CyberWire Daily - DDoS at Russia’s MoD. Facebook disrupts Iranian catphishing operation. An intercept tool vendor’s activities are exposed. No signs of the US softening on Huawei bans.
Episode Date: July 16, 2021

Russia's Ministry of Defense says its website sustained a distributed denial-of-service attack this morning. Facebook disrupts a complex Iranian catphishing operation aimed at military personnel and employees of defense and aerospace companies. Microsoft and Citizen Lab describe the recent operations of an Israeli intercept tool vendor. The US shows no signs of relenting on Huawei. Johannes Ullrich from the SANS Technology Institute has been Hunting Phishing Sites with Shodan. Our guest is Rick Van Galen from 1Password with insights from their Hiding in Plain Sight report. And there's nothing new on the REvil front: the gang is as much in the wind as it was early this week. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/136
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Russia's Ministry of Defense says its website sustained a distributed denial-of-service attack this morning.
Facebook disrupts a complex Iranian catphishing operation aimed at military personnel and employees of defense and aerospace companies.
Microsoft and Citizen Lab describe the recent operations of an Israeli intercept tool vendor.
The U.S. shows no signs of relenting on Huawei.
Johannes Ullrich from the SANS Technology Institute has been hunting phishing sites with Shodan.
Our guest is Rick Van Galen from 1Password with insights from their Hiding in Plain Sight report.
And there's nothing new on the REvil front.
The gang is as much in the wind as it was early this week.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 16th, 2021.
TASS reports that a website belonging to Russia's Ministry of Defense was taken offline this morning by a distributed denial-of-service attack.
According to Reuters, the attack was stopped and access restored in about an hour.
Russian authorities attribute the attack to a source outside the Russian Federation.
Facebook yesterday said it had disrupted an operation by the Iranian threat group Tortoiseshell, whose fake personas used Facebook in an initial catphishing approach to military personnel and people who work in the defense and aerospace sector.
As Facebook put it, fewer than 200 inauthentic accounts were disabled.
These accounts often posed as recruiters and employees of defense and aerospace companies from the countries their targets were in.
Other personas claimed to work in hospitality, medicine, journalism, NGOs, and airlines.
The initial lure was generally the prospect of discussing employment opportunities.
The operation as a whole was patient, complex, and designed for plausibility.
Most of the intended targets were in the U.S., with some in Europe.
Tortoiseshell used Facebook to establish contact and trust, eventually hoping to persuade its prospects to contact them in other ways and channels, and those other channels were where the malware payloads were delivered.
Tortoiseshell is thought to have connections with the well-known Iranian threat actors APT34, commonly called Helix Kitten, and APT35, known to many as Charming Kitten.
The tools Tortoiseshell deploys against its targets include remote-access Trojans, device and network reconnaissance tools, and keyloggers, many of which were developed by Mahak Rayan Afraz, a Tehran-based IT company associated with the Islamic Revolutionary Guard Corps.
It's not the first operation of this kind that in recent years has been traced to Iran's Islamic Revolutionary Guard Corps.
Wired describes some of Tehran's earlier efforts along these lines. Quote:
Symantec noted back in 2019 that the group had also used some software tools also spotted in use by Iran's APT34 hacking group, which has used social media lures across sites like Facebook and LinkedIn for years. Mandiant's Hultquist says it roughly shares some characteristics with the Iranian group known as APT35, which is believed to work in the service of the IRGC. APT35's history includes using an American defector, military intelligence defense contractor Monica Witt, to gain information about her former colleagues that could be used to target them with social engineering and phishing campaigns.
End quote.
Iran has historically used online methods in developing target dossiers on persons of interest to its intelligence services.
This most recent campaign seems to be squarely in that operational tradition.
Also yesterday, the Microsoft Threat Intelligence Center, MSTIC, and the Microsoft Security Response Center, MSRC, reported on the activities of a private sector offensive actor, a company that would probably characterize itself as a lawful intercept vendor.
The company, which Microsoft assigned the name Sourgum, is selling intercept tools to governments that are using them to monitor the communications of journalists, dissidents, and other people in bad odor with the regime deploying the intercept tool.
Microsoft wrote, quote:
Sourgum generally sells cyber weapons that enable its customers, often government agencies around the world, to hack into their targets' computers, phones, network infrastructure, and internet-connected devices. These agencies then choose who to target and run the actual operations themselves.
End quote.
Microsoft calls the intercept software itself, which exploits Windows zero-days patched this week, DevilsTongue.
Targets of the surveillance tool have been found in the Palestinian Authority, which had about half of the victims identified, Israel, Iran, Lebanon, Yemen, Spain (specifically Catalonia), the United Kingdom, Turkey, Armenia, and Singapore.
As Microsoft observes, the location of a target isn't perfectly correlated with the government using Sourgum. International targeting of individuals is common, and none of the countries listed are necessarily users of DevilsTongue.
Microsoft acknowledged the University of Toronto's Citizen Lab for its assistance in the investigation, and Citizen Lab identifies Sourgum as the Tel Aviv-based company whose original name was Candiru.
Candiru's past customers are believed to include Uzbekistan, Qatar, Singapore, Saudi Arabia, and the United Arab Emirates.
The company has been through several rebrandings since its founding in 2014.
In 2020, it assumed its current name, Saito Tech Limited.
Some of the corporate names appear to represent low-cunning gestures toward misdirection.
Citizen Lab and others reporting the incident have generally been sticking to the first name the company did business as.
Candiru's intercept tools aren't confined to Windows systems.
The Register notes that the company also offers products that can monitor iPhones, Android devices, and Macs.
More than 750 domains are said to have been used to host Candiru's surveillance software.
Many of those domains misrepresent themselves as belonging to media companies, advocacy groups, and civic organizations, which suggests that journalists and activists, not criminals or terrorists, are the probable quarry.
Candiru, or Saito, is the latest of a series of intercept tool vendors based in Israel to run afoul of legal and reputational trouble for their willingness to assist repressive regimes in conducting surveillance of domestic targets.
The best known of these is NSO Group, currently engaged in a lawsuit brought in U.S. federal court by WhatsApp.
Huawei is unlikely to receive a reprieve from its present restriction from U.S. markets.
The present U.S. administration has, through the Commerce Department's Bureau of Industry and Security, reasserted its predecessor's strictures against the Chinese company, Fox Business reports.
And finally, there's nothing new about REvil or Russia-based ransomware gangs generally.
Secplicity has blogged its opinion that REvil probably hasn't gone anywhere, that such groups rarely disappear entirely.
So, perhaps the gang has temporarily gone to ground.
There have been no official announcements of takedowns or other enforcement actions against REvil.
The folks at 1Password recently published a report titled Hiding in Plain Sight: How Secrets Mismanagement is the Next Big Cybersecurity Threat.
The report outlines the challenges IT and DevOps leaders face when keeping track of the wide spectrum of valuable secrets they're charged with keeping and securing.
Rick Van Galen is a security engineer at 1Password, and he joins us with highlights from the report.
You know, at 1Password, we're always about making secrets management easy for everyone.
And we just started wondering what's going on with the folks that probably have the hardest time and the most impactful consequences to mistakes in the process.
How are they doing secrets management?
And those folks, of course, are IT and DevOps folks.
So we reached out to them to see what they had to say.
Well, let's go through some of the details together. What are some of the things that you uncovered here?
You know, there's a bunch of interesting stuff in here.
So the first is just, you know, the scale of the problem. So 65%, almost two in three respondents, they say they have more than 500 secrets to manage.
That's a large number.
And one in five even say that they don't know how many they have.
They have more than they can count.
How exactly do you define a secret in this case?
What would be categorized as that?
That's a great question. To define it, a secret is something that you most often use to access other systems.
The traditional example, of course, is just regular passwords.
But especially in IT and DevOps cases, you can extend that to things like API keys that must be shared amongst a bunch of people, or SSH private keys, or client certificates.
Basically, anything that you use to go from one system to another.
Now, if secrets management is hard, if it's hard for people to find where they keep secrets, or they lose them, and they need stuff being reset, that slows down project time.
And longer project time leads to missing delivery dates, and that leads to an overall rise of cost in making your product or service.
One of the things that struck me in your report here also was that very often, for example, if an employee leaves an organization, there may be a lag time between when they leave and all of the things that they had access to get shut down.
There's a lot of information that can still be flowing that shouldn't be.
Yeah, that's a very common problem, and I'm totally not surprised to see that in the reports.
It's just very hard to keep track of which secrets somebody who's leaving the company had access to.
And it's very, very hard to be complete.
And not only is it hard to be complete, it's also hard to be even near complete on rolling all the secrets that are necessary when somebody leaves.
And that's just because it's very difficult to keep track of what this person was able to access in the first place.
So based on the information that you all gathered here, what are your recommendations?
What can organizations do to better get on top of this?
Right, so I think what's really key here is to remove friction.
So a bunch of these numbers in our report, they really strongly indicate that people are experiencing a lot of friction working with secrets management.
And as a result, you're seeing workarounds or lack of manageability, lack of auditability.
And what we really recommend is setting up a system where secrets are automatically deployed into infrastructure, where it's easy for everybody to get access to the secrets that they need access to, and make sure that that system is actually something that is intended to keep track of secrets, with the proper encryption and the proper access controls and the proper auditability.
One thing that I'd like to point out, and this ties into the reducing friction part of this, is that if you look at the distribution of how many people are admitting to employing bad security practices, like sharing secrets between projects, you see the number rise amongst VPs.
Which is quite telling because, you know, who amongst IT and DevOps folks are the least tolerant of this kind of friction?
It's likely going to be the VPs.
But those are also in the position to actually make a change in how secrets management is being done.
So I'd like to call on them to think about this problem and take some action.
That's Rick Van Galen from 1Password.
The report is titled Hiding in Plain Sight: How Secrets Mismanagement is the Next Big Cybersecurity Threat.
There's a lot more to this conversation.
If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
And joining me once again is Johannes Ullrich.
He's the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast.
Johannes, it's always great to have you back.
You've got an interesting method, an interesting technique for trying to hunt down some phishing sites.
What can you share with us today?
Yeah, thanks for having me again, Dave.
So this is about trying to find websites that impersonate your brand.
And there's nothing really you can do against someone setting up a website like that.
The trick is, how do you find it? And then, of course, how do you initiate some kind of takedown process or so for it?
In some cases, you got it easy and the phisher was lazy and is just including images from your website directly, saving the phisher's bandwidth, but of course giving you hints that someone is loading these images with an odd referrer, for example.
Well, the better phishers, they wised up to that.
They host their own images.
After all, they probably don't pay for hosting anyway.
So we have a nice tool here, Shodan.
Shodan, it turns out, indexes these little favicons. These are the little icons that you often see displayed in the URL bar, depending on your browser.
And well, the attacker, of course, will copy that image from your site in order to have a good representation of your site.
And you can search Shodan for these images.
Shodan actually converts these images into a 32-bit number. There's something called a MurmurHash they're using here to do that.
So once you know what that hash is for your favicon, it's really easy to plug that into Shodan, get a list of all the sites that use that particular favicon, and then of course you still have to figure out which one is actually a phishing site or just some marketing person setting up a website without you knowing about it.
Right, right. Release the takedown notices.
I've seen them also go wrong, kind of where you basically don't know about all the legitimate websites that necessarily are used for your brand.
That can be a little bit tricky, too.
Right, I suppose, especially if you're an international brand, it could be that the European division of your company is up to something that maybe you weren't tracking that closely.
Yeah, and you often have that often-cited shadow IT, where people aren't happy with the speed at which you implement things because of all those stupid security checks. So they just go out there and set up their little website themselves.
Also found a couple of development sites that way, where you do hire a company to develop a website for you and they leave the development site exposed to the world, which is kind of a nice find, too.
So it's not always a phishing site that is a good find, but something like these exposed development sites is also kind of a good thing to find.
Interesting stuff.
Johannes Ullrich, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday program and my conversation with Nathan Howe from Zscaler.
We're going to be discussing their research on emerging attacks and how best to counter them.
That's Research Saturday. Do check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.