CyberWire Daily - US-Iranian tensions find expression in cyberspace as Refined Kitten returns. Facebook tries friction against abuse. Cryptominers in the wild. Lead generation for cyber criminals.
Episode Date: June 21, 2019

Tensions between the US and Iran over tanker attacks, nuclear ambitions, and the downing of a Global Hawk drone seem to be finding expression in cyberspace: Refined Kitten seems to be pawing for some American phish. Facebook tries friction as an alternative to content moderation in damping its abuse in fomenting South Asian violence. Cryptomining campaigns are showing some renewed vigor. And a look at lead generation for Nigerian prince scams. Mike Benjamin from CenturyLink on RDP scanning and the GoldBrute campaign. Guest is Michael Coates, former CISO for Twitter and former head of security for Mozilla, from Altitude Networks on better addressing the needs of CISOs and improving the sales process. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_21.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.
Tensions between the U.S. and Iran over tanker attacks, nuclear ambitions, and the downing of a Global Hawk drone seem to be finding expression in cyberspace. Refined Kitten seems to be pawing for some American phish. Facebook tries friction as an alternative to content moderation in damping its abuse in inciting South Asian violence. Crypto mining campaigns are showing some renewed vigor. My guest Michael Coates offers advice on selling to CISOs, and a look at lead generation for Nigerian prince scams.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Friday, June 21st, 2019.
Tensions between the U.S. and Iran, already high over attacks on tankers in the
Arabian Gulf and ongoing disputes over Iran's nuclear ambitions, have risen significantly in
the wake of Iran's shootdown of a U.S. Air Force RQ-4A Global Hawk reconnaissance and surveillance
drone on Wednesday. The U.S. says the drone was in international airspace over the Straits of
Hormuz. Tehran says the RQ-4A was flying over southern Iran. Either might be right in the fog
of war, but we're strongly inclined to go with the U.S. Air Force on this one.
The Global Hawk is a big, capable, and expensive platform, costing $131.4 million a copy,
leaving research and development costs out of the reckoning.
It's 47.5 feet long, has a wingspan just shy of 131 feet,
and it weighs more than 8 tons when it's loaded for a mission.
It's got a 14,000-mile range, cruises at about 350 miles an hour,
and has a 60,000-foot service ceiling.
It doesn't, of course, have a pilot or crew on board,
so no lives were lost when an Iranian surface-to-air missile, probably a Sayyad-2C, knocked it down.
Still, Tehran says it sent a message,
and Washington is unhappy with the shoot-down.
Those drones aren't cheap, and there are only so many of them to go around.
Besides, they're U.S. government property,
and so the U.S. government is understandably steamed. What's this got to do with cyber
security, you may well ask? Well, it's this. As is so often the case, kinetic action is accompanied
by cyber action, especially when there appears to be the danger of escalation, and cyber battle
space preparation appears to be underway.
Wired says that the security firms Dragos and CrowdStrike have reported a surge in phishing
emails deployed against a range of American targets.
The actor is said to be APT33, also known as Magnallium or Refined Kitten.
FireEye, without naming the threat actor, says it's seeing much the same.
At least some of the phishing attempts were baited with what appeared to be an announcement
of a job opening at the White House's Council of Economic Advisors. The malicious link opened
an HTML application, which in turn started a Visual Basic script on the targeted machine
that installed the payload, the POWERTON remote access Trojan. All of these, the security
firms say, are consistent with how Refined Kitten has done business in the past. It's not known if
any of the attempts have been successful, nor is it clear whether their goal is reconnaissance of
potential targets or the staging of malware against the possibility of future use. CrowdStrike's Adam
Myers speculated to Wired that the choice of phish bait suggests that the campaign might be principally interested in gathering intelligence
about U.S. policy with respect to economic sanctions, but he points out that this is
exactly that, speculation. The point of the campaign isn't known. Espionage is possible,
but so are reconnaissance and staging. Dragos' Joe Slowik
told Wired that, quote, you can't turn on a dime and say, I need cyber now, end quote. That's what
battle space preparation involves, getting the intelligence, getting the reconnaissance,
and staging capabilities where you may need them. Under pressure to do something about abuse of its
platform to inspire violence in Sri Lanka and Myanmar,
Facebook is trying something other than content moderation, introducing friction.
Facebook will limit the number of times users around the region can share a message.
For now, the limit is five.
The hope is that this will help keep things from going viral that ought not to go viral.
It will be interesting to see if it has the desired effect.
Security companies are tracking crypto miners in the wild.
ESET and Malwarebytes are tracking similar cross-platform crypto miners, respectively LoudMiner and Bird Miner.
They share some infection vectors.
Trend Micro also has its eye on a crypto miner.
This one is a Satori-like botnet that arrives via the Android Debug Bridge. And finally, it's long been a truism that criminal markets
behave in many ways like legitimate markets, and that criminal enterprises ape some of the
practices of legitimate businesses. Researchers at security company Agari have been looking at
some of the West African cyber gangs, the people who gave the world the now familiar but still sometimes effective Nigerian prince scam. Agari tells Axios that email scammers run their operations like a
business, complete with consultants and lead generation systems. The gangs use regular lead
generation services of the kinds that many legitimate businesses employ.
As the story in Axios puts it, Agari has seen the criminal groups use several lead generation firms.
The lead generation sites offer customizable searches.
You want CFOs of companies in a given sector, of a given size, and a particular geographical region?
You got them.
Agari found that the crooks generally signed up for free trials using the Gmail dot trick that lets them create accounts easily.
Some of them are even more brazen.
The London Blue crew just went ahead and bought a $1,500 annual subscription
to a lead generation service last year.
Was it worth it?
Apparently, at least London Blue seems to have thought so.
They downloaded 50,000 leads in six months.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Mike Benjamin.
He's the Senior Director of Threat Research at CenturyLink's Black Lotus Labs.
Mike, it's great to have you back.
You've all been tracking a large RDP scanning campaign, and it's been getting some attention lately.
What do we need to know here?
RDP, of course, a lot of folks are using to administrate remote computers, and often it's using single-factor username and password.
And with that sort of infrastructure on the Internet, actors want to take advantage of it for a variety of reasons.
And periodically we'll see someone come out on the Internet and scan RDP across the Internet.
They'll look for some pretty simple default usernames and passwords, and they'll move on with their day. They'll grab a handful of hosts, and that's about the extent
of what they'll accomplish. We are constantly monitoring for internet-wide anomalies in port
utilization. So those things tend to stand out like a sore thumb when somebody issues
such a scan. They also tend to do them from a small subset of hosts. So you'll see a
number of other public resources talk about, hey, I'm seeing a scan from IP address X, Y, and Z.
In this particular campaign, what we were seeing was they were dropping a persistence payload on the host, and then in some cases even using that to scan for more hosts. And so while not a worm in the true nature of the word, they were using that scale to find more hosts. And we saw a lot of folks reporting on the fact that there were 1.5 million open RDP hosts on the internet. And that sounds like a horribly scary number, right?
Anything that can talk to 1.5 million hosts. However, the actual infection pool that we were able to see
where they successfully brute forced, and then we saw command and control callback was more in the
tens of thousands, still not a small number in regards to success, but nowhere near that 1.5
million number. Now, this is the campaign that folks are referring to as GoldBrute. Absolutely. The command and control has been publicly listed, as well as the port number for the callback. So of course, folks can review their logs to look to
see if they were one of those infected. So what are the ways for folks to prevent this?
First and foremost, don't turn on RDP on the internet. VNC, even SSH, try to restrict it to
the places where you actually need to be accessing it from. That's a pretty basic security control that most folks can use.
And in this case, they were using dictionary attacks.
So basic password hygiene can also prevent such an attack.
And so what are the take-homes here?
What did we learn from this one?
Well, anytime an actor decides that they want to automate the scale of what they're doing,
it gets us all in a bit of an uproar,
but in most cases we'll find that what they're attacking really isn't that complex.
A number of years ago we saw embedded IoT devices
attacked with some extremely simple usernames and passwords.
That then evolved to a whole plethora of exploits that we see embedded into those things.
But I'll tell you, about 99%
of the time, they're known exploits with existing patches and known dictionary method attacks. So
the good news is we can manage these things. And as we see them as an internet community,
as a security community, we should make sure that we're openly sharing what's going on
and making sure that we're patching those simple to-do tasks.
Never underestimate how many folks out there are just trying to be opportunists.
Absolutely.
And in many of these cases, we're seeing the sophistication that occurs afterwards
not be particularly high with some of these really loud actors.
But keep in mind that those vulnerable hosts, those default credentials,
sit out there for more sophisticated actors to use as well.
So the things that we need to be concerned about, even if the very loud ones aren't actually causing much impact at the end of the day.
All right. Well, Mike Benjamin, thanks for joining us.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
My guest today is Michael Coates.
He's CEO and co-founder at Altitude Networks and former CISO at Twitter and former head of security at Mozilla.
Our conversation focuses on how he, as someone with purchasing authority, prefers to have products pitched by cybersecurity vendors.
I had some pretty exciting years leading security programs. I was head of
security at Mozilla for many years. I was also the CISO at Twitter for a number of years.
And what I noticed was that there was clearly a lot of activity in the vendor space for security
solutions, which is great. We need innovation. But the way in which they reached out to potential
buyers like myself as a CISO left me certainly wanting more. I would receive largely a ton of
unsolicited inbound emails with really peculiar message formats. I applaud the efforts to try and catch our eye, but they end up having, you know, an unintended consequence. Emails like, do you care about security? Or, did you know you're vulnerable to this? Let's talk more. All things that, I get it, they're trying to be catchy and clever, but it's actually kind of off-putting. But yeah, the thing that hit me initially was that massive amount of cold call email that I would get.
And that really just didn't work well, as I know we'll dive into here.
Well, so let's come at it from the other direction.
The folks who were successful, who got your ear, what techniques did they use?
As a result of the large amount of movement,
there's obviously tons of investments in security right now, tons of innovation,
lots of new companies. Because of the fact that there was so much noise, many buyers like myself
would actually rotate hard the other way. Instead, we would rely very heavily on referrals from our personal networks.
And I realized that that is something that would happen in any space. You always want to
think about a referral. But in security in particular, the CISOs form together in these
CISO networks. And we have one in the Bay Area, and I know other industries and other
locations have them too. And in some regards, they're a bit of a support network, because let's
face it, the security role is hard. It's hard at every level. But we would definitely use that
referral, like, hey, have you guys heard of this? Or I'm looking for a solution in this space and
see who would pipe in. And that is great. It's really good to have a referral. But at the same
time, that could leave us a little bit blinded to really great new innovation that we should be
thinking about. Do you think there's a risk then of becoming insular?
I think we're in a challenging spot because we definitely need to branch out and look at
new ideas, look at new solutions. And yes, if we're not careful, we could be a little bit
insular right now in terms of the solutions and products we use. But I think the trick we need
to do is actually shift the way we look at selling security software, security solutions,
and also the method we have for discovery. because we've kind of taken two extremes here.
We're talking about on one hand, you have cold inbound versus referral.
Like, what's that middle ground?
Like, where can we have a trusted review of options out there?
And in some regard, trusted advocates kind of fill that void. Like, if you have a VC relationship, someone that you trust, they're kind of a vetting mechanism. Like, hey, these solutions look pretty interesting. And sure, they're in their portfolio, but they've done some vetting to get them there. So that's kind of nice. That works really well, of course, in Silicon Valley, but not scalable to the rest of the country or world. And so can we have some
sort of consumer reports style trusted review or display of vendor information. The thing that's important
about that and where I really key in is as a security buyer, you want the security information.
You want the technical chops of what you're looking at. You really don't want to see a
marketing slick sheet that says machine learning, internet of things. How do you measure success?
What's your false positives? How
do you look at those types of things that actually matter to us? So I think we can find that middle
ground if the security vendors realize, hey, stop trying to push buzzwords. Stop with the cold calls.
How do you show your product and what it actually does, hopefully in a neutral space, if we can
create such a beast? And if not, how do we lead in more of a demo-first style sales approach?
Like, let your product speak for itself.
Let me come to your website and actually see how it works.
And for some reason, I think we're really far away from that reality right now.
Why do you suppose that is?
There's no doubt that there is a lot of noise out there.
I mean, you walk around on any of the trade show floors
and it's hard to focus on any one thing.
Everyone's fighting for your attention.
So I guess on the one hand,
I have a certain amount of sympathy for the folks out there
who are trying to sell in that environment.
And I have to eat my own words here
because I'm now on the other side of the fence.
Yeah.
I think, one, we have a macro challenge in security, which
is there's far too much headline chasing, you know, Hollywood style products that are solving
things that don't matter. And because there's so much investment money out there right now,
the bar to get funded, the bar to start a new idea is lower perhaps than it should be.
And as a result, you see just crazy off the wall ideas that may catch fire because of their
buzzwordiness. It may get a set of buyers that aren't as technically adept that need it. Like,
what is your solution right now to quantum encryption and things like that? Like, well, it's a cool buzzword, but is it really the most important thing to solve in
your program? So we have that big mismatch between flashy headline grabbing things,
people trying to solve APT, really, they don't even have good inventory management. Or how do
you even think about automation and real time alerting? You look at something like the target
breach. And so I think that's one problem. There's just so much stuff out there. And then the second part
really is we don't have a channel that can give people that neutral way of learning about companies.
So it really is the biggest shouting match. How can I shout more over email? How can I shout with
catchy phrases at an expo floor? And that's an unfortunate reality of where we are
right now. I think as we mature, as buyers become more sophisticated, more aware of what they need
to focus on, we'll get better. And yeah, going back to that point again, like I would really
love for that neutral evaluation, like give me the, maybe not a hard copy, but that magazine of
what are the different security products in
different spaces and how do we have a neutral body to give us some information about them?
Now, if someone's reaching out to you, you get that email in your inbox,
what would the ideal approach be? How could someone get your attention and get you to spend
a little more time with their product? Yeah, I think that actually is a really
good question because, sure, I'm harping on email is really hard.
And it is because there's so many inbounds.
But there's a lot we can do in the messaging itself
because there is some amount of hit rate.
There's some opportunities where people do sit down
and say, all right, let me see what's going on,
what kind of inbounds I have.
The thing that can help a lot
for a vendor selling to a CISO
is to basically do the three second
test. Let's assume you're going to get three seconds as they scroll through, if they open it,
so make your subject line helpful. But if they scroll through that email, you're going to get
three seconds. Don't have a long narrative. Don't have tons of words. Do not ask me things that make
me kind of recoil in a bit of frustration.
Like, yes, I do care about security.
I love cute puppies.
Yes, yes.
And no, I know you don't have a silver bullet and all these things.
Like, let's just cut through all that.
Just tell me, one, what do you do?
Like, we solve this problem.
Don't tell me about flashy features because we don't need to sell on features.
We need to sell on what problem gets solved.
If you tell me, number one, what problem you solve, I will then self-select and say, I have that problem or I don't.
And either answer is good for you because we don't need to talk about that problem.
But if I do, I'll read the next line.
Like, tell me how you solve that problem.
Do it.
Maybe this is my Twitter.
My Twitter days coming back.
Do it in like one sentence or two, because you should be able to, it should be compelling
in two sentences.
And in three, tell me how you integrate. Because that's actually really important for a security
person to wrap their head around that. Like, am I looking at a network device? Am I looking at an
agent on my workstations? Help me wrap my head around it real quick. And then after those three
things, what I would ideally like as a buyer, let me go view your product without talking to sales.
I know it's horrible. I know you want me to talk to sales.
But let me just see it.
Because if I can do those things, there's a better chance I will learn about your product.
And when the time is right, I will engage.
But if you don't do those things, because you really want me to engage with sales first,
you really want me to read this long narrative, what will happen is I will do none of those.
And you will have no reaction from me.
And I think that's a worse outcome.
Because when you look at security and why particular things happen, like if you think about phishing attacks, we're always like, how does anyone fall for those?
And almost no one does.
But if 0.1% do, you just send more emails.
Right.
So maybe we're at a spot where the smarter companies are figuring it out and
they're being more successful, or maybe we're all incredibly biased and we're in this small
segment of the market. But I don't think that's the case because as much as we say, there's more
technical or less technical CISOs or the West Coast, the East Coast, how they're different from
each other or even the middle America. I think really people want that core info. I don't think there's anybody out
there saying, yeah, I really want to read through this long narrative to decide if I care about
security. Thank you for asking. So I don't know. I don't know what we're missing. I think we have
a fair point as the buyers to say, please just give it to me this way. That's what I want.
That's Michael Coates from Altitude Networks.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders
who want to stay abreast
of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time
and keep you informed.
Listen for us
on your Alexa smart speaker, too.
The CyberWire podcast
is proudly produced in Maryland
out of the startup studios
of DataTribe,
where they're co-building
the next generation
of cybersecurity teams
and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.