Fox Kitten campaign linked to Iran. LokiBot’s new clothes. Unsigned firmware. Iowa Democratic caucus post-mortem. SoftBank and the GRU. Hacker madness.
Dave Bittner: [00:00:00] Hi, Jack.
Jack: [00:00:01] Hi, Dad. I've come to talk to you about something.
Dave Bittner: [00:00:03] OK, go ahead.
Jack: [00:00:04] So I was thinking. You don't do enough, OK?
Dave Bittner: [00:00:09] Really?
Jack: [00:00:09] Yes.
Dave Bittner: [00:00:10] Go on.
Jack: [00:00:10] I think that there's more that you can do.
Dave Bittner: [00:00:12] OK.
Jack: [00:00:13] So...
Dave Bittner: [00:00:13] You know I do, like, 10 shows a week?
Jack: [00:00:15] Well, still, that's not enough.
Dave Bittner: [00:00:17] OK.
Jack: [00:00:17] So I'm thinking...
Dave Bittner: [00:00:19] Yeah.
Jack: [00:00:19] ...You guys come up with a new service called CyberWire Pro.
Dave Bittner: [00:00:23] Really?
Jack: [00:00:23] Yes.
Dave Bittner: [00:00:24] OK. What would this include?
Jack: [00:00:27] Well, I think this would include newsletters, exclusive webcasts and thousands of expert interviews and much more.
Dave Bittner: [00:00:33] OK.
Jack: [00:00:34] Emphasis on the much more.
Dave Bittner: [00:00:36] Yes, of course.
Jack: [00:00:37] And I think that you should release it at thecyberwire.com/pro.
Dave Bittner: [00:00:41] I see. So if people go to thecyberwire.com/pro, that would be - in your mind, that would be a place where they could go to learn all about all these extra things that I need to do.
Jack: [00:00:51] Yes.
Dave Bittner: [00:00:52] OK. All right. Well, gee, thanks for stopping by and creating more work for all of us here at the CyberWire.
Jack: [00:00:59] Anything for you, Dad.
Dave Bittner: [00:01:05] Fox Kitten appears to combine three APTs linked to Iran. LokiBot is masquerading as an installer for Epic Games. Unsigned firmware has been found in multiple devices. Extortionists threaten to flood AdSense banners with bot traffic. China says the Empire of Hackers is in Washington, not Beijing. Iowa Democratic caucus IT post-mortems continue. Japan connects the SoftBank breach to the GRU. And more on that hacker-madness poster from the West Midlands.
Dave Bittner: [00:01:42] And now a word from our sponsor ExtraHop, securing modern enterprises with network detection and response. Security teams today want to say yes to cloud adoption, just like they want to support enterprise IoT and edge computing. But the more complex your architecture the less you can trust your perimeter to keep threats out. When attackers make it into your environment, you need to be the hunter, not the hunted. ExtraHop helps organizations like Home Depot and Credit Suisse detect threats up to 95% faster with the context they need to act immediately. Visit them at RSA for a full product demo of threat detection and response for cloud, multicloud and hybrid enterprises, or learn more at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security fueled by insight. Intelligence lets you respond to your environment; insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:03:02] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 18th, 2020.
Dave Bittner: [00:03:10] ClearSky outlines the Fox Kitten campaign, which it calls an Iranian operation directed primarily against the US and Israel. Fox Kitten has been active, ClearSky says, for three years, and it's proceeded largely by exploiting VPNs and RDP. The company concludes with medium confidence that the campaign represents a collaborative effort among three APTs – APT33, Elfin; APT34, OilRig; and APT39, Chafer. The sectors of interest to Fox Kitten appear to be IT, utilities, defense and aviation, and petroleum. These are essentially the sectors Elfin, OilRig, and Chafer worked most heavily against.
Dave Bittner: [00:03:54] Trend Micro warns that LokiBot is distributing malware disguised as an installer from the Epic Games store. Epic Games publishes Fortnite and other popular diversions.
Dave Bittner: [00:04:06] Eclypsium has issued a study that suggests the prevalence of unsigned firmware in Wi-Fi adapters, USB hubs, trackpads and cameras in use in computers from Lenovo, Dell, HP and other major manufacturers.
Dave Bittner: [00:04:20] KrebsOnSecurity reports a new extortion scam. This one targets website owners who display banner ads through Google's AdSense program. The extortionists threaten to flood the ads with enough bot traffic to cause Google's automated tools to suspend the victim's account. Google suggests that this won't really work, so the extortion threat is largely empty. Google told Krebs, "We hear a lot about the potential for sabotage. It's extremely rare in practice, and we have built some safeguards in place to prevent sabotage from succeeding," end quote. Google says mostly invalid traffic - that is, traffic of the kind the extortionists threaten - is filtered before it affects advertisers and publishers. So it's probably safe to put this scam in the scare category. It works if it convinces you. Otherwise, not.
Dave Bittner: [00:05:11] As the US continues to warn allies against using Huawei equipment, China's foreign minister replies by complaining that Washington, not Beijing, is the problem. No one spies like the Americans, they say. Citing Crypto AG and the matter of Chancellor Merkel's cellphone, Foreign Ministry representative Geng Shuang said, "facts have proven once again that as the largest state actor of spying in cyberspace, the US is worthy of the name of the Empire of Hackers. The sky is the limit with the US when it comes to spying," end quote, says they.
Dave Bittner: [00:05:46] The Washington Cyber Roundtable is a nonprofit industry liaison group with a mission of connecting technology, consulting and professional services firms on cybersecurity and related issues. They are perhaps best known for the handful of events they host each year, intimate invitation-only gatherings where candid discussion is the goal. Kaitlin Bulavinetz is managing director of the Washington Cyber Roundtable.
Kaitlin Bulavinetz: [00:06:12] The Washington Cyber Roundtable was started over 11 years ago by our founder, George Meyers, who recognized that there wasn't a venue for government and industry cyber professionals to collaborate and share ideas because, at the time, a lot of the challenges that were being faced in the public sector were being solved in the private sector. So the Washington Cyber Roundtable - we facilitate roundtable events for government and industry professionals to have candid conversations that are not attributional about cyber challenges. So that's in our mission, and it's solving a unique problem and helping move the needle in the right direction a little bit at a time.
Dave Bittner: [00:07:08] And the events that you put together here, I mean, these are fairly unique in the scale of them. These are not, you know, big, big rooms full of lots of people. These are intimate get-togethers.
Kaitlin Bulavinetz: [00:07:20] That's correct. We limit attendance to 15 to 20 people - 25 is the absolute tops - because we want everyone to be able to have a conversation. So our events are invite-only to our membership, and then we also invite our past speakers. So they like to chat with their peers in government and in industry.
Dave Bittner: [00:07:45] Can you give us some insights on to the kind of the matchmaking process that you do here, how you choose the connections that you're going to make to make sure that you get these valuable conversations happening?
Kaitlin Bulavinetz: [00:07:58] Sure. So we, naturally, look to see what is going on in the larger dialogue from a cyber policy perspective. And then we also have an excellent team of advisers. And our membership also can weigh in on what they're seeing from the private sector perspective. Some of our past speakers will be great with telling us event ideas. So we have a lot of feelers out to identify what might be a unique perspective that hasn't been raised yet but has value to contributing to the cyber national security conversation.
Dave Bittner: [00:08:42] And what do you hear from the attendees of these sorts of events? What sort of feedback are you getting from them?
Kaitlin Bulavinetz: [00:08:48] From a WCR perspective, that it's a unique opportunity to engage in conversations from our government speakers. So we'll also offer the opportunity to do a follow-on report. So if there are some ideas that need to be further explored or evaluated, we will engage in that type of report. So we have a lot of partners as well, so we're able to go into deeper context and really get to kind of the different ideas that should be expressed and should be explored, have an opportunity to do that.
Dave Bittner: [00:09:29] What is the cycle? I mean, how many events are you hosting in a typical year?
Kaitlin Bulavinetz: [00:09:35] So we hold about eight to nine roundtable events a year, and then we'll offer the follow-on engagement to further explore the ideas, and then we plan our events. We'll plan things pretty far in advance, but we'll only send out the invites for one event at a time and just to our membership on our invite list.
Dave Bittner: [00:09:56] I see. And so if someone wants to find out more, if this is something they're thinking perhaps they want to become engaged with, what's the best way to find out more information about the organization?
Kaitlin Bulavinetz: [00:10:08] So after our events, we'll do a brief summary on our website or on our social media, on LinkedIn. That's really the best way. We do have a number of great events coming up for 2020. So we're going to be having an event with the Department of State and DHS on interagency collaboration on cyber and the digital economy with a focus of the Indo-Pacific.
Kaitlin Bulavinetz: [00:10:33] We'll be also looking at undersea cables. And we'll be having an event with Congressman Langevin on the Cyberspace Solarium Commission. Our goal is for attendees to have, like, an a-ha moment in our events. So it's not just the talking points, but it's something that you can really dive deeper into.
Dave Bittner: [00:10:56] That's Kaitlin Bulavinetz from the Washington Cyber Roundtable.
Dave Bittner: [00:11:01] As Iowa Democrats work their way through the recanvassing of the Sanders and Buttigieg campaigns requested after this month's difficulties with the Iowa Democratic caucus, observers continue to work through what happened and why and what lessons, if any, the caucus holds for election security as a whole. The Iowa party notoriously struggled to reach a credible and accurate caucus result as it worked through the resistant medium of the IowaReporterApp, a product of Shadow Inc.
Dave Bittner: [00:11:30] The Washington Post has published its look into the troubled Iowa Democratic caucus. The paper concludes that, first, the problems were years in preparation, and, second, that the Democratic National Committee appears to have been more involved than it initially seemed. The national party, eager to avoid a repetition of 2016's intramural ill feeling in which Senator Sanders' supporters felt the game was rigged for eventual nominee Hillary Clinton, pushed the state parties toward what they hoped would prove more transparent processes. This especially represented a departure for caucuses like the one in Iowa.
Dave Bittner: [00:12:05] The Post's investigation concluded that party officials, however, never effectively vetted the basic tool used to collect and publish those results. The review found they hardly questioned why an app was necessary rather than a simpler reporting method, though internal correspondence shows that DNC staffers were privy to discussions about the testing and rollout of the technology.
Dave Bittner: [00:12:28] Democratic National Committee representatives have consistently maintained that their only role was to ensure the cybersecurity of Shadow Inc.'s software and, on the reliability side, to create a backup system to double-check the delegate math from the app, as a precaution in case there was a hack. If nothing else, the incident probably should teach everyone that security and reliability aren't necessarily the same thing. Assuming that IowaReporterApp was as secure as such things can be, the fact that it was unlikely to be hacked doesn't mean that it could be counted on to work as advertised, which, of course, it didn't.
Dave Bittner: [00:13:05] In what Nikkei reads as a warning against attempting to meddle with the Tokyo Olympics, Japan's government has attributed the SoftBank breach to Russia's GRU. Prime Minister Abe's government has sought improved relations with Moscow, but the Foreign Ministry's attribution of the incident to Russian military intelligence suggests that Tokyo remains particularly sensitive to potential threats to the Olympic Games. The games have been a Russian target since the 2018 Winter Olympics in South Korea. Animus against the world anti-doping authority's strictures against Russian teams seems to have provoked Moscow with motive enough to hack.
Dave Bittner: [00:13:44] Finally, we return to the odd case of the public safety hacker madness poster the West Midlands Police issued in the UK, the one that was immediately repudiated last week by the National Crime Agency. The West Midlands Police say they didn't do it, they tell you. Here's their tweet on the subject: "The poster - produced by a third party - was created as an aide-mémoire to assist teachers with safeguarding in schools. It was taken from wider information on cyber tools which could be used to commit cyberattacks but equally have a legitimate purpose." Well, OK, so they sort of did it. But let all who've never created an aide-mémoire cast the first stone.
Dave Bittner: [00:14:30] And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless strong security with LastPass. Each entry point in your organization can compromise your business' security. LastPass Identity can minimize risk and give your IT team a breakthrough integrated single-sign-on, password management and multifactor authentication. LastPass Identity enables you to manage and control user access for all access points in your organization, add an additional layer of security to every single login through multifactor authentication, securely authenticate into your work using biometrics, like fingerprint or face, deliver a passwordless login experience for employees while securing every password in use through Enterprise Password Management, and gain an integrated view across all access and authentication tasks to know which employees are accessing what, when and where. To learn more, go to lastpass.com/enterprise. That's lastpass.com/enterprise. And we thank LastPass for sponsoring our show.
Dave Bittner: [00:15:56] And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host on the "Caveat" podcast. Ben, always great to have you back.
Ben Yelin: [00:16:05] Good to be with you, Dave.
Dave Bittner: [00:16:06] We got word recently that the chairman of the FCC put Congress on notice that some of the wireless carriers have apparently violated federal law when it comes to selling customers' location data. That is something you and I have tracked here over and over again. What's going on here?
Ben Yelin: [00:16:25] Yeah. So back in May of 2018, there were multiple reports that indicated that pretty much every major carrier, including the big guys - the Verizons, AT&Ts, Sprints, T-Mobiles - sorry if I'm excluding you, fellow mobile carriers - were selling location data to resellers.
Dave Bittner: [00:16:42] Right.
Ben Yelin: [00:16:42] Those resellers could either resell it or give it away. And, you know, that was a major breach and an invasion of privacy. So you saw a lot of privacy advocates petition to the Federal Communications Commission under the leadership of Ajit Pai to issue some type of criminal sanction against these companies. So basically, what Chairman Pai is doing is proposing a notice of apparent liability for forfeiture, which is an official declaration from the FCC saying that somebody's violated the rules and they're going to be penalized. And this means that these companies are going to be fined. Now, that's all the information we have at the moment. You know, it's been a couple of weeks now, and we don't think that anything else has come out, so we don't know which companies are going to be subject to this punishment. The reaction in the privacy community has largely been, what took you so long? This was such an obvious breach of privacy on the part of these companies that the FCC should've issued these fines a long time ago. That seems to be the reaction of both some of the interest groups and of Chairman Pallone himself, and not to mention some of the other commissioners of the FCC. It's a bipartisan agency. So there are some - oftentimes, you get dissenting commissioners as part of that agency. Why it took so long is an open question, but it is happening now. And we will see some of these companies be subject to FCC liability for the first time, and they're going to get, you know, a hefty fine, probably more than a simple slap on the wrist.
Dave Bittner: [00:18:10] Does anybody go to jail anymore, Ben?
Ben Yelin: [00:18:12] Well, it's hard for an entity like the FCC to go to jail, you know - I'm sorry, an entity like one of these companies to go to jail - because oftentimes, it's hard to pin liability down on one individual. But when we're talking about violations of Federal Communications Commission's regulations, that generally doesn't lead to jail time.
Dave Bittner: [00:18:33] We're not going to see a CEO hauled out in handcuffs...
Ben Yelin: [00:18:36] I know that's so appealing.
Dave Bittner: [00:18:37] ...As gratifying as that might - as it may be (laughter).
Ben Yelin: [00:18:39] If they weren't able to put Justin Timberlake and Janet Jackson behind bars for what happened at the Super Bowl...
Dave Bittner: [00:18:45] Oh, right, right.
Ben Yelin: [00:18:46] ...It doesn't look so good for Verizon.
Dave Bittner: [00:18:51] (Laughter) OK. Goodness. All right. Well, I mean, I suppose this is good news for those who are on the privacy sides of things.
Ben Yelin: [00:19:00] Absolutely. I mean...
Dave Bittner: [00:19:01] Better late than never.
Ben Yelin: [00:19:02] It is. It's absolutely welcome developments. You know, it took two years. You know, we knew in May of 2018 that multiple carriers were violating these privacy protections that exist in statute and per FCC regulations. And we finally are taking - the FCC, at least, is taking this proactive step. So in that sense, it is good news. And, you know, better late than never, right?
Dave Bittner: [00:19:27] Yeah, yeah. All right. We'll track it, as always. Ben Yelin, thanks for joining us.
Ben Yelin: [00:19:32] Thank you.
Dave Bittner: [00:19:37] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And don't forget you can get the daily briefing as an Alexa flash briefing, too.
Dave Bittner: [00:19:48] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:01] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. Every week, we talk to interesting people about timely security topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:20:28] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.