CyberWire Daily - Buhtrap gets into the spying game. US cyber operations against Iran considered: there are both strategic and Constitutional issues. Election security. Water bills. And again with the WannaCry.
Episode Date: July 12, 2019. Buhtrap moves from financial crime to cyber espionage. There may have been as many as three distinct US cyber operations against Iran late last month. The US legislative and executive branches continue to try to sort out Constitutional issues surrounding cyber conflict. The US Intelligence Community tells Congress that there are “active threats” to upcoming elections. One city’s cyber woes will be expressed in water bills. And WannaCry may ride again, if you don’t patch. Mike Benjamin from CenturyLink on DNS tunneling they’re tracking. Guest is Martha Saunders, President of the University of West Florida, on how her institution is adapting to meet the workforce needs for cyber security professionals. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_12.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Buhtrap moves from financial crime to cyber espionage.
There may have been as many as three distinct U.S. cyber operations against Iran late last month.
The U.S. legislative and executive branches continue to try to sort out constitutional issues surrounding cyber conflict.
The U.S. intelligence community tells Congress that there are active threats to upcoming elections.
One city's cyber woes will be expressed in water bills.
President of the University of West Florida joins us to tell us
how her institution is adapting to meet the workforce needs for cybersecurity professionals.
And WannaCry may ride again if you don't patch.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 12, 2019.
Buhtrap, the threat group previously known for criminal raids on Russia's financial sector, has moved on to cyber espionage, targeting organizations in Eastern Europe and Central Asia.
ESET says Buhtrap has recently been exploiting a local Windows privilege escalation vulnerability, CVE-2019-1132, against its victims.
Bleeping Computer reads the move from theft to espionage,
which may have been in progress for some time,
as an instance of the growing interpenetration of criminal gangs and intelligence services in many parts of the world.
That interpenetration may involve leaks and false flag operations.
As ESET's timeline indicates, Buhtrap's backdoor was first noticed operating against Russian businesses in April of 2014.
In the fall of 2015, it was used against Russian financial institutions, and shortly thereafter the first intrusions into unspecified government networks were observed.
The group's source code leaked in February of 2016, and now it's appearing in espionage operations.
Lawfare takes a look at U.S. cyber operations mounted as a response to Iranian attacks on shipping in the Gulf region, and of course Iran's shoot-down of a U.S. Global Hawk drone.
They conclude that perhaps three distinct actions took place.
Here are the operations that have been reported.
First, there was apparently an attack against the command and control system of missile units.
Second, there were allegedly attacks against the networks of an intelligence organization
closely linked to Iran's Revolutionary Guard.
And third, there are said to have been attacks directed against the networks of Kataib Hezbollah,
a paramilitary organization linked to Iran's government.
Lawfare notes that U.S. Cyber Command has issued no statements on the matter
and seems, as the journal put it,
quote, content to wait out the news cycle without correcting the record, end quote.
We note the vagueness of the target descriptions that have appeared in the media.
Computer systems used to control rocket and missile launches
could mean any number of things, for example.
A digital command network, a fire direction computer,
a voice-over IP phone a battery commander might use to get instructions from higher-ups,
the device a launcher section chief uses to receive email.
All of these, or some combination of them.
We tend to imagine these operations as being similar to hacks conducted against other enterprises,
and perhaps such vagueness, from Cyber Command's point of view, is a feature, not a bug.
The operation displays the sort of strategic ambiguity that can be valuable in deterring an adversary.
You might want to let the adversary know that you have the capability of disrupting their operation,
but you'd probably want to leave them guessing about the exact cards you held.
But strategic ambiguity is one thing.
Constitutional ambiguity is quite another.
The U.S. executive and legislative branches are still sorting out, with the kind of check-and-balance acrimony customary in such matters, exactly what authorities the president has to conduct cyber operations without explicit congressional authorization.
The question isn't clear.
Representative Langevin, Democrat of Rhode Island,
is the most recent member to call for an accounting,
but he's not asking for a declaration of war either.
Just proper constitutional oversight,
and what counts as such oversight is always a matter for interbranch wrangling.
Representative Langevin has offered an amendment to the National Defense Authorization Bill.
If it sticks, the bill would give the administration 30 days to fork over copies of all of the National Security Presidential Memoranda concerning Defense Department operations in cyberspace.
Presumably, that means offensive operations, which is where the dispute lies.
U.S. intelligence community officials briefed Congress this week on potential threats to the 2020 elections.
Their consensus was that, of course, there's a risk of interference in the upcoming elections, with unspecified active threats in the offing.
The briefings themselves were classified, but their upshot seems fairly clear from press reports.
The threat foremost in the collective congressional mind is Russia.
The intelligence officials are said to have addressed both threats and the measures being taken at the federal level to counter those threats.
The Federal Election Commission has decided in this regard that political campaigns may legitimately accept cybersecurity services from vendors at a discount or even for free.
The concern had been that such offers might constitute an illegal in-kind contribution, but the FEC says no, it doesn't, at least provided the vendors offer comparable services under similar conditions to other non-political not-for-profits.
Among the effects of Baltimore's ransomware incident, the Baltimore Sun reports, will be very large water bills, as the city slowly brings its billing systems back online.
Residents are told they'll receive a bill covering three or more months. Smart money is on more.
Your water tab will be a whopping big one, Charm City, which is what happens when a municipal government throws the dice on security and craps out.
Finally, there are renewed warnings this week about the possible return of WannaCry, but WannaCry is no problem anymore, right?
I mean, it hit two years ago.
After all, the EternalBlue vulnerability it exploited to spread was patched a long time ago, right?
Well, yes, and the malware as it was would affect only unpatched systems.
Unfortunately, there remain an awful lot of unpatched systems out there.
Recent Shodan searches estimate that the number of unpatched endpoints in the U.S. alone is running as high as 400,000.
So let's say you're among the great unpatched.
Please patch.
If not for your own sake, do it for the rest of us.
Herd immunity wants you.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life. You'll be solving
customer challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their
controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access
reviews, and reporting, and helps you get security questionnaires done
five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform [...] already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Mike Benjamin. He's Senior Director of Threat Research at
CenturyLink's Black Lotus Labs. Mike, it's great to have you back. I wanted to touch base with you
today about DNS tunneling and hoping that you could describe
to us, first of all, what it is and why folks are choosing to use it.
Yeah, thanks, Dave.
So we all know DNS.
Every computer uses it to resolve hostnames, to IPs, and find mail servers and all this
other stuff in our environments, whether it be our house or business.
And so many of us don't think much about it being there.
Many folks don't even restrict to what can query what through their environments.
However, you'll find environments that allow DNS through,
but don't allow any other services out or in.
In many cases, they're content filtering and man-in-the-middle proxying HTTP traffic,
but letting DNS through.
And so that's a dangerous scenario because that allows someone to send arbitrary traffic.
And you might think, it's DNS, how can it be arbitrary?
But the question asked of the DNS server is provided by the user or the host.
And so DNS tunneling is a situation where the host name that they look up can contain encoded characters.
You think about basic binary encoding with base 64.
Base 64 messages can be split up into host names, run thousands of queries.
And if you control the server that's authoritative for that question, you've now successfully sent data through an environment where you should not be able to send data.
And so it's a very common attack that we see for a pen tester group coming into an environment to show why DNS should be locked down.
But we also see it used for exfiltration of data by more sophisticated actors, and it can be pretty loud inside an environment.
Now, what is the rationale for why folks would leave DNS accessible when they'd be filtering other things?
They're not thinking of it as an attack vector. That's the most simple example.
The other is that when they host authoritative zones inside a business, you'll find many businesses have a sort of private zone for their internal data centers, their internal host name resolution.
They often don't think about the fact that those are recursive resolvers to the open internet.
And so they may be locking down the name lookup to just that handful of hosts.
Those things, because of the very nature of DNS tunneling, they don't ask the same question.
They're not cached questions.
And so therefore, if I break my base64 message into 10,000 queries, all 10,000 can make it through to the authoritative server, and I can still succeed.
So fully locking it down can be a difficult thing to do.
Now, when folks are trying to hide data within these DNS queries, how are they going about doing that?
Yeah, that's a great question. I've said now twice that base64 is a simple way to do it.
However, most folks will know that you can decode a base64 message. So they will then XOR it, they will then even encrypt it.
And so anything that can get it through to a host name resolvable set of characters is viable. And any obfuscation, encryption, any other methodology can allow that to happen.
And so while it might be very easy to go grab a group of data and try to brute force it with some simple base64 and XOR decoding, the encrypted messages can be far more difficult.
And so there is, you think about encryption methodologies, it's not a very difficult thing to do. So pretty low threshold for fully obfuscating what's going on inside that payload.
And in terms of mitigation, what are your recommendations there?
Well, the first is logging. You know, you'll find that as a security community, we all talk about protection and then monitoring.
So we need to monitor what's going on inside of DNS servers.
The nice thing about DNS tunneling is it tends to be very loud. So I mentioned that the actor needs to control the authoritative name server.
And so in a typical attack here, what you'll find is that there'll be tens of thousands of queries all to one domain.
That should stand out as an anomaly in those log sets.
You'll also find often that the domain that's utilized tends to be a newly registered domain or something that at least has a very low volume in a baseline.
And so simple statistical anomalies on domain lookups can immediately make these sort of attacks jump to the top of the list.
All right. Well, interesting information. Mike Benjamin, thanks for joining us.
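The tunnel Mike Benjamin describes (a payload split into hostname labels, reassembled at the authoritative server) and the volume-based detection he recommends, as an added example that is not from the podcast or from Black Lotus Labs. It assumes a hypothetical attacker-controlled zone tunnel.example.net, uses base32 rather than the base64 he mentions because hostnames are case-insensitive and cannot carry '+', '/' or '=', and runs the detector over constructed log lines loosely modelled on BIND's query log.

```python
import base64
import math
import re
from collections import defaultdict

MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # RFC 1035: a full name in presentation form is at most 253 characters


def encode_for_dns(data: bytes, domain: str) -> list:
    """Split `data` into query names under the attacker-controlled `domain`.

    Base32 (lower-case, padding stripped) keeps every character hostname-safe.
    The first label is a sequence number so the receiver can reassemble chunks
    that arrive out of order or through different resolvers.
    """
    text = base64.b32encode(data).decode().rstrip("=").lower()
    suffix = "." + domain.strip(".")
    names, seq, pos = [], 0, 0
    while pos < len(text):
        seq_label = f"s{seq}"
        budget = MAX_NAME - len(suffix) - len(seq_label)  # each further label costs 1 + len
        labels = []
        while pos < len(text) and budget >= 2:
            take = min(MAX_LABEL, len(text) - pos, budget - 1)
            labels.append(text[pos:pos + take])
            pos += take
            budget -= take + 1
        names.append(".".join([seq_label] + labels) + suffix)
        seq += 1
    return names


def decode_from_dns(names, domain: str) -> bytes:
    """Reassemble the payload from the names that reached the authoritative server."""
    suffix = "." + domain.strip(".")
    chunks = {}
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        chunks[int(labels[0][1:])] = "".join(labels[1:])
    text = "".join(chunks[k] for k in sorted(chunks)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def _entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0 for an empty string."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


# Loosely modelled on a BIND query log line: "client 10.0.0.5#40000: query: www.example.org IN A +"
LOG_RE = re.compile(r"client (?:@\S+ )?(\d+(?:\.\d+){3})#\d+.*?query: (\S+) IN (\w+)")


def detect_tunneling(log_lines, min_unique=50, min_entropy=3.5):
    """Group queries by registered domain and flag those whose traffic looks like a tunnel.

    Tunnels show many unique, high-entropy names under one domain, which is the
    "tens of thousands of queries all to one domain" anomaly. The registered domain
    is approximated as the last two labels; use the public suffix list in production.
    """
    per_domain = defaultdict(lambda: {"queries": 0, "names": set(), "entropy": 0.0})
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group(2).lower().rstrip(".")
        labels = qname.split(".")
        stats = per_domain[".".join(labels[-2:])]
        stats["queries"] += 1
        stats["names"].add(qname)
        stats["entropy"] += _entropy("".join(labels[:-2]))
    report = {}
    for domain, stats in per_domain.items():
        mean_entropy = stats["entropy"] / stats["queries"]
        report[domain] = {
            "queries": stats["queries"],
            "unique_names": len(stats["names"]),
            "mean_subdomain_entropy": round(mean_entropy, 2),
            "suspicious": len(stats["names"]) >= min_unique and mean_entropy >= min_entropy,
        }
    return report


# Constructed sample traffic: ordinary lookups repeated, plus one tunnelled payload.
NORMAL_QUERIES = ["www.example.org", "mail.example.org", "cdn.example.org"] * 20
TUNNEL_DOMAIN = "tunnel.example.net"  # hypothetical attacker-controlled zone
PAYLOAD = bytes(range(256)) * 40


def make_log(qnames, client="10.0.0.5"):
    """Render query names as constructed log lines in the shape LOG_RE expects."""
    return [f"client {client}#{40000 + i}: query: {q} IN A +" for i, q in enumerate(qnames)]


if __name__ == "__main__":
    tunnel_names = encode_for_dns(PAYLOAD, TUNNEL_DOMAIN)
    assert decode_from_dns(tunnel_names, TUNNEL_DOMAIN) == PAYLOAD
    for domain, stats in detect_tunneling(make_log(NORMAL_QUERIES) + make_log(tunnel_names)).items():
        print(domain, stats)
```

The thresholds are illustrative: in a real deployment the unique-name count should be compared against each domain's own baseline, and domain age (newly registered) is a separate signal worth joining in, since encryption or XOR of the payload, as Mike notes, changes nothing about the volume and entropy the detector keys on.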
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
My guest today is Martha Saunders. She's the president of University of West Florida, a public institution with nearly 13,000 students.
They've made significant investments in their cybersecurity programs and have been named a National Center of Academic Excellence in Cyber Defense Education by the NSA and the Department of Homeland Security.
We're in Pensacola, right on the Gulf, about 20 miles from the Alabama line, so in the panhandle.
We have about 13,000 students. By national standards that would make us midsize. By Florida standards, we're kind of on the small side.
Our part of Florida, there's very strong military influence here. And one of the reasons cybersecurity has hit so fast and so hard for our university is partly because of that connection.
And so what part does cybersecurity play with UWF?
We started our Center for Cybersecurity really not even five years ago.
We are always tuned in to workforce needs, what we need to be doing next. We realized that that was certainly a growing area, with lots of demand and lots of opportunities.
So we started the center, not quite sure which direction we were going to go, and it quickly took hold here. We got our CAE designation in record time, and we are now one of the eight CAE regional resource centers in the nation, and we serve the southeast in that capacity.
We partner a lot with the state. We partner with industry. We partner with other universities as well to do a number of things.
We train students. We have the only CAE-designated Bachelor of Science in Cybersecurity in the state. And we will soon offer a Master of Science in Cybersecurity.
But the niche that has really been very compelling and high demand for us is to find ways to upskill and reskill individuals and organizations for cybersecurity jobs.
We all know that there is a high demand. There are a lot of jobs waiting to be filled. And we can't just go raid each other's stables for workforce.
There's just too much demand. And so it became very clear that there were great opportunities to upskill existing workforce and reskill in order.
And we're doing that with the state and doing an awful lot of training in that way.
So what are the unique needs and demands of folks who are coming to you who may be in a mid-career change or are looking to go after cybersecurity careers and may not be right out of high school?
I think the challenge is making the right connection for them.
People come into this area from a lot of different directions, a lot of different paths.
It is highly multidisciplinary.
So we could have someone coming from a political science background that would find a perfect niche, but we have to match their existing skills to the job demand. And that's labor intensive. It requires good counseling and good coaching.
How does a university like yours keep pace with the velocity of change in cybersecurity?
It is moving fast and we stay connected and we listen. One of the advantages of a university like ours is that we are quite agile. We can move responsibly.
We have advisory committees that come in from industry and say, all right, I know we told you last week your students need to be learning A, B, and C.
All right, now it's D, E, and F.
How quickly can you adapt?
And we can move very, very quickly.
So I think that has been a good opportunity for us in that we listen and we can respond readily.
And what do you see as the future of education in cybersecurity? What's on your horizon?
I think that cyber, like anything else, as we know it today, will evolve and change. Our job at a university is to be ahead of the change, to be ready to adapt for that change.
And there certainly are plenty of challenges out there. Hiring qualified faculty is a challenge that I'm sure many universities face.
Also, getting the proper security clearances for our students so that they are ready to go straight into a job has been an interesting challenge as well.
And what is your advice for that person who thinks that cybersecurity is something they want to explore and they want to start shopping around for a university like yours? Any tips for things they should be looking for?
I think it is such a diverse field now. I would certainly advise them to start looking around, do your searches, see what each university offers, what credentialing a certain industry may offer.
One of the areas that I think is greatly in need are small businesses. The same stresses are there, but how do you prepare small businesses for the challenges and the threats of security challenges?
So I think a student would also want to think about the industry that may interest them. Maybe they're interested in health care, and what kind of cybersecurity challenges might exist there.
And think about where they want to live, what industry they might want to serve, and back up from there. Plenty of opportunities for them.
Yeah, I mean, that's an interesting insight. I think it makes me wonder, at an institution like yours, are there opportunities on campus where if someone has an interest in healthcare and cybersecurity, those are things they can explore simultaneously?
Yes.
And we do that, again, through our Center for Cybersecurity.
We have people on hand to counsel the students and say, you know, here is the skill set you're bringing to us.
Here are some directions that you might want to go.
That, again, is labor intensive. It requires making sure that we are listening equally to the industry and what they're telling us and then to our students and what their needs are.
That's Martha Saunders. She's president at University of West Florida.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions
that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI and data products platform comes in. [...] Gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.