CyberWire Daily - An overview of threat actors, two proofs of concept, and an IoT botnet bothers the cloud. Patch Tuesday notes. And control yourself, sir.
Episode Date: November 12, 2020
BlackBerry tracks a mercenary group providing cyberespionage services. A rundown from Dragos on threat actors engaging with industrial targets. An IoT botnet is active in the cloud. A research team offers a new proof-of-concept for DNS cache poisoning, and another group of researchers demonstrates a novel power side-channel attack. Patch Tuesday notes. Joe Carrigan wonders if you're likely to get your money's worth when paying baddies. Our guest is Michael Daniel from the CTA on the merging fields of cybersecurity and information operations. And a pro-tip: you do know that they can usually see you on Zoom, right? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/219 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
BlackBerry tracks a mercenary group providing cyber espionage services,
a rundown from Dragos on threat actors engaging with industrial targets,
an IoT botnet is active in the cloud,
a research team offers a new proof of concept for DNS cache poisoning,
and another group of researchers demonstrates a novel power side-channel attack.
We got some Patch Tuesday notes.
Joe Carrigan wonders if you're likely to get your money's worth when paying baddies.
Our guest is Michael Daniel from the CTA on the merging fields of cybersecurity and information operations.
And a pro tip, you do know that they can usually see you on Zoom, right?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 12, 2020.
Several research reports have come out at midweek.
First, BlackBerry researchers are tracking what they believe to be a mercenary cyber espionage group whose campaign they're calling CostaRicto.
BlackBerry doesn't speculate about which nation state or states
or which well-resourced non-governmental organization would be serving as their paymasters,
but they offer four reasons for thinking it's a mercenary operation.
It uses bespoke malware.
It shows systematic and continual development.
It appears to share some network infrastructure with APT28.
That's Fancy Bear, Russia's GRU,
and it has a highly diversified target list
that suggests more than one customer is using CostaRicto's services.
BlackBerry sees cyber espionage mercenary activity
as a natural evolution of other trends in the criminal underworld.
If ransomware as a service has found a lucrative market,
why not espionage as a service?
Dragos finds that industrial control systems in various manufacturing and industrial sectors are
increasingly being subject to the attention of cyber threat actors. The researchers are following
five distinct threat groups. Four of them remain, at this stage of their evolution, espionage as opposed to sabotage operations.
They list them.
Chrysene, which other studies have called APT34 or Helix Kitten,
targets the petrochemical, oil and gas, manufacturing and electrical power generation sectors.
It's expanded its interests beyond the Persian Gulf.
It's thought possible that Chrysene was connected with the Shamoon
destructive wiper attacks that afflicted Saudi Aramco in 2012.
Magnallium, also known as APT33 or Elfin, is active against the energy and aerospace sectors,
including their supporting sectors.
Like most of the other groups, it's a cyber espionage specialist concerned with stealing
information as opposed to disrupting operations.
Parasite, known also as Fox Kitten or Pioneer Kitten,
works against electric utilities, aerospace, manufacturing, oil and gas entities,
and government and non-governmental organizations.
Parasite hasn't directly disrupted industrial operations.
It targets vulnerable virtual private network appliances,
and Dragos thinks this argues an interest in gaining initial access to enterprise networks.
Wassonite, associated with the Lazarus Group,
hits electric generation, nuclear energy, manufacturing, and research entities.
Wassonite makes heavy use of DTrack malware.
It does a good bit of credential stealing.
It's principally a cyber espionage group
after intelligence and intellectual property.
And Xenotime, best known for the Trisis attack
that disrupted a Saudi natural gas facility.
Dragos doesn't offer attribution of any of these to nation states,
but others believe Chrysene, Magnallium, and Parasite to be Iranian,
Wassonite North Korean, and Xenotime Russian.
Their activities have focused on the Persian Gulf region,
but they've shown recent signs of expansion to other geographical areas of operation.
Lacework researchers describe Muhstik, an IoT botnet infesting cloud services.
Signs point to Muhstik being a Chinese criminal operation.
It was monetized through XMRig.
Two university teams have come up with proofs of concept that, while hardly an immediate threat, nonetheless bear watching.
The first result is from California.
The University of California, Riverside has published a study of vulnerabilities that forecasts a return of DNS cache poisoning.
The researchers determined that 34% of the open resolvers on the internet are vulnerable.
This includes a heavy fraction, some 85%, of the most popular DNS services.
DNS cache poisoning works by interposing a malicious IP address into DNS caches.
A corrupted DNS record sends visitors to a site that looks like the real one,
but that's under malicious control.
It's a form of spoofing.
It was once a popular attack method,
but it fell out of favor when enterprises realized that they could fend it off
by randomizing either the number of the port sending the request or the numbers of other
locations involved in communicating among networks. Randomization defenses in browsers
have made DNS cache poisoning much harder to pull off. But the researchers at Riverside have found
a way in which DNS cache poisoning could exploit resolvers and forwarders in a new side-channel attack.
It's a proof of concept, but the results merit some consideration.
A second proof of concept comes from Europe.
A team of researchers at the University of Birmingham, the Institute of Applied Information Processing and Communications at Graz University of Technology, and the Helmholtz Center for Information Security
has identified a new power side-channel vulnerability,
Platypus, in Intel Central Processing Units.
Power side-channel attacks capture fluctuations
in processor power consumption
and use these to extract sensitive information from the CPU.
Cryptographic keys, for example,
might be among the data captured.
Power measurements done by malware have long been relatively inaccurate, and they also required
physical access to the target and the ability to connect the target to measuring tools like
an oscilloscope. What's different about Platypus is that two methods offer a simpler, more accurate
approach to power side-channel attack. The researchers wrote, quote,
In the first, they use the RAPL interface (Running Average Power Limit),
which is built into Intel and AMD CPUs.
This interface monitors the energy consumption in the devices
and ensures that they don't overheat or consume too much power.
RAPL has been configured so that power consumption can be logged even without administrative
rights.
This means that the measured values can be read out without any authorizations.
In the second approach, the group misuses Intel's security function Software Guard
Extension, SGX.
This functionality moves data and critical programs to an isolated environment called
an enclave,
where they are secure, even if the normal operating system is already compromised by malware.
End quote.
So again, not an immediate threat, but one worth bearing in mind.
Tuesday was, of course, Patch Tuesday, and it was a relatively busy one.
Intel released 40 security advisories for its active management technology,
wireless Bluetooth, and NUC products.
Some of the bugs involved a critical risk of privilege escalation.
Out in Redmond, Microsoft fixed 112 flaws,
one of them a Windows zero-day Google pointed out last month.
Google itself addressed two Chrome zero-days,
and Adobe took care of issues in Connect
and Reader Mobile. The Connect problems were cross-site scripting vulnerabilities. The Reader
Mobile issue was an information disclosure vulnerability. Adobe is thought likely to
issue a follow-up round of patches. And let's take a quick look at the hot sheets.
Ah, here you go. A pro tip. One of the big features of Zoom
is that the people you're conferring with can, you know, see you. There's been a bit of house
cleaning over at Condé Nast, where one of the New Yorker's high-profile pundits was observed to be
spending a little time with himself during an election war game to the general horror of his colleagues.
Look, passion for the job is great,
but take but measure away and hark what madness follows.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Having made it past election day here in the U.S.,
online misinformation continues from a variety of sources, both foreign and domestic.
The Cyber Wire's chief analyst and chief security officer, Rick Howard,
recently got on the line with Michael Daniel, president and CEO of the Cyber Threat Alliance,
to discuss the merging fields of cybersecurity and information operations.
Hey, everybody. Rick Howard here.
I am pleased to welcome to the show Michael Daniel.
He, in 2017, became the president and CEO of the Cyber Threat Alliance,
a nonprofit cyber intelligence sharing organization for security vendors,
an ISAC or ISAO for cybersecurity vendors.
And prior to that, he served as special assistant to President Obama and the cybersecurity coordinator on the National Security Council staff.
Michael, thanks for coming on.
Yeah, thank you for having me.
So you have an interesting take on this development of information or misinformation
and disinformation that has sort of been plaguing the world these past five to ten
years. And there have been, you know, admittedly all kinds of suggestions about how we might curtail
this stuff. Everything from limiting free speech to holding social media platforms accountable for
the information going across their networks. But you have a really interesting idea about
who we should recruit into the cause. Can you tell us about that?
Sure. Certainly, I think that information operations is a separate discipline from cybersecurity,
but they're very closely related fields. And as a result, I think that both sets of disciplines
need to actually gain a working knowledge of the other, meaning that
cybersecurity practitioners, network defenders, and the like need to develop a basic understanding
of misinformation and disinformation, the tools that are used to propagate it, what it looks like,
and some of the basic tools for defending against it. Is there any advice you can give
the newbies listening to the show, what they should be thinking about?
I think that checking out places
that have started to work very hard
against misinformation and disinformation,
like the work that Facebook has been doing,
like the work that the company Graphika has been doing
is really important and starting to-
Yeah, and some of the work at Stanford
and some of the places to look, yeah.
Yeah, absolutely.
And Belfer Center up at Harvard has done some very good work
in the election space.
But starting to pay attention to that line of work as well
and how do you recognize the basic warning signs?
How do you know when your company or the network that you might be defending, the
organization that you might be defending, right?
Because you're not really just defending the network, you're defending the organization.
How might you know when the organization that you're defending might also be subject to
an information operation?
And how do you know then when to go get help from the real experts, right?
So that you can handle the basic triage, but you know to reach out to the more sophisticated, the more qualified, the higher skilled practitioners to bring them in just like you would higher skilled cybersecurity experts in a given area if you detected a particular kind of cyber threat.
And that's really how I view it.
Similarly, on the other side, if you've got people that are working very hard in brand protection and countering misinformation from an organization, and they begin to realize that it's actually
powered by cybersecurity activity, then they need to know enough to say, hey, I'm recognizing the
signs of malicious cyber activity here. We need to go get some help from the cybersecurity experts.
And that will make both sides much better off in terms of how they're interacting with each other.
Well, what I really love about the cybersecurity field is there's always something new to learn and something to challenge us with.
So I love that part of it.
And here's a new skill set that we can all put under our bailiwick and try to become masters of.
So, Michael, thanks for coming on the show and really interesting ideas.
Yep. Always happy to talk to you, Rick.
That's our own Rick Howard speaking with Michael Daniel, president and CEO of the Cyber Threat Alliance.
cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
You know, last week on the Cyber Wire, we made mention of this article over on Krebs on Security from Brian Krebs.
And it's titled, Why Paying to Delete Stolen Data is Bonkers.
I wanted to dig into this article with you and go over some of the details because I'm guessing you have some thoughts on this.
I do. I do.
I would like to say that, once again, I have predicted something.
Not that that's difficult to do in this industry.
It's one of the easiest things about working in the security field is you just pick something that's really bad and say, that's going to happen.
Okay. Fair enough. All right.
A lot of times you're right. And when ransomware started exhibiting the trend of going to also being data breach extortion, right?
Yeah. I said, if you're going to pay, make sure that you're paying just so you get your data back from being encrypted.
But you should not let the economic pressure of being told that they're
going to publish your data if you don't pay up, you should not let that be part of the decision
making process because you have absolutely no guarantee that they're going to delete your data
when they're done with it. They could take your money if the only reason you're paying them is
so that they don't release it. They can take your money and then turn around and sell your data anyway. And that's exactly what this article is
talking about. And that's what this report says. It came from Coveware, that they're seeing,
even after you pay the money, the hush money, they are still turning around and selling the data.
Now, how is this different from, for example, you pay to have your data decrypted, pay them some money, and then they come back and either encrypt it again, or after you pay them, they say, oh, you know what? We're not going to decrypt it until we get more money.
And if you're dealing with somebody who you have paid to decrypt your data and they don't decrypt it, that's kind of a rare occurrence, but it does happen.
But that's a risk you take whenever you are paying ransom to a ransomware attacker.
As far as getting attacked again, getting encrypted again, that's a separate incident, a separate event.
And what we're talking about here is, in fact, there's even a quote in here from Fabian Wosar, who's the chief technology officer at Emsisoft.
And he says, the bottom line is ransomware is a business of hope.
The company doesn't want the data dumped or sold, so they pay for it, hoping the threat actor deletes the data.
Right.
And this threat actor can come back to you over and over and over again. There's another good quote in the article
from the Coveware report that says,
unlike negotiating for a decryption key,
negotiating for the suppression of stolen data
has no finite end, right?
There's just no way to do it.
And that was one of the points I made
is that these guys can come back to you
and essentially say, you know what?
Now you have to pay us a subscription fee
to keep your data private,
right? Because once they have it, they have it forever. And Fabian Wosar makes the point that,
technically speaking, whether or not they delete the data doesn't matter from a legal standpoint.
You have still incurred a data breach. Yeah, there's no way that you can guarantee to
the folks whose data has been stolen that it's been deleted.
There's no way to prove that.
That's right. That's absolutely right.
And a lot of companies think, okay, well, we suffered a data breach.
Let's try to cover this up and pay the hush money to these guys and hope that they delete it.
And my point has always been that's no good.
You have no guarantee that that's going to happen.
Now this Coveware report is saying that they're going to go ahead and sell your data anyway a lot of the time.
So I stand by what I originally said and what Krebs is saying here and everybody else is,
if your sole reason for paying a ransom is to keep the data private, give it up.
The data is gone and they're probably going to sell it anyway.
Don't have false hope.
And be responsible.
You have suffered a data breach, and you have to report that.
Right, right, right.
Take the appropriate action.
Exactly.
Yeah, yeah, good point.
Yeah.
Well, it's an interesting article over on Krebs on Security.
It's called Why Paying to Delete Stolen Data is Bonkers.
Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
It's mm-mm good.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.