CyberWire Daily - The Triton actor seems to be back. Project TajMahal is after diplomatic secrets. California’s motor-voter program and a DMV hack.
Episode Date: April 10, 2019
FireEye says that the Triton actor is back. There's some ICS malware staged in an unnamed "critical infrastructure" facility, and it looks as if the people who went after a petrochemical plant in 2017 are back for battlespace preparation. Kaspersky describes Project TajMahal, a cyberespionage effort against a Central Asian embassy. And California's motor-voter program hits a hacker-induced bump in the road. Johannes Ullrich from SANS and the ISC Stormcast podcast on protecting yourself from hidden cameras when vacationing. Guest is Dr. Ratinder Ahuja from ShieldX on Elastic Microsegmentation. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_10.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
FireEye says the Triton actor is back. There's some ICS malware staged in an unnamed critical infrastructure facility, and it looks as if the people who went after a petrochemical plant in 2017 are back for battlespace preparation. Kaspersky describes Project TajMahal, a cyber espionage effort against a Central Asian embassy, and California's motor-voter program hits a hacker-induced bump in the road.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 10th, 2019.

FireEye announced this morning that they were investigating activity by the Triton actor, whose operations they've discovered in a critical infrastructure facility. Which facility and where that facility is located aren't specified in the report, but FireEye stresses that it's not the same plant in which Triton malware was first detected. It's worth noting that FireEye doesn't say that the destructive Triton malware itself was found in the facility, but rather that they found the Triton actor and some use of the Triton framework. The attack showed the now familiar mix of commodity and custom-built code, and this particular infestation is noteworthy for the steps it took to evade detection and establish long-term persistence in the systems it targeted.

FireEye's report lists seven distinct tools with 15 components among them. They appear to have been pulled together in a way designed to evade detection by security tools and to establish persistence in the targeted environment. The researchers emphasize that the Triton actor has a deep interest in ensuring prolonged and persistent access to the target environment. That's not unusual for campaigns directed against industrial control systems, especially ones mounted by nation-states, and the Triton actor seems to be an intelligence organ.

FireEye notes that nation-states are likely to stage such incursions into industrial control systems as contingency operations. Another way of putting this would be to say that we're seeing battlespace preparation. Just as an air force would want its target folders prepared as far in advance as possible, and to have the ordnance it thought itself likely to need for battlefield air interdiction staged into the theater of operations in advance, so too with ICS malware. Find the targets you think you'll need to hit, get the malware in unobtrusively and in persistent form, and then it's there when you want it.

So which nation-state is probably implicated in this case? Not, we'd conjecture, the operators behind Gossip Girl, the supra-threat actor researchers at Google's corporate sister Chronicle described earlier this week as involved with the various versions of Stuxnet, Duqu, and Flame. Instead, Triton, which has also been called Trisis, has been attributed by FireEye and others to the Russian government. FireEye rather delicately points this out in their report on the latest infestation.

Triton's earlier appearance in an operation against a petrochemical facility said to be in a Middle Eastern country was alarming for the way it affected safety systems. The malware was targeted against the Triconex safety instrumented system produced by Schneider Electric and widely used in plant safety operations. That incident didn't kill or hurt anyone, but compromising a safety system is nasty business. What the Triton actor was up to in this latest incident is so far unclear, but the activity again showed an unpleasant targeting of safety-instrumented systems.
As organizations move toward the cloud for data storage and services, they can find themselves re-evaluating how they protect their assets. Dr. Ratinder Ahuja is CEO at ShieldX Networks, and he advocates a technique called elastic micro-segmentation.

So over the last few years, enterprises, in looking at situations like Equifax, have come to a conclusion that they need to supplement their boundary security strategies with a more pervasively deployed security strategy. So meaning most enterprises have deployed security controls at the boundaries of the data center. So firewalls, intrusion threat prevention, data loss prevention, and various controls. But for a couple of reasons, those boundaries get bypassed. One of them is, under the right set of circumstances, there's a failure of the controls and the attacker can get in, just like what happened at Equifax. But more recently, as you adopt a multi-cloud architecture, that boundary itself becomes elastic. So that is extending out into the public cloud. So you have private data centers connecting to the public cloud. So you're dealing with a data center boundary that is scaling out and moving out into the public cloud. So this then again warrants that you have controls that are equally elastic and equally agile. And enterprises have started saying, well, can I bring these controls closer to the workloads? So if you have, for example, a PCI zone, and those have in the past been very rigidly defined structures. So you have a set of controls around a set of assets. But as these assets want to take advantage of the elasticity of the cloud, they would like to migrate them into the public cloud, take advantage of the agility promise of the cloud. So then this concept came along, which says, why can't I create micro-perimeters around my workloads? So as they migrate, my security intention goes along with it.

So one such technique is called segmentation or micro-segmentation, where you take assets that were in a flat environment and you place boundaries around them. So again, if you do that in a static fashion, that would again defeat the purpose, because you'd be configuring those micro-perimeters over and over again. So the approach that ShieldX took was to first discover your environment, all with full automation. And this discovery then helps us understand what the layout of the applications is and, more importantly, automatically generate policy, security policy. And then we transform the security policy, what we call your security intention, into a set of controls that are coupled to your intention. So this is where the concept of elasticity comes in, that as these workloads migrate, as these applications scale up and down, our continuous discovery transforms your intention into a set of controls, including micro-segmentation and threat prevention and preventing the kill chain from progressing laterally. And hence, we call it the elastic micro-segmentation, because it's not rigidly defined. It's defined by your intent.

What do you mean when you say intent? How does that fall into place?

If your assets were fairly static, you could say, here's how I want to protect them. But in the multi-cloud, where you have DevOps and CloudSoft teams that are adopting these multi-cloud architectures with the idea of harnessing the agility promise of this cloud. So now security is even more orthogonal to these application development teams. So what security can now hope for is to say, I need a system which can capture my security intention and then, with full automation, discover things as they happen, and then transform that intention to actual controls, because they can no longer mandate where certain things show up. So you can no longer say, well, every time you bring up a web server, you have to talk to me first, because those web servers will scale up because the machine decides that we need more, that they need more capacity. So that is why we have come to the conclusion that we need a system where the security teams can express their intention and then have a fully automated system transform that intention into actual controls by watching the environment and learning from the environment and then creating those controls to satisfy the intent. So the security team doesn't have to go wire things up anymore, because they cannot in these agile cloud worlds. So you need this automation to transform intent into actual controls.

That's Dr. Ratinder Ahuja from ShieldX Networks.
Another apparently state-directed APT framework is being reported by researchers at Kaspersky Lab. This one seems more interested in relatively conventional espionage, the theft of information from its target. The researchers call it TajMahal, and they say it's both quiet and sophisticated, having been operated since at least 2013. The package is delivered in two modules, Tokyo and Yokohama. Tokyo gets deployed initially, and then it's followed by Yokohama if the target is sufficiently interesting to warrant further collection. So far, an unnamed Central Asian country's diplomatic networks have been affected. Kaspersky sensibly notes that we shouldn't take this too seriously as definitive evidence of narrow interest or restricted operations. They think it likely there are other victims out there they simply haven't found yet. After all, TajMahal is, Kaspersky says, sophisticated, and a lot of work went into it. It strikes them as unlikely a nation-state would make such a heavy investment in an espionage campaign of such apparently limited scope. Wired calls TajMahal a Swiss army knife, a tool with lots of distinct components that perform distinct functions.

Kaspersky hasn't attributed the operation to any particular nation-state, but since we're accustomed to looking for clues in the names of threat actors, we should probably get that particular red herring out of the way to begin with. We all know that if it's a bear, it's Russia, if it's a panda, that means China, and that kitty cats tend to hail from Iran. But in this case, there seems to be nothing of the sort going on. There's no particular indication that TajMahal means an Indian government op, and there's even less than no particular indication that calling the two big modules Tokyo and Yokohama points to Japan. They're just names, for now anyway, because you've got to call these things, well, something.

California's motor-voter program, which would enmesh the state's driver and voter registration systems, is now thought to be insecure, with the Department of Motor Vehicles hacked and compromised. The Los Angeles Times says the tip-off came when someone noticed a DMV server phoning home to Croatia. So our California desk is no better at geography than any other graduate of their Los Angeles high school, but they're pretty sure there's no exit for Zagreb on the 405, so maybe the 110, because all those underpass pillars around San Pedro can get confusing, but probably not there either. So the DMV picked up on that pretty quickly, too. An email obtained, as journalists say, by the LA Times included a remark from one of the DMV staffers who sounded the alarm. It went like this, quote, my Latin is a bit rusty, but I think Croatia translates to hacker heaven, end quote.
And I'm pleased to be joined once again by Johannes Ullrich. He is the Dean of Research for the SANS Institute. He's also host of the ISC Stormcast podcast. Johannes, it's always great to have you back. We saw some stories come by recently about hidden cameras that have been found in some Airbnb apartments. And you've got some tips for protecting yourself against these sorts of things. So what are your suggestions?

Yeah, so essentially, you have to be aware that these cameras may exist, and you definitely want to be on the lookout for them. So the first thing, of course, to do is look for any odd devices that you find in the apartment that are sort of out of place. Let's say a fire alarm sensor in the bathroom. Usually you don't have fire alarm sensors or smoke detectors in the bathroom. So that would be sort of one thing to look a little bit closer at. Maybe also oddly placed sensors and motion sensors and the like, because they often include these little cameras.

The second thing you could do is just run a little network scan on the Wi-Fi network. Now, usually they offer a free Wi-Fi network in these apartments. So what you should do is just break out good old Nmap or whatever your favorite port scanner is and run a quick port scan on the inside, check if there are any open web servers. That often is an indicator that you may have a camera or some other device that you probably want to take a closer look at.

Now, the last thing you could do is, just from within the Wi-Fi network again, go to a website like Shodan. Also check what your IP address is, your external IP address. And then look up on Shodan on this IP address. Has Shodan found anything like cameras or so in the past? That sort of gives you a quick external look at this. This may not be 100% effective, because often these are consumer connections with dynamic IP addresses, but it gives us another data point to check if maybe the owner of this apartment was smart enough to sort of hide these cameras on the network internally, but they want to connect to them. So maybe they didn't protect that properly.

Yeah, I mean, it really seems to be a growing problem. It's sort of this intersection of the availability of these inexpensive, small, well-disguised cameras, and also the uptick in things like Airbnb.

Yeah, and the host also may feel like they have legitimate reason to protect themselves with these cameras to prevent damage to their apartments. Of course, we have also seen in some of these news reports that they were obviously used maliciously, and then some of these video streams were actually sold as pay-per-view video streams.

Yeah, it's interesting, because what I understand from some of those stories is that it's not out of bounds for an Airbnb owner to have a camera in the residence, but they have to tell you about it.

Correct. Now, there's, of course, a lot of local restrictions on that. Even personally, with security cameras in my own home, I always recommend against putting them inside the house, just for the privacy risk and the risk that someone may gain access to these cameras without authorization.

Yeah, that's a good insight. All right, Johannes Ullrich, thanks for joining us.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.