The US off-off-year elections seem to have gone off largely free of interference, but officials caution that major foreign influence campaigns can be expected in 2020. Three former Twitter employees are charged with spying for Saudi Arabia. The website defacement campaign in Georgia remains unattributed. Google boots seven adware droppers from the Play Store. Phishers are using web analytics for better hauls. And nation-states are targeting unpatched Confluence. Johannes Ullrich from the SANS Technology Institute on encrypted SNI in TLS 1.3 and how that can be used for domain fronting. Guest is Kevin O’Brien from GreatHorn on managing email threats.
Dave Bittner: [00:00:03] The U.S. off-off-year elections seem to have gone off largely free of interference, but officials caution that major foreign influence campaigns can be expected in 2020. Three former Twitter employees are charged with spying for Saudi Arabia. Google boots seven adware droppers from the Play Store. Phishers are using web analytics for better hauls. And nation-states are targeting unpacked confluence.
Dave Bittner: [00:00:33] And now a word from our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in; it's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:01:44] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 7, 2019. The highly diversified and decentralized U.S. election system kept a close eye on Tuesday's off-off-year elections and has more or less declared success, as a joint announcement from several federal law enforcement and intelligence agencies asserted that election security had been unprecedented. That announcement did, however, note that attempts to influence or interfere with the 2020 elections with Russia, China and Iran likely to be particularly active. The concerns officials are voicing continue to focus on influence operations as opposed to direct manipulation of vote totals or other attacks on voting machinery. CISA Director Christopher Krebs told CBS News, no one should get cocky. Speaking of Russian operators in particular, Director Krebs said, "They're going to be back. They're trying to get into our heads. They're trying to hack our brains, so to speak, and ultimately have us lose faith in our process," end quote.
Dave Bittner: [00:02:52] The U.S. has opened a case against three men for what's being called by The New York Times and others spying for Saudi Arabia. In this case, the spying has been directed against individuals as opposed to state secrets. The U.S. Justice Department has charged three men, two former Twitter employees and a Saudi national who apparently acted as their controller, with acting as agents of a foreign government without notice to the attorney general and with the destruction, alteration or falsification of records in a federal investigation. The government accused Ahmad Abouammo, a U.S. citizen, with snooping into three Twitter users' accounts. Ali Alzabarah, a Saudi national who, like Mr. Abouammo, worked at Twitter, allegedly accessed more than 6,000 Twitter accounts in 2015. Their liaison with Riyadh is alleged to be Ahmed Almutairi.
Dave Bittner: [00:03:44] Mr. Abouammo is in custody, but the other two are on the wing and thought likely to be in Saudi Arabia. The criminal complaint ties their activities to Organization No. 1 led by Foreign Official No. 1 and Royal Family Member 1, said to be the owner of the charity. The Washington Post identifies these, respectively, Bader Al Asaker, MiSK and Crown Prince Mohammed bin Salman. The Twitter accounts of interest to the alleged spies were, The Wall Street Journal reports, critical of the Saudi regime in general and the crown prince in particular. It seems that the two former Twitter employees may have been placed in the company for the purpose of gaining access to such accounts. Both men left Twitter in 2015. The case opens concerns, obviously, about the security of social media companies and their susceptibility to being penetrated by state-run agents. Somewhat less obviously, it raises another question - if the platforms can be penetrated to snoop on individual accounts, might they not also be penetrated to facilitate the distribution of disinformation?
Dave Bittner: [00:04:50] The lowly email box remains a prime target for baddies, and as their sophistication grows, so too must our defenses. That's the opinion of Kevin O'Brien, CEO and co-founder at email security provider GreatHorn.
Kevin O'Brien: [00:05:05] Email is a really interesting piece of technology. It's been around for about 50 years. It is one of the technologies that we look at as being both venerable but vulnerable. You're looking at a system that was architected, again, 50 years ago for academics to be able to exchange information on timeshare Unix systems. And it was never meant to be a system that we built to be secure or to exchange messages with strong authentication or encryption or any of the other things that you see in modern communication platforms. But its age gives it a certain degree of ubiquity that means that most serious business communications - wire transfers, exchanges of information about intellectual property, contracts - they occur over this platform. And although we've spent, really, the last 25 years trying to add on functionality to make it a secure system, it's fundamentally at odds with what that platform was designed to be.
Kevin O'Brien: [00:06:10] And so it's now the case that we're in this moment when most cyberattacks start with an email in some fashion. And everything that people have put out into the world to try to supplant email - but the message-based systems. If you're of a certain age, then you think about IRC. If you're a bit newer, maybe you're thinking about Slack or Teams. They're not equivalent technologies. They're attention distractors. They're real-time. Email has a certain elegance to it because it allows you to not have an instantaneous exchange of information but rather to think for a moment about what you might say. And so that's well-suited to corporate communications, business communications. If we're going to secure the system, if we're going to make it something that is safe for communication, it has to also be easy because that's one of the foundational principles of email. I type in a subject line and a message and a to, and I'm done. When I started GreatHorn, so four years ago, the average adoption rate of things like Office 365 or G Suite - the two most well-adopted cloud email platforms for professional use - were 17% and 7% in the Global 2000, respectively. Today, that combination has a nearly 90% adoption rate, and that's happened over the last 24 months, give or take.
Kevin O'Brien: [00:07:40] So there's a real change that's possible when you deal with semantic analysis and looking at all of the related relationship information that no legacy product is capable of doing. That's what you should be thinking about if you're responsible for securing email in 2019 and 2020, is how can I go find cloud-native email security systems that are really - and not just from a marketing buzzword perspective - leveraging the evolutions in artificial intelligence and machine learning technologies to give us a better way to stop these threats?
Dave Bittner: [00:08:14] So if I'm using something like G Suite or Office 365 or something like that, isn't there a certain amount of protection going on behind the scenes from those providers themselves?
Kevin O'Brien: [00:08:26] There is, and both Microsoft and Google do a really good job at stopping what we describe as volumetric threat. You probably don't see a whole lot of spam. I mean, you might see some marketing email you don't want, but the real thing that we described as spam in the 1990s and early 2000s, the Nigerian prince who's going to send you a million dollars and just needs your Social Security number and last name, that stuff kind of doesn't get caught anymore, right? And those are examples of volumetric attacks. So you will get pretty good fundamental protection. And for some organizations, that's enough. But when you're talking about targeted email attacks, what the industry has classified as business email compromise - that is, the impersonation of an executive; fraud attempts that are often polymorphic, that is they change based on the recipient and their role - those are not the kinds of things that the basic protections that are available, regardless of how they're marketed, from your email provider are going to catch. Like any other part of a security program, those are the concerns that an enterprise will have, and they require enterprise-grade controls that have a certain degree of customization and a certain degree of flexibility and the ability to articulate a response that is in line with your security posture.
Kevin O'Brien: [00:09:45] And one-size-fits-all basic protections from your email provider just aren't designed to do that nor is that their business, right? They'll stop the volumetric stuff all day long, and that's good. But you don't need to worry about, as your primary concern, the problems that you might have worried about 20 years ago. It's not spam, and it's not even things like data loss prevention, where you're trying to keep someone from inadvertently sending your credit card out. You can do that by default in those platforms. The concern today has shifted, the locus of concern has shifted to advanced targeted attacks, and you need advanced third-party technology if you're going to combat that. And maybe you don't worry about that if you're a 10-person or 20-person small company because you can literally turn around and say, hey, did you send me this email? But once you're at hundreds or thousands or tens of thousands of employees and global, it's time to step up to an enterprise-grade control set to give you that level of protection and scalability.
Dave Bittner: [00:10:43] That's Kevin O'Brien from GreatHorn.
Dave Bittner: [00:10:47] Google has booted seven badly behaved apps from the Play Store, and they urge you to kick them out if you've already downloaded them onto your device. The apps are Alarm Clock, Calculator and Free Magnifying Glass, all from iSoft LLC; two apps produced by LizotMitis, the attractively named Magnifier, Magnifying Glass with Flashlight and Super-Bright Flashlight; and finally, two produced by PumpApp, magnifying glass and - another good name - Super Bright LED Flashlight. Give them all the heave-ho.
Dave Bittner: [00:11:21] Security firm Wandera found the maleficent seven, and how the app worked is interesting. They're dropper apps that pull files in from outside the Google Play ecosystem, in this case from GitHub, and that therefore avoid the usual security checks that might detect them. There's other obfuscation in place as well. Wandera told Forbes that there's some good news and some bad news. The bad news is the obfuscation and the aggressive backdoor that opens subjects devices to further attack; the good news is that so far the payloads have been nuisance malware and that the number of downloads is relatively small, numbering in the thousands and not in the millions.
Dave Bittner: [00:12:01] Web analytics platforms have many legitimate uses, like seeing where users come from and how long they spend on various pages. We use them, and you may use them, too. It's thought that somewhat more than half the world's websites use analytics. The biggest of these services is Google Analytics. Akamai has taken a look at the ways in which these tools can be used for evil. Phishing in particular seems able to benefit from web analytics. Implausible spray and pray campaigns, while still common enough, are giving way to more closely targeted - and therefore more likely to succeed - phishing. Much of that newfound plausibility, Akamai concludes, can be chalked up to criminal use of analytics. They use the analytics much the way legitimate users do, quote, "to improve kits and gather stats on campaign effectiveness," end quote; in short, to make their bait more attractive to the fish they hope to reel in.
Dave Bittner: [00:12:57] Attackers are exploiting Atlassian’s widely used Confluence collaboration platform, hitting a vulnerability, CVE-2019-3396, that Confluence disclosed and patched this past spring. NSA's Cybersecurity Directorate publicly warned that nation-state services were likely to attack unpatched Confluence instances, and various cybersecurity companies have since confirmed an uptick of activity against Confluence users. The warning is significant in itself, but it's also noteworthy as an example of the sort of relatively quick public disclosure NSA's young cybersecurity directorate has promised.
Dave Bittner: [00:13:40] And now a word from our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest book "SOAR Platforms: Everything You Need to Know About Security, Orchestration, Automation and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. You can download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire, and we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:14:53] And I'm pleased to be joined once again by Johannes Ullrich. He's the dean of research at the SANS Technology Institute, and he's also the host of the ISC "StormCast" podcast. Johannes, it's always great to have you back. You have been working on some information about encrypted SNI and TLS 1.3 and how that can be used for domain fronting. Let's dig in here. What do you have to share with us today?
Johannes Ullrich: [00:15:17] Yeah, this actually worked - it was mostly done by Bojan Zdrnja. He is one of our Internet Storm Center handlers. Now, he looked into how sort of that entire DNS over HTTPS and TLS 1.3 ecosystem can be used for new attacks. Now, domain fronting itself is not a new attack. It has been done a lot, and cloud providers have done a lot to defend against it. The way it sort of works is, simplistically speaking - I'm inside a corporate network. For example, I'm malware. I'm trying to connect to my command control server, but the infrastructure within the corporate network prevents me from connecting to it. For example, at some TLS gateway or via DNS, the host name I'm trying to reach is blocked. So what I'm doing is I'm setting up my command control server to be behind a public cloud provider like Cloudflare. Then I'm going to connect to Cloudflare, pretending that I'm going to connect to a different hostname, a valid hostname that's not blocked. I can do that. I could do that DNS look-up.
Johannes Ullrich: [00:16:28] And the tricky part here is in a TLS connection. In a TLS connection, there are two parts that really determine which host they mind connecting to. There's one part that's in the clear that's visible, and that's called Server Name Indicator. The first packet of data that I'm sending to the server includes that. It basically says, hey. I want to connect to this particular server. And this would be now, in my attack, a server that's valid, that's not blocked. But then as part of the encrypted part, I'm sending a host header that is pointing to the malicious web site. So what cloud providers did is that, if the Server Name Indicator and the host header doesn't match, they would block it. But with the encrypted Server Name Indicator that is available now in TLS 1.3, that first part is also encrypted, so now the cloud provider has a much harder time figuring out what side I'm actually connecting to. And as Bojan found out, that - this is still sort of one whole - that, you know, Cloudflare, which supports TLS 1.3, supports Server Name Indicator - it actually is falling for this, and it's still able to do domain fronting using this specific technique.
Dave Bittner: [00:17:52] Is there a way to prevent this yet, or is it something that's yet to be addressed?
Johannes Ullrich: [00:17:58] It's really a bit of an open question here how this can be addressed. Now, in part, of course, it has to be addressed and can be addressed at the proxy providers like Cloudflare. They have to make sure that they are able to decrypt that Server Name Indicator, or maybe they're just not going to accept encrypted Server Name Indicator, which, of course, violates a little bit their privacy mission. They support this feature on purpose because it does provide some privacy. Now, in a corporate network that would be infected with malware taking advantage of this, there are specific DNS records that are being used in order to exchange encryption keys for this feature, and one thing that you could possibly do is block these DNS records. Now, Bojan took a look at how popular these DNS records are right now. There are only a few dozens of them that appear to be in use across the internet, so really, the feature isn't used officially yet at this point. Interestingly, a lot of them he found in Russia, but others sort of - it's always a bit particular types of sites. So this is one option right now - to just block it. But, you know, as the feature becomes more popular, if you are worried about privacy, that may no longer be an option. And then it's really just up to the cloud providers, and not really clear yet what they can do, really, to prevent that.
Dave Bittner: [00:19:24] All right. It's interesting and certainly one to watch. Johannes Ullrich, thanks for joining us.
Johannes Ullrich: [00:19:29] Thank you.
Dave Bittner: [00:19:35] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
ObserveIT is the leading Insider Threat Management solution with approximately 1,700 customers across 87 countries. ObserveIT is the only solution that empowers security teams to detect insider threats, streamline the investigation process, and prevent data exfiltration. Start your free trial of ObserveIT today.
Designed by analysts but built for the entire team, ThreatConnect’s intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics, and workflows in a single platform. Start Using ThreatConnect Today for Free.