CyberWire Daily - Facebook takes down "inauthentic" Russian and Iranian fronts. Twitter blocks Iranian false-flags, and FireEye explains why they think it's Tehran. Triout Android spyware described. Hacking back?
Episode Date: August 22, 2018. In today's podcast we hear that Facebook has taken down more inauthentic pages—some are Russian, but others are Iranian. Twitter blocks Iranian accounts for being bogus. Russia denies, again, any involvement in information operations against the US. US Army Cyber Command's boss wonders if his job isn't more "information ops" than "cyber." Bitdefender describes Triout, an Android spyware framework. And some in industry caution the Senate not to expect them to get frisky hacking back. Craig Williams from Cisco's Talos team discusses MDM (mobile device management) abuse. Guest is James Burns from CFC Underwriting on cyber security insurance. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_22.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Facebook takes down more inauthentic pages.
Some are Russian, but others are Iranian.
Twitter blocks Iranian accounts for being bogus.
Russia denies, again, any involvement in information operations against the U.S.
U.S. Army Cyber Command's boss wonders if his job isn't more information ops than cyber.
Bitdefender describes Triout, an Android spyware framework.
And some in industry caution the Senate not to expect them to get frisky hacking back.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 22, 2018.
Last week, U.S. National Security Advisor John Bolton said that Iran, China, and North Korea were involved in election meddling along with Russia.
This week's takedown suggests that he was right, at least about Iran.
Now two of the familiar four, Russia, sure, but also Iran, seem to have been caught setting up online fronts aimed at the manipulation of public opinion,
mostly in the U.S., but in Latin America, the Middle East, and the U.K. too.
The day after Microsoft's announcement that it had taken control of six domains
used for Russian disinformation operations,
Facebook reported that it had taken down 652 pages, accounts, and groups
which were engaged in inauthentic behavior aimed at influencing U.S. opinion.
This is the second round of such takedowns in as many months.
Last month, Facebook was reluctant to offer attribution.
They're not being so coy this time around.
The company said directly that the inauthenticity they squashed emanated from Russia and Iran.
There's no evidence of coordination between the two states, however,
as both appear to have acted independently.
Tehran's front accounts purchased about $6,000 in ads to run on Facebook and Instagram
and organized some 25 events.
Iranian activity seems directed toward creating a climate of opinion favorable to Tehran
as opposed to influencing elections.
Twitter also took action overnight against 284 accounts engaged in coordinated manipulation,
disinformation staged in many cases by Iran.
This campaign used a network of front news organizations established for the purpose
and also organized a number of events. The themes
were obvious choices for Iran, anti-Saudi, anti-Israeli, anti-Trump, and pro-Palestinian.
A number of the impersonators posed as progressive supporters of U.S. Senator Sanders,
independent from Vermont. The Iranian information campaign was uncovered by researchers at FireEye,
which noted that Google Plus and YouTube were also affected.
FireEye duly noted in its own blog that attribution, of course, is an inexact science,
but the security company did say that it concluded with medium confidence
that Tehran was indeed behind the phony accounts they flagged to Facebook and Twitter.
They've traced several front media organizations apparently run by the Islamic Republic.
In the U.S., the leading organizational identity, they assumed, was Liberty Front Press,
which represents itself as an independent news service
devoted to reducing the influence of money in politics and similar goals.
Much of its coverage is unremarkable,
apart from a persistent animus against Israel and Saudi Arabia.
The Liberty Front press is accompanied by a large number of associated
and coordinated social media accounts.
As it lays out its reasons for thinking all of these are Iranian fronts,
FireEye usefully proposes a definition of inauthentic.
They use the term to, as they say,
Their content, FireEye points out, is a mix of original material and news pieces pulled,
sometimes with alterations,
from other outlets. To return to the Microsoft takedown, Moscow, through its mouthpieces at the
Interfax news agency, dismissed the domain seizure as nothing more than a politically motivated
stunt. The Russian government continues to deny having anything to do with the influence operations
essentially everybody else thinks they are doing. Moscow's demands to see the evidence when it's accused
of hybrid warfare are reminiscent of nothing so much as the Afghan Taliban's posture of even-handedness
when, post-9-11, it told the U.S. to send over any evidence it might have of Osama bin Laden's
orchestration of the terror attacks so that they,
the Taliban, might take proper action, all with due process and in due course.
It's perhaps worth noting that such influence operations are likely to be misunderstood if
they're regarded as the digital analog of a Chicago machine ward heeler passing out free turkeys
in the 10th ward to get out the vote, or some downstate
block captain registering names from tombstones in a local graveyard.
The goal is instead fundamental disruption and erosion of confidence in institutions,
not necessarily any particular electoral outcome.
It's also noteworthy that Lieutenant General Stephen Fogarty, who leads U.S. Army Cyber
Command, thinks his command should get a new name, that really we're past the age of cyber
and into the age of information warfare.
He mentions as possibilities either Army Information Warfare Operations Command
or Army Information Warfare Dominance Command,
but he's presumably open to suggestions.
There are technical approaches to managing risk and protecting your organization from cyber attacks,
but a rapidly growing area of business protection is insurance against cyber events.
James Burns is cyber product leader at CFC Underwriting.
For some time now, say for the past three to five years,
it's been the fastest growing product line
within the global insurance industry. So we're at a stage where we've got more
insurers than ever before offering some sort of cyber insurance solution,
which is a good thing in many ways, because it means there's choice there for clients.
But it can have a negative impact in that it's still a very young market. So there are lots of different providers who may not necessarily call their products the
same thing, which can sometimes lead to confusion. And as an industry, how do you all contend with
the fact that there aren't really 100 years of actuarial tables for you all to look back on?
Absolutely right. And I guess that's part of being part of a nascent product line.
But what we do do is use the data that we have as best we can.
We also obviously benefit from the fact that a lot of the risk
that we're considering is technology-driven,
and we benefit from the fact that technologies at our disposal today
are far more advanced than actuaries had when trying to assess other product lines 50, 60, 70 years ago.
Now, as people are shopping around for cybersecurity insurance, what are some of the things that they find to be confusing?
I guess a lot of the terminology can be confusing because, you know, especially for smaller and mid-sized clients where they perhaps don't have in-house security teams or even in-house IT, a lot of the exposures that we're offering protection against can be quite jargonistic in nature because we're dealing with digital age and not all insurance buyers are as au fait with lots of the terminology as some are. So that can be a big struggle. I think explaining what the exposure is
to many companies can be quite confusing as well because a lot of companies don't know what the
impact of a cyber event might be until they've actually suffered it. So in some instances,
you're talking in hypotheticals.
This is potentially what might happen.
So trying to bring that to life is a big part of our industry's job.
But like I said, we're seeing more and more claims come through every month now.
So being able to regale real-life experience in terms of what has happened to certain companies and
what impact that's had on their businesses is really helping to clear up that confusion.
Now, for the person who's been tasked with going out there to research and purchase
cyber insurance for their company, what's your advice? How should they approach it?
I think they've got to start by taking a look at their own business. So they've got to look at what
potential exposures they might be open to
and then what the potential impact of that exposure might be.
So if you're an organization that collects a large volume of sensitive data,
for example, maybe somewhere in the healthcare industry or in the retail industry,
then you're going to be exposed to having a data breach
and potentially all the types of cost and fallout
that come associated with that. If by contrast, you're working for an organization in a more
traditional industry, such as manufacturing or heavy industry, you might not actually collect
any data whatsoever. So your data breach exposure is fairly low, but you could have a huge exposure
to operational disruption if a cyber attack shut down your systems so you couldn't produce your products.
So I think the most important thing is for a business to look at what they are, who they are.
And that's almost the easy part in a way because business owners and execs know what their businesses are inside out.
Once they've established that, they can then look at the exposures present and go about selecting an appropriate cyber insurance policy accordingly. That's James Burns from CFC Underwriting.
While information operations may have temporarily at least pushed traditional cyber news to the
side today, there's still plenty of old-school hacking to be seen, and how odd it seems to be saying old-school hacking.
We'll mention two items. First, Bitdefender reports its discovery of a new Android spyware
framework it's calling Triout. Triout can deploy malware onto Android devices,
where it gives its controllers extensive surveillance and information-stealing capabilities.
Second, hearings of the U.S. Senate Judiciary Committee's subcommittee on cyber yesterday
featured, as expected, renewed calls by lawmakers for some sort of hack-back legislation,
which the solons prefer to call active defense.
At least one industry representative, Thomas Fanning, CEO of Southern Company,
the Atlanta-based electric utility holding company,
told the subcommittee that he's talked with senior federal government people about hacking back
and that he still believes that kind of retaliation belongs in military and not corporate hands.
And I'm pleased to be joined once again by Craig Williams.
He's the director of Talos Outreach at Cisco.
Craig, welcome back. You all recently put out a report talking about MDM, which is mobile device management, and some vulnerabilities there.
Why don't we just start with some basic stuff here. Can you describe to us, what are we talking about when we say MDM?
So a mobile device manager is just basically a system that's been designed to allow someone to control your mobile device.
Traditionally, this would be the company you work for.
And I do want to stress, this isn't a vulnerability.
This is more or less, it's working as designed.
And users are just being tricked.
But so if you were an employee at Cisco, right, you would install the mobile device management on your phone.
Cisco would then be able to erase your phone remotely.
Now, of course, because iOS is designed with security in mind, it doesn't allow you to directly access the data, right? Your data is still protected. But what it does allow the company to
do is push down things like company apps. And so attackers have figured out that they can actually
use this to push down apps that look like real apps that have been modified using a sideloading
technique or by rewriting something that appears to be a different app. And then they can effectively
spy on the user. So the threat that we found was basically a campaign targeting people in India.
The actor, they made some strategically poor decisions by leaving things like the log directory
world readable. So we were
able to actually look at the log file and verify that there were 13 devices on earth that had been
compromised by this server, which, you know, when you see something like that,
it's pretty concerning, right? Because anytime you see a campaign that's that targeted,
the hair should stand up on your arm a little bit and you should wonder, well,
what are they doing with this? As we dug into it, we found out that it was basically, you know, they were spying on people.
What they were doing with the server was pushing down backdoored WhatsApp and Telegram applications, as well as another application called PrayTime.
WhatsApp and Telegram, of course, grabbed our attention.
I mean, these are apps designed for secure messaging. These are apps
that people want to use if they're afraid of having their data intercepted. And these are
apps that people would send pictures that they were only intended for the specific recipient
through. The actor was intentionally modifying those applications so that they appeared to be
legitimate. And yet while they still functioned accordingly,
they were also siphoning off all that data to the attackers, including things like contact
information, location, chat logs, pictures, SMS, all that good stuff.
Now, in terms of this mobile device management software, was the user of the iPhone intentionally
downloading this for legitimate reasons, or were they
fooled into doing that as well? We believe they were fooled into doing it. We actually have the
pictures of someone being infected on our blog post. And it's an ordeal. You have to be
tricked to do this. This is not something you can do by accident. You know, the phone basically
tells you, are you sure you would like someone to take over your phone? And the user has to click
yes. And the phone will tell you this is a bad idea. And the user clicks yes anyway.
And then at that point, the attacker has control of the phone. And so they could wipe it. They
could steal data off it through apps. And we thought that was the end of the story.
But as we dug a little bit further into it, we were able to find a little bit of a deeper rabbit hole.
And so what we ended up finding was that this was part of a much broader campaign. We were able to link this to an existing APT group called Bahamut that was reported by Bellingcat and Amnesty
International. And effectively, what we believe happened was when they did the initial Bahamut research, they only found the Android versions.
And so we think that this iOS version was basically an evolution of that threat where they added some additional capabilities.
We found some additional MDM servers while we were looking for this.
And we actually found another version of this malware that actually added another really interesting twist to the story.
They added some additional apps that they were stealing data from. But the one that really caught my attention was they wrote
a malicious Safari browser. Weird, right? Talk about a foundational app on your phone.
Right. And this is not trivial. This isn't something somebody just modifies an existing
binary and slaps together. This is somebody put some effort into this. Somebody spent hours thinking this through and planning this out. But basically,
this Safari app targeted very, very specific sites, you know, potentially sensitive sites
like ProtonMail, Reddit, Amazon, Mail.com, Yahoo, right? Sites that people presumably think are
relatively private, maybe not Reddit on that one, but you know, relatively private,
like ProtonMail, and it sent those credentials to the bad guys.
Really, this sounds like it's a terrible situation. The reality is this is MDM working as designed
for a device that wasn't secured properly. And so it turns out that in most enterprise applications,
you're already going to have an MDM certificate installed.
And naturally, the right way to deploy an MDM certificate is to not give the users the password to remove it. So if you have Cisco Security Connector or any of our competitors' MDM on
your phone and it's been locked down by your company with a password you don't have,
this isn't a threat to you. You don't need to worry about these. But unfortunately, for a lot of home users and some enterprises that haven't deployed them
correctly, this is still an issue. Well, it's an interesting read for sure. The title of the
article is Advanced Mobile Malware Campaign in India Uses Malicious MDM. As always, Craig
Williams, thanks for joining us. Thank you.
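Craig's closing point is that a correctly deployed MDM profile, one the user cannot remove without a password the administrator holds, is not exposed to this campaign, while a profile the user can remove (or enroll in) on their own is. That property can be checked on an enrollment profile before it ships. The following Python audit is an added example, not Talos's or Cisco's code: it builds two constructed `.mobileconfig` profiles (one removable, one locked with a removal password) with the standard library's `plistlib`, then flags profiles with no removal protection and MDM server URLs that are not HTTPS. The payload keys (`com.apple.mdm`, `com.apple.profileRemovalPassword`, `HasRemovalPasscode`, `PayloadRemovalDisallowed`) are the ones used in Apple's configuration profile format; the identifiers, UUIDs and `mdm.example.invalid` server are placeholders.

```python
"""Audit iOS MDM enrollment profiles for user-removable enrollments.

Added example (not Cisco Talos code). Profiles built here are constructed
sample data; identifiers, UUIDs and the server hostname are placeholders.
"""
import plistlib


def make_profile(server_url, removal_password=None, removal_disallowed=False):
    """Build a minimal MDM enrollment profile as plist (.mobileconfig) bytes."""
    mdm_payload = {
        "PayloadType": "com.apple.mdm",
        "PayloadIdentifier": "example.mdm.payload",          # placeholder
        "PayloadUUID": "22222222-2222-2222-2222-222222222222",  # placeholder
        "PayloadVersion": 1,
        "ServerURL": server_url,
        "Topic": "com.apple.mgmt.example",                   # placeholder APNs topic
        "AccessRights": 8191,                                # all MDM rights (sample value)
    }
    content = [mdm_payload]
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.mdm.profile",          # placeholder
        "PayloadUUID": "11111111-1111-1111-1111-111111111111",  # placeholder
        "PayloadVersion": 1,
        "PayloadDisplayName": "Example MDM enrollment",
        "PayloadContent": content,
    }
    if removal_password is not None:
        # A removal-password payload forces the user to enter this password
        # in Settings before the profile (and the MDM relationship) can be removed.
        content.append({
            "PayloadType": "com.apple.profileRemovalPassword",
            "PayloadIdentifier": "example.mdm.removal",      # placeholder
            "PayloadUUID": "33333333-3333-3333-3333-333333333333",  # placeholder
            "PayloadVersion": 1,
            "RemovalPassword": removal_password,
        })
        profile["HasRemovalPasscode"] = True
    if removal_disallowed:
        # Honoured only on supervised devices; prevents removal entirely.
        profile["PayloadRemovalDisallowed"] = True
    return plistlib.dumps(profile)


def audit_profile(profile_bytes):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    payloads = profile.get("PayloadContent", [])
    mdm_payloads = [p for p in payloads if p.get("PayloadType") == "com.apple.mdm"]
    if not mdm_payloads:
        return ["no com.apple.mdm payload: not an MDM enrollment profile"]

    removal_pw = [p for p in payloads
                  if p.get("PayloadType") == "com.apple.profileRemovalPassword"]
    locked = bool(profile.get("PayloadRemovalDisallowed", False))
    if not locked and not removal_pw:
        findings.append("profile can be removed by the user: no PayloadRemovalDisallowed "
                        "and no com.apple.profileRemovalPassword payload")
    if removal_pw and not profile.get("HasRemovalPasscode", False):
        findings.append("removal password payload present but HasRemovalPasscode is not set")

    for p in mdm_payloads:
        url = p.get("ServerURL", "")
        if not url.startswith("https://"):
            findings.append(f"MDM ServerURL is not HTTPS: {url}")
    return findings


if __name__ == "__main__":
    weak = make_profile("http://mdm.example.invalid/mdm")
    hardened = make_profile("https://mdm.example.invalid/mdm", removal_password="s3cret")
    for name, blob in (("weak", weak), ("hardened", hardened)):
        print(name, audit_profile(blob) or ["no findings"])
```

Run it against a real exported profile with `audit_profile(open("enroll.mobileconfig", "rb").read())`; a signed profile must be unwrapped from its CMS envelope first, which this example does not do. Note that on an unsupervised device a removal password raises the bar for the user, while only `PayloadRemovalDisallowed` on a supervised device removes the option entirely.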
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. Thank you. next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.