CyberWire Daily - Fancy Bear bogus sites taken down. Some in the US Congress think they want hack-back laws. Cyber and sanctions. Operation Red Signature. Doxing Chinese Intelligence. Buggy medical devices.
Episode Date: August 21, 2018
In today's podcast, we hear that Microsoft has sprung its bear trap, again, and caught Fancy Bear. This time the targets are more to the right than the left. The US Senate holds hearings on cybersecurity; hacking back is expected to be on the table. The UK wants more sanctions on Russia. US Senators are looking into reducing sanctions' collateral economic damage. Operation Red Signature pokes at South Korean supply chains. Intrusion Truth doxes Chinese intelligence officers. Medical device bugs. Rick Howard from Palo Alto Networks with tips on buying cybersecurity products. Guest is Travis Rosiek from BluVector on fileless attacks. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_21.html Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Microsoft springs its bear trap again and catches Fancy Bear. This time the targets are more to the right than to the left. The U.S. Senate holds hearings on cybersecurity. Hacking back is expected to be on the table. The U.K. wants more sanctions on Russia. U.S. Senators are looking into reducing sanctions' collateral economic damage. Operation Red Signature pokes at South Korean supply chains. Intrusion Truth doxes Chinese intelligence officers. And more news on medical device bugs.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 21, 2018.
Microsoft announced late last night the takedown of six sites associated with Russian influence operations in the U.S. Redmond's Digital Crimes Unit ran the operation, which concentrated on bogus sites established over the last few months to impersonate public policy organizations. This time, conservative organizations received attention: the Hudson Institute, a conservative think tank that's investigated corruption in Russia; the International Republican Institute, a democracy promotion not-for-profit; and three sites built to look as if they were affiliated with the U.S. Senate. The sixth site was non-political. It spoofed Microsoft.
Microsoft initially went no farther than attributing the operation to APT-28, but others, and subsequently Microsoft itself, have pointed out that APT-28 is the same Russian government threat actor also tracked as Strontium or, our favorite, Fancy Bear. These are all, of course, associated convincingly with the GRU, Russia's military intelligence organization.
So how do these takedowns work? Is this a case of hacking back, like a cyber letter of marque and reprisal? No, it's more lawfare than warfare, not that this should take anything away from the people at Microsoft who executed the takedown, and let us say, bravo, Microsoft. What they did in this case, and they've done much the same in others, is to obtain and execute a court order transferring control of the offending domains to themselves, thereby neutralizing the activity. By Microsoft's tally, they've done this 12 times over the past two years, shuttering 84 websites set up by the GRU.
Redmond quotes the special master a federal judge appointed in the case, to the effect that there is good cause to conclude that these activities by the Strontium, APT28, Fancy Bear threat actor are likely to continue. Microsoft notes that both major political parties are being targeted, and the company expects the Russian threat actors to broaden the scope of their attacks as U.S. midterm elections approach.
So, lawfare and not marque and reprisal.
But there's some sentiment being expressed today on Capitol Hill in favor of legislation that would allow companies that suffered cyberattacks to hack back at their tormentors. Senator Sheldon Whitehouse, a Democrat of Rhode Island, issued prepared remarks he intends to deliver this afternoon at hearings of the Senate Judiciary Subcommittee on Crime and Terrorism, which is deliberating cyber matters today. The senator says, quote, "We ought to think hard about how and when to license hackback authority so capable, responsible private sector actors can deter foreign aggression," end quote. He calls this active cyber defense. Thus he sees hacking back as a national security move. That is, after all, what deterring foreign aggression amounts to.
Leave aside for the moment that this might be seen as what SES types, especially the lawyers among them, call an inherently governmental responsibility. There have certainly been private sector activities with national security implications before. Private military contractors would represent an extreme example, as would privateers, who've been out of fashion and legal authority since the latter part of the 19th century. But there are other examples. Before there was a well-established U.S. intelligence community, if you wanted to get something out of the ordinary done, the government was likely to retain a white-shoe Wall Street law firm, the way Teddy Roosevelt did when he wanted a canal in Panama.
And of course, contractors play a significant role in U.S. cybersecurity. Booz Allen Hamilton just got a billion-dollar task order under the government-wide Continuous Diagnostics and Mitigation Dynamic and Evolving Federal Enterprise Network Defense contract vehicle. That's a defense award, not one for hacking back, but you get the drift here. And by the way, congratulations, Booz. And of course, Microsoft has been dining out on Fancy Bear takedowns for two years.
So what would one want done that a law authorizing hacking back might enable, and that isn't already being done? Hackback skeptics point out the problems with turning computer network operators loose on one another. It might be difficult to contain retaliatory malware, and the temptation to hack back in anti-competitive ways might prove difficult to resist. In any case, we'll watch Senator Whitehouse's proposals with interest.
Our hometown of Baltimore was a famous nest of privateers at one time. That was during the War of 1812. Nowadays, people around here work under government-wide acquisition contracts, not letters of marque and reprisal.
We continue to track reports of cyber adversaries making use of fileless malware to evade detection. Travis Rosiek is chief technology officer at BluVector, and he offers his perspective on fileless-based attacks.
In the Ponemon Institute, they've stated that fileless attacks are 10 times more likely to be successful than more of the traditional file-based attacks. Now, let's just back up a little bit. From your point of view, how do you define a fileless attack?
From my perspective and what comes to mind when I think of a fileless attack, so if you think of the attack lifecycle or the different stages of an attack, one piece of it, what they would consider fileless in nature.
So from an adversary's perspective, the cyber defenders are typically in a reactive mode, and fundamentally over the years, it's very much focused on using signature-based mechanisms to identify attacks that have helped in other places and preventing them from happening again. So adversaries are very opportunistic, and they leverage mechanisms that allow them to adapt and evolve rather quickly. So in the case of the fileless attack, there's no files written to the host or the disk. You know, part of the attack executes in memory only. And it also leverages trusted applications within a system. So a very common one is leveraging PowerShell. So every IT admin uses PowerShell within a Windows environment. It's a trusted utility and it's used for lots of different things. So their sweet spot they like to target is that gray area. What makes it the most difficult to ascertain benign from malicious? They know that a trusted tool that's always going to be in the environment, they don't have to download capabilities that could cause more attention to themselves, which makes it very difficult for an incident responder or an analyst to identify that the adversary is in the environment or acting.
The other challenge is a lot of these things don't necessarily create logs or things to go in and look at to see what happened on the system, nor do they really leave a footprint to search for hashes or other mechanisms. So it's very difficult. So the legacy security industry, you know, from a signature-based, file-based model, has really been trying to catch up. And clearly, it's not catching up as fast as the adversaries are being able to be successful.
And so what are the successful ways to go at this? How can you detect a fileless attack within your system or your organization?
Like anything, there's no silver bullet to cybersecurity, despite a lot of marketing you see from different vendors out there today. And one of the most painful things is really good cyber hygiene, proper network engineering and design. You know, the key is always to protect your critical information and segmenting or isolating core parts of your business from the things that are high risk. So, for example, part of your core IP or personal customer data that should be protected is air-gapped or very tightly controlled and restricted from the systems that surf the internet or receive tremendous amounts of email on a daily basis. So having proper network design is one good way to help do that.
The speed of detection is always critical. So getting a heads up that there is some type of malicious code coming into the environment or targeting endpoints within your enterprise, getting that head start to kind of do the analysis or do more focused monitoring of those endpoints potentially can give you a jump start to doing that forensics analysis or doing triage. Because if you try to respond to it after the fact, like as I mentioned before, there is really a limited amount of data that's left behind. So without having those breadcrumbs and log files, etc., it's really difficult to really identify what happened.
That's Travis Rosiek from BluVector.
A British mission to the U.S. will push for more sanctions against Russia. Her Majesty's government remains rightly exercised about the Russian hybrid war that found its lethal way to English soil. The U.S. Senate is working to ensure that existing and planned sanctions don't rain collateral economic damage on U.S. and allied countries.
And it's not all Russians today. Trend Micro has published a comprehensive look at Operation Red Signature, which they call, quote, "an information theft-driven supply chain attack targeting organizations in South Korea." And Motherboard describes Intrusion Truth, apparently a hacktivist group engaged in doxing members of Chinese intelligence services. Motherboard seems convinced, based on their exchanges with Intrusion Truth, that they are indeed the hacktivists they say they are. It would be interesting to rule out the possibility that that group is a hostile intelligence service, an intelligence service hostile to China, that is. A thought experiment: one could hire a company to dox a hostile intelligence service. Would that be hacking back, or would that just be government contracting? Motherboard notes that some of the Chinese officers doxed subsequently showed up in U.S. federal charging documents. Coincidence or not, they're not sure.
Finally, if you don't have enough to worry about, U.S. CERT is warning of vulnerabilities in Philips IntelliSpace Cardiovascular and Xcelera products. Philips says it's working to squash the bugs, which appear mostly to be of the privilege escalation and admin credential varieties. If you want to make people's flesh creep, use medical device and hacking in the same sentence.
And I'm pleased to be joined once again by Rick Howard. He's the chief security officer at Palo Alto Networks, and he also leads Unit 42, which is their threat intel team. Rick, welcome back. You wanted to sort of take us through an approach to buying cybersecurity products. You know, I think all of us who have mobile devices, we're familiar with app stores. And you've got this notion of an app store for buying cybersecurity products. What's going on here?
Yeah, I think the industry is about ready to change, right? We have pretty much reached the maximum point of not being able to buy any more cybersecurity products. You and I have talked about this in the past, that, you know, small organizations with two guys and a dog in the back room, they have 15 to 20 security tools deployed. Medium-sized companies have about 50, and big companies like big banks or big government, they have over 150 security tools, and none of us can manage one more point product. It's too hard to do.
In order to deploy their solution as a network defender, I have to deploy it in my network. I have to give it complete visibility. And I have to have my internal InfoSec teams integrated with all the other security tools that I have already deployed. When buying a tool that doesn't integrate, that puts the load, the burden on managing all that on your local InfoSec team. And like I said before, those guys just can't take any more work.
So what I think is going to happen in the industry is this idea of a cybersecurity app store. And the perfect place to deploy these things is at the firewalls. Because everybody has firewalls and they're at the exact right spot they need to be to be able to do any kind of interesting security algorithm that might show up, right? And the reason that is, is because firewall vendors, Palo Alto Networks, but all the firewall vendors have been experimenting with moving their intelligence collection piece and their processing piece looking for bad guys up to the cloud over the last five years, right? We're all essentially becoming SaaS operators, right? Because we essentially have unlimited collection capability up there, an unlimited processing capability up there, because if we tried to put all that down on a firewall, they would fall over because of too much stuff to do, right? So all of us have been doing that for the last five years, right? And then all of us have been experimenting with adding new functionality in the cloud, okay? Meaning adding a new algorithm, a new application in the cloud so that we don't have to put that down on the firewall itself.
And so the next logical thing that we're going to start seeing here in the future is all the firewall vendors are going to be opening that up to third parties, meaning they're going to open it up to their customers, they're going to open it up to their partners, and if this goes the way I think it's going to go, they're going to open it up to their competitors, and it's going to work just like the Apple app store. Your firewall becomes like the iPhone. And if you want to deploy, let's say, the next behavioral analytics engine, you can go pick the Palo Alto Networks app, or you can pick the Symantec app, or you can pick the, you know, Fred's app, you know, the guy down in the garage with two guys and a dog back there, right? You can run them all at the same time and decide which one you like and say, "Hey, I like Fred's." Okay. And just leave that one on and turn the other two off. And there's no fuss or no muss. You don't have to deploy a box. You don't have to train your staff. It's all running on the existing infrastructure anyway.
So I truly believe that we're going to see a complete change, a complete flipping of the cybersecurity vendor consumption model. We're not going to be where we are today, where we can't add one more. We're going to be adding hundreds more because it's going to be so easy to do and to evaluate. So that's where I think it's going in the future.
So you think, does this require a certain level of standardization where, you know, for these, I guess, in effect, the sort of plugins, right? I mean, they plug into your firewall. And so the suppliers, the vendors would have to meet a certain standard to be able to work with Company X's firewall to be able to, I guess what's in it for them is opening themselves up to this market.
Exactly right. Network defenders are going to have to pick a vendor they like that does the basic infrastructure. And I'm thinking it's going to be one of the firewall vendors. And then once they choose that, they're going to trust that vendor to vet everything, just like most of us trust Apple and Google to vet their own apps in the App Store.
All right. Well, it's certainly interesting to think about. As always, thanks for sharing the information. Rick Howard, thanks for joining us.
Thank you, sir.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard. Thanks for listening. We'll see you back here tomorrow.