CyberWire Daily - APT side hustles and evidence of espionage. NSO replies to the Pegasus Project, and AWS removes NSO from its CloudFront CDN. Other data breaches and ransomware incidents.
Episode Date: July 20, 2021. The US says China contracted with criminals to carry out cyberespionage campaigns. Norway says China was behind an attack on its parliamentary email system. China denounces accusations of cyberespionage as slander, and says it's the real victim, because the CIA is the one stealing IP from China. AWS expels NSO Group from its CloudFront CDN. NSO denies it permits its intercept tools to be abused. Saudi Aramco sustains a data breach. Ben Yelin describes calls for bans on government use of facial recognition software. Our guest is Tom Kellermann from VMware on the potential cybersecurity threats facing the Olympic Games. And an MSP struggles with ransomware. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/138
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The U.S. says China contracted with criminals to carry out cyber espionage campaigns.
Norway says China was behind an attack on its parliamentary email system.
China denounces accusations of cyber espionage as slander and says it's the real victim
because the CIA is the one stealing IP from China.
AWS expels NSO Group from its CloudFront CDN.
NSO denies it permits its intercept tools to be abused.
Saudi Aramco sustains a data breach.
Ben Yelin describes calls for bans on government use of facial recognition software.
Our guest is Tom Kellermann from VMware on the potential cybersecurity threats facing the Olympic Games.
And an MSP struggles with ransomware.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 20th, 2021. The U.S. has said that China's Ministry of State Security contracted at least part of its exploitation of Microsoft Exchange servers
to criminal organizations.
In many cases, those gangs were permitted to profit directly from
their activities, a White House statement charged. Quote, the United States is deeply concerned that
the PRC has fostered an intelligence enterprise that includes contract hackers who also conduct
unsanctioned cyber operations worldwide, including for their own personal profit.
As detailed in public charging documents unsealed in October 2018 and July and September 2020,
hackers with a history of working for the PRC Ministry of State Security
have engaged in ransomware attacks, cyber-enabled extortion, cryptojacking,
and rank theft from victims around the world, all for financial gain.
In some cases, we are aware that PRC government-affiliated cyber operators
have conducted ransomware operations against private companies
that have included ransom demands of millions of dollars.
The PRC's unwillingness to address criminal activity by contract hackers
harms governments, businesses, and critical infrastructure operators
through billions of dollars in lost intellectual property,
proprietary information, ransom payments, and mitigation efforts.
End quote.
This is more an APT side hustle than it is the sort of privateering
the U.S. has accused Russia of tolerating.
Reuters reports that among the governments calling out China for cyber espionage is Norway's,
which yesterday publicly attributed a March 10 attack on the parliamentary email system to Beijing.
This official attribution has been expected for some time.
Chinese intelligence services have been the leading suspect in this incident since early in their investigation.
Norway made its attribution in
connection with the general accusation by more than 30 nations that China had been engaged in
widespread and damaging cyberattacks. China this morning answered the widespread condemnation of
its operations with a denial and tu quoque accusations of American misconduct, the Washington Post reports.
The rhetoric is in the increasingly familiar wolf-warrior style.
Beijing spokesperson Zhao Lijian said, The United States ganged up with its allies to make unwarranted accusations against Chinese cybersecurity.
This was made up out of thin air and confused right and wrong.
It is purely a smear and suppression with political motives.
China will never accept this, end quote.
Beijing also reacted with displeasure at the U.S. indictment published yesterday
of four Ministry of State security operators on charges related to theft of intellectual property.
It's the U.S. and its allies, Zhao said,
who are actually the people engaged in industrial espionage.
Quote, China firmly opposes and combats any form of cyber attacks and will not encourage, support, or condone any cyber attacks.
End quote.
Zhao added that the U.S. CIA has, for the past 11 years,
been engaged in hacking aerospace research facilities,
the oil industry, internet companies, and various government agencies.
That has had considerable malign effect, Zhao said,
and severely compromised China's national and economic security.
Zhao called upon the nations of the civilized world
to acknowledge that they're the ones at fault, to stop the slander, and to beware of Chinese retaliation.
He said, quote,
China once again strongly demands that the United States and its allies stop cybertheft and attacks against China, stop throwing mud at China on cybersecurity issues, and withdraw the so-called prosecution.
China will take necessary measures to firmly safeguard China's cybersecurity and interests.
End quote.
The denials and counter-accusations aren't particularly plausible,
but they're a lot feistier than their Russian equivalents,
which usually come down to something along the lines of show us the evidence so we can all investigate this together,
which is a lot more boring than stop throwing mud. Not more plausible, just more boring.
Amazon Web Services told Motherboard that the cloud provider has revoked NSO Group's access
to its infrastructure. AWS said, when we learned of this activity, that is, the targeting of journalists, dissidents, and others with NSO Group's Pegasus intercept tools,
we acted quickly to shut down the relevant infrastructure and accounts.
NSO Group had used Amazon Web Services' CloudFront content delivery network.
It will no longer be able to do so.
Amnesty International has published the forensic investigation it
conducted into apparent use of Pegasus against the targets described by the Forbidden Stories
Pegasus Project. The University of Toronto's Citizen Lab published what it characterized
as an independent peer review of Amnesty's work. That review generally concurred with Amnesty's conclusions.
NSO Group has categorically denied accusations of abuse reported by The Guardian and others,
specifically stating that the leaked data cited in Forbidden Stories reports had no connection to any list of persons or devices targeted by NSO Group's Pegasus tool, and
that the data had any number of benign uses and explanations.
Their letter to The Guardian said,
quote,
NSO does not operate the systems that it sells to vetted government customers
and does not have access to the data of its customers' targets.
NSO does not operate its technology, does not collect nor possess,
nor has any access to any kind of data of its customers.
Due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers,
as well as identity of customers of which we have shut down systems.
End quote.
NSO, after denying that its products were used in connection with the murder of Jamal Khashoggi,
a killing which NSO called heinous,
and reiterating its claim that its products can't be used for surveillance of U.S. citizens,
said it was committed to doing all it can do to ensure that customers use Pegasus appropriately.
Quote,
NSO group will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations. This includes shutting down of a
customer system, something NSO has proven its ability and willingness to do due to confirmed
misuse, has done multiple times in the past, and will not hesitate to do again if a situation warrants.
This process is documented in NSO Group's Transparency and Responsibility Report,
which was released last month.
The governments of Rwanda, Hungary, and Morocco told The Guardian that they either didn't use Pegasus
or that they didn't understand what the paper was asking them about.
India's government replied to The Guardian by suggesting that their coverage exhibited bad faith.
A criminal organization that styles itself 0X is offering a terabyte of proprietary data stolen from Saudi Aramco. Bleeping Computer says the gang claims the data includes personal information on over 14,000 employees, business documents, and engineering information.
According to Saudi Aramco, 0x obtained the data from third parties via exploitation of an unspecified zero day.
The attack did not involve ransomware and does not appear to be an extortion play, although a deadline the group
imposed looks like a prelude to a ransom demand. The crooks called the deadline a puzzle for Aramco
to solve. And finally, CloudStar, which The Record describes as a cloud and managed service provider
with a large customer base in the mortgage, title insurance, real estate, legal, finance,
and local government sectors, continues its recovery from a ransomware attack it detected
Friday. The incident has interfered with real estate transactions, and The Record,
betting on form, thinks recovery may be a matter of weeks as opposed to days.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
The Olympic Games have arrived, with the final preparations for the festivities in Tokyo taking place as we speak.
As we learned from the most recent games in Korea, the Olympics represent a large, irresistible target for bad actors in the cyber realm.
For details on what we might expect going into this year's Olympic Games,
we checked in with Tom Kellermann, head of cybersecurity strategy for VMware and member of the U.S. Secret Service's Cyber Investigations Advisory Board.
Well, the Olympics present a huge challenge from a cybersecurity perspective, particularly when you
have rogue nation states that are going to manifest their angst for not being allowed to participate in the games through cyber attack.
This is compounded by the reality that this will be one of the first Olympics where the majority of viewers and majority of the audience will be virtual
and primarily using computers, phones, tablets to watch the games.
So how might that manifest itself?
What sort of things are folks on the lookout for here?
I'm very concerned about cyber attacks from North Korea and Russia.
Russia, because of the fact that they're not allowed to participate in the Olympics
under the Russian flag as punishment for the doping scandal.
And North Korea, obviously, because they're a
rogue nation state, they have tremendous angst towards Japan, historical angst, and this is
their time to make a statement. And they'll do so with their grade A hacker group, you know,
Hidden Cobra. That all being said, what I'm most concerned about is the platform
by which we observe the Olympic Games being polluted and turned into watering holes.
So whether Xfinity, you know, Comcast Xfinity's platform gets backdoored and then used to push
malware or ransomware against the audiences who are implicitly trusting that feed, that's a great
example of something that could occur.
Do you think we might see something like DDoSing where they could come at some of these networks
to keep the feeds from successfully going out?
I do think denial of service will be a significant challenge, but more importantly,
I'm concerned about those networks and their virtual platforms, their multimedia platforms being commandeered to be pushing out ransomware against the audience.
We're seeing roughly 50% of all investigations nowadays that when an organization is breached by a cyber attack, that that organization's infrastructure is then in turn used to attack their customers, what we call island hopping.
What is your sense in terms of the Olympic Committee and the host country themselves of being adequately prepared for this?
The Japanese have a history of being proactive when it comes to cybersecurity.
In terms of the Olympic Committee's security posture, I have no idea.
I doubt they've paid as much attention to cybersecurity that they have to
physical security, whether it's from terrorist attacks or the pandemic itself. And I do think
that the dependence on multimedia platforms and the dependence on mobile applications for tracking
and security at the games could present a greater attack surface for hackers
around the world. What sort of things have we learned from past Olympics games here? And we
haven't had that many that have been in this online digital age that we find ourselves in
here today. But what do we know from the last couple rounds? What we've learned is that countries who feel like they've been scorned or
shunned from the games by the Olympic Committee for past actions or malfeasance or the reality
that they're, you know, autocracy that is anti this type of, you know, sporting event, more than
often than not, they react in cyberspace. And what I'm concerned about now is that we're going to see attacks that go beyond denial of service and attacks that go beyond just merely trying to steal monies from the audience and the participants.
But more importantly, I could see a phenomenon where you see a major cloud provider's infrastructure used to deliver ransomware attacks or see destructive attacks against the games
themselves in a cyber construct. Well, hopefully, you know, the committee and all organizations are
conducting regular threat hunts within their environments to ascertain whether or not a back
door or a behavioral anomaly exists now, one that could manifest into a more systemic
contagion and or delivery mechanism for destructive attacks and or ransomware.
That's Tom Kellermann from VMware.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant. And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security
and also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
Interesting story here from the Daily Dot, written by Andrew Weirich,
and it's titled,
Calls for Biden to Ban Facial Recognition Grow After GAO Reports Findings.
What's going on here, Ben?
So the GAO, the Government Accountability Office, released this report
that found that 20 federal agencies either owned or used facial recognition technology,
and that six of those agencies had employed the technology during the Black Lives Matter protests in the summer of 2020.
So not only were they reporting that this technology is widely used within federal agencies,
but that there was a lack of oversight on the part of these agencies.
And 13 agencies had reported to the GAO they didn't know
what non-federal facial recognition systems were being used by their employees. So a few things
are happening here. Basically, the GAO is saying, we need a way to track whether non-federal systems,
you know, systems that aren't subject to stringent federal oversight are being used by employees,
figure out what the risks are of these systems,
and put into place checks to make sure these systems aren't being abused.
And of course, the context of all of this is we know some of the pitfalls of facial recognition technology.
It has, of course, been found to have racial biases. Right.
And, you know, while the federal government hasn't really taken action to curb the use of facial recognition technology, we have seen cities, states, localities start to curb or put rules and regulations on the use of this tool because of its potential for abuse.
So this GAO report, I think, is going to be pretty widely read among some of the more civil libertarian-oriented members in Congress.
There was legislation introduced in the previous Congress to try and rein in the use of facial
recognition technology, and that effort has been replicated in the current Congress.
A bill has been proposed, just introduced in the last month, that would put a moratorium on the technology by the federal government.
Until, in the words of one political leader, we figure out what the heck is going on.
where Congress puts in a moratorium on the use of facial recognition technology unless the specific technology or system is approved by an act of Congress,
among other things, as part of those reform pieces of legislation.
We've seen some agencies kind of using end-arounds.
If there's a piece of technology that they want to use,
but maybe it's not directly accessible to them, they will engage with a contractor who then gets to use that.
Is this addressing any of that sort of thing?
Yeah, it does. are saying is unless we put widely applicable broad rules on law enforcement's use of facial
recognition technology, they are going to keep finding these loopholes. So that's why the
administration and Congress need to take action now because otherwise the agencies themselves
are going to be unfettered in trying to do an end around current regulations.
The fact that 13 of the 14 agencies they interviewed aren't tracking which commercial facial recognition products
their employees are using is a pretty big wake-up call
that there is just not sufficient oversight here.
Of course, you understand why law enforcement
needs to use facial recognition technology, wants to use it.
Right.
It's very useful in apprehending criminals, especially when you have thousands, millions of pictures and images
and you're trying to match up potential criminals to their faces.
You can understand why it's an effective tool.
Right, who was where when.
Exactly.
But, you know, without having any sort of uniform rules in place
about how this technology is used,
about what systems in
particular are being used, then it certainly is a recipe for disaster. So I think, and you know,
that's what the GAO is for. They put out these reports because members of Congress don't have
the time or resources to do that research themselves necessarily and figure out, you know,
these oversight gaps.
Is there generally,
is there bipartisan support for this sort of thing?
Are folks on both sides of the aisle cautious when it comes to facial recognition?
Yes.
I will say two things, though.
There's bipartisan support for more regulation
of facial recognition software
and bipartisan opposition.
Oh, interesting.
I just think it doesn't fall neatly along partisan lines.
I think it's kind of a horseshoe thing
where you have extreme left-wing civil libertarians
saying this has significant racial biases.
We need to put a stop to this
before it perpetuates systemic racism.
Right.
And then on the other side,
people on the right wing who say,
this is Big Brother, this is government overreach, this is targeting, you know.
There's something here for everyone to hate.
Exactly.
And then there's, you know, people in the middle of the horseshoe on both sides of the aisle
who are like, I kind of like to have this as a, you know.
We can see how this is an effective law enforcement tool.
Yeah.
So it just doesn't really neatly divide along those partisan lines, which I always find
interesting.
Yeah.
Yeah.
That is interesting.
All right.
Well, Ben Yelin, thanks for joining us.
Thank you. And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Justin Sabey, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yelin,
Nick Bilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.