CyberWire Daily - Tracking Pegasus. OilRig spearphishing. IP theft from universities. Peekaboo bug in surveillance cameras. WannaMine won't be EternalBlue's last ride. Preventing data abuse.

Episode Date: September 18, 2018

In today's podcast, we hear about a Citizen Lab report on the global use of Pegasus lawful intercept tools. OilRig seems to be spearphishing in Bahrain. University IP theft by Iran seems widespread, but it also doesn't look very lucrative. Peekaboo vulnerability affects security cameras. WannaMine is the latest campaign to exploit the stubborn EternalBlue vulnerability. Data firms work toward guidelines to prevent political data abuse. David Dufour from Webroot with a primer on quantum computing. Guest is Sam Bisbee from Threat Stack on public cloud breaches. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/September/CyberWire_2018_09_18.html Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Citizen Lab reports on global use of Pegasus lawful intercept tools. OilRig seems to be spearphishing in Bahrain. University IP theft by Iran seems widespread, but it also doesn't look very lucrative. The Peekaboo vulnerability affects
Starting point is 00:02:12 security cameras. WannaMine is the latest campaign to exploit the stubborn EternalBlue vulnerability. And data firms work toward guidelines to prevent political data abuse. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 18, 2018. Citizen Lab has another report out on Pegasus spyware, NSO Group's lawful intercept product. They've found the tool in use in at least 45 countries. Their scans aren't entirely clear. It's difficult to distinguish targets from users, for example.
Starting point is 00:02:55 But Pegasus seems to be in widespread use. Observers note that while some of the regimes who employ the tool do so with lawful restraint, other, more repressive governments make more indiscriminate use of it. Citizen Lab cites six countries as Pegasus users who have a history of deploying spyware against domestic dissidents, what they describe as abusive use of spyware to target civil society. Those nations are Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates. Pegasus is installed on a smartphone either through physical access or, much more commonly, through social engineering. In the typical case, the targeted user is induced to click on a malicious link that installs the intercept code on their device. Once installed, Pegasus
Starting point is 00:03:43 reports back, well, quite a bit of private data, including passwords, contact lists, calendar events, text messages, and certain live voice calls from popular mobile messaging apps. The Pegasus operator can also convert the infected phone into an eavesdropping device, gaining access to the camera and microphone in ways that capture things going on around the phone. Citizen Lab says it gained its initial insight into Pegasus when they noticed UAE cybersecurity company DarkMatter registering a domain name that included a Pegasus link.
Starting point is 00:04:17 NSO Group has denied selling its product to several of the governments Citizen Lab calls out in its report. They also told Citizen Lab in response to an advance copy of the report, quote, Our product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror. Our business is conducted in strict compliance with applicable export control laws, end quote. Citizen Lab, in effect, says in reply that
Starting point is 00:04:43 while some governments may indeed well use Pegasus for what can be recognized as legitimate law enforcement purposes, the lab contends that some of the governments who've obtained the tool in practice use it for repression of civil society. The report is interesting also for its account of how Citizen Lab uses DNS cache probing in its investigations. That's too long to go into here, but you'll find a link to the report in today's CyberWire Daily News briefing. Many of the stories we hear about cloud data breaches involve improperly configured AWS buckets.
Starting point is 00:05:18 Sam Bisbee is chief security officer at ThreatStack, a company that provides security monitoring of cloud services, and he shares some of the more sophisticated attempts at cloud data they've been tracking. What's been interesting is watching that sophistication arise and how they're leveraging perfectly reasonable features inside of public cloud environments and then just abusing them. And so that's just really continuing to happen where we're seeing these attack chains leveraging features in, let's say, an AWS control plane or API, leveraging those to then extend and high-techs down into the network layer where they continue to kind of sprawl out with a
Starting point is 00:05:58 traditional network attack chain and then move back into the AWS API and console. So crossing that membrane multiple times. There's a lot of kind of standard techniques and tools that they're using that aren't necessarily new. It's more about the behavior of how they're leveraging these techniques and tools and combining them with traditional network attack techniques to extend and hide those breaches that's been most interesting. Largely in a lot of these attack chains, it really starts with that root credential theft or account takeover. Where it then starts to diverge is launching a server, for example, an EC2 instance, into that environment. Typically, that launched rogue infrastructure was to really just extend a botnet, you know, maybe do crypto mining,
Starting point is 00:06:46 maybe join a botnet that was being rented out per hour to go attack some hosts in another environment, whatever else. But where we started to see those servers be used differently was to begin recon and to act as a beachhead inside of the local area network that an organization is running. Even if it's inside of an AWS VPC and follows all the best practices of how to lock one of those networks down, you now are in a situation where an actor has the functional equivalent of physical data center access, because they're able to access the app management control plane and they're now down into the network in the VM layer. And what they will do is use that initial rogue EC2 instance
Starting point is 00:07:31 as a beachhead, recon the LAN a little bit more, and then start to move laterally through it, whether that be through additional credential theft, just now more at the SSH key level, or attempting to remote scan and exploit other servers on that LAN. And as they're moving through, their objective is not necessarily to escalate privileges or steal data off of a disk in the way that most typical network campaigns look. Instead, the objective is often to move back into that AWS control plane, where maybe that initial set of credentials that they compromised did not have access to an RDS instance or an S3 bucket where their objective lies. They're instead moving through that environment and leveraging the
Starting point is 00:08:20 fact that, for example, in AWS, every server has an IAM role on it and therefore permissions into AWS, which people often forget to configure. And then the metadata and those keys and everything that that instance has access to is all available at a hard-coded IP address on every server. To get more technical, basically what they're doing is they're moving through those servers and they're leveraging the completely normal, solid, good features to then understand, now that I'm on this server, what access does this server have back into the infrastructure and does that give me access to that RDS instance or S3 bucket that I wanted access to? That's Sam Bisbee from ThreatStack.
Starting point is 00:09:08 Arbor's Security Engineering and Response Team, ASERT, reports finding spear phishing emails targeting senior officials in Bahrain. They regard the campaign as similar to an OilRig distribution of the BondUpdater Trojan, discovered by Palo Alto Networks' Unit 42. OilRig is associated with the Iranian government. The theft of intellectual property from universities by hackers linked by SecureWorks researchers to Iran's government looks oddly like petty larceny. Papers are going for as little as £2 on WhatsApp,
Starting point is 00:09:39 but it seems a fairly widespread effort: 16 domains with more than 300 spoofed websites and login pages for 76 universities in 14 countries. The interest in British universities has attracted much attention, but institutions in Australia, Canada, China, Israel, Japan, Switzerland, Turkey, and the U.S. were also targeted. It's not clear how much of the stolen information wasn't already destined for open publication, nor is it entirely clear how the material was taken,
Starting point is 00:10:10 but the use of spoofed login pages suggests credential theft. Security company Tenable has found a zero-day they're calling Peekaboo in the NUUO software widely used in networked video surveillance cameras. They think upwards of 100 brands and 2,500 different models of camera could be vulnerable. Exploitation of the flaw could yield access to the control management system, expose credentials for connected video cameras, and permit both disconnection of live feeds and image tampering. NUUO says a patch is being developed,
Starting point is 00:10:43 and that in the meantime users should take steps to limit access to NUUO NVRMini2 deployments. If you're unsure of whether a video security system you're using is vulnerable, contact the vendor and ask them directly. Tenable also draws a more general lesson from the discovery. They think it argues that we ought to rethink our patching cadence and methodology, especially as the Internet of Things expands our attack surface, even as it increases our capabilities. Patching is also a big part of the answer to the question of why EternalBlue exploits, like the currently irritating WannaMine cryptojacker, continue to make pests of themselves. Although the vulnerability EternalBlue takes advantage of was patched last year,
Starting point is 00:11:32 unpatched machines keep things like Wanamine alive through a constant reinfection cycle. And it's not only failure to patch that's a problem for digital public health, but also use of unlicensed software. Data analytics firms who serve both major U.S. political parties are working on a mutual agreement to control data abuse. No one wants to be the next Cambridge Analytica, caught with their fingers in data that ought to have remained private. The cooperation of the firms on a set of guidelines is being facilitated under the brooding wings of Georgetown University's Institute of Politics and Public Service.
Starting point is 00:12:04 It will be interesting to see what they come up with. The temptation to abuse data must, one thinks, exert a particularly strong pull on political operations. Symantec has joined the companies offering free help to political campaigns and related groups. They're offering anti-spoofing services gratis. The company also has a guide to the leading groups associated with election influence operations.
Starting point is 00:13:11 Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:13:41 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:14:26 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:15:04 And I'm pleased to be joined once again by David Dufour. He is the Vice President of Engineering and Cybersecurity at Webroot. David, welcome back. We wanted to touch today on quantum computing and take a little reality check. What do we need to know here? Well, first off, I don't want to be, you know, Thomas Watson from IBM. He was famously quoted, though they can't really attribute it to him, that maybe there's a market for five computers in the whole world.
Starting point is 00:15:31 This is all kind of just my opinion. We'll see where it lands in the end. But I think there's a lot here, but I also think there's a lot of hype around it. So, you know, I think the fundamental thing a lot of people think is that quantum computing is just really fast, regular computing done at quantum speed or hyperspeed or warp speed. Warp speed. I like that. Yeah.
Starting point is 00:15:53 Yeah. Right. But there are some very, very fundamental differences. And we should talk about where we are right now in the whole process of quantum computing. And one of the basic things folks need to understand is the difference between classical computing, where we have on and off, and we can all comprehend that. We've grown up with it, in fact. So it's kind of almost innate in us now. That's how a classical computer works. It has a bit and that bit can either be on or off. Well, in quantum computing, you have a thing called qubits, which can be on, can be off. But they have a superposition state where they can be, for the sake of our discussion,
Starting point is 00:16:38 They can be both. It's not exactly that it's both at the same time, but it's that idea. So it actually has three different states. And this is something that as a society, we're going to have to get our heads around because it's one of those things that we come across technically that is a new leap forward that's going to take folks, if you're not a quantum physicist or you don't work with quantum mechanics every day, it's going to take us time to understand and get our brain around. I mean, it strikes me that one of the fundamental things about most things related to quantum mechanics, quantum computing, is that it's not intuitive.
Starting point is 00:17:16 It is not. But if you think back, David, honestly, into the 30s, 40s, and 50s, the computing we do today was not intuitive. You know, they built these massive machines that only a few people knew how to operate. And that's kind of where we are with quantum mechanics. It's much more complicated. But I think as a society, as we talk about this more and more and more, it will become more intuitive and it will become ingrained in what we're doing.
Starting point is 00:17:44 And I have a pretty simple example, and I'm sure all the quantum physicists out there are going to be cringing. But, you know, we want to talk about how it relates to security. But I've been thinking about this maze example where if you have a classical computer and you give it a problem that involves looking at a maze and making a determination of how to make a path through that maze, that classical computer has to walk through every possible path of that maze, but it has to do it one path at a time. Now, people might say, well, I could build a multi-core processor. But at its essence, each core can only look at one path at a time. So you literally are only doing one thing at a time. Now, if we look at quantum computing, and we have to stay in the quantum world because at the end, the output, we have to convert to a non-quantum world so humans, we can kind of understand it.
Starting point is 00:18:44 We can actually, at the same time, build a structure that looks at all of the possible paths at once. It's not infinitely scalable, but just for sake of our discussion, that it looks at all of those paths at once. And that's where the power, because of that, the superposition state and all of that, that's where the power of harnessing quantum computing lies. Yeah. So, I mean, the way I envision what you're saying is it's sort of like the difference between standing at ground level at the entrance to the maze and only being able to see what's right in front of me versus having a bird's eye view from 100 feet up
Starting point is 00:19:25 and being able to see all of the possible pathways of the maze at once and making my plans based on that. That is exactly right, David. So I think, and why am I being so specific? I think the first quantum computing we're going to see are some very, you know, very specific, uniquely built quantum computers to do one thing. And then over time, a couple of generations, just like we went from that, those computers back in the forties, they could do one thing that took, you know, only four people in the world knew how to run them to today over time, it'll evolve into something that the rest of us can use like the PC sitting on our desk. But I don't think we know what that looks like. We're just not there yet.
Starting point is 00:20:10 All right. Well, it's interesting stuff. Hard to wrap your head around. But as always, thanks for helping us understand. David Dufour, thanks for joining us. Thanks for having me, David. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
Starting point is 00:21:24 It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Starting point is 00:21:44 Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Thanks for listening. We'll see you back here tomorrow.
