CyberWire Daily - DNSpionage. Cobalt Dickens’ unwelcome return. iOS spyware may be more widespread than believed. Governments move toward content moderation. Small towns, big problems.
Episode Date: November 28, 2018

In today's podcast, we hear that DNSpionage espionage tools are hitting Middle Eastern targets. Iran's Cobalt Dickens returns to pester universities. Lawful intercept vendors receive more scrutiny, and that scrutiny suggests iOS might not have escaped their attention as much as many had assumed. Facebook gets grilled in London. Nine Western countries issue a joint communique resolving to control "false and misleading" content on the Internet. And lessons from small towns. Ben Yelin from UMD CHHS reviews government requests of Google's Nest to turn over user information. UK correspondent Carole Theriault speaks with Graham Cluley about police monitoring criminals using the IronChat secure messaging service. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_28.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A tool going by the name DNSpionage hits Middle Eastern targets.
Iran's Cobalt Dickens returns to pester universities.
Lawful intercept vendors receive more scrutiny, and that scrutiny suggests iOS might not have escaped their attention as much
as many had assumed. Facebook gets grilled in London. Nine western countries issue a joint
communique resolving to control false and misleading content on the Internet, and a lesson from small towns.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 28, 2018.
Cisco's Talos Group is tracking a threat actor
running what Talos calls DNSpionage malware against Middle Eastern targets.
Lebanon and the United Arab Emirates have attracted the most attention.
At least two espionage campaigns are in progress.
One phishes victims with bogus job listings that induce the users to open malicious Microsoft Office documents.
The other redirects the DNS of legitimate domains.
Talos, which regards the unknown threat actor as painstaking and focused,
has been unable to draw connections with other known threats.
The malware the malicious documents are dropping in these campaigns is, as Talos puts it,
an undocumented remote administration tool.
It supports DNS tunneling as a command and control channel. The malicious
DNS redirection the attackers used affected sites belonging to Lebanon's finance ministry,
Middle East Airlines, a Lebanese carrier, and the United Arab Emirates Police and
Telecommunications Regulatory Authority. What the actors behind DNSpionage were after is unclear,
but whoever they were, they were persistent and capable, and clearly devoted some attention to preliminary reconnaissance.
The lesson the researchers at Talos drew, for the rest of us, is the obvious one that endpoint and network protection should be as strong as possible.
As Talos warns, quote ... This one, known and indeed familiar, is back.
The Iranian threat group Cobalt Dickens is actively prospecting targets in universities.
SecureWorks' counter-threat unit says they are after credentials
and that they're using familiar social engineering tactics. The universities Cobalt Dickens is after
are found in Malaysia, Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United
Kingdom, and especially the United States. The threat group, which is linked to the Iranian
government and its Revolutionary Guard, figured prominently in the news this past March,
when the U.S. Justice Department indicted nine individuals and a contractor,
the Mabna Institute, for an earlier Cobalt Dickens campaign against universities.
There's no shortage of online private messaging systems
that offer claims of end-to-end fully encrypted communications,
promising their users invulnerability to prying eyes. Law enforcement likes to remind us that
these particular capabilities are often attractive to folks who are up to no good.
Dutch police recently revealed a campaign to thwart criminals hiding behind encrypted
communications. Our UK correspondent Carole Theriault has the story.
Rarely do you get a behind-the-scenes explanation as to how cybercops track the bad guys.
It makes sense if the strategy is working, why blow its cover by blabbing about it?
So it was rather exciting when Dutch police announced that they had been eavesdropping
on a secret messaging service used by cybercriminals. This was a pretty big
operation, as you shall see. But what was the most interesting thing was why in the world did
the Dutch police come clean about their secret source? I managed to get a few extra juicy details
from my Smashing Security podcast co-host, Graham Cluley, who had written an article on this very
topic for Bitdefender. Graham, thanks for joining us on the CyberWire.
My pleasure. Nice to be here.
Now, can you give us some inside information?
What's going on here?
Why have the Dutch police announced this
if they had tabs on all these suspected criminals?
Well, it's fascinating, isn't it?
So what they managed to do is they managed to hack into
what should have been a securely encrypted method for the criminals to communicate with each other,
something that criminals had been using for months and months and months.
And you have to ask, well, why would they now have blown their own whistle, as it were, and revealed that those messages are compromised?
And the reason is that the police got wind of the fact that some of the criminals were actually planning to kill one of their fellow criminals, believing...
Whoa, whoa, whoa, whoa. This, we have murder here.
Exactly. They believed that it was one of their fellow criminals who was snitching to the police and revealing the secrets. So the police had to say, actually, we've been looking at all of your communications for some time. It's not one of you who's actually blown the whistle on yourselves.
There's a lot of encrypted messaging services out there, such as Telegram or Signal.
Which one were these guys using?
They were using one called IronChat.
So IronChat comes as part of a package that you can purchase from a company whose website has now been shut down.
They've also
been arrested, called Black Box Security. And what Black Box Security will do is they will
sell you a subscription to their service. If you pay them $1,500, that will give you a six-month
subscription. You get an Android phone, which has particular apps installed upon it, including this IronChat secure communication application.
It's a remarkably ugly app as well.
It's got probably the worst and least attractive user interface you could ever have imagined.
But basically, it's a secure phone with a secure messaging service.
Yes, that's right.
But it was using Black Box Security's own server as part of the communication. And one way or another, and we don't know the precise details, the police managed
to compromise that system or take it over. And they were able to see the messages which were
being sent. Over a quarter of a million messages between criminals were being monitored practically
live by the police. Well, that must give them a lot of insight into how to address these guys.
Well, yes. As a result of their surveillance, law enforcement agencies in the Netherlands
have seized automatic weapons. They've seized large quantities of hard drugs,
cocaine and MDMA, 90,000 euros in cash, and they've dismantled a drugs lab as well.
And they had to blow up this whole surveillance scam because someone was at risk.
Well, they've blown their own cover. The website's down, the application won't work anymore, so any criminals who use it are going to have to switch to something else. Obviously, the police ideally wouldn't have wanted that. They would have wanted to watch for as long as possible, but I think they realized it's actually getting dangerous now, because criminals were being arrested, people were wondering in the criminal underground, how are the police gathering this information? As I say, there was a plot to kill one of the criminals because they believed that he may have been speaking to the police. And so the police said, actually, no, we know all of this stuff. We've been watching you for a while.
Graham, that's excellent. This was Carole Theriault for the CyberWire.
It's like a mini episode of Smashing Security. It's kind of nice.
Citizen Lab have recently drawn attention to apparent abuse of NSO Group's Pegasus tool by
various governments. Kaspersky has now noticed that another company, government vendor Negg,
seems to offer an iOS implant.
Negg, which is based in Rome, had been known for its Android intercept tools.
It appears also to have done much the same with iOS.
This suggests to Kaspersky that iOS spyware may not be as rare as hitherto generally believed.
Facebook's transatlantic grilling proceeds. Company emails Westminster seized from a third party
indicate that the social network knew about and investigated Russian data harvesting in 2014,
two years before publicly acknowledging Moscow's interest in election meddling.
The big sit-down in London has provided the occasion for the immodestly titled International Grand Committee inquiring into disinformation to release its Declaration on the Principles of Law Governing the Internet.
The committee's nine nations want tech companies fully answerable to organs of representative
democracy, the way they see it.
The deliberate spreading of disinformation and division is a credible threat to the continuation
and growth of democracy and a civilizing global dialogue.
Tech firms need to recognize, as Spider-Man's Uncle Ben taught us, that with great power comes great responsibility.
We note that Uncle Ben was obviously a student of the great 19th century theorist of international law, Francis Lieber.
Social media companies in particular, quote, should be held liable if they fail to comply with a judicial, statutory, or regulatory order
to remove harmful and misleading content from their platforms,
and should be regulated to ensure they comply with this requirement, end quote.
The signatories include Argentina, Belgium, Brazil, Canada, France, Ireland, Latvia, Singapore, and the United Kingdom.
It's not just international grand committees, industrial titans, world powers, wealthy elites, and the like who worry about the Internet.
No one's too small to escape the ministrations of bad actors.
In compact, crowded New Jersey, police and other officials in the small town of Rockaway Township are working to recover from a ransomware attack.
It began on November 22nd with a partial recovery of some systems this Monday.
The police are still offline and township officials say they're in the dark about the extent of what happened.
The late mayor's phone and laptop have gone missing since Mayor Michael
Dachisen died on August 15th. The Township Council thinks it possible that someone stole the devices
and used them to work their mischief on municipal systems. Meanwhile, up in sprawling, thinly
populated Alaska, the Matanuska-Susitna Borough Assembly voted to appropriate a million dollars to pay for recovery from a ransomware attack the local government sustained in mid-July.
They declined to pay the ransom and bit the financial bullet to upgrade their security and resilience.
The newly appropriated $1 million comes on top of $2.1 million the borough has already spent on recovery and remediation. The neighboring city
of Valdez, nearby by Alaskan standards, was also hit, but Valdez took a gamble and paid the ransom,
so they got off with just $27,000. As painful as it is, conventional wisdom says that Mat-Su,
as the borough is locally known, probably made the wiser call.
And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University
of Maryland Center for Health and Homeland Security. Ben, it's great to have you back.
We had an article come by from Forbes. This was penned by Thomas Brewster. And it's all about Google's Nest
unit and how they've handed over data to the government a few hundred times.
Yeah, I mean, I think that number is rather eye-popping. Most of the data was handed over
either voluntarily or via subpoena. So in the vast majority of cases, the government didn't
really establish probable cause to search these devices. And if the government has reasonable suspicion, they can get
a subpoena to collect that information. What's fascinating to me about Nest's devices and really
all smart home devices is it sort of presents a clash in Fourth Amendment principles. So we always
think about the Fourth Amendment first and foremost protecting the home.
It's somebody's fortress of personal privacy.
We don't want the police coming into our house without a warrant.
I think everyone would agree with that.
But then we have this competing doctrine, really this exception to the Fourth Amendment
called the third-party doctrine, where when we voluntarily
submit information to a business like Google, we lose our reasonable expectation of privacy in that
information. And we're voluntarily giving private information to our smart homes all the time.
Eventually, all federal courts and the Supreme Court is going to have to struggle with which
Fourth Amendment doctrine is stronger here.
Is it the doctrine about being protected in the fortress of your home because this is a smart home device?
It's only recording things that happen in this very, very private place.
Or do they take a third party approach, which is about even if this device is in your home, you are constantly feeding it information voluntarily, and that information is fair game for the government to collect.
I think we can possibly find some guidance in the Carpenter decision, which you and I have talked about a lot.
The reason Chief Justice Roberts said that the government would need a warrant to collect that information is because collection of cell site location information was so ubiquitous and was so deep
and so broad, sort of fell out of that third party doctrine exception. And I think you could
make an argument that smart home devices are even deeper and broader, especially when we know that
it's recording at least snippets of, you know,
our intimate conversations that we're having around the household.
There are a couple other interesting tidbits from this article. One of them was that
Google said that they turned over less than 20% of the requests from the government. So it's not
as though they just hand it over when the government asks. Yeah. I mean, you know,
Google and basically all internet service providers, technology companies,
want to prove to their customers that they're doing their best to protect their personal information.
And Google seems to be doing that here.
They said they're analyzing every single request, even if it's done pursuant to a warrant,
to make sure that the request is not overbroad, that it's appropriate,
that Google is not releasing more personal information than it has to.
And I think that's important.
The customer itself is not going to be privy to this interaction between Google and the government.
So we're entrusting Google or whoever owns our smart device with our personal information,
and we're largely relying on them to fight on our behalf.
Yeah, they also said that they had never received a national security letter,
which is interesting because, as we've talked about, when you get a national security letter,
you're not allowed to say that you get a national security letter.
So it's kind of a canary.
Yeah, it's the fight club of electronic searches.
You are not allowed to talk about national security letters.
It's funny, and this article mentioned that they've never received one of those.
They've stated that affirmatively, but they wouldn't be able to state if they think we can deduce that Google has gotten a request for a national security letter.
What that means to me is the government might have evidence on everyday ordinary crimes gleaned from smart home devices, but at least as it applies to Google, they haven't yet had a case where they're looking specifically for national security
information from one of these devices. So, you know, that's going to happen eventually. There's
going to be a reasonable suspicion that somebody is involved in international terrorism. And,
you know, they ask their smart home device where the nearest Home Depot is and whether they have
explosives. Let's say nearest home goods store.
Yeah, go to the explosives aisle at Home Depot, right?
Yeah, exactly.
So I think it's inevitable.
It is interesting that it's not happened to this point, but I think the technology is
still relatively new.
So, you know, I think that's something we'll see in the next couple of years.
All right.
Well, Ben Yelin, thanks for joining us.
Thank you.
For today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.