CyberWire Daily - Sunburst looks worse: bad Bears in US networks, and that’s not just right at all. “Evil mobile emulator farm.” Report: Pegasus used against journalists.

Episode Date: December 21, 2020

Cozy Bear’s big sweep through US networks gets bigger, longer, more carefully prepared, and worse in every way. IBM uncovers a big, conventionally criminal “evil mobile emulator farm,” and that’s no good, either. Citizen Lab finds more to complain about with respect to alleged abuse of NSO Group’s Pegasus tools. Awais Rashid from Bristol University on taking a risk-based approach to security. Rick Howard speaks with Cyral CEO Manav Mital on infrastructure as code. And tech executives are worried about Pandas and Bears and Kittens, oh my. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/244 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Cozy Bear's big sweep through U.S. networks gets bigger, longer, more carefully prepared, and worse in every way. IBM uncovers a big conventionally criminal evil mobile emulator farm, and that's no good either. Citizen Lab finds more to complain about with respect to alleged abuse of NSO Group's Pegasus tools.
Starting point is 00:02:20 Awais Rashid from Bristol University on taking a risk-based approach to security. Rick Howard speaks with Cyral CEO Manav Mital on infrastructure as code. And tech executives are worried about pandas and bears and kittens. Oh, my. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 21st, 2020. So CISA updated Alert AA20-352A on Saturday to say that the SAML abuse cyber espionage campaign wasn't confined to the SolarWinds Orion platform. Quote, CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform.
Starting point is 00:03:28 Specifically, we are investigating incidents in which activity indicating abuse of SAML tokens consistent with this adversary's behavior is present, yet where impacted SolarWinds instances have not been identified. CISA is working to confirm initial access vectors and identify any changes to the TTPs. End quote. According to Reuters, Microsoft found an earlier attempt on SolarWinds Orion software. The researchers call it Supernova, believing the malware was compiled in March, and describe it as an unsigned Orion imitator. Supernova is thought to have been the work of a second threat group distinct from the SVR group responsible for Sunburst.
Starting point is 00:04:03 It's not known if Supernova was actually deployed operationally. The SAML abuse campaign appears to have been under preparation for some time. Yahoo cites sources on background who say the threat group conducted a trial run of their campaign as early as October of 2019. The number of victims continues to expand. Bloomberg has put the most recent count at more than 200. Bloomberg also says that after initial checks, the financial services sector seems to have been relatively unaffected by the campaign. Banks and brokers are treating it as a wake-up call. U.S. Secretary of State Pompeo said publicly Friday that the SAML abuse campaign was pretty clearly the work of Russian intelligence services.
Starting point is 00:04:50 Hitherto, such identification had come from the private sector, CISA and NSA confining themselves to attributing this cyber espionage to a state actor. President Trump discounted both the attribution and the severity of the incident as a whole, tweeting that it could just as well have been a Chinese operation and that in any case matters were well in hand. Few seem to agree with the president, and Congress is looking for retaliation. The range of responses will probably be sanctions, indictments of individuals determined to have been behind the keyboards or directing the people behind the keyboards, and active disruption of Russian networks. That last class of action is unlikely to quickly become a matter of public record.
Starting point is 00:05:36 While Russia may have been behind the Sunburst and Supernova campaigns, it is possible to look at China's track record for examples of how such cyber espionage can yield useful intelligence. Beijing's style can seem indiscriminate, collecting whatever can be collected. But according to an essay in Foreign Policy, once it's done that, analysis and exploitation become essentially a set of big data problems, and solvable big data problems, at that. Russian representatives have, as is their custom, denied any involvement in an operation that has Cozy Bear's paw prints all over it.
Starting point is 00:06:16 Has Russia's President Putin addressed the incident? No, not directly, anyway, but in remarks he made this weekend in recognition of the 100th anniversary of the founding of the SVR, actually the founding of its ancestor organizations in the early years of Soviet power, Reuters says Mr. Putin praised the SVR for its work in general. Quote, I know what I'm talking about here, he said, in an evident allusion to his former career as a KGB agent, and I rate very highly the difficult professional operations that have been conducted, end quote. So do a lot of other people, although they don't necessarily agree that this is a good thing. IBM Trusteer researchers have discovered a large-scale bank fraud operation run from what they characterize as an evil mobile emulator farm. More than 20 emulators were used to spoof well over 16,000 compromised devices.
Starting point is 00:07:12 The scale of the operation is unprecedented for crime of this type. The gang responsible, probably based in Europe, is capable and careful in its exploitation of inherently legitimate services. Citizen Lab reports four groups, two unknown, one attributed to Saudi Arabia, the other to the United Arab Emirates, monitoring Al Jazeera journalists with NSO Group's Pegasus tool. Pegasus features zero-click installation and its capabilities extend to accessing passwords, taking pictures, geolocating infected devices, and recording audio from those devices' microphones. iPhones in particular were affected,
Starting point is 00:07:53 and while Apple told Computing that it hadn't been able to independently verify Citizen Lab's findings, the company did say that the surveillance appeared to be highly targeted. In the blog post that denounced Cozy Bear's cyber espionage campaign, Microsoft also took a shot at NSO Group, which it singled out as an example of private sector offensive actors, whom Redmond characterized as dangerous, akin to 21st century mercenaries. NSO Group has long maintained that it's in the lawful intercept business and that it sells only to responsible governments, with its exports informed by determinations made by the Israeli
Starting point is 00:08:32 government. Computing quotes the company as saying, quote, where we receive credible evidence of misuse combined with the basic identifiers of the alleged targets and time frames, we take all necessary steps in accordance with our product misuse investigation procedure to review the allegations. End quote. What do people see coming in the near future? Whatever they're seeing, that view is refracted through the pandemic, the holidays, and of course, Cozy Bear. The massive, long-running SVR intrusion into U.S. government and corporate systems has strongly shaped business views of where the biggest cyber threat lies.
Starting point is 00:09:10 A CNBC poll of technology executives last week found that 50% of them regarded nation-state cyber operations as the biggest threat their organizations face. They're also alive to the counterintelligence failure the Sunburst and Supernova incidents represent. 32% of the respondents thought that defining a national cybersecurity protocol should be the top priority for the incoming Biden administration and a new Congress. Online threats emerging during the holidays aren't going to just go away in early January.
Starting point is 00:09:45 The holiday shopping season has seen a surge in online fraud that won't abate with the winter holidays. Not only have periods of online bargains and special offers followed the familiar pattern of seasonal creep, expanding so that what was once a single Cyber Monday has become at least a solid fortnight, but the pandemic will continue to drive trade out of brick-and-mortar venues and onto the internet. That risk affects not only consumers and retailers, but also businesses whose workforce is now significantly remote, who have to consider, as Arab News glumly points out, that this workforce is likely to be doing a lot of that shopping on the same devices they use to connect to the enterprise. Fake delivery notices are proving one of the most common scams, CNBC reports,
Starting point is 00:10:32 and this will continue as long as people continue, in their innocence, to fall for them. Calling all sellers. Salesforce is hiring account executives to join us on the cutting Thank you. showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:11:30 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000
Starting point is 00:12:10 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. The CyberWire's own CSO, Rick Howard, has been talking to experts about DevOps and infrastructure as code and how that design philosophy applies to security.
Starting point is 00:13:18 Here's Rick. I have been disappointed in the pace that the network defender community has adopted this infrastructure as code concept. I first heard about it when I read Gene Kim's book, The Phoenix Project, back in 2013, a cybersecurity hall of fame book, by the way. In it, Kim describes the philosophy of DevOps, which is kind of a fancy name for infrastructure as code. And with apologies to my fellow Mandalorian fans out there, I was convinced that this was the way.
Starting point is 00:13:50 Unfortunately, our entire community seems stuck in neutral about this topic. I was talking to Manav Mital about this. He is the co-founder and CEO of Cyral, a DevOps support company. I asked him to describe what infrastructure as code is. It is a process for managing and configuring infrastructure through text files in both human and machine readable format. So historically, what you would do is, you know, rack and stack infrastructure either yourself or through remote hands. And now all of the infrastructure resources are completely abstracted out by services that you can configure and treat exactly the same way as software.
Starting point is 00:14:37 Manav agrees with me that the network defender community has shown up late to this party. The security team certainly came very late to this party, Rick. And this goes back a few years. Historically, even before DevOps, you had three big silos. There was a development team, an ops team, and a security team. And there was a waterfall release model and a software release
Starting point is 00:14:57 would basically flow down from development to ops and then to security. And development and ops were the first two teams that fused together and brought this whole DevOps movement to bear. It became this virtuous cycle,
Starting point is 00:15:12 which made releases faster, but also enabled them to release more frequently and fundamentally be more agile. Infrastructure as code then came in and put this up in a very high gear and really helped them accelerate everything that they were already doing. Now, for security, this became very challenging because they were typically deploying their tools and services and monitoring capabilities
Starting point is 00:15:38 around the software and the stack that the development and ops teams would provision. And now, as the speed of release increased, they were just left hanging out there trying to figure out how to keep up with it. But recently, the security side of DevSecOps has seen some gains from the cloud deployment side, specifically when it comes to the CI/CD pipeline, which stands for Continuous Integration, Continuous Delivery. And that led to this DevSecOps movement that allowed these three teams to very intimately collaborate with each other. In fact, some of the fastest growing, most popular, hottest startups that you've seen in the security space have focused on enabling this DevSecOps culture.
Starting point is 00:16:30 And with infrastructure as code, what has now come to bear is the security as code model, which integrates security directly into a team's CI/CD pipeline. So you can do security testing, vulnerability scanning, auditing, authorization checks, et cetera, directly into the application as it flows from test to code commit to production. The DevOps movement got its name back in 2010 or so, but organizations have been playing around with the concept as early as 2003. What is clear is that the InfoSec community is still basically standing at the starting line. Nobody is saying that DevOps, or DevSecOps in this case, is a bad idea, but it feels like we are all still trying to get our heads around the idea. That's our own CSO, Rick Howard.
Starting point is 00:17:14 Be sure to check out his CSO Perspectives podcast. That's part of CyberWire Pro. ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Professor Awais Rashid. He's the Director of the National Research Center on Privacy, Harm Reduction and Adversarial Influence Online at the University of Bristol. Professor Rashid, it's great to have you back.
Starting point is 00:18:33 Today, we wanted to touch on this notion of the importance of risk thinking when it comes to security decision making. What do you have to share with us today? Security decision making goes on in organizations all the time and at different levels. So, for example, when you are dealing with particular technical setups in your organization, you would have to think about what kind of security mechanisms that need to be deployed. If you're a board member, you have to think about how, in particular, strategic decisions you must consider cybersecurity and how that may impact the business. But one of the things that we have noticed in a piece of research that we've been doing is that
Starting point is 00:19:10 it's actually the risk-thinking strategies that matter greatly as to how effective the risk decisions can be. In our work, we have observed a number of different risk-thinking strategies. Teams, when they work together on making decisions about cybersecurity, can, for example, exhibit what you would call isolated thinking. In this case, what effectively is happening is that the teams are considering the various stimuli in isolation, so the information that they're being provided. They are considering it in isolation rather than in a connected way. And then there are, of course, other types of thinking that consider more of this in an interlinked way. And again, at different levels of complexity. So the way you think about risks can actually have a significant impact on what your outcomes are and how good or bad those outcomes would be.
Starting point is 00:20:04 Yeah, I mean, it's interesting to me because I think we've definitely seen this shift in the past few years of security professionals at larger organizations approaching security decisions in terms of risk. And I think particularly when it comes to framing it in a way so that they are speaking the language of the board, that the board of directors thinks in terms of risk and managing risk and so on and so forth. So it's interesting to me that it sounds like what you're pointing out here is that that mindset itself is not enough, that you have to be mindful of the actual type of risk thinking that you take on. Absolutely. It's the richness of your risk thinking, for lack of a better term. It really, really matters. And, you know, for example,
Starting point is 00:20:53 we've seen that, you know, often teams of decision makers would also undertake what is sequential thinking. So where they think of sort of various events or various pieces of information in an order and use them to inform. And that helps to some extent. But really what is required is, you know, what you would think of is something like radial thinking, you know, where you are thinking about, you know, a core question and then generating multiple related ideas from it to see what would happen. Or, you know, other types of complex thinking where when the discussion is going on, there is quite a lot of cross-references to particular issues. And it's how you make sense of the risk landscape or the threats that face your organization
Starting point is 00:21:35 or particular infrastructures, and the richness with which you consider it does matter. Because if the risk thinking remains largely isolated and you consider things in isolation, then you're not really considering the interconnection between the various issues that arise. How do people get started down this line of thinking? Are there some good sources you can recommend for folks to learn about how to go about this in the proper way? Well, there is a rich body of research now out there on cybersecurity risk decision making.
Starting point is 00:22:08 I will recommend people to go, for example, to look at the Cybersecurity Body of Knowledge project where there is a very extensive description of how to do risk management and governance in these kind of systems. But the other thing that I would also say is that there are various ways to approach it. And one is that you can approach any decision making in a risk-first way. So you may think about what the risks are and then explore ways of negating the risk and then consider what are the kind of multiple things that come into play. But the other is that all risk is not bad, right? So you may also consider the opportunities that are presented, right?
Starting point is 00:22:47 And then consider what are the risks that come from taking some of these opportunities and how the kind of various, various paths evolve from there. So all of this is a way to approaching risk thinking. But again, individuals and teams can be quite retrospective, introspective in that sense to think about as to are they considering things in isolation or are they actually also focusing on the links between the various elements they are considering as they make decisions. All right. Well, Professor Awais Rashid, thanks for joining us. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:23:41 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It's beginning to look a lot like Christmas. Listen for us on your Alexa smart speaker, too. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security Hop. I join Jason and Brian on their show for a lively discussion of the latest security news every week. Thank you. That's at recordedfuture.com slash podcast. Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:25:30 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
