CyberWire Daily - Bear prints in Oslo and Silicon Valley. Deepfakes may be finally coming... maybe... CISA issues ICS alerts, some having to do with AMNESIA:33. A quick trip through Patch Tuesday.
Episode Date: December 9, 2020
Norway calls out the GRU for espionage against the Storting. The SVR (probably) hacks FireEye. Huawei tested recognition software designed to spot Uighurs. 2021 predictions from Avast hold that next year might be the year deepfakes come into their own. CISA issues a long list of industrial control system alerts. Joe Carrigan looks at the iOS zero-click radio proximity vulnerability. Our guest is Matt Drake, director of cyber intelligence at SAIC, on what the recent elections can tell us about threat intelligence. And yesterday was Patch Tuesday--do you know where your vulnerabilities are? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/236
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.
Norway calls out the GRU for espionage against the Storting.
The SVR probably hacks FireEye.
Huawei tested recognition software designed to spot Uyghurs.
2021 predictions from Avast hold that next year might be the year deepfakes come into their own.
CISA issues a long list of industrial control system alerts.
Joe Carrigan looks at the iOS zero-click radio proximity vulnerability.
Our guest is Matt Drake, director of cyber intelligence at SAIC,
on what the recent elections can tell us about threat intelligence.
And yesterday was Patch Tuesday.
Do you know where your vulnerabilities are?
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, December 9th, 2020.
Security Week reports that Norway's PST, the country's domestic security and counterintelligence service, yesterday stated that Fancy Bear, APT28, a unit of Russia's GRU, was responsible for cyber espionage directed against the parliament in Oslo, the Storting, back in August. It was part of a campaign that may go back as far as 2017. The attacks weren't particularly exotic. Fancy Bear got access to Storting email accounts the old-fashioned way, by brute forcing them. Fancy Bear has been busy elsewhere too. The security firm Intezer this morning reported that the GRU actor is using COVID-19 phishbait to distribute Zebrocy malware.
FireEye disclosed late yesterday that its red-teaming tools had been accessed by a sophisticated attacker the company believes to have been a nation-state.
Some of the tools stolen were open-source, others proprietary and held for in-house use.
The company said no zero-days or unknown techniques were taken.
The New York Times says the attackers were almost certainly Russian.
Unlike the intrusion into the Storting's email system, however,
sources familiar with the matter told the Wall Street Journal
that the intruders weren't the GRU, but in all probability were the SVR, Russia's Foreign Intelligence Service, and one of the Soviet KGB's direct offspring.
Cozy Bear, APT29, is the best-known SVR threat actor.
Observers have shared several observations.
First, FireEye is by no means a clueless or inept operation.
This suggests that the attackers combined what the Johns Hopkins University's Thomas Rid characterized to the Wall Street Journal as confidence and recklessness.
Second, as CrowdStrike co-founder Dmitri Alperovitch said, FireEye isn't the first serious cybersecurity company to be hacked. He tweeted, quote, With the FireEye breach news coming out, it's important to remember that no one is immune to this. Many security companies have been successfully compromised over the years, including Symantec, Trend, Kaspersky, RSA, and Bit9, end quote. It's safe to assume that FireEye won't be the last either.
It's the biggest theft of cybersecurity tools, the New York Times points out, since the Shadow Brokers looted the Equation Group material from NSA in 2016.
Why would Cozy Bear be interested in FireEye red-teaming tools?
Of course, no one can be sure,
but one possibility is simply embarrassment of a capable security company
who's been called in to help in significant cyber espionage cases.
Another possibility is simple reconnaissance,
or perhaps such tools might have some utility in deniable false flag operations.
Wired sees the attack as a statement: having been either largely stymied or a relative no-show during the recent U.S. elections, Russia would like the Americans to realize that the bears are still there, at most snoozing, not hibernating. Maybe, but the timing isn't entirely clear either.
FireEye had nothing to say in response to TechCrunch's question
about when the attackers first gained access to its networks.
In any case, FireEye says it sees no signs of any of the tools having been used,
but that it's watching closely for any signs that the stolen material
is being either employed or distributed to other threat actors.
The company's quick disclosure is attracting good notices on Twitter.
The FBI has the incident under investigation.
Researchers at the security firm Cybereason this morning announced the discovery of a cyber espionage campaign that's using Facebook, Dropbox, Google Docs, and SimpleNote for command and control and the exfiltration of data from targets across the Middle East. There are signs in the campaign's tactics, techniques, and procedures that point to the MoleRATs, also known as the Gaza Gang, which Cybereason describes as an Arabic-speaking, politically motivated, advanced persistent threat.
The Washington Post writes that Huawei tested software designed to recognize ethnic Uyghurs and set off Uyghur alerts for Chinese authorities interested in keeping track of the disfavored, predominantly Muslim group. The Post sources its story to IPVM, a firm that tests and investigates video surveillance equipment. IPVM says it obtained its information from internal Huawei material. Huawei said it was all just a test, and the video security startup it worked with, a company called Megvii, said that its technology was never intended to target any particular ethnic group. It's noteworthy that IPVM didn't get the information through hacking or any form of corporate espionage. The company found it posted openly on Huawei's European website. Huawei took the file down when IPVM asked them about it. It's a disturbing, albeit not unexpected, report. It's also an object lesson in how informative open-source intelligence can be.
There's a great deal of agreement among security companies about what 2021 is likely to hold. Avast is among the firms who've just published predictions, and like most others, they see the COVID-19 pandemic as driving more attacks on home offices and filling cyberspace with more virus-themed chum. Vaccination scams should be especially prominent as effective vaccines enter distribution, and there will be no shortage of fraudulent medical offers. And since valuable data draw not only espionage but also various forms of denial of availability, pharmaceutical and medical organizations will continue to be targets of both criminals and nation-states.
We've been warned against deepfakes for a long time, but Avast thinks they'll finally show up, with significant effect, in disinformation campaigns during 2021. The technology has advanced sufficiently to render them potentially effective. The other technical advance Avast expects to see in the coming year is with respect to automation. The firm is more circumspect than many others have been about AI proper, pointing out that there has yet to be evidence of AI-based threats circulating in the wild. But they do think that growing datasets and knowledge bases will enable some hybrid threats to emerge. And of course, both adware and stalkerware will keep thriving.
The U.S. Cybersecurity and Infrastructure Security Agency has issued a large number of advisories concerning industrial control system vulnerabilities. As is usually the case with CISA advisories, they include links to and information about patches and mitigations. One of the advisories covers the Amnesia 33 vulnerabilities reported yesterday by Forescout. Another warning addresses a hard-coded credential issue in the proprietary software of some GE medical devices.
Yesterday was, of course, Patch Tuesday, and Trend Micro emailed us to share an evaluation that called Microsoft's patching historically light: 58 patches in all, with 9 rated critical, 46 important, and 3 moderate. Adobe was similarly light, 4 patches, affecting Adobe Prelude, Experience Manager, and Lightroom. So the year ends with more a whimper than a bang, as far as patching is concerned. RebZone Security calls December's Patch Tuesday the Good Riddance 2020 edition. On the other hand, CISA really had a lot to say about ICS issues. So let's not get cocky, kids.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology
Here, innovation isn't a buzzword
it's a way of life
You'll be solving customer challenges faster with agents
winning with purpose,
and showing the world what AI was meant to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Matt Drake is Director of Cyber Intelligence at SAIC and former Section Chief of the Cyber
Division of the FBI. He joins us with insights on how the recently completed election
can inform a cyber approach to threat intelligence as we head toward the new year.
There weren't the kind of incidents or the concerns, I shouldn't say concerns,
but we didn't have some of the issues that we had in previous elections.
And I think that's partially attributable to just the work that's gone in in the past few years, you know, at kind of all levels, whether it be, you know, the local municipalities are, you know, 8,000 ballpark, you know, voting districts out there, with state officials, with federal officials, with county officials, the National Guard, all of those entities kind of working together over the past few years to harden those systems and have a better understanding of how everybody works together. And I think you're seeing the results of that in this election.
And is it fair to say that it's probably more that than restraint on the part of our foreign adversaries?
Yeah, you know, it's hard to – I don't have any insight into their thought process and what it is that they're going after.
But, yeah, I mean, I suspect that there wasn't maybe the same effort there was, but I suspect if there was, we were on top of it. It's always kind of hard to tell, you know, if they backed off or if they kind of put the same effort into it and
we were just ready for them. I really don't know, but it does seem to be, certainly for whatever reason, a more successful election season from a cybersecurity perspective.
Well, I mean, with the things that you experienced when you were with the FBI back in 2016 and now observing what you have in this election cycle from the outside in 2020, what's your outlook? Are you optimistic going forward that we're headed in the right direction, that we're getting things under control in a good way?
Yeah, I'm optimistic that the cybersecurity piece of it is working well.
There's a part of me that thinks that looking back to 2016,
the intent of those intrusions wasn't necessarily, though,
to get in and change votes.
The intent of the intrusions may have very well been to just undermine the public's confidence in the election process. And you can turn into any channel you want these days, and you see that playing out. I think that has become the greater concern. The cyber attacks in 2016 might have planted that seed and might still be doing their work today, as the country is divided almost 50-50 on who won the election, questioning how elections are held, whether or not every vote is counted, whether or not every legal vote is counted. It depends on how you even say that. So I do think the cybersecurity part has gotten better. We've hardened the systems, and I think we've done a better job of putting in processes that allow us to talk to all the stakeholders in this and get information out quicker so people can react to it quicker. But I think from the cybersecurity perspective, I do think that we've gotten much stronger.
That's Matt Drake from SAIC. Thank you.
And joining me once again is Joe Carrigan from the Johns Hopkins University Information Security Institute,
also my co-host on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
A really interesting story came out of Google's Project Zero recently.
I wanted to touch base with you on this.
This was a fascinating one to me.
Can you just give us an explanation? What's going on here?
Yeah, so Ian Beer, who is a researcher at Project Zero,
found a buffer overflow attack in some C++ code in the Apple operating system
that allowed an attacker to run arbitrary code,
but the vulnerability was accessible via radio,
one of the radio services that the iPhone provides.
So you didn't need to actually touch the phone to do this or even access it via a network. You could send a radio signal with a properly crafted payload that would reboot the phone and allow access and let people access all kinds of information on the phone.
Yeah, it's a remarkable demo that they have here in their write-up too, where they have a whole dozen or so phones and they all reboot.
Yep. Every single one of them. This vulnerability has been patched because it is Ian's and Project Zero's policy to disclose these vulnerabilities responsibly. And they did a great job doing that.
I don't want to spend time talking about the technical details of this attack. I want to
talk about the implications and some of the things that are interesting that Ian says.
First, he says there's a great quote in this article, a couple of great quotes.
I'm going to read directly from what he wrote here.
The takeaway from this project should not be no one will spend six months of their life just to hack my phone.
I'm fine.
Instead, it should be one person working alone in their bedroom was able to build a capability
which would allow them to seriously compromise iPhone users they'd come in close contact with.
And Ian spent six months during this pandemic time.
He was up in his room in his bedroom or his lab just doing this at home.
And he found the vulnerability.
And imagine if he didn't report this.
And one of the things he talks about in the article
is imagine the power you feel
if you just have this capability
and you're just walking around with it.
Well, and these have high value as well.
A vulnerability like this
can be sold to the highest bidder.
Yes, and there are companies out there
that look for these things.
And in fact, while Ian says
he didn't see any evidence of this
being compromised in the wild, he did notice that there was a tweet from Mark Dowd, who's the co-founder of Azimuth Security, which is an Australian company, that tweeted about the patching of one of the vulnerabilities.
He reported to Apple, and that tweet came out in May.
So that was still while the vulnerabilities were undisclosed.
So when you disclose a vulnerability, you say, here are the vulnerabilities.
I'm not telling anybody else about this. Fix them. And Apple has a very good response to this. They go, yep, we'll fix these right away. This is a problem. And once they fixed
it, Mark Dowd tweeted, hey, they fixed a vulnerability. Now, there's a couple of things about this. One, whenever a patch for a vulnerability comes out, it's plainly visible to someone who has good reverse engineering skills what the vulnerability was in the operating system, because you have to fix it. And you can reverse engineer the code, compare the difference between the old code and the new code and go, oh, they fixed this. Oh, they fixed that because that's a buffer overflow, right?
But there's a Vice article from a couple of years ago that says that Azimuth Security is one of these companies that keeps these zero days. In fact, there's another company called Zerodium, which has in the past actually offered bounties up to a million dollars for these kind of things. One of the things that Ian says in this article is that unpatched vulnerabilities aren't like physical territory. This is another quote. Unpatched vulnerabilities aren't like physical territory occupied only by one side.
Everyone can exploit an unpatched vulnerability.
And this is the crux of the entire keeping vulnerability secret issue.
It doesn't make you more secure by keeping the vulnerability hidden from the manufacturer
or the people responsible for the code.
It makes everybody less secure.
Chances are you're not the only person that found this vulnerability. There are people out there who have also found it. There are people out there who are looking for it. I guarantee you that. They're always out there looking for it. And when they find it, there are unethical people out there who are going to try to utilize it. They're not going to report it. So when you find it, if you're an ethical person, it's great if the first thing you do is to report it.
Yeah, absolutely.
All right.
Well, for sure, this is an interesting bit of research here for Ian Beer.
We've reached out to him, hoping to get him on Research Saturday to discuss the work here.
Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Sometimes you feel like a nut, sometimes you don't.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you.
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.