistan's SSS
had any cyber-operational capability at all.
Some of that can be written off to the casual disregard
with which the Central Asian members of the near abroad tend to be disregarded,
but those who have eyes to see, let them see. The researcher known as Phineas Fisher said in 2015
that he'd found a good bit of email correspondence between the Uzbek organs
and the Italian lawful intercept firm of Hacking Team.
And I'm pleased to be joined once again by Craig Williams.
He's the head of Talos Outreach at Cisco.
Craig, great to have you back.
You all recently published some information as a blog post titled,
Open Document Format Creates Twist in Maldoc Landscape.
What's going on here?
Well, so this is a very interesting one, right?
You know, we've all known maldocs exist,
and we all know that you need to be worried about them.
But what this particular attacker did was very, very clever.
They found an issue in, you know, an OpenOffice format called ODT,
or Open Document, and they were able to, you know,
basically discover that if you exploited the ODT file type, not only were you able to compromise OpenOffice, but Microsoft Office would actually fall victim to the same or a very similar bug resulting in them getting the execution that they wanted.
So think about this, right?
You get an ODT file and let's say you're super savvy, right?
And maybe even your security software warns you or you know that ODT is open office. And so you think, ha, ha, ha, silly hacker.
I run Microsoft Office.
I'm far superior and can't be compromised.
Well, you might click on it to see what it is because you know deep down that you're not running any sort of open software.
And so, therefore, you shouldn't be vulnerable. However, that's not the case here.
And so I think by using this format to target both sets of victims,
the attacker actually has a much wider net than we would normally consider.
And because it's an ODT format, a lot of the detection technology,
particularly in things like antivirus,
may not actually work as effectively as they should.
Hmm.
Now, do you have a sense that this is an intentional misdirection
or is it a happy accident for them
that it's effective within the actual Microsoft environment?
Oh, I'm pretty sure that this is intentional.
Okay.
You know, the things that they're using are things like PowerShell
that are very generically used in Word attacks.
And so I think what happened was they basically found a particular technique
that worked in both and decided to make use of it,
because it does double your potential pool of victims.
So what are we looking at here in terms of recommended protections?
Well, the gist of it here is, you know, the same type of advice we would give anyone for a malicious document campaign.
I mean, number one, don't ever click on an email attachment unless you're confident who sent it
and you know that they intentionally attached it.
Number two, make sure you're running some sort of antivirus product so that if the file is known to be malware, it actually gets convicted and removed from your system before you can open it.
I suppose for number three, we could throw out there, make sure you have a firewall on so that
in the event you do click on it, perhaps it won't be able to reach out and grab the actual additional payload. I see. Do you have any sense for how successful this is or how
widespread it is? So this one we think we found pretty early. We did not see a ton of attachments
in our email telemetry. Now it is possible that they were very isolated, heavily targeted pockets
like we've seen in the past.
Very specific industries, very specific countries.
But from a global perspective, it does appear to be very limited.
So hopefully we got the word out in time.
The blog post is titled Open Document Format Creates Twist in Maldoc Landscape.
Craig Williams, thanks for joining us.
Thank you.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.