CyberWire Daily - Phishing with a RAT in the Gulf. More on how Jeff Bezos was hacked. Microsoft discloses data exposure. Ransomware continues to dump data. Windows 7, already back from the great beyond.

Episode Date: January 23, 2020

There’s more phishing around the Arabian Gulf, but it doesn’t look local. Reactions to Brazil’s indictment of Glenn Greenwald. The forensic report on Jeff Bezos’s smartphone has emerged, and the UN wants some investigating. Microsoft discloses an exposed database, now secured. Ransomware gets even leakier--if it hits you, assume a data breach. And Windows 7 is going to enjoy an afterlife in software Valhalla--you know, around Berlin. Tom Etheridge from CrowdStrike with thoughts on incident response plans. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_23.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. There's more phishing around the Arabian Gulf, but it doesn't look local. Reactions to Brazil's indictment of Glenn Greenwald. The forensic report on Jeff Bezos' smartphone has emerged, and the UN wants some investigating.
Starting point is 00:02:10 Microsoft discloses an exposed database, now secured. Ransomware gets even leakier. If it hits you, assume a data breach. And Windows 7 is going to enjoy an afterlife in software Valhalla. You know, around Berlin. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 23, 2020. There are some developments in the phishing campaign observed against Arabic-speaking targets last week. Researchers at Cisco Talos late last week posted an analysis of JhoneRAT.
Starting point is 00:02:55 They noted its unusual staged deployment, its focus on Arabic-speaking targets, and the fact that it appeared to be custom malware, not a commodity attack tool. This morning, deep learning firm Blue Hexagon published a description of a phishing campaign that appears to be prospecting targets in the Gulf Cooperation Council, using Iranian news focused on the death of General Soleimani as phish bait. The countries of interest include Saudi Arabia, Bahrain, and the United Arab Emirates. The payload was what Irfan Asrar, head of cyber threat intelligence and operations at Blue Hexagon, characterized as a highly modularized remote access trojan. It made clever use of public resources, including at least one major digital marketing firm. Asrar believes the campaign is
Starting point is 00:03:39 the same one Talos identified, but that it's adopted a different set of themes. The presence of Iranian news as phish bait might suggest an Iranian threat actor, but Blue Hexagon believes Iran can be ruled out. They've found code similarities with attack tools previously deployed by what Blue Hexagon characterizes as East European threat actors. Thus, the Iranian themes are both attractive to targets in regional rivals and serve as a useful false flag as well. Brazil's indictment of Glenn Greenwald continues to attract negative reactions in the press, which see it as a threat to journalists everywhere, as in effect amounting to a criminalization of their interactions with their sources.
Starting point is 00:04:23 A New York Times editorial published Tuesday is a fair representative of general media opinion. While some interactions with sources can be criminal, this seems a very long stretch indeed in the case of Greenwald. Support for the indictment does appear in the comments sections of some of the articles that describe the indictment. Those anti-Greenwald commenters, for the most part, object to what they assess as Greenwald's political animus against Brazil's populist president, Bolsonaro. But claims that interactions with sources can amount to criminal conspiracy seem less of a stretch in the case of Julian Assange. Greenwald himself has suggested that
Starting point is 00:05:01 the U.S. charges against the WikiLeaks proprietor did foreshadow the charges Greenwald now faces in Brazil, but few in the media appear to agree, seeing the two cases as significantly different. Assange isn't charged with just talking to people or advising them to keep things on the QT. He's accused of active cooperation in accessing non-cooperating systems. But a lot of websites run by pro-Assange activists and others of like mind are with Greenwald on this one, saying in effect, see, we told you so, and by the way, free Assange. The UN has asked the US to investigate the spyware incident involving the phone belonging to Amazon founder Jeff Bezos, The Guardian reports.
Starting point is 00:05:49 Motherboard has obtained a copy of FTI Consulting's forensic report on the device and notes this conclusion: Bezos' phone was compromised via tools procured by Saud Al-Qahtani. Motherboard describes Saud Al-Qahtani as a friend and close advisor to Saudi Crown Prince Mohammed bin Salman. He was also president and chairman of the Saudi Federation for Cybersecurity, Programming and Drones, and was known to procure offensive hacking tools on behalf of the Saudi regime,
Starting point is 00:06:19 among them tools made by the Italian company Hacking Team. The forensic investigation used a Cellebrite UFED-4PC Ultimate and Physical Analyzer to inspect the phone's contents, but they apparently were not provided the encryption key. Some experts consulted by Motherboard note that the investigators may not have got the root access they needed to fully inspect the phone, since good state-sponsored malware wouldn't betray itself by appearing in backup files. NSO Group's Pegasus tool has been the usual suspect, but the basis for that conclusion, while convincing to many, remains largely circumstantial. The forensic report doesn't say it found Pegasus. It simply notes that Pegasus could have been used, and that it's also possible Hacking Team's Galileo might have been used. As the report puts it, advanced mobile spyware such as NSO Group's Pegasus or Hacking Team's Galileo can
Starting point is 00:07:11 hook into legitimate applications and processes on a compromised device as a way to bypass detection and obfuscate activity in order to ultimately intercept and exfiltrate data. The success of techniques such as these is a very likely explanation for the various spikes in traffic originating from Bezos' device. Comparitech found five Microsoft Elasticsearch servers exposed online on December 29. Microsoft secured them over the next two days and disclosed details of the incident yesterday. The data were held in a customer service database. Some 250 million records were exposed.
Starting point is 00:07:49 Comparitech says Microsoft was quick to respond when notified, and Microsoft has given Comparitech a nice tip of the hat in its own disclosure. Redmond says that it follows standard redaction procedures for the information stored in such databases, and that in this case most of the records appear to have been redacted in accordance with company policy. Nonetheless, Microsoft goes on to say, quote, "While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed,
Starting point is 00:08:19 we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable." End quote. The company plans to take four actions immediately. First, it will audit the established network security rules for internal resources. Second, it will expand the scope of the mechanisms that detect security rule misconfigurations. Third, it will add additional alerting to service teams when security rule misconfigurations are detected. And fourth, it will put additional redaction
Starting point is 00:08:50 automation in place. And it recommends that everyone else who owns a database that could be exposed inadvertently check to ensure that it's properly secured and not hanging out there open to inspection. A ransomware infestation must now be considered a data breach until investigation proves otherwise. Bleeping Computer notes that both Maze and Sodinokibi are now leaking data belonging to victims who failed to pay up. Dark Reading writes that organizations are increasingly disposed to pay; whether they're fueling a bandit economy has apparently become less important than suffering the double whammy of business disruption and then the regulatory
Starting point is 00:09:30 odium of a data breach. And they're making the business decision that paying the ransom is cheaper. The insurance industry has also twigged to the new reality. It's getting more expensive to transfer the risk of ransomware, as U.S. underwriters generally are raising premiums for their coverage. Reuters reports increases amounting to as much as 25%. Hey, hey, hey, hey, have you heard? Dracula has risen from the grave. Because you just can't keep a good man down. No, not really, just...
Starting point is 00:10:02 Anyway, take it from Uncle Dave, kids, there's no such thing as vampires and revenants and zombies and stuff. But there is such a thing as software that's beyond its end of life. What's risen from the grave already is Windows 7. The old operating system may have gone west, but what ho, it's going to enjoy an afterlife, courtesy of the German government, which apparently just can't quit it.
Starting point is 00:10:26 Berlin will pay Redmond €800,000 in 2020 for extended security updates for the roughly 33,000 PCs still running Windows 7, reports say. We hesitate to speculate about the number of IoT devices around the world that will also keep Windows 7. Those are inherently much harder to update. And seriously, kids, we're sorry if we scared you about the vampires. Uncle Dave is bad. No, really, there are no such things as vampires, just retired versions of the Windows OS.
Starting point is 00:11:25 Oh, my God. Faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
Starting point is 00:12:05 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:12:59 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Tom Etheridge. He's the VP of Services at CrowdStrike.
Starting point is 00:13:35 Tom, it's always great to have you back. You know, you and I, in a previous conversation, we were talking about the 1-10-60 concept of responding to incidents and how much timing matters. And one of the things that struck me in our conversation was that it seems to me that in order to respond quickly, you have to practice ahead of time. It's that old "practice like you play" thing from sports. What sort of insights do you have for us when it comes to that? So Dave, your comments are spot on. Muscle memory is a concept that we talk to clients about consistently in terms of being able to test over and over
Starting point is 00:14:12 an organization's ability to respond to a cyber incident should one occur in their environment. It's really important to validate or test out things like your incident response guide or playbook, making sure that you understand which key stakeholders in the organization need to be engaged during an incident, what type of legal support you'll need, what type of communications and PR support you might need should notifications and reporting be required, and understanding really how to optimize and improve all the elements of a cyber response. You know, it strikes me that kind of like how I really wish I went to the gym more than I do, that everybody has best intentions. I think this is an area where I can imagine it being easy for some organizations, despite having those best intentions, that this sort of practicing is an easy thing to push aside. Do you have any recommendations for organizations to make sure that they're keeping up with this, make sure that it stays on the schedule? Certainly. One of the techniques that we use here at CrowdStrike is we offer a retainer service to our clients that can flexibly
Starting point is 00:15:32 be used for all of the service offerings that we offer to help customers prepare and test out their incident handling capabilities. Techniques such as red teaming and adversary emulation, exercises where we can mimic threat actor tactics and techniques and really test out whether an organization has the defenses to be able to detect that, understand what's going on quickly and be able to respond in an efficient manner is something that we offer as part of that retainer service. And many of our clients actually schedule regular red team or pen testing exercises to ensure that they're up to speed and that their application lifecycle includes the right kind of security controls to make sure that they're able to detect and prevent these
Starting point is 00:16:25 breaches from happening. Tabletop exercises are another great way to bring in other stakeholders from across the organization, not just the IT organization or the security team, but to bring in the legal team, the PR and the communication staff to bring in other key executives into the incident handling process to make sure that everybody's aligned and on board and that there's not finger pointing or balls being dropped when an incident really does happen. Yeah, I can imagine also that when you've made that investment or even engaging with an outside company like you all at CrowdStrike,
Starting point is 00:17:11 that once that investment is made and your folks are on the calendar and coming, that sets up a situation of a different level of commitment than perhaps if someone was just trying to do it all in-house. Absolutely. We work pretty hand-in-hand with clients to build a roadmap for how they can plan these types of activities and events throughout the course of their calendar year. It's also a great way to continue to drive investment from the leadership of the organization, even the board of directors around pointing out areas where improvements need to be made, focusing investment dollars into the right areas so that the organization has a plan for how they're improving their overall maturity and ability to
Starting point is 00:17:53 be prepared for these types of events. All right. Well, Tom Etheridge, thanks for joining us. Thank you, Dave. Thank you. worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:19:21 Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Starting point is 00:19:38 Thanks for listening. We'll see you back here tomorrow. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
