CyberWire Daily - Cyberespionage, in Central Europe and South Asia. Iranian state media sites seized. Sale of inspection and tracing tools leads to an indictment in France. Cooperation, foreign and domestic.
Episode Date: June 23, 2021

ReverseRAT looks like a state-run espionage tool active in South and Central Asia. The US Justice Department seizes thirty-three sites run by media aligned with the Iranian government. Poland offers more clarity on a cyberespionage campaign it attributes to Russia. An intercept and inspection company's executives are indicted for complicity with torture. NSA opens a Cybersecurity Collaboration Center for industry. Joe Carrigan examines Apple's push to replace passwords. Our guest is Shehzad Merchant of Gigamon with a breakdown on security guidelines for hybrid cloud programs. And the FSB says it hopes for "reciprocity." For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/120
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
ReverseRat looks like a state-run espionage tool active in South and Central Asia.
The U.S. Justice Department seizes 33 sites run by media aligned with the Iranian government.
Poland offers more clarity on a cyber espionage campaign it attributes to Russia.
An intercept and inspection company's executives are indicted for complicity with torture.
NSA opens a cybersecurity collaboration center for industry.
Joe Carrigan examines Apple's push to replace passwords.
Our guest is Shehzad Merchant from Gigamon
with a breakdown on security guidelines for hybrid cloud programs.
And the FSB says it hopes for reciprocity.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, June 23, 2021.

Lumen's Black Lotus Labs have described a new Trojan they're calling ReverseRAT. The malware is deployed in cyberespionage operations against government and energy sector targets in South and Central Asia. Its infrastructure is hosted in Pakistan, and Black Lotus Labs tentatively attributes the campaign to Pakistan's government. ReverseRAT is regarded as unusually evasive, with low detection rates by monitoring software. Lumen describes the Trojan's evasion techniques as including use of compromised domains in the same country as the targeted entity to host their malicious files, highly targeted victim selection after the initial compromise, repurposed open-source code, in-memory components used for initial access, and modification of registry keys to covertly maintain persistence on the target device. How the first stage of the attack is delivered isn't entirely clear. It involves delivering malicious URLs that point to compromised sites, and Lumen conjectures that the baited documents probably arrive through some form of phishing or smishing. The phishbait is varied, but documents alluding to events or organizations in India have been common. Lumen has also seen COVID-19 phishbait and topics likely to be of interest to people working in the energy sector. Most of the victims were in India, with a smaller set of targets in Afghanistan. Lumen assesses the ReverseRAT operators as not as sophisticated as the most skilled state-sponsored actors, but the threat actor is by no means contemptible, and the researchers think they bear watching.

The U.S. Justice Department yesterday seized 33 websites used by the Iranian Islamic Radio and Television Union and three more run by Kata'ib Hezbollah. Aligned with the Iranian government, the media outlets were operating in violation of U.S. sanctions against designated terrorist groups. The domains Justice seized were owned by a U.S. corporation. Other sites based abroad were beyond the scope of the warrants the feds executed. The immediate offense, note, is sanctions violations, not engagement in propaganda or disinformation.
Polish authorities have offered more details on the cyberattacks their country has sustained over recent months. They attribute the campaign to UNC1151, a threat actor associated with Russian intelligence services and generally regarded as responsible for the Ghostwriter campaign. According to The Hill, Polish intelligence services regard the campaign as part of a larger effort aimed at destabilizing Central European governments. A spokesperson for the Polish Minister-Coordinator of Special Services said yesterday, quote, "The findings of the Internal Security Agency and the Military Counterintelligence Service show that the UNC1151 group is behind the recent hacker attacks that hit Poland. The secret services have reliable information at their disposal, which links this group with the activities of the Russian secret services." The attacks involve the compromise of email accounts. The Washington Post puts the tally of affected accounts at more than 4,300, at least 100 of which belong to current or former Polish government officials.
Cl0p is down, but not out, apparently. Motherboard says the Cl0p gang, that's C-L-0-P, Cl0p, has resurfaced after some of its principals were arrested in Ukraine last week. Other members of the gang have made a reappearance on their dark website, posting what they claim is information stolen from some recent victims. The gangsters aren't answering their email, or anyway, they're not responding to the "hey, what's up" Motherboard sent them, but they appear to be signaling that they're not out of the picture yet. Still, we can hope, right?
Reuters reports that NSA has opened a cybersecurity collaboration center. The new center aspires to closer ties with U.S. companies. It's hoped that sharing information on attacks will be mutually beneficial, especially as companies that operate portions of critical infrastructure increasingly come under attack.

The head of Russia's FSB says Russia intends to work together to hunt down cybercriminals. Reuters says the FSB hopes for reciprocity from the U.S. The proof, of course, will be, as they say, in the pudding. Russia has always offered its cooperation in investigating cybercrime and other affronts, but their prospective partners have tended to regard the gift as Greek, like that big horse left behind on the beach outside the walls of Troy. We shall see.
SecurityWeek reports that French authorities have indicted four former and current executives of Nexa Technologies, an intercept company formerly known as Amesys, on charges of complicity with torture carried out by Egypt and the Libyan regime of the late Muammar Gaddafi. The charges are complicity in acts of torture, and complicity in acts of torture and forced disappearances. Amesys had sold deep-packet inspection tools to Colonel Gaddafi's Libya, and the charges allege that the Libyan government used it for the surveillance and arrest of opposition figures who were subsequently tortured. After its rebranding as Nexa, the company is accused of selling a version of Amesys's Cerebro software, capable of real-time message and call tracing, to the Egyptian government, which is alleged to have used it in a similarly repressive fashion. The problem lies in the selection of customer. Whatever one thinks of the possibility that surveillance tools can be used legitimately and legally, to whom they're sold matters a great deal. It's difficult to say that their abuse by Gaddafi was unforeseeable by a reasonably well-informed person.
And finally, Market Research Telecast has an account of the Nephilim ransomware. It's the computer virus that robs but the rich, the headline says. But when you read further, you'll realize that their motives aren't ones of altruistic restraint, still less any kind of preferential option for the poor. They're more Willie Sutton than Robin Hood, more Depression-era Philadelphia than Sherwood Forest. Nephilim goes after rich organizations because that's where the money is. It's a self-interested preferential option for a big illicit payday. If their name is to be taken as an allusion to the Nephilim of Genesis and Numbers, do recall that those Nephilim, whether giants or fallen angels, weren't exactly positive role models. So whether it's the happy land of Canaan or the Corn Exchange Bank and Trust Company, the giants are in for the big score.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of
technology. Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform [...] discover they've already been breached. Protect your executives and their families 24-7, 365
with Black Cloak. Learn more at blackcloak.io.
The journey many organizations are taking toward the cloud can include stops along the way, mixing various elements from different suppliers.
Shehzad Merchant is chief technology officer at Gigamon, and he shares insights on the elements he sees leading to success in hybrid cloud deployments.
Today, cloud is foremost on people's mind.
Almost every CIO, every CISO you talk to has a mandate to move to the cloud.
And that typically means one of three things. The first is to migrate towards a private cloud infrastructure where they're essentially hosting their own applications in a private cloud
environment in their own data center. Or it can mean moving to infrastructure as a service, in other words, AWS, Azure, GCP, or it can mean moving towards a SaaS first model, right, which is you move
towards software as a service first, and what you cannot satisfy with the SaaS model, then
you leverage either infrastructure as a service, or you leverage a private cloud infrastructure.
But I think almost any company you speak to today is well on their journey towards this framework and this model. The degree to which they have made the transition
varies, but almost every company is on this journey. Is it safe to say that talking about
hybrid cloud, I mean, that covers a broad spectrum of possibilities? It absolutely does, right? It
absolutely does. It covers the spectrum of
hybrid from the perspective of your own private cloud and the public cloud, but it also covers
the spectrum of having multiple public cloud providers. You could have your applications
hosted in AWS, you could have some applications hosted in Azure, some in GCP, and that's a
different aspect of hybrid cloud as well, right? And so maybe you can talk about that as multi-cloud,
but really hybrid covers all of those spectrums.
And from your perspective,
what sort of things are you and your team tracking
in terms of some of the specific challenges
that folks are facing?
Yeah, and this is a really important conversation
because one of the biggest challenges we see today
in that customer journey is around security.
And the challenge really stems from one key problem.
And that is that in almost every cloud journey today, agility is trumping security.
In other words, how quickly can I move to the cloud?
How quickly can I deploy my applications and get them up and running in the cloud, is trumping the security requirements of running those applications in the cloud.
And that's a big challenge today because what is happening is people are forgetting the security lessons of the last 20 years
and are moving at a pretty quick pace.
And in the journey, we are resulting with a situation where we have significant gaps in the security posture of many of these companies.
Does it have to be an either-or situation?
I mean, is it possible to move, to be both nimble and secure?
It absolutely is.
So that is the crux of this, right?
And so the reason why agility is trumping security is because when we sit and think
about the cloud journey, cloud journey is typically driven by the persona of DevOps.
And DevOps run at a certain pace, but they've not come from an InfoSec background.
And in many cases, they don't know or truly understand the risks.
And on the other hand, InfoSec teams have not come from a developer mindset and don't
understand DevOps programmability and automation. So that's the real problem. And I do think that there is a happy medium
where the InfoSec teams and the DevOps teams can actually work together and accomplish both
security and agility. In fact, I like to equate security as having brakes on a car.
If you have brakes on your car, you can actually move pretty
fast. If your car doesn't have brakes, you're going to be very hesitant to move very quickly.
And so I think security is essentially the same paradigm. And so if you can bring the two together
and have your DevOps teams and the InfoSec teams work hand in hand, I think you will have a happy
medium where you can be pretty agile, you can move quickly, but you don't have to give up on the learnings of the last 20 years from an InfoSec perspective.
Are there any common things you see when you have those teams who have successfully integrated,
when you see those teams who are working together? Is there any things that they have in common,
elements that lead to their success?
Yeah, absolutely. I think, first of all,
everybody is incented to make sure that your applications, your deployments are secure, right?
If you run very quickly, but you leave holes in your security, that will come back and bite you,
and it will slow future deployments out there, right? So the common ground there is to make sure
that while you're deploying your applications quickly, the security of them is not forgotten.
And the good thing over here is that we have learned a lot of things in the last decade, the last two decades.
Defense in depth is pretty important.
Endpoint protection, identity and access management are necessary but are not sufficient.
There is an entire framework that NIST has developed.
Identify, protect, detect, respond, recover.
And following that framework is a pretty good guideline to making sure your security paradigm is well established in the cloud as well.
So there's a lot of common ground between the two.
And I think DevOps can actually help InfoSec by bringing their skills in rapid automation, in scripting.
And InfoSec teams can actually share some of their knowledge with the DevOps teams in terms of this NIST cybersecurity framework around identify, protect, detect, respond, and recover.
And I think the two can actually learn off each other, and we can lead to pretty resilient paradigms.
Where do you suppose things are headed?
It seems to me like, to one degree or another, hybrid cloud is here
to stay. But what do you
see for the future
in terms of where it's going to go?
You're absolutely
right. Hybrid cloud is here to stay.
It's an established paradigm
and an established model.
I think where we are going over here
is in building up the maturity
of dealing with the nuances of the hybrid cloud.
One of the big things around the cloud, for example, particularly the public cloud, is the shared security model.
In other words, if you're moving your applications into the public cloud, the security of those applications is shared between the cloud services provider,
where they take care of everything essentially below the hypervisor, and the tenant or the customer is responsible for security essentially above the hypervisor,
in other words, the application.
But there are cracks in that shared security model.
And those cracks are now slowly but surely becoming apparent.
And people are building the maturity to deal with those cracks and making sure that they
can fill those gaps by providing continuous visibility into what's going on with those applications.
So I think that's where we're really going,
which is building the maturity
to deal with the newer paradigms
that arise out of the hybrid cloud model.
That's Shehzad Merchant from Gigamon. Thank you.
[...] cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Hello, Joe.
Hi, Dave.
You know, something you and I discuss all the time over on Hacking Humans is the challenge that lots of people face when it comes to resisting the urge to reuse their passwords, right?
Yes, indeed.
It looks like Apple is making a run at this issue.
There's an article over on Forbes written by Kate O'Flaherty,
and it's titled,
Apple to kill passwords with game-changing new face ID move.
Right.
That headline may be a little breathless.
Yes.
Let's remember the reporters don't write the headlines; that's written by an editor. So what's going on is that Apple has now, has this system that they demoed at WWDC. They had a session called Move Beyond Passwords. It was a developer session, and I don't, I don't know if this is anything new, but what it is is it's Apple's Keychain product that uses WebAuthn, which is a public-private key way of authenticating to websites.
So basically what this does is it stores your private passkeys in your iCloud keychain.
So they're always accessible to you no matter what Apple device you're using.
And the other thing it does
is it takes the authentication token
out of the hands of the server, right?
So if you think about this
from a service provider perspective,
right now, if I have a username and a password,
I have to store that password some way
on my server, right? And hopefully I'm using salted hashes that can be increased in difficulty
over time. But still, I have to have that authentication token on my server. Well,
with a key-based, with a public key, private key situation, I don't have to have any authentication information, right?
I just keep a public key on my server.
And if that gets breached, no big deal, right?
I just have... the public information has been stolen.
And the way this works is you, the user, log in to my service, right?
I take a nonce, a number, right? And I run it through your public key and I say, here, here's the number. Tell me what it is.
And you, it's called a challenge response, right? And based on your response, I'll know that you have the private key, right? Because I'll be able to decrypt your response properly.
Yeah.
And if you can't do that, then I know that you don't have the right private key. Therefore, you're probably not Dave. So I'm not going to authenticate you. This is a lot better than passwords, right? And that's what they're doing here with this new feature, or that they're securing this with Face ID and Touch ID. So now the user logs in and there's a video out there of how easy it is and how transparent it is for the user. And it's a really good job of letting the user authenticate using public private key cryptography to authenticate right away to a web page. And it's fast, it's easy. The user doesn't have to remember a password.
The key is that somebody is remembering the private key, right?
And that's where the concern is.
So here, I'm going to put on my Nostradamus hat now, Dave.
I'm going to predict the future here.
What's going to happen is more people adopt these kind of systems.
We're going to see
attackers going after the users to try to get access to these key stores somehow. That's what's
going to happen next. That's how this is going. So it's going to be important that companies like
Apple do a really good job of protecting those key stores. Apple traditionally has done a very
good job with security. Yeah. Well, I mean, it's an interesting thing to think about, right?
I mean, do I trust Apple and their security team with this key more than I trust, you know, Bob's Discount Pet Supply's website down the street?
With a password.
Right.
Right.
Right.
I'm with you on that.
I trust Apple more with the keys, you know, than I do Bob's Discount Pet Supply. And you know what? Bob's Discount Pet Supply would probably love just to have public keys for everybody. That would be great for them. So it's a good solution all around, I think. It makes the attack more difficult, which is good, but it doesn't make the attacks go away. We're still going to see attacks on individuals to try to gain access to individual key stores. Right, right. And as usual, the way
that Apple handles these sorts of things, if you are in the Apple ecosystem, this will be very easy
for you to use. And if you're not, good day to you, sir. That's 100% correct. The article does point out that you can also get the same kind of
protection with a YubiKey. YubiKey is pretty much the same kind of technology. It doesn't store the
keys. It kind of generates them on the fly. That's okay as well. But there is some talk in here about
biometrics in this article about the biometrics being non-changeable, right?
Like if my Face ID is breached or somehow that gets broken.
That's kind of tangential to this conversation because really all it's using Face ID and Touch ID for is to give you access to your keychain key storage.
Yeah. Yeah.
Yeah.
And I think it seems to me that so far, you know, Face ID and Touch ID have both pretty
much stood the test of time in terms of being reasonably secure solutions to what they're
setting out to do.
I would agree.
They're pretty good.
Yeah.
Yeah.
As much as I rail against biometrics, we haven't really seen an attack that's feasible on these yet.
Yeah.
Yeah.
All right.
Well, Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.