The CyberWire Daily Podcast 1.23.20
Ep 1009 | 1.23.20

Phishing with a RAT in the Gulf. More on how Jeff Bezos was hacked. Microsoft discloses data exposure. Ransomware continues to dump data. Windows 7, already back from the great beyond.

Transcript

Dave Bittner: [00:00:00] Hey, everybody. Dave here. We here at the CyberWire are excited to announce our new subscription program CyberWire Pro that will be coming in February. For those whose interests and responsibilities lead them to be concerned with cybersecurity, CyberWire Pro is an independent news service you can depend on to stay informed and to save your time. This offer includes such valuable content as exclusive podcasts and newsletters, exclusive webcasts, thousands of expert interviews and much more. And you can rely on us to separate the signal from the noise. Sign up to be one of the first in the know about CyberWire Pro at thecyberwire.com/pro. That's thecyberwire.com/pro. Check it out. 

Dave Bittner: [00:00:47]  There's more phishing around the Arabian Gulf, but it doesn't look local. Reactions to Brazil's indictment of Glenn Greenwald. The forensic report on Jeff Bezos' smartphone has emerged, and the U.N. wants some investigating. Microsoft discloses an exposed database, now secured. Ransomware gets even leakier - if it hits you, assume a data breach. And Windows 7 is going to enjoy an afterlife in software Valhalla - you know, around Berlin. 

Dave Bittner: [00:01:22]  And now a word from our sponsor, KnowBe4. There's a reason more than half of today's ransomware victims end up paying the ransom. Cybercriminals have become thoughtful, taking the time to maximize your organization's potential damage and their payoff. After achieving route access, the bad guys explore your network, reading email, finding data troves, and once they know you, they craft a plan to cause the most panic, pain and operational disruption. Ransomware has gone nuclear. But don't panic - the good folks at KnowBe4 have an exclusive webinar where you can find out why data backups, even offline backups, won't save you, why ransomware isn't your real problem and how your end users can become your best last line of defense. Go to knowbe4.com/ransom and learn more about this exclusive webinar. That's knowbe4.com/ransom. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:02:27]  Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment; insights empower you to change it. Identify with machine learning, defend and correct with deep learning, anticipate with artificial intelligence - McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:52]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 23, 2020. 

Dave Bittner: [00:03:00]  There are some developments in the phishing campaign observed against Arabic-speaking targets last week. Researchers at Cisco Talos late last week posted an analysis of JhoneRAT. They noted its unusual stage deployment, its focus on Arabic-speaking targets and the fact that it appeared to be custom malware, not a commodity attack tool. 

Dave Bittner: [00:03:22]  This morning, deep-learning firm Blue Hexagon published a description of a phishing campaign that appears to be prospecting targets in the Gulf Cooperation Council using Iranian news focused on the death of General Soleimani as phishbait. The countries of interest include Saudi Arabia, Bahrain and the United Arab Emirates. The payload was what Irfan Asrar, head of Cyber Threat Intelligence and Operations at Blue Hexagon characterized as a highly modularized remote access Trojan. It made clever use of public resources, including at least one major digital marketing firm. Asrar believes the campaign is the same one Talos identified but that it's adopted a different set of themes. 

Dave Bittner: [00:04:06]  The presence of Iranian news as phishbait might suggest an Iranian threat actor, but Blue Hexagon believes Iran can be ruled out. They've found code similarities with attack tools previously deployed by what Blue Hexagon characterizes as East European threat actors, thus the Iranian themes are both attractive to targets and regional rivals and serve as a useful false flag as well. 

Dave Bittner: [00:04:32]  Brazil's indictment of Glenn Greenwald continues to attract negative reactions in the press, which see it as a threat to journalists everywhere, as in effect amounting to a criminalization of their interactions with their sources. A New York Times editorial published Tuesday is a fair representative of general media opinion. 

Dave Bittner: [00:04:50]  While some interactions with sources can be criminal, this seems a very long stretch indeed in the case of Greenwald. Support for the indictment does appear in the comments sections of some of the articles that describe the indictment. Those anti-Greenwald commenters, for the most part, object to what they assess as Greenwald's political animus against Brazil's populist President Bolsonaro. 

Dave Bittner: [00:05:13]  But claims that interactions with sources can amount to criminal conspiracy seem less of a stretch in the case of Julian Assange. Greenwald himself has suggested that the U.S. charges against the WikiLeaks proprietor did foreshadow the charges Greenwald now faces in Brazil. But few in the media appear to agree, seeing the two cases as significantly different. Assange isn't charged with just talking to people or advising them to keep things on the QT; he's accused of active cooperation in accessing noncooperating systems. But a lot of websites run by pro-Assange activists and others of like mind are with Greenwald on this one, saying, in effect, see - we told you so, and by the way, free Assange. 

Dave Bittner: [00:05:57]  The U.N. has asked the U.S. to investigate the spyware incident involving the phone belonging to Amazon founder Jeff Bezos, The Guardian reports. Motherboard has obtained a copy of FTI Consulting's forensic report on the device and notes this conclusion - Bezos' phone was compromised via tools procured by Saud al Qahtani. Motherboard describes Saud al Qahtani as a friend and close adviser to Saudi Crown Prince Mohammed bin Salman. He was also president and chairman of the Saudi Federation for Cybersecurity, Programming and Drones and was known to procure offensive hacking tools on behalf of the Saudi regime - among them, tools made by the Italian company Hacking Team. 

Dave Bittner: [00:06:41]  The forensic investigation used a Cellebrite UFED 4PC Ultimate and Physical Analyzer to inspect the phone's contents, but they apparently were not provided the encryption key. Some experts consulted by Motherboard note that the investigators may not have got the route access they needed to fully inspect the phone, since good state-sponsored malware wouldn't portray itself by appearing in backup files. 

Dave Bittner: [00:07:07]  NSO Group's Pegasus tool has been the usual suspect, but the basis for that conclusion, while convincing to many, remains largely circumstantial. The forensic report doesn't say it found Pegasus; it simply notes that Pegasus could have been used and that it's also possible Hacking Team's Galileo might have been used. As the report puts it, advanced mobile spyware, such as NSO Group's Pegasus or Hacking Team's Galileo, can hook into legitimate applications and processes on a compromised device as a way to bypass detection and obfuscate activity in order to ultimately intercept and exfiltrate data. The success of techniques such as these is a very likely explanation for the various spikes in traffic originating from Bezos'. 

Dave Bittner: [00:07:52]  Comparitech found five Microsoft Elastisearch servers exposed online on December 29. Microsoft secured them over the next two days and disclosed details of the incident yesterday. The data were held in a customer service database. Some 250 million records were exposed. Comparitech says Microsoft was quick to respond when notified, and Microsoft has given Comparitech a nice tip of the hat in its own disclosure. 

Dave Bittner: [00:08:19]  Redmond says that it follows standard redaction procedures for the information stored in such databases and that, in this case, most of the records appear to have been redacted in accordance with company policy. Nonetheless, Microsoft goes on to say, quote, "While the investigation found no malicious use and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable," end quote. 

Dave Bittner: [00:08:50]  The company plans to take four actions immediately. First, it will audit the established network security rules for internal resources. Second, it will expand the scope of the mechanisms that detect security rule misconfigurations. Third, it will add additional alerting to service teams when security rule misconfigurations are detected. And fourth, it will put additional redaction automation in place. And it recommends that everyone else who owns a database that could be exposed inadvertently to check to ensure that it's properly secured and not hanging out there, open to inspection. 

Dave Bittner: [00:09:25]  A ransomware infestation must now be considered a data breach until investigation proves otherwise. Bleeping Computer notes that both Maze and Sodinokibi are now leaking data belonging to victims who fail to pay up. Dark Reading writes that organizations are increasingly disposed to pay. Whether they're fueling a bandit economy has apparently become less important than suffering the double whammy of business disruption and then the regulatory odium of a data breach, and they're making the business decision that paying the ransom is cheaper. 

Dave Bittner: [00:09:57]  The insurance industry has also twigged to the new reality. It's getting more expensive to transfer the risk of ransomware, as U.S. underwriters generally are raising premiums for their coverage. Reuters reports increases amounting to as much as 25%. 

Dave Bittner: [00:10:13]  Hey, hey, hey, hey - have you heard? Dracula has risen from the grave because you just can't keep a good man down. No, not really. Just anyway - take it from Uncle Dave, kids, there's no such thing as vampires and revenants and zombies and stuff. But there is such a thing as software that's beyond its end of life. 

Dave Bittner: [00:10:34]  What's risen from the grave already is Windows 7. The old operating system may have gone West, but what ho, it's going to enjoy an afterlife courtesy of the German government, which apparently just can't quit it. Berlin will pay Redmond 800,000 euros in 2020 for Extended security updates for the roughly 33,000 PCs still running Windows 7, reports say. We hesitate to speculate about the number of IOT devices around the world that will also keep Windows 7. Those are inherently much harder to update. 

Dave Bittner: [00:11:08]  And seriously, kids, we're sorry if we scared you about the vampires. Uncle Dave is bad. No, really - there are no such things as vampires, just retired versions of the Windows OS (laughter). 

Dave Bittner: [00:11:28]  And now a word from our sponsor, ExtraHop, delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:12:28]  And joining me once again is Tom Etheridge. He's the VP of services at CrowdStrike. Tom, it's always great to have you back. You know, you and I, in a previous conversation, we were talking about the 1-10-60 concept of responding to incidents and how much timing matters. And one of the things that struck me in our conversation was that it seems to me that in order to respond quickly, you have to practice ahead of time. It's that old practice-like-you-play thing from sports. What sort of insights do you have for us when it comes to that? 

Tom Etheridge: [00:13:01]  So Dave, your comments are spot on. Muscle memory is a concept that we talk to clients about consistently in terms of being able to test, over and over, an organization's ability to respond to a cyber incident should one occur in their environment. It's really important to validate or test out things like your incident response guide or playbook, making sure that you understand which key stakeholders in the organization need to be engaged during an incident, what type of legal support you'll need, what type of communications and PR support you might need should notifications and reporting be required and understanding, really, how to optimize and improve all the elements of cyber response. 

Dave Bittner: [00:13:55]  You know, it strikes me that - kind of like how I really wish I went to the gym more than I do - that everybody has best intentions. I think this is an area where I could imagine it being easy for some organizations, despite having those best intentions, that this sort of practicing is an easy thing to push aside. Do you have any recommendations for organizations to make sure that they're keeping up with this, make sure that it stays on the schedule? 

Tom Etheridge: [00:14:23]  Certainly. One of the techniques that we use here at CrowdStrike is we offer a retainer service to our clients that can flexibly be used for all of the service offerings that we offer to help customers prepare and test out their incident handling capabilities - techniques such as red teaming and adversary emulation, exercises where we can mimic a threat actor, tactics and techniques and really test out whether an organization has the defenses to be able to detect that, understand what's going on quickly and be able to respond in an efficient manner - is something that we offer as part of that retainer service. And many of our clients actually schedule regular red team or pen testing exercises to ensure that they're up to speed and that their application life cycle includes the right kind of security controls to make sure that they're able to detect and prevent these breaches from happening. 

Tom Etheridge: [00:15:25]  Tabletop exercises are another great way to bring in other stakeholders from across the organization, not just the IT organization or the security team, but to bring in the legal team, the PR and the communication staff, to bring in other key executives into the incident handling process to make sure that everybody's aligned and onboard and that there's not finger-pointing or balls being dropped when an incident really does happen. 

Dave Bittner: [00:15:55]  Yeah, I can imagine also that when you've made that investment or even, you know, engaging with an outside company, like you all at CrowdStrike, that once that investment is made and, you know, your folks are on the calendar and coming, I mean, that sets up a situation of a different level of commitment than perhaps if someone was just trying to do it all in-house. 

Tom Etheridge: [00:16:18]  Absolutely. We work pretty hand-in-hand with clients to build a road map for how they can plan these types of activities and events throughout the course of their calendar year. It's also a great way to continue to drive investment from the leadership of the organization, even the board of directors, around pointing out areas where improvements need to be made, focusing investment dollars into the right areas so that the organization has a plan for how they're improving their overall maturity and ability to be prepared for these types of events. 

Dave Bittner: [00:16:55]  All right. Well, Tom Etheridge, thanks for joining us. 

Tom Etheridge: [00:16:58]  Thank you, Dave. 

Dave Bittner: [00:17:04]  And that's the CyberWire. For links to all of today's stories, check out our daily news brief at thecyberwire.com. 

Dave Bittner: [00:17:10]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:17:22]  Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. Every week, we talk to interesting people about timely cybersecurity topics. That's recordedfuture.com/podcast. 

Dave Bittner: [00:17:50]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: [00:17:59]  Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.