CyberWire Daily - NSO Group’s Pegasus was installed in a zero-click exploit: iOS users should patch. Vermillion Strike hits Linux systems. Enforcing the law against cybercrime.
Episode Date: September 14, 2021
Citizen Lab finds, and Apple patches, a zero-day used for zero-click installation of Pegasus spyware. A Cobalt Strike beacon has been turned to cyberespionage use against Linux targets. The Russian government could, it seems, take action against cybercrime, but its will-to-enforcement seems to be inconsistent. Ben Yelin from UMD CHHS with more on Apple's CSAM controversy, our guest is Mel Shakir from Dreamit Ventures on selling to CISOs, and their customer sprints. REvil makes nice with grumpy affiliates. And criminals' commitment to the common good seems weak. That's not a surprise, is it? For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/177 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Citizen Lab finds, and Apple patches,
a zero-day used for zero-click installation of Pegasus spyware.
A Cobalt Strike beacon has been turned to cyber espionage use against Linux targets.
The Russian government could, it seems, take action against cybercrime,
but its will to enforcement seems to be inconsistent.
Ben Yelin from UMD CHHS with more on Apple's CSAM controversy.
Our guest is Mel Shakir from Dreamit Ventures on selling to CISOs and their customer sprints.
REvil makes nice with grumpy affiliates.
And criminals' commitment to the common good seems weak.
That's not a surprise, right? From the CyberWire studios at DataTribe, I'm Elliott Peltzman, filling in for Dave Bittner,
with your CyberWire summary for Tuesday, September 14th, 2021.
During its investigation of a Pegasus spyware infection of a Saudi activist's iPhone,
the University of Toronto's Citizen Lab has found a zero-day, zero-click exploit against iMessage.
They call the exploit FORCEDENTRY, say it targets Apple's image rendering library, and claim that it's effective against Apple iOS, macOS, and watchOS devices.
FORCEDENTRY is a zero-click attack requiring no obvious user interaction. Victims may be unaware that their devices have been affected.
Malicious files masquerading as GIFs were the infection mechanism. As Apple put it in their description of the vulnerability,
In this case, the arbitrary code would be the Pegasus Intercept product.
The Wall Street Journal reports that NSO Group, maker of Pegasus,
has apparently been exploiting the vulnerability since February.
The company, asked for comment, simply told the Journal,
quote,
End quote.
Which is one way of looking at it.
Citizen Lab and Apple made fairly short work of patching.
Citizen Lab forwarded Apple the suspicious artifacts on September 7th. Apple confirmed that they included a zero-day exploit on the 13th.
And late yesterday also addressed the vulnerability
with an update to iOS 14.8. Users are advised to upgrade their devices as soon as practicable.
Subsequent releases of iOS will also be designed, Cupertino says, to keep this particular backdoor firmly shut.
We have a roundup of industry reaction and advice on FORCEDENTRY in this afternoon's Pro Privacy briefing.
Intezer has discovered a criminal version of Cobalt Strike's beacon, Vermilion Strike, they're calling it, used by unknown threat actors against both Windows and Linux systems.
Vermilion Strike may be the work of a gang,
but its sophistication and evident interest in espionage could also suggest that it might have been developed and deployed
by a nation-state's intelligence service.
But both provenance and attribution remain unclear.
Intezer thinks the Linux attacks most noteworthy
if only because their lower detection rates can lead to Linux exploits being overlooked.
Quote, Vermilion Strike and other Linux threats remain a constant threat.
The predominance of Linux servers in the cloud, and its continued rise,
invites APTs to modify their tool sets in order to navigate the existing environment.
End quote.
CSO thinks that recent events have revealed that the Russian government is fully capable of shutting down cyber gangs, if it wants to,
and that some disruptions of criminal activity may indicate that U.S. sanctions are having some limited effect.
That Russia could, if it wished, take action against cybercrime seems beyond serious dispute.
Controlling the gangs would seem to be more a matter of want-to than it is can-do,
as football coaches are wont to say about tackling. But encouraging signs of better behavior
seem thin. CSO cites as evidence of a little bit of want-to Roskomnadzor's blocking,
a week and a half ago, of several VPN services that were used for various purposes criminal
under Russian law, including drug trafficking, child pornography distribution, extremism,
and promotion or facilitation of suicide. The services blocked included some familiar names.
Hola VPN, ExpressVPN, KeepSolidVPN Unlimited, NordVPN, SpeedifyVPN, and IPVanishVPN.
None of these, we can't help but observe, are Russian operations. They hail, respectively,
from Israel, the British Virgin Islands, New York, Panama, Philadelphia, and Dallas.
Nary a Chelyabinsk among them, which offers a partial explanation, perhaps,
of the want-to on display in these cases. It's also worth noting that they all have
legitimate users, and users which and whom, Roskomnadzor says, it's whitelisted.
CSO also cites the arrests of some senior FSB figures in December 2016 and January 2017 as evidence of potential want-to,
but those personnel were arrested and convicted on treason-related charges.
They'd been sharing information on cybercrime with Western law enforcement agencies.
Those arrests occurred before the latest round of U.S. protests and sanctions, however.
One of the Russian gangs that was imperfectly controlled,
REvil, is now pretty clearly back in business, Threatpost confirms. They say that the decryptor released to Kaseya was all a mistake, the fat-fingered fumbling of one of their operators,
who's now presumably on whatever counts as a performance improvement plan in the underworld.
Whether fingers of size actually had anything to do with it or not,
REvil is back, and trying to make it all up with their disgruntled affiliates,
who've complained to the gangland arbitration panels that apparently form from time to time in various dark corners of the dark web.
REvil seems to have refunded payments to criminal affiliates who felt they'd been shafted, comping them to make them whole again.
So expect to see more REvil.
And finally, various gangs have sought to wear Robin Hood's hat, claiming they act not against
the common good, but only against the wealthy. Wealthy elite, as the Shadow Brokers used to say.
And by the way, where are those guys?
We kind of miss them.
But a recent cyber attack on Jefferson Parish, Louisiana courts
should move us toward reluctant skepticism
about whether such public spirit is widespread in gangland.
An unspecified gang took advantage of the distraction of Hurricane Ida
to install unspecified malware in the court's networks,
NOLA.com reports.
The courts are expected to recover soon.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time
visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Let's face it. If you're on the sales and marketing side of the house,
one of the challenges you likely face is getting quality time pitching your wares to CISOs.
Mel Shakir is Managing Director for Security Investments at Dreamit Ventures,
a venture fund for startups.
When I recently spoke with him, he emphasized networking and, not surprisingly,
taking advantage of opportunities provided by VCs like himself.
My background, again, is in cybersecurity.
I've spent almost 20-plus years working in this field and have a deep intrinsic
knowledge in the cyberspace itself. That matters because even for us to be able to pick the right
companies that we want to invest in, that is an important part of the equation. Also, you know,
good understanding of the trends and where the industry is going, anticipating, you know, what
the CISOs' needs are now and what they're going to be in the future.
All of those things factor in when we make an investment in the company.
So again, these are highly filtered.
I do product deep dives.
In early calls, many of these startups who reach out to us, they get surprised that I'm
not just talking about all the other aspects of the business.
The very first question I ask is, can you do a product demo?
I want to do a deep dive of the product, get me excited about the product,
then we'll talk about everything else.
So yes, having a deep understanding of the product, the technology, that is important.
I need to be able to communicate that also to the CISOs.
Are there any common mistakes that folks make in their interactions
with CISOs? Are there things that you shouldn't do because it'll
really just turn them off at the outset? Yeah, I
think CISOs are very technical by nature.
One of the things I always tell founders is take your A team
when you're meeting CISOs, for one.
The other important thing is preparation.
Before you go to meet with a CISO, have an understanding of why they are meeting you.
And there are a number of ways you can get to that information.
You could be, in some cases, you might be able to reach out to the CISOs and get that information.
But you could reach out to their team members, right? Or you could reach out to the partners.
You have to do some due diligence.
The kind of legwork the sales team and the business teams will do to be prepared.
So be prepared for those meetings.
Also try to have an understanding of the broader vision and roadmap for the CISO
and try to understand how you're going to fit in in their world.
So preparation is key. If you're going prepared and if you're talking about your solution, which is not in context with what the CISO's
needs are, what his vision is, you're certainly going to turn him off. And the other important thing is when talking about traction,
every CISO wants to know whether your product is being used by other CISOs,
especially ones that they might know.
So you have to be careful about that.
It's not very hard to anticipate what the network of a CISO is going to be.
If he's based out of the Northeast,
he's likely to know CISOs in the area where he resides, right?
Because there are lots of local forums that they would be meeting.
If you have had interactions with them, real ones,
that they are going to be able to reference and validate,
then make those references.
Not just throwing out names and logos,
because they will verify that.
That's Mel Shakir from Dreamit Ventures.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security.
But more important than that, he is my co-host over on the Caveat podcast.
Ben, it's great to have you back.
Good to be with you, Dave. We recently had a special edition of Caveat where we spent the entire episode talking about Apple's announcement that they were going to do some on-device scanning for CSAM, which is child sexual abuse materials.
Do I have that right?
Yes.
And of course, that was quite controversial and garnered a lot of coverage from folks who are concerned about privacy.
There's been an update here.
What's the latest, Ben?
So Apple has partially reversed its decision.
So I don't think we should over-exaggerate what they're doing here.
You know, it's been reported in some news sources that Apple has walked back their announcement.
I don't think that's entirely accurate.
What they're saying is we need more time to study it.
We're going to hit the pause button on our plans.
We want to figure out a way to monitor for this exploitative material,
but in a way that doesn't violate user privacy.
So the big objection is to the program where Apple would be scanning on your devices through your photos, your iCloud photos,
for sexually exploitive pictures that match pictures on a database maintained
by organizations like the Center for Missing and Exploited Children.
Obviously, that's an extremely worthy goal.
I think Apple thought that they were being good Samaritans by developing this program,
and it seems like they didn't really anticipate that there would be a backlash.
Right.
This was a pretty widely publicized decision.
They sent out information on the
technology to advocacy groups. I mean, you know, to put it relatively mildly, they were kind of
bragging about what they were doing. It was and is a clever technological solution. Absolutely,
to an extremely worthy goal. Right. You know, we cannot minimize the importance of keeping this type of material out of the hands of bad actors.
Because there was this backlash, Apple, in wanting to maintain its reputation as the foremost protector of user privacy, realized that they had gone a step too far.
And I think the lesson here is activism matters.
This company, you can hold organizations and companies reliable by raising hell when something happens that you disagree with.
Activist groups such as the Electronic Frontier Foundation,
EPIC, sprung into action, got petitions together, wrote op-eds,
and it had a really big impact.
And as I said to you on the Caveat podcast,
sometimes you can have more of an impact on private sector decisions than you can on your own lawmakers because there's more accountability.
I mean, if you have a problem with what Apple has done, you can move on to the next product.
Right.
And I think Apple is very attuned to that.
So that's, to me, the broader lesson here.
We don't know what Apple's going to do going forward, whether they will fully reverse this decision or whether, you know, while we're all sleeping on some Friday night, they're going
to reinstate the program. Right. Well, that's an interesting question. I've seen some folks
sort of cynically say that it could be Apple's next step is to sort of wait for the heat to
blow over and then just quietly enable this in some future software update.
Do you think at this point they could get away with that?
I mean, I think it's possible they try to do that.
I think because this has already happened and they've already raised the ire of privacy
and groups and security advocacy groups, no matter what they do now, there's a watchful
eye on Apple's behavior.
So I don't think we're in a situation where cut three months ahead in December, it's Christmas Eve and Apple tries to avoid the publicity.
Right.
I don't think that's going to happen.
Yeah.
I mean, interesting to see Apple walk back something like this, which I think we can agree is sort of contrary to their corporate impulse.
Right. Right.
You know, as I said, they came out with this, and I think they thought it was a very clever technological solution to a serious problem, and it is.
And the backlash maybe makes them take a closer look at the issue, but maybe hopefully themselves
as to how they approach these sorts of things in the future.
I think it's a wake-up call for Apple.
And it's really all due to our Caveat podcast.
Let's be honest. We know they listen to it.
That's right.
I just can't get Tim Cook to stop writing me.
I'm just like, all right, Tim, I get it.
I know. Leave us alone, Tim.
My inbox is full of
effusive praise.
Tim Cook, so needy.
All right, well, Ben Yelin, thanks so much for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland,
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technology.
Our amazing CyberWire team is Trey Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Dave Bittner, and I'm Elliott Peltzman.
Thanks for listening. Thank you.
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.