CyberWire Daily - Cozy Bear never really left. Iran denies it suffered a US cyberattack. Malicious WAV files. Darknet dragnet hauls in child exploitation ring. Graboid infests Docker hosts.

Episode Date: October 17, 2019

Cozy Bear isn't back--Cozy Bear never really left at all. Iran says the Americans are dreaming: there was no cyberattack in retaliation for Iran's implausibly deniable missile strikes on Saudi oil fields last month. Malicious audio files are dropping cryptominers and reverse shells into victim systems. An international dragnet collars hundreds in a darknet child exploitation sweep. And Graboid is out there, worming its cryptojacker into susceptible Docker hosts. Robert M. Lee from Dragos on their contribution to the Splunk Boss of the SOC (BOTS) capture-the-flag (CTF) competition. Guest is Chris Hickman from Keyfactor on Public Key Infrastructure. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_17.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Cozy Bear isn't back. Cozy Bear never really left at all. Iran says the Americans are dreaming. There was no cyber attack in retaliation for Iran's implausibly deniable missile strikes on Saudi oil fields last month.
Starting point is 00:02:09 Malicious audio files are dropping crypto miners and reverse shells into victim systems. An international dragnet collars hundreds in a darknet child exploitation sweep. And Graboid is out there worming its cryptojacker into susceptible Docker hosts. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 17th, 2019. Cozy Bear, Fancy's quieter cousin, is back, or as ESET puts it in a study released this morning, Cozy Bear never left. Operation Ghost was discreetly successful in penetrating and collecting against a number of European diplomatic targets, including at least one country's Washington embassy.
Starting point is 00:02:54 Cozy Bear, which ESET calls the Dukes and others call APT29, is probably a unit of Russia's SVR foreign intelligence service, although the FSB is also sometimes associated with the group. Both the SVR and the FSB are institutional descendants of the old Soviet KGB. Operation Ghost was characterized by patient determination and careful use of steganography. Cozy Bear came to widespread attention when its tracks were detected in the U.S. Democratic National Committee during 2016. Fancy Bear noisily blew the gaff for both groups. Had Fancy Bear not stomped through with nary a concession to quiet decorum,
Starting point is 00:03:35 Cozy Bear might have rested quietly, undisturbed, and alertly observant in the political party's networks for many more months. There's been nothing new on that U.S. cyber attack against Iranian propaganda capabilities since two U.S. officials talked to Reuters about it on background. But Iran's Minister of Communications and Information Technology did tell the Fars News Service that as far as Iran could tell, nothing happened. Quote, the Americans must have dreamed it. End quote. The security firm BlackBerry Cylance has discovered malicious code that evades detection by hiding in WAV audio files. The payload is often an XMRig Monero CPU miner.
Starting point is 00:04:16 The other payload commonly dropped is a Metasploit code that establishes a reverse shell. BlackBerry Cylance researchers found both payloads in the same environment, which suggests to them that the hoods responsible are running a two-pronged campaign to deploy malware for financial gain and establish remote access within the victim network. Hiding in a WAV file seems to have been effective in moving the malware undetected through defenses, which is one reason why this episode is being widely understood as a variation on the steganographic obfuscation more commonly associated with image files. Managing an organization's public key infrastructure can be one of those necessary
Starting point is 00:04:56 but unglamorous security-related jobs, and as time goes on, the complexity surrounding it can spin out of control. Chris Hickman is chief security officer at Keyfactor, and he offers these insights on PKI. Public key infrastructure is a set of policies, procedures, highly skilled and trained individuals, people that come together to implement a set of technologies designed to secure assets within the organization and identify those assets and people in a way around a shared key set, which is a public key and a private key. So the concept being that your keys uniquely identify you or your device. You have one that remains private at all time, and then you have one that you can send out, if you will, to identify yourself to other people. And there's a relationship between the public and private key that allows you to have a very secure connection or very secure identity
Starting point is 00:05:57 or very secure authentication, digital signature, or encryption. And so what are the benefits that come with that? And what are some of the challenges associated with it as well? So the benefit is it's standardized, it's universally used across platforms and devices. It's a technology that's been around for a fair bit of time, going back into commercially available since the late 90s, early 2000s. So it's proven technology. And while the standards have progressed and cryptography has changed, PKI is one of those technologies that's kept up with those changes so that it's as secure today in the way it's implemented today as it was back then.
Starting point is 00:06:39 The challenges, however, is it's a set of unique requirements. And as I said, it's not just technology. It's a combination of policies and procedures, training people, and then implementing technology in a way over top of that, that allows you to have the confidence within the organization that what you implement on day one is a secure everyday therefore. There is uniqueness in the way PKI works. Great example. There's specialized hardware like hardware security modules. There's servers that need to be offline. And all of those things sort of culminate into organizations often getting in over their heads. We see organizations
Starting point is 00:07:17 struggle with implementing software and technologies that have a life cycle beyond a couple of years. So a good example is when you implement a PKI, you're establishing a cryptographic root of trust across the organization that can be valid up to 20, 25 years. That requires a tremendous amount of thought and planning. As we often see in organizations, people come and go and their roles change. The knowledge that they have about how to run the specific PKI within an organization tends to go with them. People end up making decisions to support the business's requirement for uptime and the business's requirement for issuing certificates for this new business or line of business
Starting point is 00:08:02 or this new application and so on and so forth. And they end up making decisions that compromise or reduce the overall level of trust. So what are your recommendations then for folks who want to get on top of this, who want to take a smart approach to it? What do you suggest they do? So we see a lot of organizations struggling to take what they've already got, which is a PKI all too often that was built for a very specific purpose in an application. Somebody said, hey, we need certs, let's click next a few times and build a PKI. And that becomes the de facto standard in the organization.
Starting point is 00:08:43 And over time, people just sort of say, hey, I need a cert for this, I need a cert for that. And it sort of becomes the enterprise PKI. More often than not, we find customers then struggling to do things like scale, right? Where they have an application now where they need a cert on every single device to do secure management, let's say,
Starting point is 00:09:03 of that device as an example, and they can't scale to the tens of thousands or hundreds of thousands of certificates that are required, and they don't think about the management. All too often, people are looking at certificates of how do I get them to that device, not how do I manage them when they're on that device. So we recommend to people, first of all, that they take a little bit of a step back, and they take a look at, OK, what has happened historically? Where am I at? What confidence do I have if I have an existing PKI in that PKI? How do I feel that it is still secure from the day that I built it?
Starting point is 00:09:38 And how does that translate into my current needs and requirements? And then what do my future requirements look like, and how confident am I that I have the ability to service them? Then once that I have serviced them, how am I going to manage that to make sure that all the decisions that I make don't lead to me degrading the overall security of the system? At that point in time, we often find that customers make a decision either to basically start over, and when we say start over, not necessarily repeat the same mistakes, but to look for a better way to that crypto asset into their environment or the benefit of it while reducing the risk and the overall resourcing associated with that.
Starting point is 00:10:16 They'll often make a decision to say, OK, you know what? We're going to need to issue certs. We don't know how to run a PKI. Let's look for some help to do this. And that's very often where we have a conversation with them about the ways that they can be successful with the technology, have the policies and procedures, get their people trained up, but not have to take the day-to-day care and feeding into account and freeing up those resources to do other things in the organization. That's Chris Hickman from Keyfactor.
Starting point is 00:10:43 Paige Thompson, the accused Capital One hacker, will be tried this coming March. Prosecutors have opposed moving the defendant out of custody to a halfway house because the amount of evidence they've acquired, between 20 and 30 terabytes of data, is so daunting that it makes the defendant a flight risk. An international dragnet took down hundreds of people who posted and consumed child pornography on the darknet. The law enforcement action extended to 38 countries, the U.S. Department of Justice said in an announcement yesterday,
Starting point is 00:11:16 and resulted in the arrest of 338 people. The ringleader was one Jong Woo Son, proprietor of an apparently loathsome site known as Welcome to Video. The site was a money-making operation where users could purchase material using Bitcoin. The Bitcoin sales were the site's undoing. U.S. Internal Revenue Service criminal investigation special agents tracked the Bitcoin transactions, which enabled them to locate the relevant darknet server, identify the website's administrator, and track them physically to South Korea, where Jong Woo Son resides.
Starting point is 00:11:51 He faces a U.S. federal indictment, but he's already doing time in a South Korean prison for his activities. Washington may get to take a crack at him, but only after Seoul is done with the guy. The IRS takes the occasion to point out that altcoin doesn't amount to some kind of cloak of invisibility. As IRS Criminal Investigation Chief John Fort put it, quote, partners to track down these disgusting organizations and bring them to justice, end quote. And Justice Department officials observe that the darknet isn't some inaccessible refuge for outlaws. Law enforcement can reach them there, too.
Starting point is 00:12:34 It's an ugly story all around. Two suspects committed suicide before their search warrants were executed, and there were children being actively exploited. The Justice Department said the law enforcement action resulted in the rescue of at least 23 minor victims residing in the United States, Spain and the United Kingdom. So congratulations to the authorities on the rescue and may the children find peace and healing. After all of this nastiness, we return with relief to more ordinary crime that, in contrast, can seem almost wholesome. Security firm Palo Alto Networks yesterday described the Graboid worm, a cryptojacker that infests unsecured Docker hosts.
Starting point is 00:13:16 The researchers came across about 2,000 such unsecured hosts in the course of their study. Palo Alto sniffs that Graboid may be capable of short bursts of speed, but overall is relatively inept. Unsurprisingly, Graboid exploits improperly configured hosts, so please look to your Docker configurations, friends. A cultural note, the name Graboid is a well-chosen homage to the horror classic Tremors, an underappreciated bit of cinema that our film
Starting point is 00:13:45 desk gives two thumbs way, way up, and would give even more if they had additional thumbs. That's what the desk says anyway. The giant worms in Tremors were normally pretty torpid, but seismic vibrations would spur them into a brief frenzy of activity. We salute Palo Alto Networks for cultural literacy and good taste in movies. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
Starting point is 00:14:21 You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:14:56 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:15:27 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Starting point is 00:16:23 Learn more at blackcloak.io. And joining me once again is Robert M. Lee. He's the CEO at Dragos. Rob, it's always great to have you back. I noticed that you all have teamed up with Splunk to develop some interesting learning opportunities for the ICS community. You're going to be contributing to something called Boss of the SOC at Splunk's upcoming conference coming up here soon in Las Vegas. A lot of respect and love for the Splunk team over the years. I think they've done a really good job not only creating a good product and similar, but they've always been good about engaging the community. And when I think of things that I like about Dragos and our own company, it's that
Starting point is 00:17:05 community-driven approach. One of the things that Splunk did was create this Boss of the SOC, or BOTS, and it's essentially taking a data set related to attacks and things that are taking place and almost creating a CTF out of it. Very similar, I think in theory,
Starting point is 00:17:22 very kudos to Ed Skoudis and the SANS team and what they did with NetWars. But taking kind of that capture the flag kind of feel to a defensive challenge and bringing it out to the Splunk audience and people around the world. I think they trained people in a variety of countries last year doing this all over the year. And so they approached me and basically said, hey, we'd love to help educate people about ICS, like this industrial control system stuff, our industrial world. I don't think a lot of people have gotten a lot of access to those data sets. Can we partner up on it? We said absolutely. So it's kind of two phases here. The first is we had them come into our
Starting point is 00:18:05 office in Maryland, and we have a variety of real industrial ranges using industrial equipment from our partners and others. And what I define as real is the fact that there's actual physical process. It's not just systems and virtual machines, but it's real equipment, real gear. One of the ranges we have is a beer brewery for science and analytics purposes, of course. How convenient.
Starting point is 00:18:28 We produce a wide variety of beer at Dragos, like TCP IPA and Little Bobby Bach. And so we wanted to let them play around in that environment. And we did some attacks against it, and they were able to gather off data. And so phase one is to bring that ICS data set to that Splunk audience. Now, we're also a Splunk partner where our technology, the Dragos platform, has an app or a connection into the Splunk system so that the alerts and things that we see in industrial networks can connect up so the folks in the enterprise SOC can see it as well. And so phase two is the BOTS participants will be able to get the view of that Splunk app. So all the data will be run through
Starting point is 00:19:12 the Dragos platform. And that way there's context and insight and actual environmental context there for them. So it's not just random protocols and data, but, oh, it's a, you know, here's a DNP3 or IEC 104 or whatever protocol, you know, running to a specific piece of equipment. Now they can understand all that. So phase one, overload them with data, get the feet wet in ICS. Phase two, put the Dragos platform in there as well so they can get the additional context and really just start exposing people to more of this industrial world and the challenges we face. And is that really the take-home here that through that exposure perhaps spark an interest in people?
Starting point is 00:19:52 Absolutely. I think when we look at this, there's obviously the value to Dragos of marketing, and there's the value of hopefully showing people the value of our product. But we don't really spend a lot of time on that stuff. We probably should. I think marketing and sales definitely has a place, but what I prefer to do is, is take more of an educational approach and just show people what they should
Starting point is 00:20:14 be doing. And if we're the right answer for them, then great. So what we'd like to get involved on is more of the education stuff. Even if you're not going to be a customer, I want you to know about industrial systems. Even if you don't work at a site that is industrial, you should have an understanding about how your world operates. One of the things that I love about the security community and the
Starting point is 00:20:32 security practice is we have a lot of creative and insightful and curious people that are lifelong learners. And so to give them a whole new thing that they've never been exposed to before is a really unique and exciting opportunity that I hope will bring people into the industrial community. And hopefully we'll see more transplants over into our field and get more people excited about our industrial world. All right. Well, Robert M. Lee, thanks for joining us. trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today
Starting point is 00:21:38 to see how a default deny approach can keep your company safe and compliant. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Starting point is 00:22:28 Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:23:15 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
