CyberWire Daily - Iowa caucus problems induced by buggy counting and reporting app. Bitbucket repositories used to spread malware. Gamaredon active again against Ukraine. Charming Kitten’s phishing.

Episode Date: February 6, 2020

Iowa Democrats continue to count their caucus results, and blame for the mess is falling squarely on Shadow, Inc.’s IowaReporterApp. Bitbucket repositories are found spreading malware. The attack on... Toll Group turns out to be Mailto ransomware. The Gamaredon Group is active again against Ukrainian targets. Charming Kitten’s been phishing. And there’s a new legal theory out and about: the pain-in-the-ass defense. (We know some colleagues who’d plead to that.) Justin Harvey from Accenture on DNS over HTTPS (DoH). Guest is Peter Smith from Edgewise Networks on defending against Python attacks. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_06.html Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Iowa Democrats continue to count their caucus results, and blame for the mess is falling squarely on the Iowa Reporter app made by Shadow. Bitbucket repositories are found spreading malware. The pain-in-the-ass defense. We know some colleagues who'd plead to that.
Starting point is 00:02:31 From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 6th, 2020. Iowa Democrats continue to count their caucus results, with 97% of the precincts accounted for this morning. The problems at the caucus are now clearly attributed to Shadow's Iowa Reporter app, which proved difficult to use and unable to transmit results correctly to state party headquarters. Shadow's CEO, Gerard Niemira, told Bloomberg he was, quote, really disappointed that some of our technology created an issue that made the caucus difficult, unquote,
Starting point is 00:03:05 but also defended Iowa Reporter app as sound and good. He argued that the app worked, but that it just had problems with transmitting data. So it wasn't the app, but just a bug in the code that transmits results data into the state party's data warehouse. A data formatting error, specifically. The app was great at adding up caucus preferences, but it just had trouble sending the numbers to caucus central. Most observers seem to regard that as a distinction without a difference. The emerging consensus about Shadow's Iowa Reporter app is that it was hastily and
Starting point is 00:03:39 carelessly put together and inadequately tested. Clearly done by someone following a tutorial, an off-the-shelf skeleton product, and looks hastily thrown together are among the assessment's motherboard quotes. Shadow's Numera told Motherboard, it's basically a calculator, so that's the approach we took to it, defending the simplicity that many critics have derided. This makes one wonder why the precincts didn't just use a calculator and phone the results in.
Starting point is 00:04:09 That's basically what they wound up doing anyway. A calculator, of course, usually won't have an embedded comms capability, which is what Shadow appeared to add, but on the other hand, Mr. Nomura suggests that communication issues really weren't part of the app, which again makes one wonder, what did the app do beyond serve as an adding machine? While the problems in Iowa seem clearly attributable to a buggy, showy, flashy app and not to hacking,
Starting point is 00:04:35 that may not have been because Iowa Reporter app was secure. The Iowa caucus may just have dodged a bullet. ProPublica obtained a copy of the app and sent it to security shop Veracode for a security assessment. Veracode found that, quote, vote totals, passwords, and other sensitive information could have been intercepted or even changed by hackers.
Starting point is 00:04:56 Mr. Namira says that his company subjected the app to rigorous independent testing, but at this point, that's a distinctly minority view. The Nevada Democratic Party, which had also purchased the app, has already said it won't use it when that state conducts its own primary. The Daily Beast says that the Democratic Senate National Committee, which had been considering shadow products, is said to have cut ties with the company. And suspicion about using any mobile apps for election work is spilling over onto other unrelated products.
Starting point is 00:05:26 Senator Wyden, Democrat of Oregon, has written Oregon's Secretary of State to advise against using the Votes app in this year's elections. Votes is a mobile application Oregon wants to use for submitting absentee ballots. The idea is to send your vote in by smartphone as opposed to snail mail. The idea is to send your vote in by smartphone as opposed to snail mail. Forbes sums up the consensus on Shadow, its Iowa Reporter app, and the Iowa Democratic Party. The caucus mess shows what happens when managers and developers ignore best practices. At any rate, Shadow says it feels terrible about what happened. We'll give the last word to Mr. Namira, who said,
Starting point is 00:06:03 I own that. Security firm Cyber Reason has found a malware campaign that's been using Bitbucket repositories as its launching point. Bitbucket is a version control repository hosting service Atlassian owns. Developers working with the Mercurial or Git revision control systems use Bitbucket for source code and development projects. Cyber Reason found seven malware strains being distributed through Bitbucket. Evasive Monero Miner, a quiet crypto-jacker. Intel Rapid, a cross-currency altcoin stealer.
Starting point is 00:06:36 Predator, which steals credentials from browsers, compromises device cameras, takes screenshots, and rifles cryptocurrency wallets. Azerult, an information stealer with backdoor capabilities. It's used for spying, credential theft, and again, cryptocurrency stealing. Stop Ransomware, which also comes with downloader capabilities. Vidar, another information stealer. And Amidibot, a reconnaissance Trojan. A bit more information has come out about the attack on
Starting point is 00:07:06 Australian logistics company Toll Group that's disrupted operations since Sunday. It's ransomware, IT News reports, specifically the Mail2 strain. The Australian Signals Directorate says it's unclear whether the Mail2 attacks are part of a larger campaign. Mail-2, also known as Kazakovkovkiz, is a strain of ransomware within the COCO family. The toll group said yesterday that it's still working on recovery and that it regrets the inconvenience to its customers. Sentinel Labs reports on renewed activity against Ukrainian targets by the Gamerodon Group, a state-sponsored APT that Ukrainian security services associate with Russia's FSB. The FSB is generally regarded as Cozy Bear's proprietor. Sentinel Labs sees the activity as a bellwether for future hybrid war,
Starting point is 00:07:55 when kinetic fighting slows or freezes due to strategic, operational, or diplomatic pressures, expect an intensification of activity in cyberspace. diplomatic pressures, expect an intensification of activity in cyberspace. Forbes talked to Sentinel Labs and concluded that Ukraine has effectively become a proving ground. Russian cyber tactics, techniques, and procedures that will eventually be used elsewhere are first deployed against Ukraine. Foreign affairs suggest that the next field of Russian activity may be, surprisingly, Belarus, long the most russophile state in the near abroad, but a state that's begun to push back against Russian diplomatic moves to bring Minsk even closer to Moscow. If foreign affairs and Sentinel Labs have got it right, there may soon
Starting point is 00:08:37 be cozy bear sightings from Gomel to Grodno. The folks at Edgewise Networks have been tracking specific vulnerabilities to be alert for when dealing with Python. Joining us to share their finding is Edgewise founder and CEO, Peter Smith. Python backdoors are used in large part by nation-state attackers. Most recently, we saw an attack against the government of Turkey by operatives from Iran. And they leveraged a Python-based backdoor that was assembled via snippets from the internet as well as some custom code. And they're using it to gain a foothold post-exploitation for remote command and control. So what are the mitigations for this?
Starting point is 00:09:23 How do you go about protecting your organization from these sorts of things? Well, you know, I think the default that people look towards is firewalls. And one of the main problems with firewalls is the types of firewalls that you get in the cloud in particular are layer three, layer four firewalls, which really means that they have no ability to inspect the content of the traffic that's being communicated. And even when an organization uses NGFWs with layer seven deep packet inspection
Starting point is 00:09:54 or content inspection, it's really about positive identification of malicious activity. And the thing about a lot of these Python-based backdoors is they don't have a clear signature that would indicate malicious intent and therefore they go unnoticed. In one of the presentations I've done recently, we build a Python backdoor with a bootstrapper for persistence so that even if you try to remove it, it just keeps coming back. Fully encrypted communications with obfuscation with an encoding mechanism and a full command and control system in 25 lines of Python. And I think the point here is that it is so easy to create something new, unique, and novel
Starting point is 00:10:40 that a lot of the existing mitigation techniques that look for positive identification of malicious activity, there simply is no signature to identify these activities as malicious, so they go unnoticed. If you go to GitHub, there are presently 230 Python-based backdoors that are available for download right now. At the end of the day, Python is the power shell of the Linux and Unix world. It's incredibly pervasive. It's installed by default on virtually every Unix and Linux operating system. It's more or less covert. Malicious scripts are often confused for administrative tools. So EDR platforms, as an example, they might see invocation of Python, but not recognize that this is something that is out of the ordinary.
Starting point is 00:11:33 And it's remarkably easy to develop and debug Python scripts. So you can see that Python is this sort of universal language that covers all of the Unixes and even macOS. And by the way, it even extends to Windows. One of the Python-based backdoors that I write for demonstration purposes, without any modification, without any special handling, runs perfectly on Linux and multiple versions of on macOS, and on Windows. So it's this ideal framework for malicious actors to build malicious code.
Starting point is 00:12:14 That's Peter Smith from Edgewise Networks. There's been another sighting of a familiar creature from the cyber bestiary. Security firm Certfa Lab is calling out Charming Kitten, the well-known Iranian APT, as the group responsible for a recent phishing campaign that spoofed a Wall Street Journal writer's email to prospect targets for further compromise. The fish bait is a bogus request for an interview. Certfa Lab's list of Charming Kitten's interest is broad but still instructive. Quote, So a familiar list of rivals, opponents, espionage targets, and interestingly, adherents of the Baha'i faith.
Starting point is 00:13:04 espionage targets, and, interestingly, adherents of the Baha'i faith. And finally, accused Vault 7 leaker Joshua Schultz's trial has begun, and the outlines of his defense are coming into focus. Mr. Schultz, a former CIA employee who faces 11 federal counts in connection with the leak of alleged CIA hacking tools to WikiLeaks. His attorneys are arguing, as reported by the Washington Post, that the CIA's security was so miserably inadequate that the Vault 7 material could have been leaked or stolen by any number of people, and that the government can't really determine
Starting point is 00:13:35 who was responsible for what prosecutors call the single biggest leak of classified national defense information in the history of the CIA. Why then pick on Mr. Schult? He was, his defense team says, an easy person to scapegoat. Lead defense counsel Sabrina Shroff told the jurors, he was also a pain in the ass to everyone at the CIA. Thus, just impossible, but not a disgruntled employee who leaked classified material to get back at his bosses when they didn't stick up for him in a squabble with a colleague, as the prosecution alleges. And so, the pain-in-the-ass defense enters legal history.
Starting point is 00:14:13 Not to make light of it, Mr. Schulte is certainly entitled to the presumption of innocence, and that's one theory that would at least partially explain the scapegoating his defense team alleges. But there's another serious point here. As Ms. Schrott put it, being a difficult employee does not make you a criminal. And one must surely agree, if being impossible were a crime, where would any of us be? Especially our editorial staff.
Starting point is 00:14:44 Calling all sellers. Salesforce is hiring account executives Thank you. and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:15:33 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:16:33 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. and i'm pleased to be joined once again by justin harvey he's the global incident response leader at accenture uh justin it's always great to have you back um you know privacy is on a lot of folks
Starting point is 00:17:16 minds these days and i've been seeing people talking about um dns over https uh doh as i'm seeing people call it um what sort of insights can you give us on this? How much should we have our eye on this feature? I think we should definitely have our eye on this feature. As it stands today, if you want to go to a website, let's say www.whitehouse.gov, even if you're using HTTPS within your browser to access that website, your ISP has monitoring in place to see your DNS request. DNS is not encrypted over the internet, but of course, HTTPS is a means of encapsulating the content. So therefore, ISPs have been banking on this for quite a while, where they're able to see
Starting point is 00:18:06 all of the sites that people are visiting, and then they can sell that information for marketing purposes or for further analysis, of course, how to get products to reach those customers. And I think that from a privacy perspective, there hasn't really been a technology or even a need to encrypt a DNS until now. So the way that DNS over HTTPS works is essentially how it sounds. When you make an HTTPS request to somewhere like www.whitehouse.gov, it actually encapsulates that DNS request and then reaches out to a DNS service, thus making it hidden from view from anyone in between you and the website. DOH is not quite foolproof.
Starting point is 00:18:51 It doesn't quite give you all of the privacy you need. It doesn't take away the need for secure VPN or proxy or HTTPS. You still need to have all of those to be completely or nearly completely undetected. When you go to a website, your ISP will still have access to see where you're going based upon IP address. They just won't know what the associated domain with that is unless they do some reverse lookups. Is there any downside to this? Is it taking away some helpful visibility? It can take away helpful visibility from the standpoint of cybersecurity if you're an employee, so certainly.
Starting point is 00:19:32 There's also another downside in the sense that we've had DNS, I guess you could say DNS over UDP, if you will, for 30 to 40 years, and it's become a mainstay. for 30 to 40 years, and it's become a mainstay. And I think that with new technologies and with changing essentially the transport protocols of one of the most relied upon protocol on the internet, I think that can lead to some unexpected outages or problems depending on how it's implemented on a per vendor basis. And let's not forget the internet industry adage of, if anything is wrong, it's always DNS. Right, right. Fair enough. Fair enough. All right. Well, the march of progress continues, right? That's exactly right. And there are all six major browser vendors that will be supporting DNS over HTTPS. It's not enabled by default today.
Starting point is 00:20:29 In fact, Google Chrome is doing a small pilot with this, turning it on for a small segment of users by default. If you're a casual non-techie, I would say watch this space over time. I would say watch this space over time. Perhaps in the next three, six, nine, 12 months, we should see the maturation of these browsers' implementations over DOH. But if you're a geek like me, I don't see many downsides to turning it on today, just as long as you remember that you have it enabled.
Starting point is 00:20:58 So if you're seeing some weird behavior by your browser, maybe some outages or not able to access some websites, remember, you might have to turn that module off to rule that out. All right. Well, good advice. Justin Harvey, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
Starting point is 00:21:30 by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Thank you. Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
