CyberWire Daily - Cyber alert remains high as the US-Iranian confrontation cools. Information ops, wipers, and energy sector targeting.

Episode Date: January 9, 2020

As kinetic combat abates in Iraq, warnings of cyber threats increase. US intelligence agencies warn of heightened likelihood of Iranian cyber operations. These may be more serious than the low-grade website defacements and Twitter impersonations so far observed. One operation, “Dustman”, has hit Bahrain, and it looks like an Iranian wiper. And some notes on the Lazarus Group, and a quick look at information ops across the Taiwan Strait. Emily Wilson from Terbium Labs with details from their recent report, “How Fraud Stole Christmas.” Guest is Karl Sigler from Trustwave on the risks of using Windows 7. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_09.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K at checkout. As kinetic combat abates in Iraq, warnings of cyber threats increase. U.S. intelligence agencies warn of heightened likelihood of Iranian cyber operations. These may be more serious than the low-grade website defacements and Twitter impersonations so far observed. One operation, Dustman, has hit Bahrain, and it looks like an Iranian wiper.
Starting point is 00:02:17 And some notes on the Lazarus Group, and a quick look at information ops across the Taiwan Strait. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 9th, 2020. As both the U.S. and Iran appear to have backed away from kinetic combat, the New York Times predicts that cyber operations will become more attractive. Iran's missile volleys against U.S. cantonment areas in Iraq may have been, as U.S. Joint Staff Chairman General Milley said, intended to kill, but they fortunately didn't, and Iran said it was satisfied that it had responded proportionally to the U.S. strike against
Starting point is 00:03:02 General Soleimani last week. CNN summarizes the cautions U.S. agencies, notably the FBI and the Department of Homeland Security, have distributed this week. The centerpiece of those warnings is a joint intelligence bulletin that went out to law enforcement agencies around the U.S. CNN, which says it's obtained a copy, quotes the bulletin as warning, quote, In the event Iran were to determine to conduct a homeland attack, potential targets and methods of attack in the homeland could range from cyber operations
Starting point is 00:03:33 to targeted assassinations of individuals deemed threats to the Iranian regime to sabotage of public or private infrastructure, including U.S. military bases, oil and gas facilities, and security organizations would be alert for. Such warnings have reached a spooked and skittish audience. Consider this week's incident in Las Vegas, where local speculation quickly turned to Iran. The city's IT department tweeted that, We experienced a cyber compromise at 4.30 a.m. Tuesday. Our IT team is assessing the extent of the compromise.
Starting point is 00:04:15 When aware of the attempt, we immediately took steps to protect our data streams. We will have a clearer picture of the extent of the compromise over the next 24 hours. The Vegas station KSNV News 3 quickly spoke with local cybersecurity experts who assured the station that Iran looked good for the attack. Las Vegas doesn't think any sensitive or personal data were compromised, but the investigation continues. Cyber operations, of course, represent a gray zone where attribution and responsibility can be hard to pin down.
Starting point is 00:04:47 There's some chatter on the Internet, the New York Times says, by actors who claim to have connections with whoever defaced the homepage of the Federal Depository Library Program, a site run by the U.S. Government Printing Office. They're going on about how their capabilities have hardly been exhausted and that they're just waiting to be unleashed by the Islamic Revolutionary Guard Corps, and that, in sum, you ain't seen nothing yet. There's probably some truth to the last point, because the Federal Depository Library Program wasn't exactly either a high-value or a high-payoff target.
Starting point is 00:05:20 But on the other hand, this sort of online woofing by inspired freelance amateurs has been a feature of cyberspace since it was called the information superhighway. So beware, take the reports of chatter seriously, but with an appropriately large grain of salt. That said, there have been other information operations conducted either by Iran or by independent actors working in Iran's interests. Twitter has suspended two accounts it found impersonating journalists, the Daily Beast reports. The accounts were disseminating what the Beast describes as Iranian propaganda, although as usual it's difficult in such cases to distinguish a state-run operation from a hacktivist demonstration. Britain's Telegraph newspaper argues that Iran has
Starting point is 00:06:04 developed a significant online disinformation capability over recent years. While calling it a capability that rivals Russia's is surely overstated, Tehran's operators aren't contemptible, and they've shown a disposition to learn from the best. Chances are you may have heard that Windows 7 is no longer supported by Microsoft. We've certainly been talking about it here, so it shouldn't come as any surprise. And yet, for a variety of reasons, many organizations find themselves still running Windows 7. Carl Sigler is manager of Spider Labs Threat Intelligence at Trustwave, and he shares his insights.
Starting point is 00:06:43 Windows 7 and Windows Server 2008 are reaching their end of life this month. And what that means is that Microsoft is no longer going to be providing primarily security patches for those platforms. So mainstream support for those platforms actually ended a couple of years ago, where, you know, those platforms, Windows 7 and Server 2008, were no longer getting any new features, any new updates, only security updates that are critical were those platforms receiving. And as of this month, they're going to end even that. So if you're currently using Windows 7 or Windows Server 2008, by the end of the month, you will no longer be getting any security fixes,
Starting point is 00:07:25 which, of course, introduces risk to any environment that is still using those. And where are the environments where we're most likely to find folks are still using an operating system that's this long in the tooth? All over the place. By our estimates, at least a third of large organizations currently have some footprint of Windows 7 and Windows Server 2008 in those environments. We still see a lot of end users that are using them. People obviously don't like to upgrade. A lot of people, especially when it comes to technology, follow the principle, if it's not broke, don't fix it. And for Windows 7, Windows Server 2008, if it's still doing what you need it to do, then no one really has the impetus to upgrade.
Starting point is 00:08:11 And so what's the reality here for folks who are running these systems? What sort of actions should they take? The most basic action you can take is to upgrade. If that's possible, it's highly recommended that you just upgrade. For Windows 7, that upgrade path would be to Windows 10. So for the desktop operating systems, if you're still in Windows 7 at home, you know that your organization is still using Windows 7, you want to look for that upgrade path to Windows 10. For Windows Server 2008, you're looking to upgrade to Server 2012 or hopefully 2016. Although we're seeing a lot of organizations, rather than upgrading in-house, just moving to cloud platforms for a lot of services, which puts the security question into somebody else's hands entirely, which is also a good path for upgrade.
Starting point is 00:09:00 Yeah, that's interesting. Are there any specific security issues that are known with Windows 7? In other words, as it's being put out to pasture, are there any lingering issues? desktop services. And those services tend to be publicly exposed. If you're trying to get access to a remote desktop, you tend to need that access over the general internet or at least through your VPN. So the services tend to be exposed to a certain extent. You know, we haven't seen any major exploitation for BlueKeep. But back when Windows XP was end of life, shortly thereafter, we saw the WannaCry worm go out, and it was trashing those older systems that just didn't get that security patch. BlueKeep is a very similar vulnerability. If exploits get developed for that, it's going to be very serious. Luckily, there are patches for Windows 7 and Windows Server, since the patches were released this past
Starting point is 00:10:03 year. It's really only a matter of time before we see the next WannaCry or BlueKeep. And for the next one that's coming up in the wings, there's no security fix for those. So there's really no avenue to patch it for Windows 7. So I guess this is a better safe than sorry sort of situation. If you've still got some of these legacy systems out there, now's the time.
Starting point is 00:10:26 And hopefully you've been planning for this. Again, the end of life for just new features was back in 2015. So this is not a big surprise, hopefully, for a lot of these organizations, and they have a plan in place. But if they don't, like you say, this is the time to do it. For big organizations, that can be a little bit harder. They have a lot of complexity. They might have networks all over the globe that they have to upgrade. And it takes some careful planning. It could take a lot of time to get it implemented. For smaller organizations, they may have a smaller footprint, but they may not have the technical resources. A lot of those small businesses have an IT team of one person.
Starting point is 00:11:04 So it can be hard for those organizations as well. So plan things out, think about it appropriately, and see the best path to get those upgrades in place for you. That's Karl Sigler from Trustwave. There have been some consequential attacks that seem traceable to Iran. Citing a report by Saudi Arabia's National Cybersecurity Authority, multiple sources report that Dustman, a destructive Iranian cyber campaign, has hit BAPCO, Bahrain's national oil company.
Starting point is 00:11:33 The media outlet ZDNet outlines the malware as a successor to earlier Iranian wiper campaigns, notably Shamoon and its Zero Clear successor. The Saudis called Dustman an evolved and improved version of ZeroClear, a wiper discovered in the fall of 2019 that itself shares code similarities with Shamoon. Shamoon, ZeroClear, and Dustman all use LDOS raw disk, which is a legitimate tool used to interact with files, disks, and partitions. The three wipers gain initial access, then use a variety of exploits to elevate their access to admin-level privileges, at which point they use LDOS raw disk to destroy data belonging to the infected host.
Starting point is 00:12:19 Yahoo News points out that the cyber attack hit on December 29, 2019, the same day the U.S. retaliated for the death of an American contractor in a rocket attack with airstrikes against Iranian proxies in Syria and Iraq. Bahrain is close to the U.S. and even closer to Iran's principal regional rival, Saudi Arabia, and Iran has shown a predilection for regional targets in the energy sector. The original victim of Shamoon, remember, was Saudi Aramco. Since many of the warnings from CISA have stressed the potential threat to industrial control systems and critical infrastructure, it's worth noting a report the ICS security specialists at Dragos released this morning. Dragos, we should emphasize, as a matter of policy, doesn't attribute the attacks or threat actors it studies to any particular nation-state.
Starting point is 00:13:05 But their findings are interesting, coming as they do during a period of heightened alert. The researchers say that the threat actors Dragos calls Magnalium and Xenotime, best known for targeting the oil and gas sector, have shown signs of expanding their interest to the North American electrical power industry. Xenotime's and Magnalium's most notorious actions were taken against Saudi Arabia's oil and gas industry, but since the late fall of this past year they've been observed prospecting targets in the United States. In any case, one hopes that organizations, whether they're business, government, educational,
Starting point is 00:13:41 charitable, or religious in nature, do take the kinds of sensible precautions CISA and others have recommended. It's worth reviewing them here quickly. Disable unnecessary ports and protocols. Monitor network traffic and email traffic. Keep an eye out for phishing themes and tactics, especially ones that might cater to fears related to current tensions. And follow best practices that increase resistance to social engineering generally, get your patching up to date, and finally, keep backups current and in an air-gapped location where they'll survive a destructive attack on your network.
Starting point is 00:14:15 It's not, of course, all Iran all the time, even this week. Kaspersky has been tracking the Lazarus Group's AppleJeus campaign and concludes that North Korea is becoming more careful, more sophisticated, and more focused on the cryptocurrency sector as Pyongyang continues its policy of addressing financial shortfalls through cybercrime. And Taiwan is in the homestretch of its national elections, with voting to be held Saturday. China has increased its influence campaigns with the intent of influencing the vote in favor of parties thought to be disposed to prove useful to the return of what Beijing is pleased to call the breakaway province of Taiwan. That's what Beijing calls it, not us. We just call Taiwan, Taiwan. Winning with purpose and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now?
Starting point is 00:15:39 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist, Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:16:19 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:17:02 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Emily Wilson. She's the VP of Research at Terbium Labs. Emily, before the holidays, you all published a report that was called How Fraud Stole Christmas. And you were looking at different types of data that consumers were worried about having exposed during the holiday season. You got some things you want to dig in here. What can you share with us today?
Starting point is 00:17:48 In putting together this report, we were primarily focused on asking consumers about their spending patterns during the holiday season. What kinds of payment cards are you going to be using? How many of them are you going to be using those over cash? Where are you most concerned that that financial information might be exposed? Are you worried about online retailers, brick and mortar stores? How are you adapting your behavior? All of this was payments focused. And so then we got to a question where we asked consumers what kind of information they were most worried about being exposed during the holiday season. And given the patterns that we had been tracking through the rest of the survey, I expected it to be payment card numbers, bank account information, maybe account credentials for the number of people who were worried about online retailers. But it wasn't any of those
Starting point is 00:18:34 things. Consumers told us they were most concerned about their social security numbers. And I thought that was interesting. Because in this holiday season where we are concerned about fraud, we're concerned about card skimmers, we're spending money at a variety of different retailers or shops that we maybe wouldn't shop from before. We're buying things from different little pop-ups. We're finding gifts here and there and spending all over the country and perhaps around the world. But consumers circled back and said, no, I'm worried about my social security numbers. Why do you suppose that is? I think the reason that identity theft is front of mind for consumers right now, in a way that maybe it wouldn't have been a couple of years ago, is twofold.
Starting point is 00:19:21 One, there have been some major breaches that have made mainstream news that I think has made ID theft an issue front of mind for not just security-minded folks, not just people who maybe work in high-risk industries who are dealing with this from a security perspective in their day-to-day roles. But if we think about things like Equifax, that was a big shock, I think, to kind of the hive mind, at least here in the US. And when I say Equifax, I mean not just the breach itself, but the way it was handled and some of the issues with people trying to go in and claim their payment as a result. I think this is something where people saw, perhaps for the first time, or at least for the first time since something like OPM, the scale of data exposure that actually impacted them directly. That's one reason I think
Starting point is 00:20:11 it might be friend of mine. The other is that I think for all of the other breaches and security issues, and that could be something like election security, it might be minor breaches, it might be issues with companies like Wells Fargo having account fraud. There are a variety of different, what I would consider kind of consumer level breaches here that may have made local news. It may be part of the discussion now, letting people know, hey, your accounts have been compromised. Not for tech platforms they may forget that they are using, not for third-party data breaches that only we in security care about, but things that are actually making their way down
Starting point is 00:20:51 to local journalism that are making the six o'clock news. You know, we see from this report that people have acknowledged they've changed their spending patterns when it comes to unsecured point of sale systems like ATMs, for example. And I think ID theft, I think personal information is the next wave of that. I think that we're seeing the threat of exposure and compromise there trickle down to be more front of mind for consumers. And I'm hopeful for that because I think that will give them the opportunity to start to think critically about where they share information, maybe to have higher expectations for the brands that they engage with. All right. Well, Emily Wilson, thanks for joining us. Cyber threats are evolving every second and staying ahead is more than just a challenge
Starting point is 00:21:48 It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. Thank you. Thanks for listening.
Starting point is 00:23:15 We'll see you back here tomorrow. Thank you. in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com
