CyberWire Daily - Fox Kitten campaign linked to Iran. LokiBot’s new clothes. Unsigned firmware. Iowa Democratic caucus post-mortem. SoftBank and the GRU. Hacker madness.

Episode Date: February 18, 2020

Fox Kitten appears to combine three APTs linked to Iran. LokiBot is masquerading as an installer for Epic Games. Unsigned firmware found in multiple devices. Extortionists threaten to flood AdSense banners with bot traffic. China says the Empire of Hackers is in Washington, not Beijing. Iowa Democratic caucus IT post-mortems continue. Japan connects SoftBank breach to GRU. And more on that hacker-madness poster from the West Midlands. Ben Yelin from UMD CHHS on wireless carriers selling location data. Guest is Kaitlin Bulavinetz from Washington Cyber Roundtable on facilitating conversations among the industry. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_18.html

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Fox Kitten appears to combine three APTs linked to Iran. LokiBot is masquerading as an installer for Epic Games. Unsigned firmware has been found in multiple devices. Extortionists threaten to flood AdSense banners with bot traffic. China says the empire of hackers is in Washington, not Beijing. Iowa Democratic
Starting point is 00:02:16 Caucus IT post-mortems continue. Japan connects the SoftBank breach to the GRU. And more on that hacker madness poster from the West Midlands. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 18th, 2020. ClearSky outlines the Fox Kitten campaign, which it calls an Iranian operation directed primarily against the U.S. and Israel. Fox Kitten has been active, ClearSky says, for three years, and it's proceeded largely by exploiting VPNs and RDP. with medium confidence that the campaign represents a collaborative effort among three APTs, APT33, Elfin, APT34, OilRig, and APT39, Chafer.
Starting point is 00:03:13 The sectors of interest to Fox Kitten appear to be IT, Utilities, Defense and Aviation, and Petroleum. These are essentially the sectors Elfin, OilRig, and Chafer worked most heavily against. are essentially the sectors Elfin, Oilrig, and Chafer worked most heavily against. Trend Micro warns that LokiBot is distributing malware disguised as an installer from the Epic Games store. Epic Games publishes Fortnite and other popular diversions. Eclipsium has issued a study that suggests the prevalence of unsigned firmware in Wi-Fi adapters, USB hubs, trackpads, and cameras in use in computers from Lenovo, Dell, HP, and other major manufacturers. Krebs on Security reports a new extortion scam. This one targets website owners who display banner ads through Google's AdSense program.
Starting point is 00:04:00 The extortionists threaten to flood the ads with enough bot traffic to cause Google's automated tools to suspend the victim's account. Google suggests that this won't really work, so the extortion threat is largely empty. Google told Krebs, We hear a lot about the potential for sabotage. It's extremely rare in practice, and we have built some safeguards in place to prevent sabotage from succeeding. Google says mostly invalid traffic, that is traffic of the kind the extortionists threaten, is filtered before it affects advertisers and publishers. So it's probably safe to put this scam in the scare category.
Starting point is 00:04:37 It works if it convinces you. Otherwise, not. As the U.S. continues to warn allies against using Huawei equipment, china's foreign minister replies by complaining that washington not beijing is the problem no one spies like the americans they say citing crypto ag and the matter of chancellor merkel's cell phone foreign ministry representative jing shuan said facts have proven once again that as the largest state actor of spying in cyberspace, the U.S. is worthy of the name of the Empire of Hackers. The sky is the limit with the U.S. when it comes to spying. End quote.
Starting point is 00:05:15 Says they. The Washington Cyber Roundtable is a non-profit industry liaison group with a mission of connecting technology consulting and professional services firms on cyber security and related issues they are perhaps best known for the handful of events they host each year intimate invitation only gatherings where candid discussion is the goal caitlin bulavanitz is managing director of the was Cyber Roundtable. The Washington Cyber Roundtable was started over 11 years ago by our founder, George Myers, who recognized that there wasn't a venue for government and industry cyber professionals to collaborate and share ideas because at the time, a lot of the challenges that were being faced in
Starting point is 00:06:08 the public sector were being solved in the private sector. So the Washington Cyber Roundtable, we facilitate roundtable events for government and industry professionals to have candid conversations that are non-attributional about cyber challenges. So that's been our mission and it's solving a unique problem and helping move the needle in the right direction a little bit at a time. And the events that you put together here, I mean, these are fairly unique in the scale of them. These are not big rooms full of lots of people. These are intimate get-togethers. That's correct. We limit attendance to 15 to 20 people. 25 is the absolute tops because we want everyone to be able to have a conversation. So our events are invite only to our membership.
Starting point is 00:07:07 And then we also invite our past speakers. So they like to chat with their peers in government and in industry. Can you give us some insights on to the kind of the matchmaking process that you do here? How you choose the connections that you're going to make to make sure that you get these valuable conversations happening? Sure. So we naturally look to see what is going on in the larger dialogue from a cyber policy perspective. And then we also have an excellent team of advisors and our membership also can weigh in on what they're seeing from a private sector perspective. Some of our past speakers will be great with telling us
Starting point is 00:07:55 event ideas. So we have a lot of feelers out to identify what might be a unique perspective that hasn't been raised yet, but has value to contributing to the cyber national security conversation. And what do you hear from the attendees of these sorts of events? What sort of feedback are you getting from them? From a WCR perspective, that it's a unique opportunity to engage in conversations from our government speakers who will also offer the opportunity to do a follow-on report. So if there are some ideas that need to be further explored or evaluated, we will engage in that type of report.
Starting point is 00:08:42 So we have a lot of partners as well. So we're able to go into deeper context and really get to kind of the different ideas that should be expressed and should be explored, have an opportunity to do that. What is the cycle? I mean, how many events are you hosting in a typical year? So we hold about eight to nine roundtable events a year, and then we'll offer the follow-on engagement to further explore the ideas. And then we plan our events. We'll plan things pretty far in advance, but we'll only send out the invites for one event at a time and just to our membership on our invite list. I see. And so if someone wants to find out more, if this is something they're thinking perhaps they want to become engaged with, what's the best way to find
Starting point is 00:09:36 out more information about the organization? So after our events, we'll do a brief summary on our website or on our social media on LinkedIn. That's really the best way. We do have a number of great events coming up for 2020. So we're going to be having an event with the Department of State and DHS on interagency collaboration on cyber and the digital economy with a focus of the Indo-Pacific. We'll be also looking at undersea cables and we'll be having an event with Congressman Langevin on the Cyberspace Solarium Commission. Our goal is for attendees to have like an aha moment in our events. So it's not just the talking points, but it's something that you can really dive deeper into. That's Caitlin Bulavanitz from the Washington Cyber Roundtable. As Iowa Democrats work their way
Starting point is 00:10:34 through the re-canvassing of the Sanders and Buttigieg campaigns requested after this month's difficulties with the Iowa Democratic Caucus, observers continue to work through what happened and why, and what lessons, if any, the caucus holds for election security as a whole. The Iowa Party notoriously struggled to reach a credible and accurate caucus result as it worked through the resistant medium of the Iowa Reporter app, a product of Shadow Incorporated. The Washington Post has published its look into the troubled Iowa Democratic Caucus. The paper concludes that, first, the problems were years in preparation, and second, that the Democratic National Committee appears to have been more involved than it initially seemed. The National Party, eager to avoid a repetition of 2016's intramural ill-feeling in which Senator
Starting point is 00:11:22 Sanders' supporters felt the game was rigged for eventual nominee Hillary Clinton, pushed the state parties toward what they hoped would prove more transparent processes. This especially represented a departure for caucuses like the one in Iowa. The Post's investigation concluded that party officials, however, never effectively vetted the basic tool used to collect and publish those results. The review found they hardly questioned why an app was necessary rather than a simpler reporting method, though internal correspondence shows that DNC staffers were privy to discussions about the testing and rollout of the technology. Democratic National Committee representatives have consistently maintained
Starting point is 00:12:02 that their only role was to ensure the cybersecurity of Shadow Inc.'s software, and on the reliability side, to create a backup system to double-check the delicate math from the app, as a precaution in case there was a hack. If nothing else, the incident probably should teach everyone that security and reliability aren't necessarily the same thing. security and reliability aren't necessarily the same thing. Assuming that Iowa Reporter app was as secure as such things can be, the fact that it was unlikely to be hacked doesn't mean that it could be counted on to work as advertised. Which, of course, it didn't. In what Nikkei reads as a warning against attempting to meddle with the Tokyo Olympics,
Starting point is 00:12:47 Japan's government has attributed the SoftBank breach to Russia's GRU. Prime Minister Abe's government has sought improved relations with Moscow, but the Foreign Ministry's attribution of the incident to Russian military intelligence suggests that Tokyo remains particularly sensitive to potential threats to the Olympic Games. The Games have been a Russian target since the 2018 Winter Olympics in South Korea. Animus against the World Anti-Doping Authority's strictures against Russian teams seems to have provoked Moscow with motive enough to hack. Finally, we return to the odd case of the public safety hacker madness poster the West Midlands Police issued in the UK,
Starting point is 00:13:23 the one that was immediately repudiated last week by the National Crime Agency. The West Midlands police say they didn't do it, they tell you. Here's their tweet on the subject. The poster, produced by a third party, was created as an aid memoir to assist teachers with safeguarding in schools. It was taken from wider information on cyber tools, which could be used to commit cyber attacks but equally have a legitimate purpose. Well, okay, so they sort of did it. But let all who've never created an aid memoir pass the first stone. Calling all sellers.
Starting point is 00:14:03 Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:14:37 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:15:38 And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Ben Yelin.
Starting point is 00:16:25 He's from the University of Maryland Center for Health and Homeland Security, also my co-host on the Caveat podcast. Ben, always great to have you back. Good to be with you, Dave. We got word recently that the chairman of the FCC put Congress on notice that some of the wireless carriers have apparently violated federal law when it comes to selling customers' location data. That is something you and I have tracked here over and over again.
Starting point is 00:16:50 What's going on here? Yeah, so back in May of 2018, there were multiple reports that indicated that pretty much every major carrier, including the big guys, the Verizons, AT&Ts, Sprints, T-Mobile's, sorry if I'm excluding you, fellow mobile carriers, were selling location data to resellers. And those resellers could either resell it or give it away. And, you know, that was a major breach and an invasion of privacy. So you saw a lot of privacy advocates petition to the Federal Communications Commission under the leadership of Ajit Pai to issue some type of criminal sanction against these companies.
Starting point is 00:17:26 So basically what Chairman Pai is doing is proposing a notice of apparent liability for forfeiture, which is an official declaration from the FCC saying that somebody's violated the rules and they're going to be penalized. And this means that these companies are going to be fined. Now that's all the information we have at the moment. It's been a couple of weeks now and we don't think that anything else has come out. So we
Starting point is 00:17:49 don't know which companies are going to be subject to this punishment. The reaction in the privacy community has largely been, what took you so long? This was such an obvious breach of privacy on the part of these companies that the FCC should have issued these fines a long time ago. That seems to be the reaction of both some of the interest groups and of Chairman Pallone himself, and not to mention some of the other commissioners of the FCC. It's a bipartisan agency. So there are some, oftentimes you get dissenting commissioners as part of that agency. Why it took so long is an open question, but it is happening now. And we will see some of these companies be subject to FCC liability for the
Starting point is 00:18:30 first time. And they're going to get a hefty fine, probably more than a simple slap on the wrist. Does anybody go to jail anymore, Ben? Well, it's hard for an entity like the FCC to go to jail. I'm sorry, an entity like one of these companies to go to jail because oftentimes it's hard to pin liability down on one individual. But when we're talking about violations of federal communications, commissions, regulations, that generally doesn't lead to jail time. We're not going to see a CEO hauled out in handcuffs. I know that's so appealing.
Starting point is 00:19:04 As gratifying as that may be. If they weren't able to put Justin Timberlake and Janet Jackson behind bars for what happened at the Super Bowl, then it doesn't look so good for Verizon. Okay. Oh, goodness. All right. Well, I mean, I suppose this is good news for those who are on the privacy sides of things. Absolutely.
Starting point is 00:19:27 Better late than never. It is. It's absolutely welcome development. You know, it took two years. You know, we knew in May of 2018 that multiple carriers were violating these privacy protections that exist in statute and per FCC regulations. And we finally are taking, the FCC at least, is taking this proactive step.
Starting point is 00:19:50 So in that sense, it is good news. And, you know, better late than never, right? Yeah, yeah. All right. Well, we'll track it as always. Ben Yellen, thanks for joining us. Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Starting point is 00:20:54 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:21:25 Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:22:24 Learn more at ai.domo.com. That's ai.domo.com.
