Iowa Democrats continue to count their caucus results, and blame for the mess is falling squarely on Shadow, Inc.’s IowaReporterApp. Bitbucket repositories are found spreading malware. The attack on Toll Group turns out to be Mailto ransomware. The Gamaredon Group is active against Ukrainian targets. Charming Kitten’s been phishing. And there’s a new legal theory out and about: the pain-in-the-ass defense. (We know some colleagues who’d plead to that.) Justin Harvey from Accenture on DNS over HTTPS (DoH). Guest is Peter Smith from Edgewise Networks on defending against Python attacks.
Dave Bittner: [00:00:00] Hi, everybody. It's Dave. We're happy to announce that our new subscription program, CyberWire Pro, will be available soon. For everyone who wants to stay on top of developments in cybersecurity, CyberWire Pro is an independent news service that keeps you informed without wasting your time. This new offer includes such valuable content as exclusive podcasts and newsletters, exclusive webcasts, thousands of expert interviews and much, much more. As always, you can rely on us to separate the signal from the noise. Sign up to be one of the first in the know about CyberWire Pro at thecyberwire.com/pro. That's thecyberwire.com/pro. Check it out.
Dave Bittner: [00:00:44] Iowa Democrats continue to count their caucus results. And blame for the mess is falling squarely on the IowaReporterApp made by Shadow. Bitbucket repositories are found spreading malware. The attack on Toll Group turns out to be Mailto ransomware. The Gamaredon Group is active against Ukrainian targets. Charming Kitten’s been phishing. And there's a new legal theory out and about - the pain-in-the-ass defense. We know some colleagues who'd plead to that.
Dave Bittner: [00:01:17] And now a word from our sponsor ObserveIT, a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:02:05] Funding for this CyberWire podcast is made possible in part by McAfee, security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:02:30] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 6, 2020.
Dave Bittner: [00:02:39] Iowa Democrats continue to count their caucus results with 97% of the precincts accounted for this morning. The problems at the caucus are now clearly attributed to Shadow's IowaReporterApp, which proved difficult to use and unable to transmit results correctly to state party headquarters. Shadow's CEO Gerard Niemira told Bloomberg he was, quote, "really disappointed that some of our technology created an issue that made the caucus difficult," end quote, but also defended IowaReporterApp as sound and good. He argued that the app worked, but that it just had problems with transmitting data. So it wasn't the app, but just a bug in the code that transmits results data into the state party's data warehouse – a data formatting error, specifically. The app was great at adding up caucus preferences, but it just had trouble sending the numbers to caucus central. Most observers seem to regard that as a distinction without a difference.
Dave Bittner: [00:03:36] The emerging consensus about Shadow's IowaReporterApp is that it was hastily and carelessly put together and inadequately tested. "Clearly done by someone following a tutorial," "an off-the-shelf skeleton product" and "looks hastily thrown together" are among the assessments Motherboard quotes. Shadow's Niemira told Motherboard, "it's basically a calculator, so that's the approach we took to it" – defending the simplicity that many critics have derided.
Dave Bittner: [00:04:04] This makes one wonder why the precincts didn't just use a calculator and phone the results in. That's basically what they wound up doing anyway. A calculator, of course, usually won't have an embedded comms capability, which is what Shadow appeared to add. But on the other hand, Mr. Niemira suggests that communication issues really weren't part of the app, which, again, makes one wonder, what did the app do beyond serve as an adding machine?
Dave Bittner: [00:04:30] While the problems in Iowa seem clearly attributable to a buggy, showy, flashy app and not to hacking, that may not have been because IowaReporterApp was secure. The Iowa caucus may just have dodged a bullet. ProPublica obtained a copy of the app and sent it to security shop Veracode for a security assessment. Veracode found that, quote, "vote totals, passwords and other sensitive information could have been intercepted or even changed by hackers." Mr. Niemira says that his company subjected the app to rigorous independent testing. But at this point, that's a distinctly minority view.
Dave Bittner: [00:05:05] The Nevada Democratic Party, which had also purchased the app, has already said it won't use it when that state conducts its own primary. The Daily Beast says that the Democratic Senate National Committee, which had been considering Shadow products, is said to have cut ties with the company. And suspicion about using any mobile apps for election work is spilling over onto other unrelated products. Senator Wyden, Democrat of Oregon, has written Oregon's secretary of state to advise against using the Voatz app in this year's elections. Voatz is a mobile application Oregon wants to use for submitting absentee ballots. The idea is to send your vote in by smartphone as opposed to snail mail.
Dave Bittner: [00:05:46] Forbes sums up the consensus on Shadow, its IowaReporterApp and the Iowa Democratic Party. The caucus mess shows what happens when managers and developers ignore best practices. At any rate, Shadow says it feels terrible about what happened. We'll give the last word to Mr. Niemira, who said, "I own that."
Dave Bittner: [00:06:06] Security firm Cybereason has found a malware campaign that's been using Bitbucket repositories as its launching point. Bitbucket is a version control repository hosting service Atlassian owns. Developers working with the Mercurial or Git revision control systems use Bitbucket for source code and development projects.
Dave Bittner: [00:06:27] Cybereason found seven malware strains being distributed through Bitbucket - Evasive Monero Miner, a quiet cryptojacker; IntelRapid, a cross-currency alt-coin stealer; Predator, which steals credentials from browsers, compromises device cameras, takes screenshots and rifles cryptocurrency wallets; Azorult, an information stealer with backdoor capabilities - it's used for spying, credential theft and, again, cryptocurrency stealing; STOP Ransomware, which also comes with downloader capabilities; Vidar, another information-stealer; and Amadey bot, a reconnaissance Trojan.
Dave Bittner: [00:07:05] A bit more information has come out about the attack on Australian logistics company Toll Group that's disrupted operations since Sunday. It's ransomware, iTnews reports, specifically the Mailto strain. The Australian Signals Directorate says it's unclear whether the Mailto attacks are part of a larger campaign. Mailto, also known as Kazakavkovkiz, is a strain of ransomware within the KoKo family. The Toll Group said yesterday that it's still working on recovery, and that it regrets the inconvenience to its customers.
Dave Bittner: [00:07:37] SentinelLabs reports on renewed activity against Ukrainian targets by the Gamaredon Group, a state-sponsored APT that Ukrainian security services associate with Russia's FSB. The FSB is generally regarded as Cozy Bear's proprietor. SentinelLabs sees the activity as a bellwether for future hybrid war. When kinetic fighting slows or freezes due to strategic, operational or diplomatic pressures, expect an intensification of activity in cyberspace.
Dave Bittner: [00:08:07] Forbes talked to SentinelLabs and concluded that Ukraine has effectively become a proving ground. Russian cyber tactics, techniques and procedures that will eventually be used elsewhere are first deployed against Ukraine. Foreign Affairs suggests that the next field of Russian activity may be, surprisingly, Belarus, long the most Russophile state in the near abroad, but a state that's begun to push back against Russian diplomatic moves to bring Minsk even closer to Moscow.
Dave Bittner: [00:08:35] If Foreign Affairs and SentinelLabs have got it right, there may soon be Cozy Bear sightings from Gomel to Grodno.
Dave Bittner: [00:08:42] The folks at Edgewise Networks have been tracking specific vulnerabilities to be alert for when dealing with Python. Joining us to share their finding is Edgewise founder and CEO Peter Smith.
Peter Smith: [00:08:54] Python backdoors are used in large part by nation-state attackers. Most recently, we saw an attack against the government of Turkey by operatives from Iran. And they leveraged a Python-based backdoor that was assembled via snippets from the Internet, as well as some custom code. And they're using it to gain a foothold post-exploitation for remote command and control.
Dave Bittner: [00:09:22] So what are the mitigations for this? How does - how do you go about protecting your organization from these sorts of things?
Peter Smith: [00:09:29] Well, you know, I think the default that people look towards is firewalls. And one of the main problems with firewalls is the types of firewalls that you get in the cloud in particular are Layer 3, Layer 4 firewalls, which really means that they have no ability to inspect the content of the traffic that's being communicated. And even when an organization uses NGFWs with Layer 7 deep packet inspection or content inspection, it's really about positive identification of malicious activity.
Peter Smith: [00:10:01] And the thing about a lot of these Python-based backdoors is they don't have a clear signature that would indicate malicious intent, and therefore they go unnoticed. In one of the presentations I've done recently, we build a Python backdoor with a bootstrapper for persistence, so that even if you try to remove it, it just keeps coming back, fully encrypted communications with obfuscation with an encoding mechanism, and a full command-and-control system in 25 lines of Python.
Peter Smith: [00:10:35] And I think the point here is that it is so easy to create something new, unique and novel that a lot of the existing mitigation techniques that look for positive identification of malicious activity, there simply is no signature to identify these activities as malicious. So they go unnoticed. If you go to GitHub, there are presently 230 Python-based backdoors that are available for download right now. At the end of the day, Python is the PowerShell of the Linux and Unix world. It's incredibly pervasive. It's installed by default on virtually every Unix and Linux operating system.
Peter Smith: [00:11:19] It's more or less covert. Malicious scripts are often confused for administrative tools. So EDR platforms, as an example, they might see invocation of Python but not recognize that this is something that is out of the ordinary. And it's remarkably easy to develop and debug Python scripts. So you can see that Python is this sort of universal language that covers all of the Unixes and even macOS. And by the way, it even extends to Windows.
Peter Smith: [00:11:51] One of the Python-based backdoors that I write for demonstration purposes without any modification, without any special handling, runs perfectly on Linux - multiple versions of Linux, on macOS and on Windows. So it's this ideal framework for malicious actors to build malicious code.
Dave Bittner: [00:12:16] That's Peter Smith from Edgewise Networks.
Dave Bittner: [00:12:20] There's been another sighting of a familiar creature from the cyber bestiary. Security firm Certfa Lab is calling out Charming Kitten, the well-known Iranian APT, as the group responsible for a recent phishing campaign that spoofed a Wall Street Journal writer's email to prospect targets for further compromise. The phishbait is a bogus request for an interview.
Dave Bittner: [00:12:41] Certfa Lab's list of Charming Kitten's interests is broad but still instructive. Quote, "private and government institutions, think tanks and academic institutions, organizations with ties to the Baha'i community, and many other European countries, the United States, United Kingdom and Saudi Arabia," end quote. So a familiar list of rivals, opponents, espionage targets and, interestingly, adherents of the Baha'i faith.
Dave Bittner: [00:13:06] And finally, accused Vault 7 leaker Joshua Schulte’s trial has begun, and the outlines of his defense are coming into focus. Mr. Schulte is a former CIA employee who faces 11 federal counts in connection with the leak of alleged CIA hacking tools to WikiLeaks. His attorneys are arguing, as reported by The Washington Post, that the CIA's security was so miserably inadequate that the Vault 7 material could have been leaked or stolen by any number of people and that the government can't really determine who was responsible for what prosecutors call the single biggest leak of classified national defense information in the history of the CIA.
Dave Bittner: [00:13:45] Why then pick on Mr. Schulte? He was, his defense team says, an easy person to scapegoat. Lead defense counsel Sabrina Shroff told the jurors, quote, "he was also a pain in the ass to everyone at the CIA," end quote, thus just impossible, but not a disgruntled employee who leaked classified material to get back at his bosses when they didn't stick up for him in a squabble with a colleague, as the prosecution alleges.
Dave Bittner: [00:14:11] And so the pain-in-the-ass defense enters legal history. Not to make light of it, Mr. Schulte is certainly entitled to the presumption of innocence, and that's one theory that would at least partially explain the scapegoating his defense team alleges. But there's another serious point here. As Ms. Shroff put it, being a difficult employee does not make you a criminal. And one must surely agree. If being impossible were a crime, where would any of us be, especially our editorial staff?
Dave Bittner: [00:14:45] And now a word from our sponsor, KnowBe4. There's a reason more than half of today's ransomware victims end up paying the ransom. Cybercriminals have become thoughtful, taking time to maximize your organization's potential damage and their payoff. After achieving root access, the bad guys explore your network, reading email, finding data troves. And once they know you, they craft a plan to cause the most panic, pain and operational disruption. Ransomware has gone nuclear. But don't panic. KnowBe4 is hosting an exclusive webinar where you can find out why data backups - even offline backups - won't save you, why ransomware isn't your real problem and how your end users can become your best, last line of defense. Go to knowbe4.com/ransom and learn more about this exclusive webinar. That's knowbe4.com/ransom. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:15:58] And I'm pleased to be joined once again by Justin Harvey. He's the global incident response leader at Accenture. Justin, it's always great to have you back. You know, privacy is on a lot of folks' minds these days. And I've been seeing people talking about DNS over HTTPS - DOH as I'm seeing people call it. What sort of insights can you give us on this? How much of a - how much should we have our eye on this feature?
Justin Harvey: [00:16:22] Oh, I think we should definitely have our eye on this feature. As it stands today, if you want to go to a website - let's say www.whitehouse.gov - even if you're using HTTPS within your browser to access that website, your ISP has monitoring in place to see your DNS requests. DNS is not encrypted over the internet. But, of course, HTTPS is a means of encapsulating the content.
Justin Harvey: [00:16:52] So, therefore, ISPs have been banking on this for quite a while, where they're able to see all of the sites that people are visiting. And then they can sell that information for marketing purposes or for further analysis, of course, how to get products to reach those customers. And I think that from a privacy perspective, there hasn't really been a technology or even a need to encrypt DNS until now.
Justin Harvey: [00:17:18] So the way that DNS over HTTPS works is essentially how it sounds. When you make an HTTPS request to somewhere like www.whitehouse.gov, it actually encapsulates that DNS request and then reaches out to a DNS service, thus making it hidden from view from anyone in between you and the website. DOH is not quite foolproof. It doesn't quite give you all of the privacy you need. It doesn't take away the need for secure VPN or proxy or HTTPS. You still need to have all of those to be completely or nearly completely undetected. When you go to a website, your ISP will still have access to see where you're going based upon IP address. They just won't know what the associated domain with that is unless they do some reverse lookups.
Dave Bittner: [00:18:12] Is there any downside to this? Is it taking away some helpful visibility?
Justin Harvey: [00:18:17] It can take away helpful visibility from the standpoint of cybersecurity if you're an employee. So, certainly, there's also another downside in the sense that we've had DNS - I guess you could say DNS over UDP, if you will, for 30 to 40 years. And it's become a mainstay. And I think that with new technologies and with changing the - essentially, the transport protocols of one of the most-relied-upon protocols on the internet, I think that can lead to some unexpected outages or problems, depending on how it's implemented on a per-vendor basis. And let's not forget the internet industry adage of if anything is wrong, it's always DNS.
Dave Bittner: [00:19:05] Right. Right. Fair enough. Fair enough. All right. Well, the march of progress continues, right?
Justin Harvey: [00:19:10] That's exactly right. And there are all six major browser vendors that will be supporting DNS over HTTPS. It's not enabled by default today. In fact, Google Chrome is doing a small pilot with this, turning it on for a small segment of users by default. If you're a casual nontechie, I would say watch this space over time. Perhaps in the next three, six, nine, 12 months, we should see the maturation of these browsers' implementations over DOH.
Justin Harvey: [00:19:44] But if you're a geek like me, I don't see many downsides to turning it on today, just as long as you remember that you have it enabled. So if you're seeing some weird behavior by your browser, maybe some outages are not able to access some websites, remember, you might have to turn that module off to rule that out.
Dave Bittner: [00:20:00] All right. Well, good advice. Justin Harvey, thanks for joining us.
Justin Harvey: [00:20:03] Thank you.
Dave Bittner: [00:20:08] And that's the CyberWire. For links to all of today's stories, check out our CyberWire daily briefing at thecyberwire.com.
Dave Bittner: [00:20:15] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:27] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team, who is not a pain in the ass, is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.