CyberWire Daily - Washington and Tehran confront one another in cyberspace. Dominion National investigates data incident. Facebook on info ops (and identity). Labor market notes. Skids on skids.

Episode Date: June 27, 2019

The US cyberattack against Iranian targets remains only indistinctly visible in the information fog of cyberwar. Iran's APT33 seems to have altered its tactics after its operations against Saudi targets were described by Symantec at the end of March. An insurer and provider of vision and dental benefits investigates a "data incident." Skids-on-skids, kids. Facebook talks information operations, and teases plans concerning identity. Notes on the labor market. Johannes Ullrich from the SANS Technology Institute and the ISC Stormcast podcast on malware C&C channels making use of TLS. Tamika Smith speaks with Harrison Van Riper from Digital Shadows about their recent report, "Too Much Information: The Sequel," outlining the increase in data exposure over the past year. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_27.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. The U.S. cyber attack against Iranian targets remains hazy in the information fog of cyber war. Iran's APT-33 seems to have altered its tactics after its operations against Saudi targets were described by Symantec at the end of March. An insurer and provider of vision and dental benefits investigates a data incident. Skids on skids, kids. Facebook
Starting point is 00:02:19 talks information operations and teases plans concerning identity and notes on the labor market. From the Cyber Wire studios at Data Tribe, I'm Dave Bittner with your Cyber Wire summary for Thursday, June 27, 2019. Military Times says the U.S. cyber operations against Iran last week remain obscured by the fog of war, as Iran denies the attacks had any effect, and some U.S. officials say, anonymously, on background, that on the contrary, the attacks did have effect. The Iranians would be in a position to know, but it's unlikely that they'd complain about the effects unless they were both costly and discreditable to the U.S. Refined Kitten, also known as Elfin or APT33, appears to have shifted its tactics after
Starting point is 00:03:12 Symantec reported on the Iranian threat group's operations against Saudi targets. Recorded Future has observed the group shelving most of the domains it had used and registering some 1,200 new ones. About half of the newly established domains are connected with Stone Drill, an upgraded Shamoon wiper. The concentration on Saudi targets isn't novel. The Kingdom of Saudi Arabia has long represented not only a regional political rival of Iran, but a religious rival as well. Refined Kitten has shown an increased preference for commodity malware tools, especially remote-access Trojans. This is a sign of sophistication,
Starting point is 00:03:52 not frugality or desperation. Among other advantages, using commodity malware can render attribution murkier. APT33 also uses organizations outside the scope of their declared purpose, and the Nasser Institute, which Ars Technica describes as an organization that oversees Iran's computing and networking, seems to be one of Tehran's cyber-attack crews. Should Iran undertake the broader offensive against the U.S., what form might that take? The Washington Post reviewed the track record going back to 2012 when Tehran responded to the imposition of sanctions by conducting a range of distributed denial-of-service attacks against American financial institutions, including the Bank
Starting point is 00:04:36 of America, JPMorgan Chase, and Wells Fargo. 2012 was also the year of the Shamoon wiper attacks against Saudi Aramco. In 2014, Iran conducted a data destruction attack against the Sands Casino in Las Vegas, whose pro-Israel owner, Sheldon Adelson, had made intemperate remarks about Iran deserving a nuclear strike. The Post doesn't mention the U.S. indictment of Iranian hackers in March of 2016 for an attack against the Bowman Avenue Dam in downstate Rye, New York. That one was interesting and to many baffling, the Bowman Avenue Dam being nothing more than a small flood control dam that keeps a brook from flooding a couple of residential basements and a little league baseball field. This is neither a high
Starting point is 00:05:21 value nor a high payoff target. Speculation is that either the Iranian operators were interested in testing their technique, they did succeed in getting into the dam's controls, which in this case would not have been much more difficult than hacking a casually installed home security system, or that they'd mistaken their target. It would have made more sense had they attacked the Arthur R. Bowman Dam on the Crooked River in Oregon. Hitting that irrigation dam wouldn't have caused widespread devastation either, but it would have been more noticeable than whatever they were up to on Bowman Avenue. In any case, Iran has shown a strong disposition and ability to learn,
Starting point is 00:06:00 so it would be unwise to simply project past actions into the future. Have you ever come back to your parked car and found you accidentally left the doors unlocked? It happens to most of us from time to time. You get distracted from your regular routine and somehow just miss it. It's an inadvertent lapse in security, right? Our own Tamika Smith takes a closer look at the online version of this data exposure from misconfigured files. During the past year, billions of files were exposed globally across commonly used file storage technologies. A recent annual report from the Digital Shadows Photon Research
Starting point is 00:06:40 team shows misconfiguration is one of the main contributors of this data exposure. Here to talk more about the report is Harrison Van Ryper. He's the strategy and research analyst at Digital Shadows. At DS, he provides analysis into technology and digital risk. Hi, Harrison. Thanks for joining us. Hi. Yeah, thanks for having me. So let's start with some of the various technologies that are being exposed. Sure. So it's things like network-attached storage devices, FTP servers, rsync servers, and SMB file shares are actually a pretty big chunk of kind of the overall exposure that we've been seeing, as well as Amazon S3 buckets. So what makes these sources so vulnerable to exposure?
Starting point is 00:07:23 Very basically, it's that they don't have any authentication measures on them. There really is no password login or anything like that. They're just kind of there existing on the open internet, which is obviously pretty troubling. The United States had one of the largest numbers of exposed files to the tune of about 330 million. Why are we seeing this in the US.S.? And how does it compare to other countries? It's a little bit difficult to say why in the U.S. specifically. You know, I had a couple of ideas as we were putting the paper together as to why the geography would be
Starting point is 00:07:56 so different. But, you know, in the U.S., if we look at like the data privacy regulations and security policies that are in place, there really isn't one that kind of broadly applies to the entire country like a GDPR does to the EU. I would say that definitely has something to do with it. You know, the less likelihood of a consequence typically goes hand in hand with that action sort of playing out. So the GDPR, you think has a role to play in it? I think it does overall. I think, you know, we're still within the firstR, you think, has a role to play in it? I think it does overall. I think, you know, we're still within the first year, or I guess now we're beyond one year. We passed the one year anniversary around the release of this paper, actually. And, you know, that's kind of
Starting point is 00:08:35 one reason why we wanted to look back to see what the effect of GDPR was. Currently, you know, there is still a whole lot of exposure out there. I think there were a couple of instances within the report with Luxembourg and the Netherlands, they actually have reduced their overall exposure. And it's hard to say specifically if GDPR was the cause of that. But I definitely think that it helped overall, having that sort of policy and regulation in place to say, here's how we can actually curb some of this exposure, that's definitely going to help, you know, in the long run. So when you look at some of the files that are being misconfigured or stored in a place
Starting point is 00:09:16 where they're easily accessible, there's passport information, bank records, medical information. I mean, this feels and seems so troubling. You know, especially when we look at something like the medical records, medical information. I mean, this feels and seems so troubling. You know, especially when we look at something like the medical records, that's definitely one of the things that stood out for me. And I think it hits home for a lot of consumers, anybody who's ever been to a hospital, which is, you know, kind of anybody. You know, we look at the imaging files that we found, 4.4 million DICOM medical imaging files. So these would be things like x-rays. Those are also considered to be protected health information. So within the U.S.,
Starting point is 00:09:51 it falls under HIPAA regulations. So yeah, I think it's something that is troubling. And I think it's something that, you know, continues to expand as we've seen since this is our, this is now our second report following up from last year's report. And obviously we saw a great increase. But the thing that I kind of like to hammer home about it is that it's not an impossible problem to solve. There are ways that we can kind of curb this exposure and reduce it overall. And I think that there's a lot of really good work that's going on sort of behind the scenes that we can really take note of and start to implement some of these mitigation measures. If I'm an organization, a hospital, a bank, you know, these people have a responsibility to protect information and to their best knowledge,
Starting point is 00:10:37 they're doing so. So how would you advise them on being able to protect this information, being able to make sure that they're staying aware of how to protect that information? So I think a lot of it, you know, like you say, a lot of it, it's a lot of inadvertent data exposure. When you're dealing with things like remote servers that you may need to log into, like, you know, especially in the hospital scenario, as we have e-doctors and kind of remote care going on. There's a fairly large, you know, sort of exposure point there. From the research that we found, we found over 17 million different files that are existing on these online file repositories that have been encrypted by ransomware.
Starting point is 00:11:17 So I think that's one thing to note is that there's also a lot of these files that have been potentially, you know, encrypted slash attacked, if that's how you want to describe it, by ransomware that organizations may not even really know about. I think when you look at that overall, the 17 million files that have been encrypted, you know, the common mitigation for ransomware is to have backups, right? Have backups for your files, have backups for your systems. And a lot of times people will put those backups on network attached storage devices, on FTP servers, things like that. You know, what happens then if those files are then encrypted? What happens when your backups become encrypted?
Starting point is 00:11:56 What do you do then? I think in that case, you know, it's obviously a, it's always a good idea to have a ransomware playbook. Backing up your data is not going to be the only thing that you should do. You should be doing more than that. And I think this kind of highlights that point. Harrison Van Riper, he's the strategy and research analyst at Digital Shadows. And at DS, he provides analysis into technology and digital risk. That's the Cyber Wire's Tamika Smith reporting. Dominion National has disclosed a
Starting point is 00:12:26 data security incident, in effect a data breach. The company, which offers insurance and administers dental and vision benefits, is investigating unauthorized access to its servers that may have taken place as early as August 25, 2010. The data on those servers include personally identifiable information. The company says it has no evidence yet that the data were accessed, manipulated, or stolen, but investigation is in progress. Silex malware, which bricked large numbers of IoT devices until its command and control server went down yesterday afternoon, seems to be the work of three teenagers, bleeping computer reports. The three European kids glory in the names Light the Leafon,
Starting point is 00:13:18 or Light the Sylveon, Alex, and Skitty. Akamai looked at Silex and found that it worked against default passwords. The motive seems to have been a form of snobbery. The hackers wanted to preempt tiresome skids from exploiting poorly protected IoT devices for cash and bragging rights. As Mr. Lifan said, quote, I am only here to prevent skids to flex their skidded botnet, end quote, which is one way of looking at vandalism. Facebook has been back in the news with CEO and founder Mark Zuckerberg appearing at Aspen to call upon the government to help businesses like his fight election influence operations. He seemed more censorship-averse than much of big tech has appeared lately, saying that it didn't seem to him that a private company should be in the business of telling individuals that they can't say false things to people. He did suggest that there was a line to be drawn somewhere around deep fakes, but saw even difficulties there. And Facebook's white
Starting point is 00:14:11 paper on its projected Libra cryptocurrency contains a brief remark that's prompted much comment. Quote, an additional goal of the association is to develop and promote an open identity standard. We believe that decentralized and portable digital identity is a prerequisite to financial inclusion and competition. Quote, That's all it says, but the social media watchers who devote themselves to the close reading of texts emanating from Menlo Park see it as a sure sign that Facebook is out to dominate identity.
Starting point is 00:14:44 Burning Glass Technologies has published a comprehensive report on the cybersecurity job market. There are still more positions open than can be readily filled. One thing hasn't changed. Cybersecurity remains to a significant extent an additional duty for IT personnel. But there have been changes. Enterprises increasingly look for security personnel with automation and cloud skills. And finally, as the 4th of July approaches, that annual celebration of the AMEXIT of 1776, Unisys offers up some advice on all the unfortunate things that can happen during the festivities. Some of the advice involves common sense cautions about personal physical security, like telling people where you're going, not traveling alone, traveling light,
Starting point is 00:15:30 and in an emergency moving to the edge of the crowd. But others involve online safety because scammers observe holidays too. Don't buy event tickets from dodgy sites, don't use unsecured Wi-Fi, and update your mobile devices. Also, watch out for wasps in the lemonade. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:16:23 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
Starting point is 00:16:52 like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:17:50 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Johannes Ulrich. He's the Dean of Research at the SANS Technology Institute and also host of the ISC Stormcast podcast.
Starting point is 00:18:20 Johannes, always great to have you back. You had some stuff you wanted to discuss with us today about malware command and control channels making use of TLS and some of the issues there. Before we dig into that, can you just give us a brief overview and describe to us what is TLS? TLS, well, it's short for transport layer security. It's a protocol that's commonly used to protect network connections. protocol that's commonly used to protect network connections. For example, if you are using HTP S, then what you're really doing is you're sending your HTTP, your web requests over a secure channel that's implemented using TLS. And so in terms of malware command and control channels using it, what are the implications there? Well, malware likes to use TLS because it does hide the actual content of the command and control channel. So as a system administrator monitoring my network, the only thing I'm seeing is a TLS connection, but I have no idea what's inside.
Starting point is 00:19:26 TLS connection, but I have no idea what's inside. It could be just a user browsing a harmless website, or it could be malware exfiltrating all my secrets. And so what options do you have then? Well, one option you do have is to do something called TLS fingerprinting. TLS has a large number of different options available like what exact encryption mechanisms, what ciphers are being used. There are things like for example the host name can be transmitted in the clear as an option and malware often uses slightly different options compared to a normal browser. So what a system administrator can now do is they can look for anomalies in this initial handshake where the TLS connection is established to see if something in your network is using options that are somewhat anomalous for your particular network. So you can't actually see what's the specific data that's being sent and received, but you
Starting point is 00:20:29 can sort of monitor the patterns that are forming. Correct. You can monitor patterns. You can monitor what encryption algorithms are being used. You can also monitor this host name that's usually sent in the clear. And for example, Malware often doesn't do that. Malware doesn't send the usually sent in the clear. And for example, Malware often doesn't do that. Malware doesn't send the host name in the clear. Normal browsers do because it's actually a fairly important feature
Starting point is 00:20:53 to connect to a lot of HTTPS websites. And so suppose you do find an anomaly, what's your next step? Once you find an anomaly, the next step would try to figure out, first of all, where does this connection originate from? What's the software that's establishing this connection? And then hopefully it's just yet another piece of normal software that you don't have to worry about. But if not, then by all means, block the connection and you have some new interesting malware to analyze. Yeah, better safe than sorry, I suppose.
Starting point is 00:21:29 All right, Johannes Ulrich, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization
Starting point is 00:22:01 runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
Starting point is 00:22:45 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben,
Starting point is 00:23:04 Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Thank you. Your AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
