CyberWire Daily - Tortoiseshell threat-actor active in the Middle East. Simjacker less dangerous than thought? Decentralizing cyber attack. The Ortis affair. Mr. Snowden’s book deal.
Episode Date: September 18, 2019
A newly discovered threat actor, “Tortoiseshell,” has been active against targets in the Middle East. The Simjacker vulnerability may not be as widely exploitable as early reports led many to believe. The US Army seems committed to decentralizing cyber operations along long-familiar artillery lines. Joint Task Force Ares continues to keep an eye on ISIS. Canada seeks to reassure allies over the Ortis affair. And the Justice Department wants any royalties Mr. Snowden’s book might earn. Daniel Prince from Lancaster University on cyber security as a force multiplier. Guest is Brian Roddy from Cisco on securing the multi-cloud. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_18.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
A newly discovered threat actor, Tortoiseshell, has been active against targets in the Middle East.
The Simjacker vulnerability may not be as widely exploitable
as early reports led many to believe.
The U.S. Army seems committed to decentralizing cyber operations
along familiar artillery lines.
Joint Task Force Ares continues to keep an eye on ISIS.
Canada seeks to reassure allies over the Ortis affair.
And the Justice Department wants any royalties Mr. Snowden's book might earn.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 18, 2019.
Researchers at security firm Symantec report finding a previously undocumented threat actor, Tortoiseshell,
conducting what appears to be an espionage sweep through the IT supply chain. It's been active so
far, mostly in the Middle East and against Saudi targets. Eleven organizations were affected,
Symantec says, and in two of them the attackers achieved domain admin level access. An unusually
large number of machines were affected, in some cases hundreds,
which suggested to the researchers that the attackers were hauling in as many devices as they could
until they found those that were most interesting to them.
There are indications that the group was active as early as the summer of 2018.
Its most recent activity was observed in July of this year.
For the most part, it appears to be an information stealer, and much of what it's stolen seems likely to belong to the
reconnaissance phase of an attack. Tortoiseshell is unusual in that its tools are, to a significant
extent, custom-built. The basic tool the attackers are using is Backdoor.Syskit, which they've
written in both Delphi and .NET.
It's not clear yet what the information vector is, but Symantec's best guess is that it may
be a compromised web server.
Symantec found the Poison Frog variant of the BondUpdater backdoor used by OilRig,
also known as APT34, also known as Helix Kitten, and this is an Iranian threat actor. But in this case,
that really doesn't even rise to the level of circumstantial evidence and says little about
attribution. That's because those tools were publicly leaked back in April. So who's behind
Tortoiseshell is so far unknown. Symantec says that it sees no particular indications that the
campaign is connected with any other known state or criminal actor.
We do note that a tortoiseshell is a kind of cat.
Did Symantec pick a feline name to suggest that, really, they think it's Iran?
No? Persian cats? Helix kitten? That sort of thing?
The Simjacker vulnerability AdaptiveMobile described last week may prove more difficult to exploit than had been thought.
A number of researchers tell Computing that the vulnerability lies in a legacy feature of SIMs that most mobile carriers no longer use.
Reports in Fifth Domain and Army Times this week suggest that the U.S. Army is contemplating a significant decentralization of offensive cyber operations.
Some comments from Army representatives are on the murky side,
but they indicate that the service increasingly thinks of cyber attacks the way it does calls for fire support.
That is, if we're to take the analogy seriously, that a call for cyber action could be made from a very low tactical
level, answered by a battalion-level organization, and answered relatively quickly. This would seem
to be an evolutionary development within army doctrine, which for some time has regarded
electronic attack as something you direct the way you direct artillery fire. But it's an interesting
development, to say the least. Fire support is
responsive in part because its possibilities are shaped by fire support coordinating measures
that specify what can be fired where and when, what permissions are necessary, and so forth.
Fire support is also responsive because the effects of fires are well understood.
You know, for example, that a no-fire area will have to be of a certain size to keep the effects of, say, a sheaf of 155-millimeter high-explosive
rounds out of that particular area. It would be interesting to know what sorts of coordinating
measures are being put in place for cyber attack. And finally, of course, fire support is responsive
because it's regularly exercised and practiced.
The U.S. Army seems to be doing this at places like Fort Irwin and Muscatatuck.
So hey, cyber gunners, what are the surface danger zones for a distributed denial-of-service attack?
Seriously, email us.
Anyway, ISIS may learn how this doctrine applies in practice.
Joint Task Force Ares, the U.S. organization hunting it in cyberspace,
says it's actively working against the sometime caliphate
as it attempts to reestablish itself in various South Asian locations.
There's that old saying, there's no such thing as a free lunch.
The notion being that everything has some sort of cost,
even if you don't know what it might be right away.
And so it is with cloud services.
There are conveniences, security advantages, cost savings,
but there are also complexities and unexpected consequences.
Brian Roddy is head of cloud services at Cisco.
Typically, when people talk about using the cloud,
it's a fairly nebulous statement and people aren't really sure what they mean.
They think about, am I using Amazon to potentially run my applications? Or does it mean,
am I using something like Salesforce.com when I use my, say, customer's relationship management
software? Really, when we talk about multi-cloud,
it's embracing the fact that most people today are using a wide range of cloud-based applications
from different vendors. And on top of that, they're using infrastructure as a service from
places like Amazon and Azure and Google. And when we've surveyed customers, we found that more than half of them are using at least two platforms as a service.
And so I suppose the challenge there is
getting on top of security across all of these different environments and platforms.
That's 100% correct. You know, it used to be when you had all your applications living inside of
your own data center, it was relatively easy to manage because you had access
to all the data and all the databases, all the applications, all the ways people were logging
into it. You could control access. But as soon as you start using multiple applications from
multiple vendors, as well as different cloud infrastructure providers, you've essentially
distributed all of your applications out to the world.
Now, there are some benefits to that.
On one hand, you've now made it so if any particular application gets compromised, they don't have access to all your applications.
So you've kind of decentralized your risk a little bit.
The challenge, though, is that by having so many different vendors, it's hard to have
any notion of consistent policy or consistent enforcement or visibility across all of them. And so a lot of the work that people are doing today
is how do I get the old controls back again?
And how are they going about that? The organizations that are finding success here, what's their approach?
Well, usually it happens in a set
of steps, a set of phases. First and foremost, people need to get visibility on what applications people are
using. So there's a whole set of product offerings out there called shadow IT products that try and
give you a sense of what apps are people using, which ones are good, which ones are bad, which
ones are dangerous. And then once you get a map of what people are doing, then you start to gain
some control over it. So first you want to have some kind of single sign-on so people are using well-understood passwords that you can
revoke if they get compromised. And once you get those basic controls in place, then you start
thinking about how do I have more a policy orientation? How do I control the data that's
being uploaded into those environments? How do I secure the accounts? You know, it's an interesting thing.
We find that most of the breaches that happen, people don't break in.
They essentially log in with credentials that have been compromised.
So the other big area of focus for a lot of our customers is multi-factor authentication,
making sure it's not just a password required to get into these things,
but having at least two factors to make it safe.
Now, is it possible for organizations to put kind of a unified front end on these types of operations?
You can do so in kind of a piecemeal way.
So you can have a common login with single sign-on solutions. You can also have a common way of enforcing data policies with a class of products
known as cloud access security brokers. What those products do, sometimes it's abbreviated as CASB.
What CASBs do are ways of allowing you to do data loss prevention across all different cloud
vendors, malware scanning across all cloud vendors, so you can have some amount of data control.
So those are the first big ways that you can have a common front end. But the other area people have
concern on is, is there a common set of security appliances or services that I go through before
accessing them? So it used to be in the past you'd have firewalls and secure web gateways and
sandboxes in your data center that kind of kept people safe before they went out to the Internet.
Nowadays, people are going straight to the Internet, sitting in coffee shops.
And the other area of consistent security is that how do I have that right network security policy?
And there there's a whole new class of cloud delivered secure Internet gateways that are designed to try and provide that same kind of protection across the board.
So you can see there's single sign-on, CASB, and this secure internet gateway.
So a bunch of products emerging to cover all the different new needs.
That's Brian Roddy. He's head of cloud security at Cisco.
In the matter of the espionage case against a high-level official of the Royal Canadian Mounted Police, RCMP Commissioner Brenda Lucki described the arrest
of Cameron Ortis under the Information Security Act as unsettling. A joint investigation with
the FBI suggested that the Mounties had a rogue insider. The Bureau found email, apparently from
Mr. Ortis, to the drug-cartel-serving encryption shop Phantom Secure that said, quote, you don't know me, but I have
information you may be interested in, end quote. A piece in the French-language Radio Canada
Service says, without much elaboration, that Mr. Ortis had debts and that his motive in offering
sensitive information was financial.
Commissioner Lucki has asked that people not judge the RCMP as a whole on this one bad apple,
but if bad apple he indeed turns out to have been, Mr. Ortis may have spoiled up to five big barrels.
During a campaign stop in Newfoundland, Canadian Prime Minister Justin Trudeau said, quote, we concerned are, of course, the other members of the Five Eyes group,
Australia, New Zealand, the United Kingdom, and the United States.
That other famous rogue insider, Edward Snowden, continues to discuss his forthcoming book with the media.
The U.S. Justice Department yesterday filed a civil lawsuit in the U.S. District Court
for the Eastern District of Virginia against the author and sometime NSA contractor.
Justice isn't interested in stopping publication of the book or in restricting its distribution
or presumably controlling its content.
Instead, the government wants whatever money Mr. Snowden may make on sales
of Permanent Record. The principle is that someone shouldn't be able to profit from violating a
proper non-disclosure agreement like the one Mr. Snowden had with NSA. The government doesn't
allege any misconduct on the part of the publishers, but it will go through them to get any
cash that may be coming Mr. Snowden's way. The complaint has the Fifth Avenue, New York address of the publishers,
but for the defendant simply notes exact address unknown.
Presumably it's still somewhere in Russia,
but from what we hear, he's hoping to relocate to France.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off. And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families
24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Daniel Prince.
He's a senior lecturer in cybersecurity at Lancaster University.
Daniel, it's great to have you back.
I know something that you've been studying there at Lancaster is this notion of cybersecurity as a force multiplier
and some of the ambiguity that that brings to international conflict.
What can you share with us about that today?
Some of the work that I'm doing is around this area of digital impact on conflict and
politics. So I co-supervise a number of PhD students in a multidisciplinary way with a
colleague from politics, philosophy and religion department here. And we're really looking
at the impact of the digital environment on the changing nature of politics and conflict.
One of the things that we're starting to really look at is this idea that this notion of ambiguous conflict, hybrid warfare or grey zone conflict is really the cyber warfare that we have actually got rather than the cyber warfare that we envisaged.
The science fiction of cyber warfare is people in dark rooms, hacking into remote locations, taking power grids offline,
and it makes for a great movie plot. And certainly some of that, we believe that to be plausible.
But actually, the types of things that we're seeing, particularly in the hybrid warfare or
the sort of gray zone warfare, is this use of information and influence to
subvert expectations or perceptions. And it kind of comes back to that traditional
kind of subversion in terms of traditional warfare or political
influence. But because of the hyper-connected environments in which we work
digitally, and which are integrated into our societal lives, that
influence is much, much more prevalent in the media.
A large number of conversations really about other nation states influencing elections,
influencing the narrative around certain things.
Recently, there's been a number of articles around nation states influencing the narrative
around recent science fiction films to
make them appear more negative. And so when you've got that ability to exert that control and that
influence, that acts in a different way to the way that we perhaps were expecting cyber warfare
to be conducted. Yeah, I mean, it strikes me that there's an asymmetry at play here, as you say,
a force multiplier, that in the past, if I wanted to paper a country with flyers trying to spread some misinformation,
well, there was a physical component of that that was a limiting factor. These days, as you say,
with being able to spread things online, that physicality is a limiting factor that's pretty
much gone. That's true. And the flip side to that is the removal of information.
I mean, it's not just about the presence of information,
but also what information you can take away from a population
so they cannot verify certain facts.
But there are other mechanisms in terms of that force multiplier,
not just in terms of political influence and driving certain ideologies,
but also this idea that actually physical
attacks can be backed up by knocking out digital systems to enable much more effective operations.
And so this idea of sabotage is coming into play. And this is a concept that a gentleman named
Thomas Rid really put forward around sabotage, that cyber attacks are around sabotage, espionage, and this idea of subversion.
And so they all act as force multipliers for political influence, but also in digital warfare.
So this idea of cybersecurity and cyber attacks acting as a force multiplier is a multi-factor thing that we need to really consider in terms
of modern conflict. All right, Daniel Prince, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.