A cyber espionage campaign is said to use DNS hijacking. More observations on l'affaire Bezos. Operation Night Fury versus e-commerce hackers. Farewell to Clayton Christensen.
Dave Bittner: [00:00:01] Hey, everybody. Dave here. We are excited to announce our new subscription program, CyberWire Pro, that will be coming in February. For cybersecurity professionals who need to stay abreast of their rapidly evolving industry, CyberWire Pro is an independent news service you can depend on to stay informed and save time. This unique offer includes valuable content, such as exclusive podcasts and newsletters, exclusive webcasts, thousands of expert interviews and much more. Sign up to be one of the first to know of the CyberWire Pro release at thecyberwire.com/pro. That's thecyberwire.com/pro. Check it out.
Dave Bittner: [00:00:39] Someone has been running a DNS hijacking campaign against governments in southeast Europe and southwest Asia, and Reuters thinks that someone looks like Turkey. Experts would like to see a more thorough forensic analysis of Mr. Bezos' iPhone. That hack may look like a Saudi job, but the evidence remains circumstantial. Interpol's Operation Night Fury dismantles a gang that had been preying on e-commerce. And farewell, Clayton Christensen, theorist of disruptive innovation.
Dave Bittner: [00:01:20] It's time to take a moment to tell you about our sponsor Recorded Future. You've probably heard of Recorded Future, the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best-informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day, you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:02:46] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 27, 2020.
Dave Bittner: [00:02:55] Reuters, citing British and U.S. officials speaking anonymously, reports that a major cyber-espionage campaign is in all likelihood the work of Turkish services. The effort targeted some 30 organizations, including government agencies in Albania, Greece, Iraq and Cyprus, as well as some domestic Turkish groups, including at least one Freemasonic lodge thought sympathetic to the failed 2016 coup. The campaign made large-scale use of DNS hijacking.
Dave Bittner: [00:03:25] Reuters' sources told the news service that their assessment that the campaign was a Turkish operation depended on three things. First, the victims included the governments of countries that are strategically and politically important to Turkey. Second, the attacks resembled earlier attacks that used infrastructure connected to Turkey. And third and most interestingly, because the sources wouldn't talk about it, information contained in confidential intelligence assessments that they declined to detail.
Dave Bittner: [00:03:56] Reuters says that it reviewed public DNS records. The news service says it was able to find that the victims they identified had traffic to their websites hijacked and redirected to servers controlled by the attackers. Much of the traffic so redirected was traffic for login portals, suggesting that credential harvesting was at least one of the goals of the operation.
Dave Bittner: [00:04:18] The Turkish government declined to comment, but one official did venture to observe that Turkey itself had been the victim of cyberattacks, which is surely true. So has the rest of the world, pretty much.
Dave Bittner: [00:04:31] We received emailed comments from Dave Weinstein, CSO at security firm Claroty and the former CTO of the state of New Jersey. He noted that Turkey had not been known as a major player in international cyber conflict and that Ankara had tended to focus on its domestic priorities. But now, he says, the country is emerging as a more active and externally focused actor. He sees another, larger issue in the report, however. He thinks it follows a trend in hijacking attempts that exploit inherently insecure aspects of the internet. As Weinstein puts it, quote, "the DNS system relies in large part on trust, an element that state actors are apparently both willing and able to compromise for the sake of intelligence collection."
Dave Bittner: [00:05:17] Observers would still like to know more about what actually was found on Jeff Bezos' phone, the device FTI Consulting said, with medium to high confidence, was compromised by Saudi Arabia's government. It seems something was going on in the phone. Text messages from the crown prince, for example, suggest that he was better informed about Mr. Bezos' amours than he should've been, and knowing things like that would be consistent with hacking.
Dave Bittner: [00:05:43] But this is circumstantial, as is much of the other evidence the report cited. As several experts told SecurityWeek, the investigation didn't proceed beyond the circumstantial. The Wall Street Journal hears from other experts to the effect that the investigation, as described in the FTI report that became public last week, quote, "appeared to forgo important investigatory steps that could've yielded a fuller picture of what occurred on Mr. Bezos' iPhone X," end quote.
Dave Bittner: [00:06:13] Saudi officials continue to maintain they had nothing to do with Mr. Bezos' iPhone X and that if there's any evidence to the contrary, they'd very much like to see it.
Dave Bittner: [00:06:22] On the other hand, a tweetstorm, significantly bot-driven, is standing up for the kingdom, Forbes reports, busily slanging Mr. Bezos and calling for a boycott of Amazon. Such trolling can have its effects. Whether a case of large-scale trolling is state-directed or state-inspired, AstroTurf is always difficult to determine, and sometimes it's even got a significant grassroots component. The story is still developing.
Dave Bittner: [00:06:48] As it develops, it may be shaped by a case in Tel Aviv, where a court is hearing arguments over whether NSO Group should keep its export license. The company's famous Pegasus tool was mentioned in dispatches by FTI, which said it seemed likely, on circumstantial grounds, that whatever got into Mr. Bezos' phone was Pegasus delivered perhaps via WhatsApp. A Hacking Team tool was mentioned as a second but less probable possibility.
Dave Bittner: [00:07:17] Observers will watch what emerges during the proceedings, but even many inveterate critics of NSO Group have been cautious about drawing the conclusion that Pegasus was implicated in this particular incident.
Dave Bittner: [00:07:30] Interpol's Operation Night Fury, with major assistance from security firm Group-IB, has taken down a cyber gang that operated from six ASEAN countries to hit online shopping with the GetBilling sniffer.
Dave Bittner: [00:08:23] Interpol said that the investigation they coordinated led to authorities in Singapore taking down two of the command-and-control servers the gang was using. It also enabled the Indonesian national police to arrest three individuals. Similar hunts for servers and perps are in progress in several other ASEAN countries.
Dave Bittner: [00:08:43] And finally, we close on a somber note today. Few concepts are tossed around as freely in our industry as the notion of disruption, particularly in the context of disruptive technologies. But unlike many of the buzzwords that so fill business discourse, disruption is actually a concept that has some content and rigor behind it. The writer who formulated the concept, Clayton M. Christensen, professor at the Harvard Business School, died last Thursday at the age of 67, losing his struggle with leukemia. His book "The Innovator's Dilemma" is worth reading, as is his essay "How Will You Measure Your Life?" Our condolences to his family, friends and colleagues, as we recognize the completion of a life that measured up pretty well indeed.
Dave Bittner: [00:09:41] And now a word from our sponsor, KnowBe4. There's a reason more than half of today's ransomware victims end up paying the ransom - cybercriminals have become thoughtful, taking time to maximize your organization's potential damage and their payoff. After achieving root access, the bad guys explore your network - reading email, finding data troves - and once they know you, they craft a plan to cause the most panic, pain and operational disruption. Ransomware has gone nuclear. But don't panic - KnowBe4 is hosting an exclusive webinar where you can find out why data backups, even offline backups, won't save you, why ransomware isn't your real problem and how your end users can become your best, last line of defense. Go to knowbe4.com/ransom and learn more about this exclusive webinar. That's knowbe4.com/ransom. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:10:53] And joining me once again is Robert M. Lee. He's the CEO at Dragos. Rob, it's always great to have you back. We are starting a new year here, and I wanted to get your take on what you are looking ahead to. As you look towards the horizon, what do you see coming in the ICS space for 2020?
Robert M. Lee: [00:11:11] Awesome. All right. Only for you, by the way, all right?
Dave Bittner: [00:11:14] (Laughter).
Robert M. Lee: [00:11:14] I want to start this off correct, that I get asked all the time for predictions and what's coming by all the different magazines that talk to me and publications and similar, and I always turn it down. But for the CyberWire...
Dave Bittner: [00:11:28] (Laughter).
Robert M. Lee: [00:11:28] ...I will break my rule, and I will give you, you know, with a finger in the wind, here is what I am seeing.
Dave Bittner: [00:11:34] All right.
Robert M. Lee: [00:11:35] And so take it with a grain of salt, but here's what I think. I think in the larger community - so not just ICS specific, but the larger community - because of all the momentum we've seen in starting to talk about tradecraft and thinking about threats beyond just malware exploits and vulnerabilities, but actually for what they are in humans on the other side of the keyboard, because of that movement - and even - and I acknowledge that not all the community's there yet - but because of that movement, we are going to have to look back at what we've done to date.
Robert M. Lee: [00:12:05] And what I mean by that is we have made a lot of security investments and strategies and implemented a lot of things around the community, especially enterprise companies, where we were doing it off of one basis of knowledge, and now we have another. And I think that is going to drive a much deeper look at collection and detection strategies and response strategies and not just, here's a tool, let me buy it; what do I think it does?
Robert M. Lee: [00:12:32] I think on a day-to-day basis, analysts get abstracted way too much from collection. You know, it's kind of the example where an analyst in front of a SIEM takes an indicator, throws it through and goes, yep, no alerts, we're good, when the real question should have been, did we ever collect the data that would have been required to validate or invalidate that question we just asked? And I think as we think about tradecraft and get to this higher order of thinking in the community, we are going to have to very critically look at the collection and the detection strategies we put in place.
Robert M. Lee: [00:13:02] And my recommendation for those companies is think about the response strategy first. Like, what are the executives going to ask questions about? What are you going to need for your business? What are the actual business requirements? And work backwards. Well, if I'm going to have that level of response, I got to have this strategy towards detection. And if I've got this strategy towards detection, I've got to have this type of collection. I think that's going to hit a lot of companies in the face, but I think we're up for the challenge. On the ICS side, on the industrial control systems side of the operations technology community, I mean, I think we can kind of pole-vault forward and look at a lot of that.
Robert M. Lee: [00:13:34] But I made a prediction a year or two ago. Dale Peterson put me on stage at S4, which is always a good conference. There's a really - a couple really good conferences in the ICS community. I'm sure they're all great and wonderful. But I generally love the SANS ICS Summit and S4 and maybe CS3 Stockholm out in Europe. But when he asked me - he was like, make a prediction, and I told him the same thing. I was like, I hate predictions. He was like, just do it. Fine. And I got on stage, and I was like, ah, ah, our security professionals one day will know more about our operations than our operators. And I just kind of, like, said it in the moment thinking, you know, ooh, it's out there, you know. And then I stepped back, and I was like, I think I believe this.
Robert M. Lee: [00:14:14] As I think about them, like, actually, what made really good security analysts anywhere else in the world was a deep understanding of how the system or system of systems worked in the first place. And we're starting to see more and more operations and engineering, especially on the operations side, get abstracted from the environment where maybe the vendor or the integrator themselves, like, built the ICS or integrated it in the way they thought. And really, we're just operating it, and we're leaning more and more on calling for helpdesk, and it's harder to hire people and train people and layers of expertise and more common operating platforms and et cetera, et cetera, et cetera, where the level of knowledge and operations - you know, these are amazing operators.
Robert M. Lee: [00:14:50] I'm not trying to say they're lesser than they've ever been; they're actually better than they've ever been, but more generalists now than specialists. They're moving in that direction. And actually, it's the exact opposite of what we're seeing in the need of security of more specialization, especially with the level of automation that - in digital transformation that's happening in the industrial world. And I actually think that - not in 2020 - but as we go about our journey, industrial control systems security folks will have to appreciate that they will at some point or should know more about that plant inside and out as a whole than any other one person in that facility. And that's scary and amazing and crazy all at the same time.
Dave Bittner: [00:15:31] What about the overall sense of community itself? As the number of people working on these problems grows, is it your sense that that notion of community itself is becoming a component of greater importance?
Robert M. Lee: [00:15:51] It is. And I always hear - when people talk about the community or our community, I always see people that kind of snipe on social media or whatever, and I don't think it's misplaced or malintended, but they kind of snipe, like - there is no community. Like, there's all these various little communities. And then like, yeah, for sure, but we're still a community. And my response to that is there's just different schools of thought. Like, it's not that we aren't one community; it's that there are lessons learned and expertise and - against specific requirements that not everyone shares that's getting developed, and it's defining a school of thought. Like, I had to publicly, like, really rant on this about, like, intel. Like, people were like, here's how you do cyberthreat intel, and it's like, nope, that's not the only way to do it, guys.
Robert M. Lee: [00:16:33] Like, actually, like, that - one of the main reasons I wanted to make my SANS class, the Forensics 578 one and the GCTI, the certification that goes with it, is to say you do whatever you want, like, you do you, man, but, like, this is a school of thought of how to functionally and correctly inside this school of thought do cyber intelligence and put a stake in the ground going, here's the vernacular we use and the lexicon, here are the mental models and the structured analytic techniques, and here's the type of requirements we see. And you're not subsetting the community; you're just saying, here's one option as a full package of kind of a school of thought.
Robert M. Lee: [00:17:07] And I think we're seeing the same thing in industrial control systems, where I'm very opinionated about what it takes to go toe-to-toe with the adversaries. I'm still not a fan of considering things like anomaly detection or protocol behavior analysis - whatever they want to flavor the marketing terms - as a detection strategy for ICS. You're going to get tens of thousands of false positives when they do an analyst, and that's not - like, no analyst has ever sat there and gone like, you know what I want? I'd love to have a hundred thousand contextless alerts to go through today. Like, that's not a real answer. But other people may have different requirements.
Robert M. Lee: [00:17:39] And so instead of saying, you're wrong, it's really just a school of thought. And I'm lucky that, you know, SANS has been kind of a neutral player in this to codify that school of thought, and so that's what we do in the SANS ICS curriculum. If you look across ICS 410, ICS 515, my class and ICS 612 - the new class they have - all of those certifications and process really is a school of thought.
Robert M. Lee: [00:18:03] So I think the long-winded way to answer your question - as the community expands, we should be excited about it. But we shouldn't think that it's bifurcating; we should just recognize that there are competing schools of thought that are forming, and we should all be just overjoyed that we have those opportunities so that for each and every one of our companies, we can try to choose the best school of thought that works for our people and our company.
Dave Bittner: [00:18:30] All right. Well, Robert M. Lee, thanks for joining us.
Dave Bittner: [00:18:37] And that's the CyberWire. For links to all of today's stories, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:18:44] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:18:56] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. Every week, we talk to interesting people about timely cybersecurity topics. That is at recordedfuture.com/podcast.
Dave Bittner: [00:19:24] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.