CyberWire Daily - Fancy Bear's Roman Holiday. RAT phishing in Ukraine. AWS S3 bucket leaks robocaller data. Bug or abuse? NIST to withdraw outdated cybersecurity publications. Content moderation.

Episode Date: July 19, 2018

In today's podcast, we hear that Fancy Bear has taken a Roman Holiday, and the Italian Navy may be taking note. A criminal espionage campaign is underway, with Ukraine's government as its target.... An exposed AWS S3 bucket leaks voter information. A security firm and a vendor dispute whether an issue is a vulnerability or a case of user abuse. NIST announces its intention of withdrawing some obsolete cybersecurity publications. Congress presses tech companies about content moderation. Daniel Prince from Lancaster University on rewriting digital histories. Guest is Matt Cauthorn from ExtraHop on a new worm spreading through Android devices. For links to all of today's stories, check out the CyberWire daily news brief - https://thecyberwire.com/issues/issues2018/July/CyberWire_2018_07_19.html

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 Fancy Bear takes a Roman holiday and the Italian Navy takes note. A criminal espionage campaign is underway with Ukraine's government as its target. An exposed AWS S3 bucket leaks voter information. A security firm and a vendor dispute whether an issue is a vulnerability or a case of user abuse. NIST announces its intention of withdrawing some obsolete cybersecurity publications, and Congress presses tech companies about content moderation. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 19, 2018. CSE CybSec ZLab reports finding Fancy Bear, also known as APT28, Sednit, Pawn Storm, Sofacy, Strontium, and Russia's GRU,
Starting point is 00:02:49 engaged in an espionage campaign directed against the Italian Navy. The Russian intelligence service is said to have installed an updated version of its familiar ex-agent malware in naval systems. The campaign is being called Roman Holiday. Its goal appears to be the usual sort of collection against military systems. The campaign is being called Roman Holiday. Its goal appears to be the usual sort of collection against military systems. ESET researchers are analyzing three remote access tools used in ongoing campaigns against targets, mostly government agencies, in Ukraine.
Starting point is 00:03:20 The tools are called Quasar, Sobakan, and Vermin. ESET characterizes the campaign as one of criminal espionage. The tools are used to access and exfiltrate sensitive files from government systems. ESET describes the three tools as follows. Quasar is an open-source remote access tool that you'll find on GitHub. ESET has found Quasar binaries in use as far back as October 2015. Sobhakan is closely related to Quasar. It's heavily modified, largely by removing some functionality to make its executable smaller, while leaving room for
Starting point is 00:03:58 some additional evasion techniques. Berman is a custom backdoor. ESET says it first appeared in 2016. Like Quasar and Sobhakan, it's written in.NET, with its code protected to an extent against analysis using commercial or open-source protectors. None of these rats are particularly sophisticated, but they're effectively constructed. Like so many other forms of malware, they're spread principally by social engineering, with the payload typically carried by a maliciously crafted document transmitted as an attachment to an email. ESET says the attacker's skills aren't especially advanced, and they don't appear to have access to zero days, but then you don't need MADS skills or zero days to be effective.
Starting point is 00:04:42 The file names in the attachments are designed to be attractive to the recipients. Some examples the researchers provide are, as translated, directive on providing security for military personnel of Ukrainian army and their family members, a new draft of directive regarding verification of seizure, and purchasing department Don OVK, Increase of Credit Limit. If that don't fetch them, then we don't know Kiev. When is a misconfiguration a bug and when is it abuse? It's a question worth thinking about.
Starting point is 00:05:17 One would hope products came with defaults that favored security and privacy, but at some point there's a question of user responsibility. It's now generally held that if you're using Amazon Web Services and you leave your data in an S3 bucket that you've made generally accessible to the internet at large, well, that's on you. One such case was disclosed this week by perennial hunters of sloshing buckets, security firm Chromtech. of sloshing buckets, security firm Chromtech.
Starting point is 00:05:50 A database containing U.S. voter information was found exposed in an unsecured AWS S3 bucket by Robocent, a robocalling firm specializing in selling its services to political campaigns. The material, which has now presumably been secured, included audio files of the sort one might use in a robocall, but more disturbingly it also contained names, addresses, dates of birth, gender, and the inferred political orientation of some thousands of registered voters. Another case is more ambiguous, or at least more contentious. Trustwave's Spider Labs say they've found a vulnerability in Reprise Software's RLM license management tool. Reprise says they won't patch anything because there's no vulnerability there at all. RLM, says Reprise, is designed to run in a segregated, non-privileged account.
Starting point is 00:06:37 It's not supposed to be given administrator-level privileges, which is what SpiderLabs saw. They're entirely clear on that point with all of their users, they told Security Week, and in their view, the exposure and remote access vulnerabilities Trustwave reported are a matter of user headspace and timing, not a problem with RLM. That, says Reprise, isn't a bug, but rather an abuse of their product. So, tools don't compromise data. Admins do. The U.S. National Institute of Standards and Technology, NIST, will withdraw 11 SP 800 cybersecurity publications on August 1. Some of the publications address technologies that are outdated, deprecated, or otherwise no
Starting point is 00:07:21 longer in widespread use. Others are based on superseded laws, regulations, or executive orders. Others fail to address newer technologies or security products. And some have been superseded by the NIST Cybersecurity Framework. The publications date back to 1995, with the most recent publications having been issued in 2008. You can find a list of the soon-to-be-withdrawn SP 800 publications on the NIST website. There's been recent news of a worm making its way through Android devices. Matt Cauthorn is VP of the security engineering team at ExtraHop, where they've been tracking this worm, and he joins us to share what they've found.
Starting point is 00:08:04 It's the Android Remote Debug exploit. I think it's the ADB. There's two variants. One, it's, you know, in good faith for the developer community, Android devices allow you to enter this debug mode and get a root shell, an accessed shell, with privilege on the system, typically via USB. But there's another mode that allows you to do so over Wi-Fi, which is where at least part of the problem comes in. So obviously, if you're exposing this remote access via Wi-Fi, then anyone that's sort of not paying attention or is a little bit negligent maybe on the manufacturer side could leave it open and ready for exploit. So that's the main problem is you get access to way, way, way too much data, kind of everything via this mechanism.
Starting point is 00:08:52 And we've got some vendors who are shipping the products with this feature enabled. Unfortunately, yes, which vendor defaults and this disposition, the default disposition of a lot of these devices is just not secure. You know, you're a manufacturer and you want to produce a product for the market and you want to get that to market quickly. You want to focus on developing features. The downside of that is, you know, security and the disposition of one of these devices. A lot of these are set-top boxes, as of this morning, at least, for example. You make a shortcut or you're doing some debug and you forget to disable this functionality, and now you've given root access to the internet, effectively. So yeah, and there's a miner that's
Starting point is 00:09:35 out there, of course, because that's quite the rage these days. And it'll convert these devices into cryptocurrency miners. I think many of the listeners, and myself included, I have a Roku at home, and I install it, and you kind of set it and forget it. And you might not update it as much as you could or should. In a way, it's ironic because everyone is kind of a mini sysadmin now, even in the consumer space. If you consider all of the connected devices in a given household or organization, whether it's a full tilt IT shop or not, everybody's kind of a, they need to be diligent with the systems that they run. And I don't know that we think about things that way. The problem is going to rage on and it's going to take
Starting point is 00:10:20 different forms and it's going to do different things. But the core problem of really, really robust high velocity development cycles that are out there. And so the barriers to entry for an adversary or for bad intent are quite low, or even negligence that enables bad intent. All I can say is if you have, you know, check in maybe, I don't know, maybe like at a monthly cadence, if possible, to check in and make sure you've got updates installed. Because I can tell for sure, as of this morning, there's a lot of devices out there that have not been updated, or maybe even the manufacturers haven't even addressed the issue to begin with. That's Matt Cawthorn from ExtraHop. Members of the U.S. Congress press the tech industry on content moderation.
Starting point is 00:11:08 Their concerns seem to center on the prospects of influence operations. That hostile foreign influence operations are ongoing is surely correct. They're always ongoing and have been
Starting point is 00:11:18 for a very long time indeed. Whether they're best dealt with by legislation, policy, technical filtering, or by the sort of efficient marketplace of ideas that classical liberals like John Stuart Mill would have prescribed is much up for grabs. Discuss among yourselves. Are there any lessons to be drawn from the history of the last 100 years? Much of that baleful history remains within living memory. Much of that baleful history remains within living memory,
Starting point is 00:11:48 from journalistic airbrushing of Stalin's Holodomor in Ukraine, to the widespread apologies for and denials of Pol Pot's democide in Cambodia, to various forms of Holocaust denial that persist to this day. Or are there lessons to be drawn from the history of various belief manias that flare up and then die back, like those repressed memories of alien abduction once widely thought to become accessible through hypnotic regression. Those are perhaps less tragic in their implications than the others, but they can have sad effects on their own smaller scale. Seriously, what can the history of public opinion teach us about the current controversies? And to our American audience, given that influence operations are essentially marketing in battle dress,
Starting point is 00:12:34 how is it that the country that invented modern mass marketing should seem so helpless when it comes to putting the epaulets on Madison Avenue?
Starting point is 00:14:31 And joining me once again is Daniel Prince. He's a senior lecturer in cyber security at Lancaster University. Daniel, welcome back. We wanted to talk today about digital histories and specifically the rewriting of those digital histories. What can you share with us today? Well, thanks for having me back on. So what
Starting point is 00:15:25 started me thinking about this track is my uncle runs an archivist company producing basically the hardware that takes photographs of our documents, our historical documents. And in a conversation with him, he was saying how really the world's changed. And some of our public libraries are really concerned that there aren't going to be these documents that record specific decisions. So like official memos that were sent during the Second World War, for example. We won't have that. We have only email now. Everything's done via email, these electronic documents. We have only email now. Everything's done via email, these electronic documents. So much of our digital lives, the histories that we have, blogs and things that we've done are held online. And so we have things like the Wayback Machine that allows us to see what websites used to look like. But the concern here is the ability to go back and change these records of what our past used to be like. And that's really important for us to understand
Starting point is 00:16:34 just as a social context going forward what happened. And so our ability to be able to communicate exceptionally fast using email, using instant messenger, is actually corrupting our ability to be able to go back and look at our history. Now, that's the standard case of just what could happen in sort of day-to-day life. But then the concern becomes, what if individuals or organizations or nation states did that proactively? What if we started to move into the realm of misinformation? What if we started to see the manipulation of digital historical records or the suppression of certain digital historical records to identify a specific
Starting point is 00:17:21 type of propaganda? Could we actually detect that? Would we know? So when certain messages started to come out, could we go back and actually look at some of the material that is online to say, is that accurate? And we're starting to see some of that with the sort of the post-truth environments. We're starting to see some of that with things like Snopes, the fact checkers that are online.
Starting point is 00:17:45 But the veracity of that information is vitally important for us as a society to really be able to understand our past so that we can start to think about where we want to go to in the future. And it strikes me that even being able to verify what is the, I guess, in a digital environment, is there a master copy of something? Is there an original? Are they all copies? Yeah, and that's one of the things that the people kind of play on. You know, there's this redundancy aspect. Once it's into the Internet, it's copied and replicated multiple times, which is one aspect of it. But when we start to think about cybersecurity, the confidentiality, integrity, and availability,
Starting point is 00:18:28 it's that integrity and that availability which is so key for our sort of social understanding of our policies and our culture that it is quite troubling. Because a lot of the information that's online, there is no real integrity system that sits around it for the recording of public documents. And then the other aspect is it's so easy to take information offline, key pieces of information, so the availability comes in. And so what I'm concerned about is taking the integrity and the availability aspect of publicly available information, so we don't need to worry about confidentiality and making sure that the veracity of the information
Starting point is 00:19:07 that we as a society have and the trust we have in that information is there so that we can make appropriate decisions going forward. And so we're not just buying into people's, or certain organisations or nation states' political agendas. The other challenge is around the multiple copies is, are we sure that the copy that you have in your particular geographical area is the same as the copy I have in my geographical area?
Starting point is 00:19:36 And we have seen examples of how information has been controlled because of things like national laws. Certain search results aren't able to be displayed in certain locations. This has an impact, as we know, the way that search results are displayed have an impact on the way that people think about the problems and the environment they have. And so that subtle control, for all good reasons in some cases, can really impact the society's impression or thoughts around a particular subject. And so I'm really concerned around the integrity and the availability
Starting point is 00:20:17 of publicly available information. Yeah, it's a fascinating topic for sure. Daniel Prince, thanks for joining us. with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:21:36 The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to Thank you.
