CyberWire Daily - Critical bug disclosed in Palo Alto products (a fix is available). StrongPity (a.k.a. Promethium) is back. A big Bitcoin scam. Lots of PII newly offered in the dark web. Australia and India look to their defenses.
Episode Date: June 30, 2020
NSA and CISA agree: take Palo Alto's advisory about its PAN-OS operating system seriously. StrongPity is back and active against targets in Turkey and Syria. A big Bitcoin scam is using spoofed news outlets and bogus celebrity endorsements to lure victims. A large trove of PII has appeared in the dark web. Ben Yelin from UMD CHHS on whether or not the EARN IT Act violates the Constitution; our guest is Brad Stone with Booz Allen Hamilton on how technology is changing the battlefield and why cyber is becoming so important in the DoD space. Finally, both Australia and India look to shore up their defenses against cyber threats from China. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/126
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Our guest is Brad Stone with Booz Allen Hamilton on how technology is changing the battlefield and why cyber is becoming so important in the DoD.
Finally, both Australia and India look to shore up their defenses against cyber threats from China.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 30th, 2020.
Palo Alto Networks yesterday disclosed a flaw in PAN-OS, the operating system that runs on its firewalls and enterprise VPN appliances. The vulnerability, CVE-2020-2021, is assessed as very serious, rated a 10 out of a possible 10 in the CVSS v3 scoring system, both easy to exploit and remotely exploitable. The company has also explained ways in which users can secure their systems. As Palo Alto explains it, quote, "When Security Assertion Markup Language (SAML) authentication is enabled and the Validate Identity Provider Certificate option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources." U.S. Cyber Command has urged all users to patch as soon as possible and warned that exploitation by foreign intelligence services can be expected soon. CISA has also distributed the alert. IT News credits researchers at Monash University with tipping Palo Alto off to the problem. The issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.99, PAN-OS 9.1.3, and all later versions, so the solution is readily available. Upgrade to a current version.
The Promethium APT, also known as StrongPity, although that name has also been used for one of the group's tools, is back, ZDNet and others report. This time around, StrongPity is active against targets in Turkey and Syria. The latest wave of attacks features new Trojanized installers. It also shows a capability to search for and exfiltrate files from victims' machines. It's been employing watering hole tactics to selectively target victims in Turkey and Syria using predefined IP lists, and it has adopted a three-tiered command and control infrastructure that's enabled it to mask, to a certain extent, its operations and escape forensic investigation.
Promethium is a cyber espionage and surveillance operation believed to have been active since 2012, although it came to public attention in October 2016 with a watering hole campaign against targets in Belgium and Italy. Researchers at Bitdefender and Cisco Talos believe it to be state-sponsored, and that represents a consensus view. Which state does the sponsoring, however, is unclear, and the answer may not be a simple one. Cisco Talos believes, for example, that it's possible that Promethium could be a crew of hired guns, cyber mercenaries working under contract for a nation-state or a set of nation-states. It's had an extensive target list. While Middle Eastern and North African nations have figured prominently among its targets, Promethium has also been active in Europe, Asia, and the Americas. It has recently been implicated in surveillance of Kurdish populations. Promethium has been known to use both internally developed tools and lawful intercept products in its operations.
Group-IB reports a widespread Bitcoin scam that's exposed personal data on thousands of victims. They're distributed over 21 countries, but by far the most have been in the UK and Australia. Group-IB explained that victims' phone numbers, which in most cases came with names and emails, were contained in personalized URLs used to redirect people to websites posing as local news outlets, with fabricated comments of prominent local personalities about a cryptocurrency investment platform that helped them build a fortune. The scam begins with an SMS text message with a shortened link, often a message that spoofs a well-known media outlet. Following the link takes the victim to a page tailored to their geographical region. The content purports to be exclusive media content of interest to an altcoin speculator. The final stage redirects the unwary to enroll in a fraudulent Bitcoin investment scheme. The losses for people gulled into fraudulent speculation are obvious. Less obvious, but equally real, is the reputational damage the spoofed celebrities and media outlets suffer as their names are hijacked into the service of crime.
Brad Stone is Senior Vice President at Booz Allen Hamilton, and he joins us with insights on how technology is changing the global battlefield and why cyber is so important in the DoD.
The DoD at its core starts with some of the same problems that any other large organization happens to face, and that's protecting the enterprise. So at its core, the DoD, just like a large bank or just like other agencies, has to protect its core IT infrastructure, building off of their IT security. What assets do I have? What data am I protecting? Who's on my network? But it builds from there, given what the DoD is all about. As we kind of go from that core enterprise, we move into a broader set of platforms and devices that are critical for what the DoD does on a daily basis. So thinking about how you secure these interconnected platforms and devices to not only have the readiness to protect our nation, but to really have that advantage in driving the locality that is a key metric of defense success. And because of that view of this being a mission environment, there's the third element of cyber being a warfighting domain. So starting with that IT enterprise, moving into a broader set of platforms that are having to secure and understand embedded vulnerabilities, but ultimately getting at a point where you're going toe-to-toe with an adversary to achieve a mission objective. So it starts at that same kind of cyber level that many of us tackle, but it takes it up to another level. Because really, at the end of the day, the Department of Defense is about saving and protecting lives.
How does an organization with the scale of the Department of Defense maintain an ability to stay nimble, to be able to be both reactive and proactive in an increasingly rapidly developing theater of war?
It's really a team sport between the public-private partnerships, but within the DoD, they attack it in multiple ways. So tying back to the core enterprise IT with large organizations are protecting that enterprise, driving the network operations. But now with the new Cyber Mission Force that has been stood up under Cyber Command, you've got a set of trained warriors that are able to go in there and add the additional expertise and experience to go in and fight the fight, whether that's an incident response or threat hunting. So they're attacking it just like they have for years with almost a defense in depth kind of a strategy, but they're also doing that organizationally. But again, it's always about a team sport, and the adversaries know where the weak links are, and that there's constantly preparation and testing. A lot of investment into ranges across the department to look at these things and prepare not only for today, but for the future.
Can you give us some insights, as an organization that does a lot of business with the Department of Defense, as to what sort of things they're looking for from an organization like yours in terms of that partnering? What sort of things are they looking to rely on you for? What are their expectations?
There's a few things that we really focus on in that partnership. One is this is such a complex ecosystem. It's really about helping our clients understand how to be effective. But a lot of that can come down to speed, simplicity, and driving towards outcomes. So, they look at an organization like ours that's helping them maximize their investment. They might have bought significant amounts of tools, but they're misconfigured, and integrating them together such that they are simpler for those warfighters to leverage, but then still equally effective with the right understanding of detecting threats and responding to them to ensure their safety. So when we talk about going into doing a range or a training event, it's that understanding of the mission context with those cyber vulnerabilities and that tradecraft combined together that allows our clients to understand risk. And risk in the Department of Defense ties back to readiness. And readiness is ultimately the measurement that the DoD is looking to understand where it stacks in a global environment.
That's Brad Stone from Booz Allen Hamilton.
Lucy Security says it's found data from 945 websites for sale in dark web markets. Up to 14 million victims may be affected. The information includes usernames, full names, phone numbers, hashed and non-hashed passwords, IP and email addresses, as well as physical addresses. It's contained in two databases that together amount to roughly 150 gigabytes of unpacked SQL files. They were released this month, on June 1st and June 10th. The content of the databases, and remember, they represent material culled from almost a thousand sites, appears to have been procured by different hackers. Investigation is proceeding.
Australian concern about Chinese operations in cyberspace has not abated. Chinese activity comprising a range of espionage activities has prompted an equivalent range of defensive responses. The most recent response has been in terms of resources. Prime Minister Morrison's government has pledged, ZDNet reports, 1.35 billion Australian dollars. The expenditure will be spread over 10 years, and a lot of it will be spent on the Australian Signals Directorate, where $470 million will be allocated to the creation of 500 jobs. A further $278 million will be used to help ASD go after offshore cybercrime, to help expand intelligence capabilities, and to develop a national situational awareness system to respond to threats on a national scale. The situational awareness package is known as CESAR, for Cyber-Enhanced Situational Awareness and Response. The uses to which the remaining $500 million will be put are expected to be specified in the forthcoming 2020 cybersecurity strategy, due out later this summer.
And finally, India, whose policy on allowing Chinese tech into its domestic markets has hardened considerably since recent shooting skirmishes along the Indian-Chinese border, is preparing for a wave of cyberattacks orchestrated from Beijing, the Economic Times reports. Authorities have been issuing alerts and warnings to this effect for more than a week. Whatever develops, New Delhi expects the worst from Beijing.
And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security, also my co-host over on the Caveat podcast, which, if you have not checked it out yet, what are you waiting for? It's an awesome show. You really have to check it out.
Yeah. We do have a good time over there and cover some important issues.
Ben, I want to touch base with you this week. Got news. This is from the EFF, the Electronic Frontier Foundation, and they have put Congress on notice that they believe that the EARN IT Act violates the Constitution. What's going on here?
Yeah, so the EARN IT Act was a piece of legislation proposed earlier this year by Republican members of Congress. And the sensible purpose of the act was to get online platforms to crack down on things like sexual exploitation, cyber criminals, etc. But what opponents have alleged, you know, for good reason, is that this bill is a Trojan horse to undermine encryption. Even though encryption isn't actually contained within the legislation, it would give the Attorney General the power to compel online service providers to break encryption or be exposed to legal liability. So this presents, in the view of the Electronic Frontier Foundation, a bunch of constitutional issues. They talk about how the bill would identify various best practices for online service providers, and just instituting those best practices would be sort of an impermissible regulation of editorial activity, which is something that's usually up to the discretion of that platform. They talk about how this bill would remove Section 230 immunity. We've talked about Section 230, from the Communications Decency Act, on our podcast and on this podcast. It generally shields tech companies from liability for content management decisions that they make on their platform. What this bill would do would be to remove that immunity if online platforms don't comply with the government's best practices. And what EFF is saying, I think reasonably, is that sort of meddling in editorial choices would be a violation of the free speech rights and expression rights of those platforms. Another thing that this bill would do is it would hold these online service providers responsible for certain types of content, certain types of user-generated content. Obviously, the content that's being regulated in this bill are things that we would find morally objectionable, sexual exploitation, etc., etc.
Right.
But in order to have a content-based restriction under the First Amendment, according to our Supreme Court, it has to pass strict scrutiny, which in non-legal parlance means you have to have a darn good reason to regulate that behavior. And in the mind of EFF, this bill would fail that test. And then they identify some Fourth Amendment issues with this bill as well. They say it would turn online platforms into government actors that search users' accounts without a warrant based on probable cause, you know, partially because it's allowing these providers to search, screen, or scan for instances of online sexual exploitation. That's a laudable goal, but it is something where a company kind of mandated by the government would be surveying people or searching people without any probable cause to do so. So they have put members of Congress on notice that they think this bill fails to pass constitutional muster. I haven't gotten any indication that this act is really going anywhere in Congress. Congress kind of has its mind on other things, the COVID response, policing reform, appropriations bills, and we're also in an election year. But I also, you know, I do think it's important for advocacy groups to always be on watch for laws like this, especially ones where the average person would see it and say, oh, cracking down on online sex predators. That's great. Who, you know, who wouldn't support that? It is incumbent upon these advocacy groups to point out potential constitutional issues. And I think that's what they've done here.
Yeah. All right. Well, thanks for explaining it to us. Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe. Thanks for listening.
We'll see you back here tomorrow.