CyberWire Daily - PupyRAT is back. So is the Konni Group. Twitter storm over claims that MBS hacked Jeff Bezos. Anti-disinformation laws considered. Canada is ready to impose costs on cyber attackers.
Episode Date: January 24, 2020
PupyRAT was found in a European energy organization: it may be associated with Iranian threat actors. Another threat actor, the Konni Group, was active against a US government agency last year. Saudi Arabia maintains it had nothing to do with hacking Jeff Bezos’s phone. The EU and Ukraine separately consider anti-disinformation regulations. Canada may be ready to “impose costs” in cyberspace. And Huawei’s a threat, but what’re you gonna do? Justin Harvey from Accenture with an outlook on 2020. Guests are Hank Thomas and Mike Doniger from SCVX, describing their plan to bring a funding mechanism known as a SPAC to cyber security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_24.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
PupyRAT was found in a European energy organization. It may be associated with Iranian threat actors. Another threat actor, the Konni Group, was active against a U.S. government agency last year. Saudi Arabia maintains it had nothing to do with hacking Jeff Bezos' phone. The EU and Ukraine separately consider anti-disinformation regulations. Canada may be ready to impose costs in cyberspace. And Huawei is a threat, but what are you going to do?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 24th, 2020.
Recorded Future has identified a PupyRAT infestation in a European energy sector organization.
Its command and control was communicating with the infected organization's mail server
from late November through January 5th of this year.
PupyRAT is an open source tool available on GitHub.
It's effective against Windows, Linux, OS X, and Android systems,
and it's been used to obtain access to the victim's system,
collecting sensitive information and credentials from the infected network.
Recorded Future told ZDNet that they think it likely that the infestation represents espionage and reconnaissance.
ZDNet uses the plural companies in its coverage,
but Recorded Future's own report is quite circumspect about whom the attackers hit,
whether it was an association or a company, and whether more than one organization was victimized.
PupyRAT has been observed for several years, at least since early 2017 when IBM described its use.
The remote-access Trojan has been used by Iranian threat groups: APT33, also known as Elfin, Magic Hound, or Holmium, and Cobalt Gypsy, which Recorded Future says overlaps with APT34, that is, OilRig. The researchers stress that the current activity predates the recent escalation of U.S.-Iranian tensions that have attended attacks on U.S. installations in Iraq and a retaliatory U.S. strike that killed the Quds Force commander, Major General Soleimani. So, the threat actor could well be working on behalf of Iran, but of course attribution is difficult, especially when a tool has been made available as open source.
Palo Alto Networks' Unit 42 research group reports that an unnamed U.S. government agency was hit with what Unit 42 is calling the Fractured Statue campaign. It uses a novel downloader, CARROTBALL, that the researchers say was employed along with the familiar CARROTBAT tool. They regard it as probable that Fractured Statue is attributable to the Konni Group, a threat actor that Cisco Talos says has been active since at least 2014.
The threat actor took the name of the Konni RAT it was early associated with,
but it's since branched out and evolved its tactics.
The recent campaign, which Unit 42 says was active between July and October of 2019,
initially used phishing emails that represented themselves as coming from Russian email domains.
The phish bait documents generally dealt with North Korean commercial relations
and were written in Russian, with some English sections thrown in.
Neither Russia nor North Korea should be assumed to be the source of the campaign.
Unit 42 summarizes what's known about the Konni Group as follows.
Quote, Konni is a threat group operating in East Asia. This group is known for using spear phishing attacks with documents related to North Korea, but lately documents related to cryptocurrency also have been observed. Konni is also the name of their custom RAT, which leverages anti-analysis techniques and intelligence gathering features, end quote.
None of this tells us who's responsible. Cisco Talos, in their earlier
assessments of the group's activities, concludes only that, quote, clearly the author of the malware
has a real interest in North Korea, end quote. But as we've seen in the Middle East espionage
campaign directed against Arabic-speaking targets, an interest in a country is very imperfectly
connected with attribution to that country.
So, while North Korea may well be behind the Fractured Statue campaign and the Konni Group's other works, firm attribution would be premature.
Reuters writes that the Saudi foreign ministry has again dismissed claims
of Crown Prince Mohammed bin Salman's involvement in hacking Amazon founder Jeff Bezos' phone as absurd.
That is, they didn't do it, and especially the Crown Prince didn't do it.
But investigations are in progress,
and it certainly seems that something was done to Mr. Bezos' device.
Is it possible the Crown Prince may himself have been hacked,
either his phone or a WhatsApp account, as some have suggested?
Well, sure, maybe. And it does seem odd that a crown prince would directly get his digital hands
dirty. On the other hand, who better to hack the richest man in the world's device than a fellow
billionaire who's met him at the places where billionaires go to meet? In any case, as BuzzFeed
notes, Saudi-aligned Twitter accounts have been doing
a lot of anti-Bezos woofing, with accusations of insincerity concerning his expressions of mourning
for the late Jamal Khashoggi, a discreditable personal life as evidenced by the intimate
pictures someone provided to the National Enquirer, and so on. BuzzFeed thinks the
accounts doing the tweeting are a part of a coordinated and inauthentic campaign,
presumably directed from Riyadh.
So does the United Nations Special Rapporteur on Extrajudicial Killings.
Agnès Callamard told BuzzFeed, quote,
Mr. Bezos has been the target of such campaigns before.
NBC News reported that they began shortly after Jamal Khashoggi, who had been a columnist for the Bezos-owned Washington Post,
was assassinated inside the Saudi embassy in Istanbul,
a murder which occurred on October 2nd of 2018.
Twitter at that time took down a large number of the accounts involved.
The platform has yet to take large-scale action in this latest round.
Forbes wrote yesterday that Graphika reported some 8,500 tweets by fans of MBS,
that is, fans of Crown Prince Mohammed bin Salman.
A common theme was a threat to boycott Amazon.
Ukraine is considering a comprehensive law designed to suppress disinformation.
Radio Free Europe/Radio Liberty says that critics are concerned the measure will also effectively suppress journalism.
Ukraine is in a tough spot.
As a former Soviet republic,
it has direct and immediate memory of what disinformation is and how a disinformation campaign can be mounted.
And were its historical memory to be as short as, say, ours is,
it need only look to the Russian hybrid war in Crimea
and the Donbass for an education.
Farther west, the EU is also deliberating adoption of measures that would counter disinformation.
Facebook doesn't like them, New Europe says,
and characterizes the proposed regulations as a threat to free speech.
To be sure, that's not exactly what the lawyers call an admission against interest,
but put the ad hominem aside and consider how are you going to legislate against disinformation
without doing the violence to free speech Facebook warns against?
Licensed journalists?
If that's the goal, there's useful advice to be had from the neighbors to the east, say, around Moscow.
Canada's government is preparing to impose costs on those responsible for cyberattacks on the Dominion,
according to 660 News.
The bad actions in cyberspace on which costs might be imposed
would presumably include the sort of influence operations
the Canadian Centre for Cybersecurity has been warning against.
Canada's Communications Security Establishment, the country's counterpart to Britain's GCHQ, the American NSA, the Australian Signals Directorate, and New Zealand's GCSB, has been given a charter to operate against targets in cyberspace. The documents that refer to imposition of costs suggest that such operations would be best done in concert with allies.
And finally, The Economist looks at Huawei and concludes it's a threat, but says the risks can be managed.
That's roughly what the UK seems ready to do, permitting Huawei into 5G networks,
but only in less sensitive peripheral regions and only in the context of ongoing security vetting.
And they formed a new company called SCVX. Their plan is to bring a funding mechanism known as a SPAC to cybersecurity,
which they say is new to the space.
So a SPAC, Special Purpose Acquisition Corporation.
That's Mike Doniger.
Is essentially a blank check company.
So what it is, is we raise a blind pool of capital on Wall Street in the form of an IPO.
And by definition, you're not allowed
to know what you're going to buy. There's very strict rules behind that. However, you can target
a specific space. And so some are more general in what they approach, let's say, agriculture or
chemicals or something very broad. We decided to take a very specific approach
in targeting the cybersecurity space. And in that, created an infrastructure around that with
our board, which we'll get into, with Hank and his team, to have a lot of expertise in a very
targeted area. So why a SPAC versus other methods of gathering capital of making investments?
If you are a target company and you're looking for the next evolution in your financial, you know, livelihood, you have a couple options. You can obviously continue to raise venture capital money or private equity money.
The cyber space in general doesn't like a lot of leverage because they're high growth companies.
And so it tends to be more venture capital than private equity.
And then as you hit that kind of series C, series D part of your evolution, you know, and your valuation starts to get upwards towards that billion dollar range, you know, the venture capital money is not as readily available at that point. And these
companies are extremely expensive to continue to grow with large sales forces and getting,
you know, a footprint inside that Fortune 1000. Well, Hank, let's dig in here. I mean,
take us through the thesis. Yeah, so the thesis is that the average CISO has
more than 75 tools in their war chest right now. The security stack has become unwieldy. It isn't
necessarily itself always integrated like it should be. If you're JP Morgan and you're spending
billions on cybersecurity, you have the ability to properly integrate things, but move down from that, and you're struggling to integrate
maybe the tools you have with the other security tools,
to integrate them with the rest of your IT stack.
You're really just kind of like in crisis management mode all the time.
I'm not saying everyone's in this situation,
but that's kind of the general feeling in cybersecurity these days,
is like, you know, what bad is going to happen next?
And we think that, you know, go to RSA for the last 20 years, like many of us have, or go to any of these security conferences and you see these rows and rows of things, right?
That if you're not in the sector, you know, how can you tell these things apart?
And if you are, you still sort of struggle to a certain extent. But we know that within those rows and rows and rows of things, there are some really awesome platform, and we can get into what a platform really means, cybersecurity companies that we could, if injected with the proper amount of capital and maybe the right new thinking to how to take it to the next level, you could build a really cool security control platform that
you could hang a number of other things off, let's call them ornaments, that give it far
more capability than it has today.
And people are talking about this already.
And this is a conversation I had before we started seriously talking about doing this
back the last four years at RSA, where we said, what if we could only roll these four
companies up?
And our goal is to
find one really cool company right now that meets most of our criteria, if not all of them, invest
in that company, help them develop a strategy to integrate a few other critical security controls
into that platform, and then create something that doesn't really exist in the industry today.
There's obviously been no shortage of investment dollars in cybersecurity over the past few years.
And as we touched on earlier, SPACs have been growing in popularity as well.
By your estimation, this is the first time we've seen this combination of a SPAC targeting cybersecurity.
We definitely think so. We definitely think we're the first.
Mike Doniger.
Definitely targeted directly at cybersecurity.
There may be one or two other SPACs that are technology-focused
or defense-focused that cybersecurity may fall in their subsphere,
but no one to our knowledge has really targeted and put a board like this
and put a team like Hank's team at the task.
So in terms of from a practical point of view, maybe trying to help both you all out and the folks who think that they may be a potential candidate for you, to try to save everyone some time, do you have some general do's and don'ts, like these are the things we're interested in and these are the things, please, let's not waste each other's time as we're setting up these meetings and trying to get these things going.
Yeah, I would say if you're not at least a series, you know, C round capital size cybersecurity company, you're probably too early.
That's Hank Thomas.
That's sort of the first financial gate to look at.
I think that, you know, having a, being a force in a particular sector and primarily the commercial sector. So
say, say having a large footprint in the financial services industry, or maybe you're a major player
in the critical infrastructure protection sector, or you are, you know, have a, have a sort of a
niche security control that doesn't necessarily have a lot of competition yet, but have also
established a strong presence across multiple commercial sectors. Those would all be things
that we would be interested in looking at. So you spin up the SPAC, you make your initial decision,
you buy your company, you invest in your company. What is the amount of flexibility you have at that
point? What directions can you go in? Yeah. So, you know, that company will be capable of using both the expertise we have in place
through our board, using some of the capital that's been injected into bring on additional
expertise, survey the landscape and say, you know, what are the things that kind of kept us
where we were before we IPO'd?
And now we have the flexibility to use this newly found capital to go out and acquire a couple of those missing components,
integrate those successfully into what we're doing,
and then become a platform that is more viable to either a particular industry sector or across multiple industry sectors.
Something that's more viable technically and more interesting, you know,
to the public markets as well.
That's Hank Thomas and Mike Doniger from SCVX.
We'll have an extended version of my interview with them running here in the next few days.
You check it out.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.