CyberWire Daily - US National Security Advisor to be replaced. Stealth Falcon’s new backdoor. DDoS, social engineering investigations proceed. Exfiltrating an agent. Patch Tuesday notes.

Episode Date: September 10, 2019

John Bolton is out as US National Security Advisor. A new backdoor is attributed to Stealth Falcon. Wikipedia’s DDoS attack remains under investigation. So does a business email compromise at Toyota Boshoku and a raid on the Oklahoma Law Enforcement Retirement Services. Vulnerable web radios get patches. The US is said to have exfiltrated a HUMINT asset from Russia in 2017. Microsoft patches 79 vulnerabilities, 17 of them rated critical. Michael Sechrist from Booz Allen Hamilton on the spillover of geopolitical issues into cyber security. Guest is Ashish Gupta from Bugcrowd on the economics of hacking and the adoption of ethical hacking. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_010.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. John Bolton is out as U.S. National Security Advisor. A new backdoor is attributed to Stealth Falcon. Wikipedia's DDoS attack remains under investigation. So does a business email compromise at Toyota Boshoku
Starting point is 00:02:09 and a raid on the Oklahoma Law Enforcement Retirement Services. Vulnerable web radios get patched. The U.S. is said to have exfiltrated a human asset from Russia in 2017. And Microsoft patches 79 vulnerabilities, 17 of them rated critical. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 10, 2019. Some news broke today out of Washington concerning senior administration personnel. NBC News, The Washington Post, and other outlets report today that President Trump has asked for and received the resignation of National Security Advisor John Bolton.
Starting point is 00:02:54 As the president tweeted, he found himself in disagreement with many of Mr. Bolton's suggestions, as did others in the administration. He thanked Mr. Bolton for his service and accepted his resignation. The president intends to appoint a successor this week. ESET says it's associated a hitherto overlooked backdoor with Stealth Falcon. ESET calls the previously unreported binary backdoor Win32 Stealth Falcon. Stealth Falcon itself has been connected by the University of Toronto's Citizen Lab with the distribution of spyware against a range of Middle Eastern targets.
Starting point is 00:03:31 Citizen Lab reported that Stealth Falcon had been engaged in surveillance of journalistic and diplomatic targets of interest to the United Arab Emirates. ESET doesn't say this directly, but the campaign is regarded as being, probably, a United Arab Emirates operation linked to Project Raven, which Reuters described earlier this year. ESET does quote Amnesty International to the effect that Stealth Falcon is the same threat actor as Project Raven. The distributed denial-of-service attack that struck Wikipedia over the weekend remains under investigation, but Bleeping Computer reports some speculation that the incident was the result of a botnet testing round. The story is still developing and investigation continues.
Starting point is 00:04:17 Bleeping Computer also noted that the UK's National Cyber Security Centre, the NCSC, recommends dusting off DDoS protection advice it's offered for some time. Here are the five essential practices NCSC thinks any organization would benefit from. First, understand your service. This means recognizing the places in your service where your resources could quickly become overloaded or exhausted, and determine who's responsible for maintaining service at each of those crucial points. Second, look to upstream defenses. Make sure your service providers are ready to deal with resource exhaustion where they're distinctly well-placed to help. Third, look to scaling. That is, ensure you're equipped to deal with surges in demand. Fourth, and this
Starting point is 00:05:03 is good advice in any aspect of cybersecurity, have a response plan. You should design your service and plan your response to an attack so that the service can continue to operate, albeit in a degraded fashion. Finally, test and monitor your services. Exercise your response plan and be sure you're in a position to recognize when you've come under a denial-of-service attack. Toyota Boshoku, a parts unit of Toyota Group, continues to investigate a business email compromise scam in a European subsidiary that may have cost the company 4 billion yen, which comes to approximately $37 million. $37 million. According to InfoSecurity magazine, the incident occurred on August 14, and if it followed the usual business email compromise template, the theft depended on social engineering.
Starting point is 00:05:59 Another case of apparent theft enabled by social engineering appeared in the Western Hemisphere. A pension fund for retired Oklahoma State Highway Patrol officers was also the victim of a raid that seems traceable to a compromised employee email account. In this case, the Oklahoma Law Enforcement Retirement System said that roughly $4.2 million were looted on August 26. Fifth Domain reports that the fund said the theft came after an employee's email account was hacked. The FBI is investigating, and the state and the fund are being tight-lipped about the matter while the investigation proceeds. They do say that they've succeeded in recovering some $477,000 of stolen funds. Oklahoma is confident that they'll recover the rest of the money too, but how they'll manage that remains to be seen.
Starting point is 00:06:45 In a disclosure coordinated with manufacturer Telestar Digital, Vulnerability Lab reports that Dabman and Imperial Web radios were vulnerable to exploitation through an undocumented Telnet service on the standard port 23. Telestar has fixed the vulnerabilities. One of the many force multipliers the internet has enabled is crowdsourcing. Whether you're raising money for a non-profit, funding a fancy new bit of electronics, or making sure your favorite podcast
Starting point is 00:07:14 keeps their doors open, the ability to gather a wide range of people for a common cause is a powerful tool. Ashish Gupta is CEO of BugCrowd, where they've built their business crowdsourcing vulnerability testing. Full disclosure, BugCrowd is a CyberWire sponsor, but this interview was booked through our usual journalistic procedures.
Starting point is 00:07:33 The whole idea was how can you democratize things for anybody to research on different assets and any company to make crowdsourced cybersecurity part of their layered security model. And to that end, we've seen a continuous increase in the use of crowdsourced cybersecurity. In fact, in 2019, we saw as much as 50% more public programs that are being run by customers to ensure that they've built a stronger security posture because they're seeing the value that our researchers provide them in terms of vulnerabilities that they can find before
Starting point is 00:08:10 they're used by an adversarial actor and fix those vulnerabilities in time. Before folks came to crowdsourcing these sorts of efforts, what have been some of the barriers or roadblocks or even speed bumps that got in the way of this sort of collaboration? The first thing that used to be a challenge was how do you find the right resource that can provide you with that feedback? The second one was getting over the initial fear of, what, you're going to allow a hacker to come into my environment but educating folks that there are the white hat hackers who are ethical in nature and want to make the digitally connected world safer was a really good thing in the last few years and we hear much less of that and then the third one was now that I found this how do I fix this and how do I teach my engineering team to
Starting point is 00:09:03 build more secure code. I myself started off as an engineer. I learned how to do C++ programming, and yes, I do admit it. I do know Cobalt and Fortran. And to that end, we knew how to build code and get product out to market, but making it secure was something we learned on the job. And having that capability also is super important. And this is the reason we do partnerships with folks like Secure Code
Starting point is 00:09:32 Warrior to ensure that our engineers, our customers' engineers are informed on how to build secure code as well. What is the transition like for organizations when they decide to make a shift and start implementing these sorts of open source opportunities? What does that look like for them? Yes, you know, the thing is that the whole world has been using pen testing for quite some time. to deliver specific reports that will show what kind of vulnerabilities might be in the environment or what kind of compliance they're meeting or not meeting. And to that end, just making it more easy to have an assessment that brings a larger number of eyes to the attack surface has enabled us to provide as much as 10 to 11 times the number of high risk vulnerabilities to customers that have already gone through pen tests. The decision really comes
Starting point is 00:10:33 down for them is how do they build a layered security model and how does everything else that they're doing, which they should continue to do, whether it's a firewall or endpoint protection system, or even have internal teams, can be complemented very well with a crowdsource security model, because you can have a specific program developed for a specific application with very targeted resources that are going to deliver the kinds of vulnerabilities that you don't get from typical scanners and other things. Are there any common misperceptions that you run across where people think that they may run into some issues with this? Yeah, you know, it used to be the case where folks would be worried about, quote unquote, a hacker, because they defined a hacker the same, whether it was a black hat hacker or white hat hacker. We have seen that misconception go away increasingly, not that it's completely
Starting point is 00:11:32 gone. The second misconception I would say is, how do you focus in on the right way of launching a program? And what do you want to get out of the program and We've done a lot to help customers understand that it's pretty important to play that pay that insurance debt down You know get all the low-hanging fruit address before you go out and build a public program as I was talking about That has been very successful for customers because it addresses both Misconceptions I just talked about because they get more comfortable with the feedback that they're receiving from researchers. They're also able to provide researchers with the feedback that's needed because it's a smaller group of folks. And that allows for researcher health with the program.
Starting point is 00:12:19 And to that end, also get vulnerabilities and make the programs that much more successful. also get vulnerabilities and make their programs that much more successful. The whole idea of increasing the price of attack by bad actors, while reducing the benefits from these attacks for those bad actors. So I'll just give you an example. The very same issue and vulnerability that was part of the problem that delivered the Equifax challenge for Equifax. Our researchers found almost four months earlier for a Fortune 500 financial services organization, and the financial services organization, when they were provided the fully triaged report from us, and our platform
Starting point is 00:12:57 prioritized that obviously very high, were able to fix that many, many months before Equifax was hit by that same problem, saving a ton of reputational and financial risk. That's Ashish Gupta. He is the CEO at BugCrowd. The Washington Post reports that in 2017, the U.S. exfiltrated an asset, a source, an agent, from Russia. The asset had provided the U.S. with information about 2016 Russian election hacking by Fancy Bear and Cozy Bear. The U.S. intelligence community became concerned for the safety of the asset after the previous administration released a report detailing
Starting point is 00:13:36 Russian cyber operations directed against the U.S. election, and after the current administration shared certain sensitive information in high-level meetings with Russian officials. Russian sources have confirmed that an official, a relatively low-level one in Moscow's account, who worked for the Russian president, has been in parts unknown since sometime that year. The Post says it's believed the asset and his family were pulled out of Europe, and thus out of harm's way, during a vacation in Montenegro. Today is Patch Tuesday, and updates have appeared. Microsoft has released two advisories and addressed 79 vulnerabilities.
Starting point is 00:14:17 17 of those vulnerabilities are classified as critical, and so, as Bleeping Computer reports, Windows admins have a busy week ahead of them. Finally, a note on the naming conventions applied to the state-directed threat actor Menagerie. Falcons tend to be Emirati. Bears, of course, are almost invariably Russian, whereas pandas are Chinese. Pandas, of course, aren't true bears, but rather relatives of raccoons, so don't be confused on this point. Kittens, kitties, and domestic cats reside around Tehran. North Korea is sometimes associated with cobras. These conventions aren't followed everywhere by everyone, of course.
Starting point is 00:14:58 Other sneaky metaphors have been used for Russian actors, for instance, like Ouroboros, the snake that swallows its own tail. Not every North Korean group gets an animal name, and not every Chinese group is an actor. The animals don't always go with the big four threat actors who display inveterate opposition to the Five Eyes. Lebanon services, for example, have been associated with caracals, and India's with elephants. The Five Eyes themselves don't seem to get animal names, which seems a pity.
Starting point is 00:15:29 It would be nice to greet someone in a Cheltenham pub crawl with a Yo, regal lion, say hello to naughty unicorn! Or to holler in a Maryland bar, Hey, the drinks are on thumping buffalo and screaming eagle! The other three eyes have obvious animals too. Dingoes, beavers, loons, kangaroos, kiwis, penguins, and so on. So, researchers, get naming. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:16:08 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Together, head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security,
Starting point is 00:16:43 but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio.
Starting point is 00:17:45 Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks. And now a message from Black Cloak. a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:18:11 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:18:23 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Michael Sechrist. He's Chief Technologist at Booz Allen Hamilton, and he also leads their managed threat services intelligence team. Michael, it's great to have you back. I wanted to touch base with you about what your team is tracking when organizations need to take stock, not just of kind of tactical indicators and things that they're seeing within their security operation centers, but also this wider context of what potentially is happening and where your kind of operations are in different countries and across the world so that you can better prepare for what's next in terms of the fight that might be existing on a nation state to nation state level. And how do you advise your clients on how they can set their expectations and best prepare for what may come?
Starting point is 00:19:39 What we try to do is to build in an Intel lifecycle here that pulls in the tactical as well as the strategic. So that is monitoring for kind of early warning indicators in the geopolitical landscape that have had spillover effect in the past and ones that we think we might not have had precedent for, but what we would expect to see. Obviously, when we're seeing kind of potential for sort of kinetic conflict taking place, seeing kind of potential for sort of kinetic conflict taking place, then we also kind of have our antenna up for the cybersecurity conflict in this space is going to grow as well. And that means that then we're tracking closely any sort of actor group that has been associated with the countries being pulled into the fray before and how those active groups have certain tactics, techniques and procedures
Starting point is 00:20:25 that we want to alert our clients on that have also kind of potential to be pulled into some such sort of cyber conflict to prepare for, to look for and to protect against. And I think it brings up this notion of data integrity, because I believe that the Iranians are known for sending out wipers. That's correct. I mean, so, you know, destructive malware is, you know, something we've seen implemented in a lot of different cases. You know, it has linkages potentially to certain nation states in some cases.
Starting point is 00:20:55 We don't expect that to go away. We expect that to be a potential tool that's used in certain times of conflict. It is a very serious tool. I think that those who engage and use it and know what they're trying to do know the serious ramifications of conflict. It is a very serious tool. I think that those who engage and use it and know what they're trying to do, know the serious ramifications of that. There was a kind of breakthrough moment recently in sort of the geopolitical to cyber security transitional landscape, so to speak, where, you know, the Israelis, you know, confirmed that they conducted a kinetic operation to take out a facility in Palestinian territories that was potentially
Starting point is 00:21:26 linked, conducting cyber operations against the state of Israel. And so that is a, you know, having sort of that cybersecurity attack to kinetic measure option on the table now, having that sort of as an example, a bit of a watershed moment in the industry, and it's pretty recent as of a couple months. So we're not sure how that could potentially spill over to other countries, but... Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications,
Starting point is 00:22:12 securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. It's something we're certainly tracking closely. All right. Well, Michael Seacrest, as always, thanks for joining us. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed.
Starting point is 00:23:03 Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
Starting point is 00:23:25 John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you.
