CyberWire Daily - False flags and attack kit hijacking. Maze ransomware in Pensacola. China’s own OS. Crypto Wars update. TrickBot phishing. And Krampus spoils Christmas.
Episode Date: December 12, 2019
Flying false flags, and borrowing someone else's attack tools as the mast you use to run them up. The Pensacola cyber attack has been identified as involving Maze ransomware. China moves toward building its own autarkic operating system. US Senate Judiciary Committee hearings take an anti-encryption turn. TrickBot is phishing with payroll phishbait. And Krampus malware is punishing iPhone users as they shop during the holidays. Tom Etheridge, VP of services from CrowdStrike, introducing himself. Guest is Dean Sysman from Axonius on S3 security flaws. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/December/CyberWire_2019_12_12.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Flying false flags and borrowing someone else's attack tools as the mast you run them up.
The Pensacola cyber attack has been identified as involving Maze ransomware. China moves towards building its own autarkic operating system. U.S. Senate Judiciary Committee hearings take an anti-encryption turn. TrickBot is phishing with payroll phishbait.
And Krampus malware is punishing iPhone users as they shop during the holidays.
From CyberWire Studios at DataTribe, sitting in for Dave Bittner, I'm Bennett Moe with your CyberWire summary for Thursday, December 12th, 2019.
Attribution is difficult enough under the best of conditions, and it becomes even more challenging when the pirates, the privateers, and the nation-state's virtual men-of-war fly false flags.
So much attribution depends on an accumulation of circumstantial evidence that, for example,
code reuse or employment of a certain command and control server might easily lead one astray.
One example of false flagging is the use by Russian security and intelligence agencies of Iranian cyber-attack tools and infrastructure.
Recorded Future has been watching how that has played out,
and this morning published an update on what it's calling Operation Gamework,
a report on how that hijacking has proceeded.
Three Iranian threat actors have had their operation kit co-opted by a group Recorded Future's Insikt Group tracks as BlueAlpha.
The first two Iranian operators are APT33, also known as Elfin, and APT35, or if you prefer, Charming Kitten, both of which are directed by the Iranian Revolutionary Guard Corps. The third is a group tracked as MuddyWater, whose right place in the organizational chart is less clear, but which by general consensus is held to be working for Tehran.
Recorded Future has seen convincing signs that
BlueAlpha's activities show considerable overlap with the Gamaredon group, which itself has been
tied to attacks against Ukrainian targets, and which the Ukrainian Security Service has linked
to Russia's FSB, that country's federal security service. Recorded Future's conclusion is that
BlueAlpha is itself an FSB operation, and that it succeeded in getting its hands on MuddyWater, Elfin, and Charming Kitten,
probably without Tehran's cooperation and possibly without Tehran's knowledge.
Why would FSB bother with this?
For several reasons.
They've apparently already compromised Iran's operators with implants into their tools and infrastructure,
which makes Iran's APTs both available and accessible.
They're also convenient.
Tehran has taken considerable trouble to direct successful cyber operations
against its principal regional rival, Saudi Arabia.
And Russia is interested in the Saudis as well.
And finally, of course, using someone else's kit makes it easier to fly a false flag.
One of the famous Russian threat groups that's been associated with the FSB is, of course, Cozy Bear, famous as the outfit that first made inroads into
the networks of U.S. political parties during the last presidential election cycle. The Florida
Department of Law Enforcement has sent out a notification that the cyber attack the city of
Pensacola sustained on December 7th was, in fact, a ransomware attack. Ars Technica says
that the ransomware was a variant of Maze, a strain that came to prominence earlier this year
in attacks against Italian targets. It was apparently a broad targeted phishing attack
that led to the infection. The criminals prospect a large number of email addresses with spam.
When they get beaconed that someone has clicked a link, they see if the organization the clicker belongs to is likely to be first, deep-pocketed, and second, poorly prepared.
If the answer to both is yes, then the attack proceeds in a more focused and determined way.
It seems, by the way, that early speculation about the possible connection with the terrorist
murders at the Pensacola Naval Air Station and the cyber attack was unfounded. That the shootings
and the cyber attack occurred within hours of one another appears to be mere coincidence.
There's been a lot of discussion lately about cloud security, so Dave Bittner spoke with Dean
Sysman, CEO and co-founder of Axonius, about the challenges of securing S3 buckets. Here's Dean.
So it all starts from when we moved from the on-premise or the high-perimeter type of security to the cloud and the no-perimeter type of security.
There are two major shifts that are causing the change in security that we're seeing as applied to S3 buckets.
One is that the environment can be accessed from anywhere, right? So somebody can go online and access the cloud environment, even in an authenticated manner, from a Starbucks Wi-Fi. And the second aspect is
that the environment is extremely dynamic. So most of the time, it's not even people who create the
assets, it's code that's written by developers or architects or whatever it is. So when we think about the storage aspect, which is what S3 is
of Amazon Cloud, or this is true for everything. If you look at the security team, their ability
to keep track of which storage buckets and which access points their organization has
becomes extremely difficult because it's no longer able to do it manually.
So what ends up happening is there are a lot of just publicly open storage buckets.
And these are just, you know, lists of files that anybody can access online. And nobody figured out that these should not have publicly accessible access.
And so what's the solution here?
How do we face this one?
Like all things, it all starts with understanding what you have.
We're in a very dynamic environment.
The first step is to say, if now we're automating the provisioning of this environment or we're automating the access of it, we should be also automating the visibility and monitoring of it. There should be some form of tool or some form of automation
that constantly keeps track of which S3 buckets we're utilizing,
which ones are being created, which ones are being accessed,
and then apply the correct security policy to it.
Now, when these buckets end up being exposed, what typically has happened?
Is it an initial configuration flaw? Is it that something's changed along the way? It could be a number of things, and I don't have the statistics,
but I'd say one of the most common ones is just that nobody's just keeping track of it. It's a
miscommunication between the people who are setting these up, who usually just care about,
you know, achieving some form of task in their jobs, and security who are unaware of the fact that
somebody spun up all these storage options, and they just don't know that it's happened.
By default, usually the access becomes public, and then nobody's aware of the fact that there
could be a lot of confidential information in there. And what usually ends up is there are a
lot of both hackers and just other bodies who scan the range of the S3 buckets and start looking for information that could be confidential or shouldn't be publicly accessible.
And very quickly, they find these leaks and breaches end up happening.
So what are your recommendations for folks to stay on top of this?
How do they come at it?
Yes, I would say if you have a very build-focused team, as in you'd rather build your own tools or build your own monitoring, you have to automate the process of monitoring and maybe even approving
the creation of S3 buckets. I mean, there are a lot of online guides on how to do that using AWS
console. But if you're more of a buy mentality,
or you just, you decide that this is a problem, you don't want to focus your time and resources on,
then there are a lot of tools out there that just help you cover and understand what your assets are
in the cloud, S3 buckets among them. And I wouldn't want to mention any specific ones, but obviously
that would be the best way to just make sure that you're constantly monitoring and this doesn't happen. One of the things that we don't
cover enough in the media when we talk about these things is how hard the jobs have become on the,
you know, the people are trying to defend us, right? And I'll explain what I mean is that
it's very sexy to say, okay, this breach happened. This is a disaster, right?
Like the negative emotions coming from this publication is very strong.
But one of the things we're not talking about enough is how organizations have moved very quickly to embrace technology while not realizing the cost associated with making it safe.
And the best analogy that I have is if you would have taken a Ferrari and used the brakes from a Chevy or like a 50s year old car, nobody will want to drive that car, right? Because it's so powerful and the engine is so strong.
You have to have the brakes that fit the speed of that car.
And same goes for cybersecurity.
Organizations are utilizing more and more technology in order to become more effective and more successful. But they don't understand the implications of how much investment you have
to make in the security side of it to account for those investments. That's Dean Sysman from Axonius.
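Dean's point about automating the visibility of buckets and applying the right policy to each one, as an added example that is not part of the original episode and not Axonius's code: a stdlib-only Python checker over a constructed inventory shaped like the output of the S3 API's GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock calls. It flags ACL grants to the AllUsers and AuthenticatedUsers groups and Allow statements with a wildcard principal, and it honours the public access block settings that neutralise those findings. The bucket names and records are constructed; in a real deployment the inventory would be pulled from the API on a schedule and the findings routed to an alert.

```python
"""Offline audit of S3 bucket access settings for public exposure.

Constructed example: the bucket records below imitate what the S3 API
returns from GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock,
embedded inline so the check runs without AWS credentials.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}


def public_acl_grants(acl):
    """Return ACL grants made to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    return findings


def principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return Allow statements open to any principal; flag conditioned ones for review."""
    findings = []
    if not policy_json:
        return findings
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not principal_is_wildcard(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            # A Condition may still be too broad; it needs a human look rather than an automatic verdict
            findings.append(f"policy {sid}: wildcard principal limited by Condition (review)")
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append(f"policy {sid}: allows {', '.join(actions)} to everyone")
    return findings


def audit_bucket(bucket):
    """Return the reasons a bucket is publicly reachable (empty list means not public)."""
    pab = bucket.get("PublicAccessBlock", {})
    reasons = []
    # Public ACL grants are neutralised when IgnorePublicAcls is on
    if not pab.get("IgnorePublicAcls", False):
        reasons += public_acl_grants(bucket.get("Acl", {}))
    # A public bucket policy is neutralised when RestrictPublicBuckets is on
    if not pab.get("RestrictPublicBuckets", False):
        reasons += public_policy_statements(bucket.get("Policy"))
    return reasons


def audit_inventory(buckets):
    """Map each bucket name to its findings, so the result can feed an alert or a ticket."""
    return {b["Name"]: audit_bucket(b) for b in buckets}


# Constructed inventory: three buckets, each in a state that turns up in practice
SAMPLE_BUCKETS = [
    {   # public ACL, no policy, no public access block: the classic exposed bucket
        "Name": "payroll-exports",
        "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
        "Policy": None,
        "PublicAccessBlock": {},
    },
    {   # deliberately public via bucket policy (a static website); still worth knowing about
        "Name": "static-site-assets",
        "Acl": {"Grants": []},
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::static-site-assets/*"}]}),
        "PublicAccessBlock": {},
    },
    {   # stale public ACL, but public access block settings make it harmless
        "Name": "backups",
        "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"}]},
        "Policy": None,
        "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                              "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    },
]

if __name__ == "__main__":
    for name, reasons in audit_inventory(SAMPLE_BUCKETS).items():
        status = "PUBLIC" if reasons else "ok"
        print(f"{name}: {status}" + "".join(f"\n  - {r}" for r in reasons))
```

Running it reports payroll-exports and static-site-assets as public and backups as ok; the design choice is to return reasons rather than a bare boolean, so the same output can drive a ticket that tells the bucket's owner exactly which grant or statement to fix.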
China's approach to internet sovereignty proceeds. Computing reports that Tianjin
Kailin Information, or TKI, and China Standard Software, also known as CSS, have formed a joint
venture to produce a domestic operating system. The two companies are making their own contribution
to Beijing's push towards information autarky. Forbes summarized yesterday's hearing in the
Senate Judiciary Committee and sees the U.S. Senate's sympathies shifting towards the Justice
Department's restrictive position on encryption. Quote, it ain't complicated for me, Senator Lindsey Graham, Republican of South Carolina
and chair of the committee, told representatives of Facebook and Apple who were in attendance.
He explained, quote, you're going to find a way to do this or we're going to do it for you,
unquote. That's probably more huffing and puffing than it is firm legislative agenda,
but it does suggest some movement against permitting companies to use strong end-to-end encryption in their products. Finding a way
around strong encryption has been a matter of interest to the U.S. Justice Department since
the previous administration, at least, where former FBI Director Comey was the public face
of a push towards ordered liberty, that is, for giving investigators means of reading private
encrypted traffic when circumstances warranted it.
To be sure, Justice has always argued that such an ability would be hedged about with appropriate oversight and safeguards consistent with constitutionally guaranteed rights.
That's the liberty part in the ordered liberty.
But the other side in the crypto wars hasn't found that entirely reassuring.
It may have become less reassuring after the report of the Justice Department's Inspector General on the slipshod execution and oversight found in the FBI's
crossfire hurricane investigation into possible Russian influence in the 2016 Trump campaign.
But Justice may have found its persuasive heavy artillery in child protection,
for a long time the biggest gun in advocacy's rhetorical battery. It's hard to close your ears
to the guns when they're barking on behalf of the children. And in fact, we're hearing a similar
preparatory bombardment from across the Atlantic, where the Home Secretary is laying down a child
safety barrage in Westminster's debates over encryption. TrickBot, even after it's apparently
been hired by Pyongyang's hacker masters, has continued its phishy ways. IBM reminds us that
payroll-themed spam is spreading
the malware. Be skeptical and think before you click. Not everything that looks like payroll
is really payroll. Sure, we all want to be paid, but don't let greed and fear overwhelm good
judgment. And finally, the Media Trust has found a malicious campaign they're calling Krampus-3PC,
named after the scary anti-St. Nicholas of Central
European folklore who visits households not with gifts and good cheer, but with punishment for
misbehaving children. Krampus uses a redundant redirection mechanism to more effectively collect
personal information. The campaign targets iPhone users, and whether they've been naughty or nice
doesn't matter to this Krampus, as long as they've been out shopping. Krampus operates mostly from compromised news sites, and its immediate bait is a pop-up coupon for discounts
at a retailer. Click, and it's got you. Maybe your credit card, probably your phone number,
and probably your geolocation, too. And again, if you must shop, then shop you must,
but think before you click.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Dave also spoke with our newest CyberWire partner, Tom Etheridge, VP of Services at CrowdStrike.
I wanted to start out by just spending a little time to get to know you a little bit, introduce you to our audience.
Can you take us through what your professional journey has been like, how you got your start, and what led you to where you are today? Certainly. Thanks, Dave. It's a pleasure to be here. My background is that I've spent probably the better part of 20 years working,
building services organizations for security software companies. I'm a three and a half year
veteran here at CrowdStrike. Prior to that, I've built services organizations for security technology uplift their existing capabilities around cyber
security and protection of their critical assets. Started my career in consulting actually prior to
joining NetEgrity back in early 2000 timeframe. I worked for about seven or eight years at KPMG,
cutting my teeth, working primarily in the government,
federal government and DOD space, providing all different types of consulting services to clients. And at that time, the security market space was really focused around
network security, perimeter defense. As I started to evaluate opportunities to look at
moving into that space, a lot of technology companies were
building more robust technologies and capabilities to help clients secure their overall critical
infrastructure. And that's when I decided to move into that market space, which was
really at its infancy back then. So what is your day-to-day like these days at CrowdStrike?
So we are a very busy company and I run a very busy services organization. Our primary focus is providing incident response and forensic services
to folks that have been victimized by some of these cyber incidents in the market. We also run
more of a proactive advisory services practice as well that does everything from providing incident preparation and planning services, testing and technical assessment services to ensure organizations have the right tools and technologies and people and processes in place to improve their overall visibility, preparedness, and ability to respond to breaches.
We do a lot of work globally. I have a global responsibility. And the business that we're in
is obviously growing, a growth business. We have a lot of, unfortunately, a lot of victim
organizations that reach out to us and ask for support in helping them solve these really complicated problems.
How would you describe your own leadership style?
As you're heading up a team that has a global reach, how do you go about that?
Well, I'm a big believer in hiring the right people with the right skill set,
but also the right motivations.
We're a very mission-focused organization, and we embed that
in our recruiting and our sourcing of talented people to come join our team. I'm also a firm
believer in empowerment and enabling employees to bring their unique skills and experiences to the
table. We try to operate in a very transparent and open environment
and putting people in positions where they can be successful and help us scale and deliver
successful engagements to our clients, I think is part of what we eat, sleep and drink every single
day. Well, Tom Etheridge, thanks so much for joining us here at the Cyber Wire. We're looking
forward to chatting with you in the days to come.
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.