CyberWire Daily - Shamoon 3 and Charming Kitten. Czech CERT issues warning concerning Huawei, ZTE. Influence ops and a Facebook boycott. PewDiePie’s followers versus the Wall Street Journal.
Episode Date: December 18, 2018
In today's podcast, we hear that Shamoon 3 and the renewed activity of Charming Kitten strike observers as the long-expected Iranian cyber retaliation for reimposition of sanctions. The Czech CERT says Huawei and ZTE both represent a threat. Huawei insists it didn't do nuthin'. Facebook faces a boycott in the wake of Senate-commissioned reports on Russian trolling. And PewDiePie's followers deface a Wall Street Journal page. Craig Williams from Cisco Talos with a look back at 2018. Carole Theriault speaks with Rapid7's Tod Beardsley about their Industry Cyber Exposure report.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
Shamoon 3 and the renewed activity of Charming Kitten strike observers
as the long-expected Iranian cyber retaliation for re-imposition
of sanctions.
The Czech cert says Huawei and ZTE both represent a threat.
Huawei insists it didn't do nothing.
Facebook faces a boycott in the wake of Senate-commissioned reports on Russian trolling.
And PewDiePie's followers deface a Wall Street Journal page.
From the Cyber Wire studios at DataTribe,
I'm Dave Bittner with your Cyber Wire summary for Tuesday, December 18, 2018.
Shamoon 3 seems to have affected a wider range of targets than was first believed.
McAfee says the attacks affected victims in the oil, gas,
telecommunications,
energy, and government sectors in the Middle East and Southern Europe. Symantec reports more
signs that this Shamoon infestation came from Iranian threat actors, including its association
with attacks that used StoneDrill malware. Shamoon 3, as well as Charming Kitten's
reappearance with two-factor authentication defeating attacks,
have led some observers to conclude that the long-expected Iranian cyber-retaliation for reimposed sanctions is underway.
The Czech government's CERT has issued an unambiguous warning that Huawei and ZTE equipment represents a security threat.
The report specifically cites Chinese laws requiring companies
to cooperate with intelligence and security services
as grounds for excluding devices produced by either company from government networks.
Huawei, for its part, continues to regard itself publicly
as a victim of geopolitical competition,
singled out for special punishment by the U.S.
for reasons
having everything to do with trade and nothing to do with security.
The U.S. Senate-commissioned reports on Russian influence operations point out extensive trolling via Instagram, much of it directed toward African-American voters, as the Russian government sought to exploit fissures in American civil society.
The NAACP has responded to those portions of the reports that indicated voter suppression efforts by returning a donation the organization had received from Facebook, which owns Instagram,
and called for a boycott of the social networking company.
The boycott, hashtag LogoutFacebook, began this morning and is scheduled to last for a week.
The NAACP says the boycott is a response to what it calls
the tech company's history of data hacks which unfairly target its users of color.
Facebook has said it intends to beef up its content moderation efforts to police the sort of influence operations the two Senate-commissioned reports released yesterday outline.
The reports, one by social media and brand protection shop New Knowledge, the other by the Computational Propaganda Research Project, a joint effort by Oxford researchers and Graphika, another social media analysis company, fleshed out much of what has been known concerning the operations of the St. Petersburg troll farm, the Russian government-directed Internet Research Agency.
What's new in the report is the extent to which the Russian influence operation depended upon
highly targeted, culturally literate marketing to U.S. political, ethnic, and cultural subgroups
over Instagram. This activity dwarfed, for example, the purchase of Facebook ads by Russian operators.
The shift in the propaganda's center of gravity to Instagram occurred in 2017,
when too much attention made Facebook a less attractive messaging platform.
The New Knowledge study suggests the magnitude of the change: it found 187 million engagements with users on Instagram, as compared to 77 million on Facebook.
The reports were also interesting in that they suggest the Russian activity is ongoing and complex.
It involves an interesting mix of mass marketing, the electronic equivalent of direct mail, and traditional human tradecraft.
There were infiltrations of online games, browser extensions, and music apps.
The St. Petersburg trolls took to social media to encourage Pokémon Go players,
at its peak popularity during the 2016 election season, to adopt politically divisive usernames.
Russian-controlled accounts connected with individuals through merchandise
that carried messages by making follower requests, dangling job offers, and establishing helplines
that encouraged people to divulge sensitive information that could be used in subsequent
efforts. These last two in particular are updates of long-standing ways of recruiting agents.
Begin small, learn about the targets,
and habituate them to doing you little, more or less innocent favors.
But the rest is all marketing, and it seems the shame of the world that the country that for good or ill invented modern marketing
should see its rival run circles around it.
There's a new report recently published
tracking cybersecurity in Fortune 500 companies.
Our UK correspondent Carole Theriault has the story.
Rapid7 have just put out a brand new report, and I got a chance to chat with Tod Beardsley, Rapid7's Director of Research, about what they were up to.
I've seen that you guys are issuing a new cyber investigative report called the Industry Cyber Exposure Report, Fortune 500.
This is a fancy title. So what were you guys looking for?
So for the last, I'd say, three or four years, Rapid7 has produced something called the National Exposure Index, essentially a look at the whole Internet.
But for this report, we narrow that down to just Fortune 500 companies,
and we map out what IP space belongs to all of these companies.
We bucket them into particular industries,
so it might be retail or technology or wholesalers or something like that.
And then we take a look at the exposure among just the Fortune 500.
The Fortune 500 is a pretty good stand-in proxy for the U.S. economy.
They employ millions of people.
They represent almost a third of U.S. GDP.
And so we can look at the Fortune 500 and figure out, like, what exposure looks like for them.
And then we can kind of say some things about, like, how U.S. companies, like, treat the Internet and how they – what they expose to the Internet, how they're exposed.
And, you know, the kinds of things that those IT organizations, which tend to be very well resourced because they're Fortune 500, where they can get the most bang for
their buck when it comes to exposure.
Fascinating.
Okay, I have my bucket of popcorn.
Do you have a few tidbits from this report you can share with us?
The average company in the Fortune 500 exposes about 500 services to the internet.
What does that mean, though?
I will let you know.
Sorry.
No, no problem.
So like a service on the internet, so that would be something like a website or a DNS service or an SMB service, which is how you do like Windows networking, or SSH, which is like a secure remote shell.
You know, all of these services, like this is why you have the internet.
Like you want to be able to do this.
We figure like this is a pretty good baseline for us.
Like if you're a
Fortune 500 company, you have a couple billion dollars flying around, like you are likely to
expose about 500 services. Now there are some companies that expose way more than that, like
that hit like 2,000 to 3,000 services. And we would consider those companies to be more exposed
because they have more attack surface. They have more machines they have to keep updated. They have
more services they have to patch. They have more...
What kind of companies are way up there?
We saw things like companies that are in business services, in technology, unsurprisingly, will expose a lot more. But we have companies that are in the apparel bucket, don't expose much. They may have a website, a DNS server, and that's about it.
Okay, so what takeaways do you think people get from reading this report?
We look at not just volume, but we also look at a couple particular services.
One of them is SMB, which stands for Server Message Block.
And it is a protocol used almost always by Windows
that is pretty much an everything protocol.
It does authentication, it does file sharing,
it does printer management.
And SMB, for a long time,
has been a favorite target for attackers.
And Microsoft knows this.
And so we're at a point today where we say,
like, do not ever expose SMB.
There's no business reason, there's no technical reason, there's no practical reason to have SMB exposed to the internet today.
Then we go count, you know, and we count among the Fortune 500, like, who's actually still exposing SMB, and the number's not zero, which is a bummer.
We also see, um, like, insecure old protocols like Telnet, which is a protocol from, like, 1978, that is used usually for remote management.
You Telnet to a computer to do operating system things. You reboot it or whatever.
Telnet is very much deprecated by a newer protocol called SSH, which does almost the same thing, but it does it with cryptography.
And so Telnet has no business being on the modern internet today, because it's old, it's impossible to secure in any reasonable way. And so we're on a crusade to get rid of Telnet.
I think you can take a look at the findings from the Fortune 500 and apply them directly to your enterprise.
We cover a couple of other things in the report, but I would just recommend people go download it.
Indeed. Thanks to Tod Beardsley of Rapid7.
This was Carole Theriault for the Cyber Wire.
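As an added example, not Rapid7's code or anything taken from the report, the counting Tod Beardsley describes can be reproduced against your own enterprise in a few lines of Python. The script below assumes you already have an export of your internet-facing services in a simple `company,ip,port,service` CSV (an assumed schema; the rows here are constructed, and the company names and addresses are invented). It tallies services and hosts per company, ranks companies by attack surface, and flags anything listening on SMB (445, 139) or Telnet (23), the two protocols the interview singles out as having no business on the internet.

```python
"""Added example (not Rapid7's code): tally internet-exposed services per
company from a constructed inventory and flag SMB and Telnet, mirroring the
counting described in the Industry Cyber Exposure Report interview."""
from collections import defaultdict

# Ports the interview says should never be exposed to the internet.
NEVER_EXPOSE = {
    23: "telnet",
    139: "smb (netbios-ssn)",
    445: "smb",
}

# Constructed sample scan export, one "company,ip,port,service" record per
# line. The schema is assumed; companies, addresses and counts are invented.
SAMPLE_SCAN = """\
company,ip,port,service
Acme Apparel,203.0.113.10,443,https
Acme Apparel,203.0.113.11,53,dns
Globex Tech,198.51.100.5,22,ssh
Globex Tech,198.51.100.5,443,https
Globex Tech,198.51.100.6,445,smb
Globex Tech,198.51.100.7,23,telnet
Globex Tech,198.51.100.7,80,http
Initech Services,192.0.2.20,443,https
Initech Services,192.0.2.21,445,smb
"""


def parse_scan(text):
    """Parse CSV text into (company, ip, port, service) tuples, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        company, ip, port, service = line.split(",")
        rows.append((company, ip, int(port), service))
    return rows


def exposure_report(rows):
    """Return {company: {"services": n, "hosts": n, "flags": [...]}}.

    One exposed listener counts as one service, the way the report counts them;
    hosts are distinct IPs; flags list every SMB or Telnet listener found."""
    acc = defaultdict(lambda: {"services": 0, "hosts": set(), "flags": []})
    for company, ip, port, service in rows:
        entry = acc[company]
        entry["services"] += 1
        entry["hosts"].add(ip)
        if port in NEVER_EXPOSE:
            entry["flags"].append(f"{ip}:{port} ({NEVER_EXPOSE[port]})")
    # Freeze the host sets into counts so callers get plain values.
    return {
        c: {"services": e["services"], "hosts": len(e["hosts"]), "flags": e["flags"]}
        for c, e in acc.items()
    }


def rank_by_exposure(report):
    """Most exposed company first: by service count, then by flagged listeners."""
    return sorted(
        report,
        key=lambda c: (report[c]["services"], len(report[c]["flags"])),
        reverse=True,
    )


if __name__ == "__main__":
    rep = exposure_report(parse_scan(SAMPLE_SCAN))
    for company in rank_by_exposure(rep):
        e = rep[company]
        print(f"{company}: {e['services']} services on {e['hosts']} hosts")
        for flag in e["flags"]:
            print(f"  NEVER EXPOSE: {flag}")
```

Point it at a real export from whatever scanner you use and the ranked output gives the report's "more services, more attack surface" view of your own estate; a non-empty flag list is the thing to fix first.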
We've heard and passed on much sound advice against placing too much importance
on attribution of attacks to specific actors. It's often said that unless you wear a badge and carry a gun,
attribution really doesn't matter that much.
That's certainly true in part.
One of the first things one naturally wants to know when attacked is who did it.
But all too often, knowing who did it means little in terms of defending yourself
or recovering from an attack.
Of course, attribution is interesting when it reveals an attacker's
tactics, techniques, and procedures. That can be useful, and that's some solid value anyone
might take from threat intelligence. But here's another way attribution, in the whodunit sense,
may matter terribly. Your cyber insurance policy might not cover an act of cyber war.
Mondelez International, a major food company that was hit hard by NotPetya,
submitted a claim for more than $100 million in losses it incurred as a result of that attack.
According to Reinsurance News, however, Zurich Insurance is disputing the claim
on the grounds that the policy they wrote for Mondelez
excluded coverage for a hostile or warlike act by any government or sovereign power.
NotPetya has generally been attributed to Russia, and that attribution has been convincing enough for Zurich to hold its payout.
There will be much more to be said on the matter.
As Reinsurance News points out, the burden of proof here is on Zurich. But it's worth noting that there's a good chance any cyber insurance policy you may have could contain a war clause.
The large print giveth, and the small print taketh away.
Finally, we're still following the followers of PewDiePie,
who continue to disport themselves as what Mr. Cluley has taught us in another context to call cockwombles. Hacking
printers to urge people to follow YouTube star and noted impresario of the Tide Pod Challenge
PewDiePie? Check. Hacking printers to encourage such following and at the same time to assume
the moral and technical superiority that comes with telling people they've been pwned and aren't
they glad someone told them so they can up their sorry game?
Check and double-check.
Defacing a Wall Street Journal page
to display a poorly written message
saying the journal apologized
for its animated versions about Mr. Pie?
You betcha.
And that last one achieved a kind of harmonic convergence
of loserdom since it closed with the message,
we also need your credit card number,
expiry date, and the lucky three digits
on the back to win the chicken dinner
in Fortnite.
Dance on, all ye cockwombles.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
once again by Craig Williams. He's the director of Talos Outreach at Cisco. Craig, it's great to have you back. You know, we're coming up quickly here on the end of the year and thought it might be helpful to look back at the year in review and track some of the things that you all saw this year and how that informs what you're going to look for in the year to come.
Yeah, thanks for having me. So, you know, the one I wanted to talk about was basically our VulnDev team just knocking it out of the park this year.
For those of you who don't know, our vulnerability discovery team basically looks for bugs and products that people use every day.
And this can be anything from a library that's used in, say, an iPhone, a Mac computer, to specialized software that few people touch.
And the reason we look at it is because people need to make sure that devices are patched.
And we found bugs in very old libraries that touch huge numbers of things just because
no one's ever looked.
And so part of what the VulnDev team does is finding that, working with vendors to coordinate disclosure,
get patches out there. And in doing so, we've patched a record number of things this year.
For our advisories, we've gone from 201 advisories to 245 this year. But from a CVE perspective, it's even higher because of the way that MITRE asked us to assign CVEs. We've gone from 202 to 394. So think about that. That's more than one CVE per day.
Wow. When you put it in terms like that, it's really amazing how many bugs these folks found. I mean, give me some insight. What's the return on this investment for the Talos Group and for Cisco to invest in this sort of thing? I mean,
it's not that you're
only going and poking around in your own devices to look for these things. This is a community
project.
Right. Well, that's actually a common misconception. So at Cisco, we have our team looking at non-Cisco software. And then we have another team in our advanced security initiatives group that actually look at Cisco software. So we actually have a specific team for that who's super productive and they do their own blog posts. But when we look, we look for things that are not Cisco.
And to give you an idea of what we get out of this. So, you know, my favorite one of all time,
I think, was the libtiff vulnerability. So if you're not familiar with libtiff, it's one of those ancient graphics libraries. Like it, you know, probably dates back into the 80s, if not before.
Oh, yeah.
And so what we found was basically a buffer overflow in libtiff so you could effectively send someone a malformed iMessage
and potentially get code execution on the device.
So when you think of it in terms of that,
getting that fixed is pretty important
because the reality is we are not the only ones looking.
It is not unusual for us to have a vulnerability collision,
which means when we discovered it and reported it, well, someone else discovered it and reported it
at the same time. And so if you think about the fact that that happens relatively regularly,
you really start to get an idea of how many different teams around the world are looking
for these. And that's not even counting criminal organizations. That's teams of good guys trying
to do the same research. Now, looking ahead towards next year, do you anticipate continued acceleration?
Absolutely. You know, one of the things that's most important to VolDev is finding new and
more efficient ways to find these type of bugs and to help vendors identify these security issues.
So I think we're going to continue to see these numbers climb. I hope that we continue to knock
out high severity, you know, remotely exploitable bugs so that there are fewer out there for adversaries.
Yeah. All right. Well, Craig Williams, thanks for joining us.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe.
Thanks for listening.
We'll see you back here tomorrow.
Thank you.
into innovative uses that deliver measurable impact. Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.