CyberWire Daily - Sabotage, not cyber? Cosmic Lynx pounces on some big companies with BEC. Purple Fox upgrade. Coordinated inauthenticity in the journalistic supply chain.
Episode Date: July 7, 2020
Explosions at Iranian nuclear sites remain unexplained, but look increasingly like conventional sabotage as opposed to cyberattacks. The Cosmic Lynx gang sets a high bar for business email compromise. The Purple Fox exploit kit gets an upgrade. Ben Yelin describes a Fifth Amendment compelled decryption case that may be headed to the Supreme Court. Our guest is Hugh Thompson, Chairman of the RSA Conference Program, on the human element of cybersecurity and lessons learned shifting a conference online. And a network of coordinated inauthenticity and fictitious personae is found pushing an Emirati official line. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/130
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Explosions at Iranian nuclear sites remain unexplained,
but look increasingly like conventional sabotage as opposed to cyberattacks.
The Cosmic Lynx gang sets a high bar for business email compromise.
The Purple Fox exploit kit gets an upgrade.
Ben Yelin describes a Fifth Amendment compelled decryption case that may be headed to the Supreme Court.
Our guest is Hugh Thompson, chairman of the RSA Conference Program, on the human element of cybersecurity and lessons learned shifting a conference online.
And a network of coordinated inauthenticity and fictitious personae is found pushing an Emirati official line.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, July 7th, 2020.
The explosions and fires last week at Iran's Natanz nuclear facility and some other installations continue to remain officially unexplained.
The BBC reports that Tehran says it knows what caused the fire at Natanz, but that Tehran isn't saying.
It looks, however, more like physical sabotage than either an accident or the kinetic cyberattack that was the subject of weekend speculation.
And whoever's speaking for the self-described Iranian dissident group, the Homeland Cheetahs, appears to have had advance knowledge of the incident, but the putative group materialized from nowhere and increasingly looks like a false flag.
The Washington Post quotes an anonymous Middle Eastern security official who spoke on condition that both his identity and nationality be concealed, to the effect that the damage was caused by a bomb placed inside the facility.
The operation, that source says, was an Israeli effort to send a message that would deter Iran from accelerating its pursuit of nuclear weapons.
Agari describes Cosmic Lynx, a Russian gang responsible for 200 business email compromise attacks in 46 countries over the past year. Tempted as we might be to think that overworked county clerk's offices and gentle little mom-and-pop small businesses are the natural prey of the BEC scammer, Cosmic Lynx has bigger fish to fry. As Agari puts it, quote, "Unlike most BEC groups that are relatively target agnostic, Cosmic Lynx has a clear target profile: large multinational organizations. Nearly all of the organizations Cosmic Lynx has targeted have a significant global presence, and many of them are Fortune 500 or Global 2000 companies."
They're also selective with respect to the people they prospect. About three-quarters of them hold the title Managing Director, Vice President, or General Manager.
The gang shows a regular pattern. They use the bogus intention of acquiring an Asian company as the pretext of their request. They impersonate the victim company's CEO in an email, asking them to work with external legal counsel to arrange the payments necessary to close the acquisition. That external counsel is the hijacked identity of a real attorney. Agari says the imposture involves an actual British law firm. Once the hook is set, the corporate mark is induced to send payments to mule accounts Cosmic Lynx controls.
The average Cosmic Lynx ask is $12.7 million, two orders of magnitude larger than the average seen in BEC attacks in general, which normally run about $55,000. The mule accounts are usually in Hong Kong, sometimes in Hungary, Portugal, or Romania, but never in the United States.
Large or small, organizations should consider the training and policies
that can help protect them against business email compromise.
For those of us who attended the 2020 RSA conference in San Francisco earlier this year,
it's a safe bet that it was the last major gathering most of us attended before COVID-19 shut everything down.
For organizations like RSA, who run multiple conferences around the world, this presents the obvious challenge of how to continue doing so in a safe way
while still providing the value attendees demand.
Hugh Thompson is chairman of the RSA Conference Program,
and he joins us with lessons learned shifting their upcoming Asia Pacific and Japan conference online.
Full disclosure, the Cyber Wire is a media partner with RSA.
We are just in unprecedented times.
You know, we were very fortunate to have RSA conference in the U.S. earlier in the year.
But now we find ourselves in a period where most people are at home,
maybe home for a significant amount of time,
but they still need the kind of content that RSA Conference provides and the kind of connective
tissue that we provide for the industry. So we're finding ourselves asking, how do you reproduce something that's such a human experience?
That's the interaction of people and the transferring of knowledge and calibration to something that people can consume at home and really get a lot of value out of.
And that's what we've tried to do.
That's what we've strived to do.
And we'll have a big launch of it in our upcoming RSA APJ conference.
Do you suppose when we find ourselves on the other side of this and people feel as though they can get back together safely, are there going to be changes to large conferences like RSA?
Or are people going to approach them differently?
I think so. I think that if you are an organizer of a large conference, one of the first questions you have to ask is,
how do you make the virtual experience rich? Whether you have an in-person component or not,
I think that's going to be critical. And there's some fascinating benefits to it.
One is that it really opens up the attendance to many, many more folks.
For example, for RSA Conference, we see every year that part of a security team from a large company can go to the conference.
And then maybe the following year, a different set of people from the security team can go to the conference. And it's a budgetary issue. It's an availability of resources issue.
But with an event being virtual or at least having a strong virtual component, you can actually bring a lot more people together.
And I've heard this from many other folks that are organizing these large virtual events, is the amount of attendance, the amount of registration, the amount of interest.
I think we're building the community in a meaningful way.
And what we're seeing is the humanity of this space shine through.
And that's incredibly encouraging.
I think most folks who are outside the security industry don't realize how human and how collaborative a space that it really is.
And we're really seeing that come to the forefront during these times.
That's Hugh Thompson from RSA. The 2020 RSA Asia Pacific and Japan Virtual Conference kicks off July 15th.
Security firm Proofpoint reports that the Purple Fox exploit kit has gained capabilities exploiting two known and patched Microsoft vulnerabilities. Purple Fox, described this past September by Trend Micro, appears to be a successor to the widely used RIG exploit kit. The crew behind Purple Fox apparently decided it made business sense to bring exploit kit development in-house. Proofpoint has now observed Purple Fox exploiting CVE-2020-0674 and CVE-2019-1458. The former is a memory corruption vulnerability in Internet Explorer that Microsoft fixed on January 18th. Proof-of-concept exploits have been published since then. The latter vulnerability is a Windows privilege escalation bug Kaspersky observed being exploited last October in the Operation Wizard Opium watering hole attacks. Microsoft fixed that one in December's 2019 Patch Tuesday release. And the obvious message here is the simple one: patch. These aren't zero-days.
An investigation by the Daily Beast has exposed a journalistic persona,
one Rafael Badani, represented as an international affairs expert
whose bylines have appeared in the Washington Examiner,
Real Clear Markets, American Thinker, and The National Interest.
There is, however, no such guy at all.
Rafael Badani's online pictures were scraped from the unknowing site of a San Diego entrepreneur
who had no idea his image was being appropriated.
And Rafael Badani's profile claimed degrees from George Washington and Georgetown Universities,
but sorry, no, he didn't attend either.
In fairness to Rafael Badani, how could he have attended? After all,
poor guy doesn't even exist, and trust us, it's tough to get through a university program when
not only are you not there, you're not anywhere. You thought distance learning was tough? Try
non-existence learning. The Badani persona wasn't a lonely one-off either. It, he, it figured in a network that boasted a lineup of at least 19 other policy catfish,
whose general line was to praise the United Arab Emirates and advocate a harder line toward Qatar, Turkey, and Iran,
and toward those nations' proxies in the Levant.
Their work also appeared in Human Events, the Post Millennial, the Jerusalem Post,
Al-Arabiya, and the South China Morning Post.
The catfish were often linked to the Arab Eye and Persia Now,
which served as central sites for sourcing their work.
Some of the news outlets, notably the Washington Times, have taken down the contributed content with a brief notice.
Others still have it up.
Twitter yesterday took down a number of accounts associated with the coordinated inauthenticity,
but the whole episode serves as a useful cautionary tale of the relative ease with which it's possible to place pieces,
especially as op-eds, in news outlets.
It's even easier if their editorial boards are
disposed to a sympathetic hearing of your message. You may have heard the old saw,
the enemy of my enemy is my friend, or the underworld platitude, keep your friends close,
but your enemies closer. Here's another one for us to consider. Keep the enemies of your enemies
closest of all. They may not have your best interests at heart.
And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security, also my co-host over on the Caveat podcast. Ben, always great to have you back.
Good to be with you, Dave.
Interesting story here. This came across my desk via Orin Kerr, who's a well-known, I guess, legal pundit on Twitter. Is that a fair way to describe him?
Yeah, he's a law professor at UC Berkeley. I'm a great admirer of his, even though we differ on some political issues, but he is probably the foremost legal expert in this country on Fourth Amendment and Fifth Amendment issues relating to technology.
Well, he brings up a case here from the Indiana Supreme Court who has split with a Massachusetts court with a case that may be heading to the Supreme Court.
And it's all about compelled decryption.
What's going on here, Ben?
So the case, as you said,
comes from the Indiana Supreme Court.
It was a woman who was placed under arrest.
Law enforcement took her iPhone.
They thought that iPhone contained incriminating evidence.
Detective couldn't get into the iPhone
because the iPhone was locked.
Law enforcement got a warrant to force this person to enter in the passcode to unlock her phone. She refused,
and the trial court held her in criminal contempt. So this, of course, concerns the Fifth Amendment
right against self-incrimination. The Fifth Amendment says the government cannot force you
to be a witness against yourself. This only applies to testimonial
evidence, so things you say, the contents of your own mind. And there's this related doctrine
as it comes to compelled decryption called the foregone conclusion doctrine. So the government
can force somebody to submit testimonial evidence if the government already knows the testimonial
aspect of the act
and isn't trying to actually learn anything through that compelled act. The question in
these cases is what counts as what is the actual testimony being sought through compelled decryption
here. What Oren Kerr has argued is that the only testimonial act involved is the person admitting that they know their own passcode.
If the government is aware
that the person knows their own passcode,
then there is no Fifth Amendment violation
because it is a foregone conclusion
that a person knows their own passcode.
Presumably, they've been able to open that phone in the past.
There's all different types of information.
You're not forcing a person to reveal anything new by compelling them to decrypt their device. The
conflicting view, and this is a view that has been adopted by a number of other scholars,
says that testimony is not just the knowledge of one's own passcode, but the contents, the knowledge of the contents on one's
own device. And in a separate jurisdiction, a 2011 case, a federal court actually adopted that
alternative view that the Fifth Amendment does apply in these circumstances because you're not
just revealing that you know the passcode, You're revealing that you are aware of the information that is on the device,
the potentially incriminating information,
and you are making that information available to the government.
The Indiana Supreme Court is taking this alternative view as well,
and this goes against the jurisprudence of other state courts, specifically, as you mentioned, the Massachusetts Supreme Court. They're saying that a suspect surrendering an unlocked
phone implicitly is communicating not only that they know the passcode, but that they know the
phone implicitly is communicating not only that they know the passcode, but that they know the
files on that device exist, that incriminating information exists, and the suspect is admitting
that they possess those files and are aware of
those files. And in the view of this court, that counts as testimonial evidence that would invoke
the right against self-incrimination. So the upshot of all this is now we have competing case law
coming from state supreme courts, and at least Professor Kerr and I think many other scholars
are predicting that
this is sort of on a collision course for the Supreme Court. Eventually, the Supreme Court is
going to have to decide, based on their own view of the issue, which one of these approaches best
fits with the original intent of the Fifth Amendment right against self-incrimination.
So I, you know, whether it's this Indiana case that
actually makes it up to the Supreme Court or whether it's a different case, I think this is
something that we're going to see the Supreme Court wrestle with in the coming years.
Do you have a take on it? Do you feel like it should go one way or the other?
I sort of, I disagree with Professor Kerr on this issue,
and I kind of agree with the alternative view of different scholars,
that the testimonial act is admitting that you know incriminating information is on that device.
It's not just the knowledge of your password.
It's sort of like being forced to reveal something very personal, like a diary, knowing that you
know the contents of that diary. Not that you know how to actually physically open, you know,
the notebook that you've written that diary in, if that makes sense. So, you know, I think the
spirit of the Fifth Amendment is not letting the government force somebody to testify against themselves, to incriminate
themselves. It's a fundamental tenet of our criminal justice system and of the due process
of criminal defendants. And I think that would be violated if this foregone conclusion doctrine
is applied as it relates to compelled decryption.
Wow. Yeah, interesting to see this one make its way through the courts.
Yeah. And I would love to see the Supreme Court resolve this issue one way or another, just because we do have this pretty fundamental split between state supreme courts.
Yeah. All right. Well, Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep
you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly
produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.