CyberWire Daily - Charming Kitten’s smishing and phishing. Solorigate updates. Supply chain attacks and the convergence of espionage and crime. Greed-bait. Ring patches bug. Best practices from NSA, CISA.
Episode Date: January 15, 2021
Well-constructed phishing and smishing are reported out of Tehran. Estimates of SolarWinds compromise insurance payouts. Notes from industry on the convergence of criminal and espionage TTPs. Social engineering hooks baited with greed. Ring patches a bug that could have exposed users' geolocation (and their reports of crime). Advice on cyber best practices from CISA and NSA. Robert M. Lee has thoughts for the incoming Biden administration. Our guest is Sir David Omand, former Director of GCHQ, on his book, How Spies Think: Ten Lessons in Intelligence. And an ethics officer is accused of cyberstalking. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/10
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Well-constructed phishing and smishing are reported out of Tehran.
Estimates of SolarWinds compromise insurance payouts.
Notes from industry on the convergence of criminal and espionage TTPs.
Social engineering hooks have been baited with greed.
Ring patches a bug that could have exposed users' geolocation and their reports of crime.
Advice on cyber best practices from CISA and NSA.
Robert M. Lee has thoughts for the incoming Biden administration.
Our guest is Sir David Omand, former director of GCHQ,
on his book, How Spies Think, Ten Lessons in Intelligence.
And an ethics officer is accused of cyberstalking.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, January 15th, 2021.
Iranian cyber campaigns have been overshadowed by the probably Russian Solorigate operations,
but Charming Kitten was active over the holidays.
ZDNet cites a Certfa Labs report on Christmas and New Year-themed phishing and smishing that appears to have enjoyed some success.
The campaign represents the second time Charming Kitten has been able to hide behind legitimate Google URLs.
Certfa, which specializes in monitoring Tehran's online activities, says that the campaign was interested in members of think tanks, political research centers, university professors, journalists, and environmental activists in the countries around the Persian Gulf, Europe, and the U.S.
The smishing aspects of the campaign used texts that represented themselves as Google account recovery messages.
The text itself is idiomatic and plausible, without the typographical or usage eccentricities that so often mark smishing, and the URL which the victim is invited to follow in order to confirm their identity also looks more legit than usual, given that it begins with the reassuring google.com.
The phishing was comparably well-constructed and plausible.
It was also more varied and to some extent tailored to cater to the probable interests and predispositions of the recipients.
These emails generally communicated holiday greetings.
Both the phishing and the smishing used redirect services, the better to bypass email security systems.
The holiday campaign represented, Certfa thinks, a continuation of earlier efforts,
and Charming Kitten can be expected to remain comparably active and inventive in the coming months.
As Solorigate remains under investigation,
BitSight tells CRN that one aspect of the campaign,
the supply chain attack that backdoored SolarWinds' Orion platform,
could cost insurers some $90 million.
If that seems low, consider that a large fraction of the most seriously affected victims were U.S. government agencies that normally don't carry cyber insurance,
and also consider that the incident is still relatively new, with a great deal more investigation to be done.
Intel 471 argues that Solorigate displays the continuing convergence of criminal techniques and cyber espionage tactics.
Supply chain attacks started as a technique in the cyber criminal underground, and their utility in espionage is now also evident.
"Started in the cyber criminal underground" is perhaps overstated.
Supply chain attacks haven't been overlooked by intelligence agencies, as Intel 471 itself notes.
2016's NotPetya incident, in which software updates for the Ukrainian accounting software package M.E.Doc were compromised to spread malware that masqueraded as ransomware, was a software supply chain incident credibly attributed to Russian intelligence services.
And there have been, over the past decade, numerous accounts of hardware supply chain poisoning,
some of which have been partially confirmed, some debunked, and others left undetermined.
Again, as Intel 471 says, the tactics, techniques, and procedures of a supply chain attack are attractive to both criminals and intelligence organs.
There's another reason for the confluence.
There appears to be an increasing tendency for governments to outsource development of some attack tools.
That's attractive for a number of reasons, economy and deniability figuring prominently among them.
Bitdefender describes a resurgence of the Remcos remote access Trojan, engaged, as RATs so often are, in credential theft.
In this case, Remcos used COVID-19 phish bait in its spam and concealed additional malicious payloads steganographically in popular viral images.
The campaign also featured anti-reverse engineering elements.
Remcos has been out and making a nuisance of itself since 2017 at least.
Bitdefender says the current ongoing surge began late last summer.
Remcos has seen a good deal of use by criminals.
In another example of the convergence of crimeware with spyware,
it's also been used by APT33, thought to be run by Iran, and the Gorgon Group, which researchers have associated with both criminal gangs and Pakistani agencies.
Coronavirus phish bait has also been used in large-scale business email compromise campaigns.
Proofpoint reports that the lures generally appealed to greed rather than fear.
Typical bait, with the "act now" urgency that characterizes social engineering and business email compromise, dangles predictions of a coming vaccine-driven global economic boom, offering big profits to savvy early birds.
Other bait suggests investment opportunities in distressed companies, sure to turn profits post-turnaround, or even the mundane notice about a vaccine-related shipment.
Ring, the smart doorbell unicorn acquired by Amazon, says that it's fixed a privacy issue with its next-door neighborhood watch functionality.
TechCrunch reports that hidden geolocation data and message metadata could have been exposed via a bug that enabled those who knew where to look to retrieve the data.
The vulnerability was worrisome in that it could have exposed the locations of the homes
of those who, for example, reported crimes.
U.S. federal agencies, and by implication those in the private sector who do business with them,
have been given two more bits of guidance on sound practice.
The Cybersecurity and Infrastructure Security Agency has recommended using ad blockers
and taking other steps to secure browsers as a means of protecting against malvertising.
CISA's advice comes in three parts.
First, standardize and secure web browsers according to leading practices.
This reduces attack surfaces, simplifies monitoring, and makes both configuration and patch management easier.
Next, use ad blockers.
This not only reduces the risk of malvertising itself and attendant malicious redirects, but cuts the risk of unauthorized data collection and improves client-side performance.
And finally, isolate browsers from operating systems, with many attendant gains in security, flexibility, and efficiency.
NSA has warned against regarding DNS over HTTPS, known by the acronym DoH, as a security panacea.
ZDNet says that the bottom line of NSA's advice is for organizations to host their own DoH resolvers and avoid sending DNS traffic to third parties.
And finally, there's a cyber-stalking case in Florida.
ThreatPost reports that the former ethics officer for the city of Tallahassee
has been arrested and charged with cyber-stalking a former inamorato who also worked for the city.
The arrest was made Monday, and the judge has ordered her to stay away from the sometime object of her affections
and also to keep off the internet until her trial is over.
The former ethics officer, who had been responsible for, among other things,
training Tallahassee's civil servants and office holders in, well, ethics,
should be considered innocent of the misdemeanor until proven guilty.
Still, one is tempted to think, physician, heal thyself.
Sir David Omand is visiting professor at King's College London and former director of GCHQ,
the UK government's intelligence and security organization.
He's author of the recently published book, How Spies Think, Ten Lessons in Intelligence.
Sir David Omand, thank you for joining us.
It's a pleasure.
Well, let's begin with the book here.
What prompted you to write the book, How Spies Think?
I started writing this book after seeing how, first of all, the British Brexit referendum and then the 2016 US presidential election were being reflected in social media.
And I was getting increasingly cross at the way that I saw this rising tide of half-truths and distortions trying to persuade us online of what we ought to think and want, not to mention some outright falsehoods and deceptions, and not just coming from Russia, aimed at widening divisions in society and increasingly setting us at each other's throats.
Well, the book sets up a framework that you all used in British intelligence that you maintain is useful for all of us as we try to deal with this misinformation quite often.
Can you take us through, I mean, how does someone trained the way that you were approach this sort of information?
I've coined an acronym, SEES, S-E-E-S, for the four kinds of output that rational analysis can give a decision maker.
And the first S in SEES is situational awareness, facts on the ground.
But facts on their own tell you nothing.
It's only when you explain them, when you put them in a context, that they actually have meaning for us.
And this can be really quite difficult.
This is E, the first E in SEES, the explanation of what you're seeing.
I mean, every defence lawyer knows this.
But if you've got a good explanation and enough data, then you can estimate how things might evolve.
And this is, for the decision maker, really what they want to know.
It's looking ahead.
It's saying, on the basis of these assumptions, this is what we expect to see happening next.
And this answers questions that start with why or what for.
But whilst you're focused on those first three, situational awareness, explanation and estimation, something totally unexpected is liable to come and hit you on the back of the head.
So I round off the acronym, the final S, with strategic notice.
That is giving the decision makers some advance warning of things that might come and disturb them, dangerous developments in the future.
Taken all together, if you have those four outputs, then you can, I think, take good evidence-based decisions.
What do you hope that people take away from it?
What do you hope that someone who reads the book learns from it?
Well, the top-line message would be, be much more aware in this digital era as you use social media.
Be aware of what is happening to you.
You are being emotionally manipulated.
And whether it's for commercial purposes, advertising that is targeted at you,
whether it's political advertising that's targeted at you,
or indeed whether it's hostile interference in your democracy targeted by an adversary country, be aware of that.
Not everything you read is true.
And I think that sense of just being more careful.
And that leads inevitably into the kind of analysis you need to carry out, the kind of thinking, let's call it just thinking.
You just have to be a little more careful how you think in this era.
And politicians have to be more responsible about, although they can try and manipulate us emotionally using social media, for example, they shouldn't.
They should get back to a much more rational conversation with their voters.
Well, the title of the book is How Spies Think, Ten Lessons in Intelligence.
Sir David Omand, thank you so much for joining us.
It's been a pleasure.
Don't forget we have extended versions of many of our CyberWire interviews as part of CyberWire Pro.
You can find out more about that on our website, thecyberwire.com.
And I'm pleased to be joined once again by Robert M. Lee.
He is the CEO at Dragos.
Rob, it's always great to have you back.
We have got a new presidential administration coming into Washington.
And I wanted to get your take on advice that you would have for an incoming administration from the ICS point of view.
What sort of advice would you share?
Great.
So I've been giving advice to those that have asked in the transition team and similar.
I'm happy to share it publicly.
There's a couple key things I think are really relevant.
And really, I'll start at the strategic level and then dig into maybe some more tactical areas.
So number one, at a strategic level, when you think about cybersecurity, whether it's infrastructure-related or not,
one of the core problems we've consistently had is a misunderstanding of roles and responsibilities of the private sector and the government.
And the reality is the government's involvement, contributions, and sometimes just direct funding of efforts in the private sector have been really well met.
I mean, there's been a lot of things that they've done
that have absolutely helped the community.
At the same time, when you have success,
or maybe you have a big mandate from somebody like Congress,
and you try to go satisfy that mandate,
you very naturally start running into conflict with the private sector.
And fundamentally, I'm a strong advocate
that tax-paying entities should not be competing with tax-paid entities.
And it's not just on the ethics of that statement,
it's actually in the fact that one of the United States' greatest strengths
is the ability to have a well-functioning government and a well-functioning private sector.
Hollywood has done more for diplomacy
by teaching kids in Norway English than an embassy
in that location would. The Silicon Valley and Maryland
cyber hubs, if you will, of technology and
innovation and the things that come out of that
far outpace and outperform
any innovation that's happened in government.
And that's a good thing.
We even saw government take great advantage of this
with the Defense Industrial Base.
We don't build airplanes.
We go and talk to Raytheon and Northrop and Boeing
and we partner and we figure out how to create
best-in-class weapon systems.
And so in the same way, my probably guiding advice is, number one, clarify the roles and responsibilities, because there's fights in our agency that's confusing.
When I get CEOs of power manufacturing companies that ask me, like, who are we supposed to call?
Because when the FBI comes in, they say, call me when there's an incident.
DHS comes in, call me for this.
DOE comes in, call me for this.
And we have sector-specific agencies,
and we should very much figure out
and stick to roles and responsibilities.
At the same time, stop telling the private sector
that you can do things that you can't.
Hey, we'll be your incident response team.
You've got four people on the team,
you don't even have the legal authorities, stop it.
And so figuring out how to balance that,
or the idea that government's going to be creating technology
that competes with the private sector, absolutely ridiculous.
So said simply, if you call the ball, you got the ball.
If you say, hey, I'm on it, you've got to own it.
And the private sector will instantly wash their hands of it and go, cool, they've got it.
But if you can't scale the mission everywhere, and you can't really do what you're calling,
then you've got to not do it,
otherwise you're going to confuse the heck out of folks.
Digging in beyond that,
I would say that cybersecurity can be and should be nonpartisan.
We have seen this to great effect.
When I went and testified at the U.S. Senate Energy and Natural Resources Committee in 2018, it was Republicans and Democrats at a very divisive time in the United States, right?
2018, 2019, 2020, definitely very polarized politics.
And the committee was great.
And you couldn't pick out which ones were Republicans or Democrats
on the ways they were asking the questions
because everybody cared that we wanted to have secure and reliable
electric and gas and water infrastructure.
Everyone agreed with that.
We might have debated about the how,
but we all agreed that this was worth doing
and something that had a role for the private sector and a role for government.
So keeping that bipartisan or nonpartisan nature of cybersecurity needs to be forefront.
And we need to make sure that we're playing to our strengths.
Those are kind of the two biggest themes.
I've got plenty of tactical suggestions.
I make them, hey, here's what's going on here.
Hey, please don't stand up yet another committee.
Don't stand up yet another agency.
We have too much stuff.
You need to button it up, if anything.
There's all sorts of tactical things,
but at a strategic level,
if we make cybersecurity nonpartisan,
if we play to our strengths,
and if we clearly define those strengths and roles and responsibilities,
we will be in a much better place nationally.
All right. Well, Robert M. Lee, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Discover your own backyard.
Listen for us on your Alexa smart speaker too.
Don't miss this weekend's Research Saturday and my conversation with Selena Larson from Dragos on a pair of activity groups they've been tracking who now possess ICS-specific capabilities and tools to cause disruptive events.
That's Research Saturday.
Check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Ivan,
Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.