Cyber alert remains high as the US-Iranian confrontation cools. Information ops, wipers, and energy sector targeting.
Dave Bittner: [00:00:00] Hi, everybody. Dave here. Before we begin today's show, I want to share some special news. By our estimation, today marks the 1,000th episode of our daily CyberWire news brief podcast. That's quite a milestone. And we couldn't have done it without the support of everyone who works here every day to bring our show to you, to our sponsors who support our show and, of course, to all of you who listen every day and find value in the work we do. So a heartfelt thanks from all of us to all of you. And here's to the next thousand shows.
Dave Bittner: [00:00:39] As kinetic combat abates in Iraq, warnings of cyberthreats increase. US intelligence agencies warn of heightened likelihood of Iranian cyber operations. These may be more serious than the low-grade website defacements and Twitter impersonations so far observed. One operation, Dustman, has hit Bahrain, and it looks like an Iranian wiper and some notes on the Lazarus Group and a quick look at information ops across the Taiwan Strait.
Dave Bittner: [00:01:12] And now a word from our sponsor, ExtraHop - delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:02:07] Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:02:33] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 9, 2020. As both the US and Iran appear to have backed away from kinetic combat, The New York Times predicts that cyber operations will become more attractive. Iran's missile volleys against US cantonment areas in Iraq may have been, as US Joint Staff Chairman General Milley said, intended to kill. But they fortunately didn't. And Iran said it was satisfied that it had responded proportionally to the US strike against General Soleimani last week.
Dave Bittner: [00:03:09] CNN summarizes the cautions US agencies - notably, the FBI and the Department of Homeland Security - have distributed this week. The centerpiece of those warnings is a joint intelligence bulletin that went out to law enforcement agencies around the US. CNN, which says it's obtained a copy, quotes the bulletin as warning, quote, "in the event Iran were to determine to conduct a homeland attack, potential targets and methods of attack in the homeland could range from cyber operations, to targeted assassinations of individuals deemed threats to the Iranian regime, to sabotage of public or private infrastructure, including US military bases, oil and gas facilities and public landmarks" - end quote. That's a common-sense summary of the sorts of activities one would hope police and security organizations would be alert for.
Dave Bittner: [00:04:00] Such warnings have reached a spooked and skittish audience. Consider this week's incident in Las Vegas, where local speculation quickly turned to Iran. The city's IT department tweeted that "We experienced a cyber compromise at 4:30 a.m. Tuesday. Our IT team is assessing the extent of the compromise. When aware of the attempt, we immediately took steps to protect our data streams. We will have a clearer picture of the extent of the compromise over the next 24 hours." The Vegas station KSNV News 3 quickly spoke with local cybersecurity experts who assured the station that Iran looked good for the attack. Las Vegas doesn't think any sensitive or personal data were compromised. But the investigation continues.
Dave Bittner: [00:04:45] Cyber operations, of course, represent a gray zone where attribution and responsibility can be hard to pin down. There's some chatter on the internet, the New York Times says, by actors who claim to have connections with whoever defaced the home page of the Federal Depository Library Program, a site run by the US Government Printing Office. They're going on about how their capabilities have hardly been exhausted and that they're just waiting to be unleashed by the Islamic Revolutionary Guard Corps and that, in sum, you ain't seen nothing yet. There's probably some truth to the last point because the Federal Depository Library Program wasn't exactly either a high-value or a high-payoff target. But on the other hand, this sort of online woofing by inspired freelance amateurs has been a feature of cyberspace since it was called the information superhighway. So beware. Take the reports of chatter seriously but with an appropriately large grain of salt.
Dave Bittner: [00:05:41] That said, there have been other information operations conducted either by Iran or by independent actors working in Iran's interests. Twitter has suspended two accounts it found impersonating journalists, The Daily Beast reports. The accounts were disseminating what the Beast describes as Iranian propaganda, although, as usual, it's difficult in such cases to distinguish a state-run operation from a hacktivist demonstration. Britain's Telegraph newspaper argues that Iran has developed a significant online disinformation capability over recent years. While calling it a capability that rivals Russia's is surely overstated, Tehran's operators aren't contemptible. And they've shown a disposition to learn from the best.
Dave Bittner: [00:06:24] Chances are you may have heard that Windows 7 is no longer supported by Microsoft. We've certainly been talking about it here. So it shouldn't come as any surprise. And yet, for a variety of reasons, many organizations find themselves still running Windows 7. Karl Sigler is manager of SpiderLabs Threat Intelligence at TrustWave. And he shares his insights.
Karl Sigler: [00:06:48] Windows 7 and Windows Server 2008 are reaching their end of life this month. And what that means is that Microsoft is no longer going to be providing primarily security patches for those platforms. So mainstream support for those platforms actually ended a couple of years ago where, you know, those platforms, Windows 7 and Server 2008, were no longer getting any new features, any new updates. Only security updates that are critical were those platforms receiving. And as of this month, they're going to end even that. So if you're currently using Windows 7 or Windows Server 2008, by the end of the month, you will no longer be getting any security fixes, which, of course, introduces risk to any environment that is still using those.
Dave Bittner: [00:07:34] And where are the environments we're most likely to find folks are still using an operating system that's this long in the tooth?
Karl Sigler: [00:07:42] All over the place. By our estimates, at least a third of large organizations currently have some footprint of Windows 7 and Windows Server 2008 in those environments. We still see a lot of end users that are using them. People obviously don't like to upgrade. A lot of people, especially when it comes to technology, follow the principle, if it's not broke, don't fix it. And for Windows 7, Windows Server 2008, if it's still doing what you need it to do, then no one really has the impetus to upgrade.
Dave Bittner: [00:08:16] And so what's the reality here? For folks who are running these systems, what sort of actions should they take?
Karl Sigler: [00:08:23] The most basic action you can take is to upgrade. If that's possible, it's highly recommended that you just upgrade. For Windows 7, that upgrade path would be to Windows 10. So for the desktop operating systems, if you're still on Windows 7 at home, you know that your organization is still using Windows 7, you want to look for that upgrade path to Windows 10. For Windows Server 2008, you're looking to upgrade to Server 2012 or hopefully 2016. Although we're seeing a lot of organizations, rather than upgrading in-house, just moving to cloud platforms for a lot of services, which puts, you know, the security question into somebody else's hands entirely, which is also a good path for upgrade.
Dave Bittner: [00:09:04] Yeah, that's interesting. Are there any specific security issues that are known with Windows 7? In other words, as it's being put out to pasture, are there any lingering issues?
Karl Sigler: [00:09:17] Absolutely. BlueKeep is probably the biggest one right now. So the BlueKeep vulnerability affected remote desktop services. And those services tend to be publicly exposed. If you're trying to get access to a remote desktop, you tend to need that access over the general internet or at least through your VPN. So the services tend to be exposed to a certain extent. You know, we haven't seen any major exploitation for BlueKeep. But back when Windows XP was end-of-lifed, shortly thereafter, we saw the WannaCry worm go out. And it was trashing those older systems that just didn't get that security patch. BlueKeep is a very similar vulnerability. If exploits get developed for that, it's going to be very serious. Luckily, there are patches for Windows 7 and Windows Server since it was - the patches were released this past year. It's really only a matter of time before we see the next WannaCry or BlueKeep. And for the next one that's coming up in the wings, there's no security fix for those. So there's really no avenue to patch it for Windows 7.
Dave Bittner: [00:10:21] So I guess this is a better-safe-than-sorry sort of situation. If you've still got some of these legacy systems out there, now's the time.
Karl Sigler: [00:10:30] And hopefully, you've been planning for this. Again, the end of life for just new features was back in 2015. So this is not a big surprise, hopefully, for a lot of these organizations and they have a plan in place. But if they don't, like you say, this is the time to do it. For big organizations, that can be a little bit harder. They have a lot of complexity. They might have networks all over the globe that they have to upgrade. And, you know, it takes some careful planning. It could take a lot of time to get it implemented. For smaller organizations, they may have a smaller footprint. But they may not have the technical resources. A lot of those small businesses have an IT team of one person. So it can be hard for those organizations as well. So plan things out. Think about it appropriately. And see the best path to get those upgrades in place for you.
Dave Bittner: [00:11:17] That's Karl Sigler from TrustWave.
Dave Bittner: [00:11:20] There have been some consequential attacks that seem traceable to Iran. Citing a report by Saudi Arabia's National Cybersecurity Authority, multiple sources report that Dustman, a destructive Iranian cyber campaign, has hit Bapco, Bahrain's national oil company. The media outlet ZDNet outlines the malware as a successor to earlier Iranian wiper campaigns, notably Shamoon and its ZeroCleare successor. The Saudis call Dustman an evolved and improved version of ZeroCleare, a wiper discovered in the fall of 2019 that itself shares code similarities with Shamoon. Shamoon, ZeroCleare and Dustman all use EldoS RawDisk, which is a legitimate tool used to interact with files, disks and partitions. The three wipers gain initial access, then use a variety of exploits to elevate their access to admin-level privileges, at which point they use EldoS RawDisk to destroy data belonging to the infected host. Yahoo News points out that the cyberattack hit on December 29, 2019, the same day the US retaliated for the death of an American contractor in a rocket attack with airstrikes against Iranian proxies in Syria and Iraq. Bahrain is close to the US and even closer to Iran's principal regional rival, Saudi Arabia. And Iran has shown a predilection for regional targets in the energy sector. The original victim of Shamoon - remember - was Saudi Aramco.
Dave Bittner: [00:12:49] Since many of the warnings from CISA have stressed the potential threat to industrial control systems and critical infrastructure, it's worth noting a report the ICS security specialists at Dragos released this morning. Dragos, we should emphasize as a matter of policy, doesn't attribute the attacks or threat actors it studies to any particular nation-state. But their findings are interesting, coming as they do, during a period of heightened alert. The researchers say that the threat actors Dragos calls MAGNALLIUM and XENOTIME, best known for targeting the oil and gas sector, have shown signs of expanding their interest to the North American electrical power industry. XENOTIME's and MAGNALLIUM's most notorious actions were taken against Saudi Arabia's oil and gas industry. But since the late fall of this past year, they've been observed prospecting targets in the United States. In any case, one hopes that organizations, whether they're business, government, educational, charitable or religious in nature, do take the kinds of sensible precautions CISA and others have recommended. It's worth reviewing them here quickly - disable unnecessary ports and protocols. Monitor network traffic and email traffic. Keep an eye out for phishing themes and tactics, especially ones that might cater to fears related to current tensions. And follow best practices that increase resistance to social engineering generally. Get your patching up to date. And finally, keep backups current and in an air-gapped location where they'll survive a destructive attack on your network.
Dave Bittner: [00:14:20] It's not, of course, all Iran all the time, even this week. Kaspersky has been tracking the Lazarus Group's AppleJeus campaign and concludes that North Korea is becoming more careful, more sophisticated and more focused on the cryptocurrency sector as Pyongyang continues its policy of addressing financial shortfalls through cybercrime.
Dave Bittner: [00:14:41] And Taiwan is in the homestretch of its national elections, with voting to be held Saturday. China has increased its influence campaigns with the intent of influencing the vote in favor of parties thought to be disposed to prove useful to the return of what Beijing is pleased to call the breakaway province of Taiwan. That's what Beijing calls it, not us. We just call Taiwan, Taiwan.
Dave Bittner: [00:15:10] And now a word from our sponsor, BlackCloak. Do you worry about your executives' personal computers being hacked? How about their home network and all those IoT goodies they got over the holiday or credential stuffing attacks because of their password reuse? Executives and their families are targets. But unlike the corporate network, they have no cybersecurity team to back them up. Instead of hacking the company with millions of dollars' worth of cyber controls, hackers have turned their attention to the executives' home network and devices, which have little to no protection. BlackCloak closes this gap in your company's protection with their unique solution. The cybersecurity professionals at BlackCloak are able to deploy their specialized controls that protect your executives and their families from hacking, financial loss and privacy exposure. Mitigate these risks that could lead to a corporate data breach or reputational loss. Protect your company by protecting your executives. To learn more and partner with BlackCloak, visit blackcloak.io. That's blackcloak.io. And we thank BlackCloak for sponsoring our show.
Dave Bittner: [00:16:29] And I'm pleased to be joined once again by Emily Wilson. She's the VP of research at Terbium Labs. Emily, before the holidays, you all published a report that was called "How Fraud Stole Christmas." And you were looking at different types of data that consumers were worried about having exposed during the holiday season. You've got some things you want to dig in here. What can you share with us today?
Emily Wilson: [00:16:50] In putting together this report, we were primarily focused on asking consumers about their spending patterns during the holiday season. What kinds of payment cards are you going to be using? How many of them? Are you going to be using those over cash? Where are you most concerned that that financial information might be exposed? Are you worried about online retailers, brick-and-mortar stores? How are you adapting your behavior? All of this was payments focused. And so then we got to a question where we asked consumers what kind of information they were most worried about being exposed during the holiday season. And given the patterns that we had been tracking through the rest of the survey, I expected it to be payment card numbers, bank account information, maybe account credentials for the number of people who were worried about online retailers. But it wasn't any of those things. Consumers told us they were most concerned about their Social Security numbers. And I thought that was interesting. Because in this in this holiday season, where we are concerned about fraud, we're concerned about card skimmers, we're spending money at a variety of different retailers or shops that we maybe wouldn't shop from before, you know, we're buying things from different, little pop-ups. We're finding gifts here and there and spending all over the country and perhaps around the world. But consumers circled back and said, no, I'm worried about my Social Security numbers.
Dave Bittner: [00:18:12] Why do you suppose that is?
Emily Wilson: [00:18:14] I think the reason that identity theft is front of mind for consumers right now in a way that maybe it wouldn't have been a couple of years ago is twofold. One, there have been some major breaches that have made mainstream news that I think has made ID theft an issue front of mind for not just security-minded folks, not just people who maybe work in high-risk industries, who are dealing with this from a security perspective in their day-to-day roles. But if we think about things like Equifax, that was a big shock, I think, to kind of the hive mind, at least here in the US. And when I say Equifax, I mean not just the breach itself but the way it was handled and some of the issues with people trying to go in and claim their payment as a result. I think this is something where people saw, perhaps for the first time or at least for the first time since something like OPM, the scale of data exposure that actually impacted them directly. That's one reason I think it might be front of mind.
Emily Wilson: [00:19:16] The other is that I think for all of the other breaches and security issues - and that could be something like election security. It might be minor breaches. It might be issues with companies like Wells Fargo having account fraud. There are a variety of different, what I would consider, kind of consumer-level breaches here that may have made local news. It may be part of the discussion now, letting people know, hey, your accounts have been compromised - not for tech platforms they may forget that they're using, not for third-party data breaches that only we in security care about but things that are actually making their way down to local journalism, that are making the 6 o'clock news. You know, we see from this report that people having knowledge, they've changed their spending patterns when it comes to unsecured point-of-sale systems like ATMs, for example. And I think ID theft - I think personal information is the next wave of that. I think that we're seeing the threat of exposure and compromise there trickle down to be more front of mind for consumers. And I'm hopeful for that because I think that will give them the opportunity to start to think critically about where they share information, maybe to have higher expectations for the brands that they engage with.
Dave Bittner: [00:20:36] All right. Well, Emily Wilson, thanks for joining us.
Dave Bittner: [00:20:44] And that's the CyberWire. For links to all of today's stories, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:20:50] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:21:01] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.