The CyberWire Daily Podcast 6.30.20
Ep 1120 | 6.30.20

Critical bug disclosed in Palo Alto products (a fix is available). StrongPity (a.k.a. Promethium) is back. A big Bitcoin scam. Lots of PII newly offered in the dark web. Australia and India look to their defenses.


Dave Bittner: Are you a follower of the CyberWire on LinkedIn? If not, you might just want to do that. Why, you ask? Well, we do a weekly discount code drop for CyberWire Pro. Each week, we will be dropping one discount code on LinkedIn with significant discounts for CyberWire Pro. That discount code can only be used five times, so follow @thecyberwire on LinkedIn. Keep your eyes peeled. The code could drop any day of the week, and it's first come, first served.

Dave Bittner: NSA and CISA agree - take Palo Alto's advisory about its PAN-OS operating system seriously. StrongPity is back and active against targets in Turkey and Syria. A big Bitcoin scam is using spoofed news outlets and bogus celebrity endorsements to lure victims. A large trove of PII has appeared in the dark web. Ben Yelin on whether or not the EARN IT Act violates the Constitution. Our guest is Brad Stone with Booz Allen Hamilton on how technology is changing the battlefield and why cyber is becoming so important in the DOD. Finally, both Australia and India look to shore up their defenses against cyberthreats from China. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 30, 2020. 

Dave Bittner: Palo Alto Networks yesterday disclosed a flaw in PAN-OS, the operating system that runs on its firewalls and enterprise VPN appliances. The vulnerability, CVE-2020-2021, is assessed as very serious, rated a 10 out of a possible 10 in the CVSS v3 scoring system, both easy to exploit and remotely exploitable. The company has also explained ways in which users can secure their systems. 

Dave Bittner: As Palo Alto explains it, quote, "when Security Assertion Markup Language - SAML - authentication is enabled and the Validate Identity Provider Certificate option is disabled - unchecked - improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources." 

Dave Bittner: US Cyber Command has urged all users to patch as soon as possible and warned that exploitation by foreign intelligence services can be expected soon. CISA has also distributed the alert. ITnews credits researchers at Monash University with tipping Palo Alto off to the problem. The issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3 and all later versions, so the solution is readily available – upgrade to a current version. 

Dave Bittner: The Promethium APT, also known as StrongPity, although that name has also been used for one of the group's tools, is back, ZDNet and others report. This time around, StrongPity is active against targets in Turkey and Syria. The latest wave of attacks features new Trojanized installers. It also shows a capability to search for and exfiltrate files from victims' machines. It's been employing watering hole tactics to selectively target victims in Turkey and Syria using predefined IP lists, and it has adopted a three-tiered command-and-control infrastructure that's enabled it to mask, to a certain extent, its operations and escape forensic investigation. 

Dave Bittner: Promethium is a cyber-espionage and surveillance operation believed to have been active since 2012, although it came to public attention in October 2016 with a watering hole campaign against targets in Belgium and Italy. Researchers at Bitdefender and Cisco Talos believe it to be state-sponsored. That represents a consensus view. Which state does the sponsoring, however, is unclear, and the answer may not be a simple one. Cisco Talos believes, for example, that it's possible that Promethium could be a crew of hired guns, cyber mercenaries working under contract for a nation-state or a set of nation-states. It's had an extensive target list. While Middle Eastern and North African nations have figured prominently among its targets, Promethium has also been active in Europe, Asia and the Americas. It has recently been implicated in surveillance of Kurdish populations. Promethium has been known to use both internally developed tools and lawful intercept products in its operations. 

Dave Bittner: Group-IB reports a widespread Bitcoin scam that's exposed personal data on thousands of victims. They're distributed over 21 countries, but by far, the most have been in the UK and Australia. Group-IB explained that victims' phone numbers, which in most cases came with names and emails, were contained in personalized URLs used to redirect people to websites posing as local news outlets with fabricated comments of prominent local personalities about a cryptocurrency investment platform that helped them build a fortune. 

Dave Bittner: The scam begins with an SMS text message with a shortened link, often a message that spoofs a well-known media outlet. Following the link takes the victim to a page tailored to their geographical region. The content purports to be exclusive media content of interest to an alt-coin speculator. The final stage redirects the unwary to enroll in a fraudulent Bitcoin investment scheme. The losses for people gulled into fraudulent speculation are obvious. Less obvious, but equally real, is the reputational damage the spoofed celebrities and media outlets suffer as their names are hijacked into the service of crime. 

Dave Bittner: Brad Stone is senior vice president at Booz Allen Hamilton, and he joins us with insights on how technology is changing the global battlefield and why cyber is so important in the DOD. 

Brad Stone: The DOD, at its core, starts with some of the same problems that any other large organization is faced with, and that's protecting the enterprise. So at its core, the DOD, just like a large bank or just like other agencies, has to protect its core IT infrastructure, building off of their IT security. What assets do I have? What data am I protecting? Who's on my network? But it builds from there, given what the DOD's all about. 

Brad Stone: As we kind of go from that core enterprise, we move into a broader set of platforms and devices that are critical for what the DOD does on a daily basis. So thinking about how you secure these interconnected platforms and devices to not only have the readiness to protect our nation but to really have that advantage in driving the locality (ph) that is a key metric of defense success. And because of that view of this being a mission environment, there's the third element of cyber being a warfighting domain, so starting with that IT enterprise, moving into a broader set of platforms that are having to secure and understand embedded vulnerabilities, but ultimately getting at a point where you're going toe-to-toe with an adversary to achieve a mission objective. So it starts at that same kind of cyber level that many of us tackle, but it takes it up to another level 'cause, really, in the end of the day, the Department of Defense is about saving and protecting lives. 

Dave Bittner: How does an organization with the scale of the Department of Defense maintain an ability to stay nimble, to be able to be both reactive and proactive in an increasingly rapidly developing theater of war? 

Brad Stone: It's really a team sport between the public-private partnerships. But within the DOD, they attack it in multiple ways. So tying back to the core, enterprise IT with large organizations are protecting that enterprise, driving the network operations. But now with the new Cyber Mission Force that has been stood up under Cyber Command, you've got a set of trained warriors that are able to go in there and add the additional expertise and experience to go in and fight the fight, whether that's in incident response or threat hunting. So they're attacking it just like they have for years with almost a defense in depth kind of a strategy, but they're also doing that organizationally. And - but again, it's always about a team sport. And the adversaries know where the weak links are in that, so there's constantly preparation and testing, a lot of investment into ranges across the department to look at these things and prepare not only for today but for the future. 

Dave Bittner: Can you give us some insights - as an organization that does a lot of business with the Department of Defense, can you give us some insights as to what sort of things they're looking for from an organization like yours in terms of that partnering? What sort of things are they looking to rely on you? What are their expectations? 

Brad Stone: There's a few things that we really focus on in that partnership. One is this is such a complex ecosystem, it's really about helping our clients understand how to be effective. But a lot of it can come down to speed, simplicity and driving towards outcomes. So they look at an organization like ours that's helping them maximize their investment. They might have bought significant amounts of tools, but they're misconfigured, and integrating them together such that they are simpler for those warfighters to leverage but then still equally effective with the right understanding of detecting threats and responding to them to ensure their safety. So when we talk about, like, going in to doing a range or a training event, it's that understanding of the mission context with those cyber vulnerabilities and that tradecraft combined together allows our clients to understand risk. And risk in the Department of Defense ties back to readiness. And readiness is ultimately the measurement that the DOD is looking to understand where it stacks in a global environment. 

Dave Bittner: That's Brad Stone from Booz Allen Hamilton. 

Dave Bittner: Lucy Security says it's found data from 945 websites for sale in dark web markets. Up to 14 million victims may be affected. The information includes usernames, full names, phone numbers, hashed and non-hashed passwords, IP and email addresses as well as physical addresses. It's contained in two databases that together amount to roughly 150 gigabytes of unpacked SQL files. They were released this month on June 1 and June 10. The content of the databases - and remember, they represent material culled from almost a thousand sites - appears to have been procured by different hackers. Investigation is proceeding.

Dave Bittner: Australian concern about Chinese operations in cyberspace has not abated. The Chinese activity, comprising a range of espionage activities, has prompted an equivalent range of defensive responses. The most recent response has been in terms of resources. Prime Minister Morrison's government has pledged, ZDNet reports, AU$1.35 billion. The expenditure will be spread over 10 years, and a lot of it will be spent on the Australian Signals Directorate, where 470 million will be allocated to the creation of 500 jobs. A further 278 million will be used to help ASD go after offshore cybercrime, to help expand intelligence capabilities and to develop a national situational awareness system to respond to threats on a national scale. The situational awareness package is known as CESAR, for Cyber Enhanced Situational Awareness and Response. The uses to which the remaining 500 million will be put are expected to be specified in the forthcoming 2020 Cyber Security Strategy, due out later this summer.

Dave Bittner: And finally, India, whose policy on allowing Chinese tech into its domestic markets has hardened considerably since recent shooting skirmishes along the Indian-Chinese border, is preparing for a wave of cyberattacks orchestrated from Beijing, the Economic Times reports. Authorities have been issuing alerts and warnings to this effect for more than a week. Whatever develops, New Delhi expects the worst from Beijing. 

Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast, which, if you have not checked out yet, what are you waiting for? It's an awesome show (laughter). Welcome back.

Ben Yelin: Yeah, you really have to check it out, yeah. 

Dave Bittner: (Laughter) We do have a good time over there and cover some important issues. Ben, I want to touch base with you this week. Got news - this is from the EFF, the Electronic Frontier Foundation, and they have put Congress on notice that they believe that the EARN IT Act violates the Constitution. What's going on here? 

Ben Yelin: Yeah. So the EARN IT Act was a piece of legislation proposed earlier this year by Republican members of Congress. And the ostensible purpose of the act was to get online platforms to crack down on things like sexual exploitation, cybercriminals, et cetera. But what opponents have alleged, you know, for good reason, is that this bill is a Trojan horse to undermine encryption. Even though encryption isn't actually contained within the legislation, it would give the attorney general the power to compel online service providers to break encryption or be exposed to legal liability. 

Ben Yelin: So this presents, in the view of the Electronic Frontier Foundation, a bunch of constitutional issues. They talk about how the bill would identify various best practices for online service providers. And just instituting those best practices would be sort of an impermissible regulation of editorial activity, which is something that's usually up to the discretion of that platform. They talk about how this bill would remove Section 230 immunity. We've talked about Section 230 on our podcast and on this podcast from the Communications Decency Act. It generally shields tech companies from liability for content-management decisions that they make on their platform. 

Dave Bittner: Right. 

Ben Yelin: What this bill would do would be to remove that immunity if online platforms don't comply with the government's best practices. And what EFF is saying, I think reasonably, is that sort of meddling in editorial choices would be a violation of the free speech rights and expression rights of those platforms. 

Ben Yelin: Another thing that this bill would do is it would hold these online service providers responsible for certain types of content - certain types of user-generated content. Obviously, the content that's being regulated in this bill are things that we would find morally objectionable - sexual exploitation, et cetera, et cetera. 

Dave Bittner: Right. 

Ben Yelin: But in order to have a content-based restriction under the First Amendment, according to our Supreme Court, it has to pass strict scrutiny, which in nonlegal parlance means you have to have a darn good reason to regulate that behavior. And in the mind of EFF, this bill would fail that test. 

Ben Yelin: And then they identify some Fourth Amendment issues with this bill, as well. They say it would turn online platforms into government actors that search users' accounts without a warrant based on probable cause, you know, partially because it's allowing these providers to search, screen or scan for instances of online sexual exploitation. That's a laudable goal, but it is something where a company, kind of mandated by the government, would be surveying people or searching people without any probable cause to do so.

Ben Yelin: So they have put members of Congress on notice that they think this bill fails to pass constitutional muster. I haven't gotten any indication that this act is really going anywhere in Congress. Congress kind of has its mind on other things - the COVID response, policing reform, appropriations bills, and we're also in an election year. 

Dave Bittner: Right. 

Ben Yelin: But I also, you know, I do think it's important for advocacy groups to always be on watch for laws like this, especially ones where the average person would see it and say, oh, cracking down on online sex predators, that's great. 

Dave Bittner: Yeah. 

Ben Yelin: You know, who wouldn't support that? 

Dave Bittner: Right. 

Ben Yelin: It is incumbent upon these advocacy groups to point out potential constitutional issues, and I think that's what they've done here. 

Dave Bittner: Yeah. All right, well, thanks for explaining it to us. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.