The CyberWire Daily Podcast 7.7.20
Ep 1124 | 7.7.20

Sabotage, not cyber? Cosmic Lynx pounces on some big companies with BEC. Purple Fox upgrade. Coordinated inauthenticity in the journalistic supply chain.


Dave Bittner: Explosions at Iranian nuclear sites remain unexplained but look increasingly like conventional sabotage as opposed to cyberattacks. The Cosmic Lynx gang sets a high bar for business email compromise. The Purple Fox exploit kit gets an upgrade. Ben Yelin describes a Fifth Amendment-compelled decryption case that may be headed to the Supreme Court. Our guest is Hugh Thompson, chairman of the RSA Conference program, on the human element of cybersecurity and lessons learned shifting a conference online. And a network of coordinated inauthenticity and fictitious persona is found phishing an Emirati official line.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 7, 2020. 

Dave Bittner: The explosions and fires last week at Iran's Natanz nuclear facility and some other installations continue to remain officially unexplained. The BBC reports that Tehran says it knows what caused the fire at Natanz but that Tehran isn't saying. It looks, however, more like physical sabotage than either an accident or the kinetic cyberattack that was the subject of weekend speculation. And whoever is speaking for the self-described Iranian dissident group the Homeland Cheetahs appears to have had advanced knowledge of the incident. But the putative group materialized from nowhere and increasingly looks like a false flag. 

Dave Bittner: The Washington Post quotes an anonymous Middle Eastern security official who spoke on condition that both his identity and nationality be concealed to the effect that the damage was caused by a bomb placed inside the facility. The operation, that source says, was an Israeli effort to send a message that would deter Iran from accelerating its pursuit of nuclear weapons. 

Dave Bittner: Agari describes Cosmic Lynx, a Russian gang responsible for 200 business email compromise attacks in 46 countries over the past year. Tempted as we might be to think that overworked county clerks offices and gentle little mom and pop small businesses are the natural prey of the BEC scammer, Cosmic Lynx has bigger fish to fry. As Agari puts it, quote, "unlike most BEC groups that are relatively target agnostic, Cosmic Lynx has a clear target profile - large multinational organizations. Nearly all of the organizations Cosmic Lynx has targeted have a significant global presence, and many of them are Fortune 500 or Global 2000 companies," end quote. They're also selective with respect to the people they prospect. About three-quarters of them hold the title managing director, vice president or general manager. 

Dave Bittner: The gang shows a regular pattern. They use the bogus intention of acquiring an Asian company as the pretext of their request. They impersonate the victim company's CEO in an email, asking them to work with external legal counsel to arrange the payments necessary to closing the acquisition. That external counsel is the hijacked identity of a real attorney. Agari says the imposture involves an actual British law firm. Once the hook is set, the corporate mask is induced to send payments to mule accounts Cosmic Lynx controls. The average Cosmic Lynx ask is $12.7 million, two orders of magnitude larger than the average seen in BEC attacks in general, which normally run about 55 grand. The mule accounts are usually in Hong Kong, sometimes in Hungary, Portugal or Romania but never in the United States. Large or small organizations should consider the training and policies that can help protect them against business email compromise. 

Dave Bittner: For those of us who attended the 2020 RSA Conference in San Francisco earlier this year, it's a safe bet that it was the last major gathering most of us attended before COVID-19 shut everything down. For organizations like RSA who run multiple conferences around the world, this presents the obvious challenge of how to continue doing so in a safe way while still providing the value attendees demand. Hugh Thompson is chairman of the RSA Conference program, and he joins us with lessons learned, shifting their upcoming Asia Pacific and Japan conference online. Full disclosure - the CyberWire is a media partner with RSA. 

Hugh Thompson: We are just in unprecedented times. You know, we were very fortunate to have RSA Conference in the U.S. earlier in the year. But now we find ourselves in a period where most people are at home, may be home for a significant amount of time. But they still need the kind of content that RSA Conference provides and the kind of connective tissue that we provide for the industry. So we're finding ourselves asking, how do you reproduce something that's such a human experience; that's, you know, the interaction of people and, you know, the transferring of knowledge and calibration to something that people can consume at home and really get a lot of value out of. And that's what we've tried to do. That's what we've strived to do. And we'll have a big launch of it in our upcoming RSA APJ conference. 

Dave Bittner: Do you suppose when we find ourselves on the other side of this and people feel as though they can get back together safely, are there going to be changes to large conferences like RSA, or are people going to approach them differently? 

Hugh Thompson: I think so. I think that if you are an organizer of a large conference, one of the first questions you have to ask is, how do you make the virtual experience rich, whether you have an in-person component or not? I think that's going to be critical, and there's some fascinating benefits to it. One is that it really opens up the attendance to many, many more folks. Like, for example, you know, for RSA Conference, we see every year that part of a security team from a large company can go to the conference. And then maybe the following year, a different set of people from the security team can go to the conference. And it's a budgetary issue. It's a, you know, availability of resources issue. 

Hugh Thompson: But with an event being virtual or at least having a strong virtual component, you can actually bring a lot more people together. And I've heard this from many other folks that are organizing these large virtual events - is the amount of attendance, the amount of registration, the amount of interest - I think we're building the community in a meaningful way. And what we're seeing is the humanity of this space shine through. And that's incredibly encouraging. I think most folks who are outside the security industry don't realize how human and how collaborative a space that it really is. And we're really seeing that come to the forefront during these times. 

Dave Bittner: That's Hugh Thompson from RSA. The 2020 RSA Asia Pacific & Japan virtual conference kicks off July 15. 

Dave Bittner: Security firm Proofpoint reports that the Purple Fox exploit kit has gained capabilities exploiting two known and patched Microsoft vulnerabilities. Purple Fox, described this past September by Trend Micro, appears to be a successor to the widely used RIG exploit kit. The crew behind Purple Fox apparently decided it made business sense to bring exploit kit development in-house. Proofpoint has now observed Purple Fox exploiting CVE-2020-0674 and CVE-2019-1458. The former is a memory corruption vulnerability in Internet Explorer that Microsoft fixed on January 18. Proof-of-concept exploits have been published since then. The latter vulnerability is a Windows privilege escalation bug Kaspersky observed being exploited last October in the Operation WizardOpium watering hole attacks. Microsoft fixed that one in December's 2019 Patch Tuesday release. And the obvious message here is the simple one - patch. These aren't zero-days. 

Dave Bittner: An investigation by The Daily Beast has exposed a journalistic persona, one "Raphael Badani," represented as an international affairs expert whose bylines have appeared in the Washington Examiner, RealClearMarkets, American Thinker and The National Interest. There is, however, no such guy at all. Raphael Badani's online pictures were scraped from the unknowing site of a San Diego entrepreneur who had no idea his image was being appropriated. And Raphael Badani's profile claimed degrees from George Washington and Georgetown Universities. But sorry, no, he didn't attend either. In fairness to Raphael Badani, how could he have attended? After all, poor guy doesn't even exist. And trust us, it's tough to get through a university program when not only are you not there; you're not anywhere. You thought distance learning was tough? Try nonexistence learning. 

Dave Bittner: The Badani persona wasn't a lonely one-off, either. It - he - it figured in a network that boasted a lineup of at least 19 other policy catphish whose general line was to praise the United Arab Emirates and advocate a harder line toward Qatar, Turkey and Iran and toward those nations' proxies in the Levant. Their work also appeared in Human Events, The Post Millennial, The Jerusalem Post, Al Arabiya and the South China Morning Post. The catphish were often linked to the Arab Eye and Persia Now, which served as central sites for sourcing their work. Some of the news outlets, notably The Washington Times, have taken down the contributed content with a brief notice. Others still have it up. 

Dave Bittner: Twitter yesterday took down a number of accounts associated with the coordinated inauthenticity, but the whole episode serves as a useful cautionary tale of the relative ease with which it's possible to place pieces, especially as op-eds, in news outlets. It's even easier if their editorial boards aren't disposed to a sympathetic hearing of your message. You may have heard the old saw, the enemy of my enemy is my friend, or the underworld platitude, keep your friends close but your enemies closer. Here's another one for us to consider. Keep the enemies of your enemies closest of all. They may not have your best interests at heart. 

Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Ben, always great to have you back. 

Ben Yelin: Good to be with you, Dave. 

Dave Bittner: Interesting story here. This came across my desk via Orin Kerr, who's a well-known, I guess, legal pundit on Twitter. Is that a fair way to describe him? 

Ben Yelin: Yeah. He's a law professor at UC Berkeley. We - I'm a great admirer of his, even though we... 

Dave Bittner: All right. 

Ben Yelin: ...Differ on some political issues. But he is probably the foremost legal expert in this country on Fourth Amendment and Fifth Amendment issues relating to technology. 

Dave Bittner: Well, he brings up a case here from the Indiana Supreme Court, who has split with a Massachusetts court with a case that may be heading to the Supreme Court. And it's all about compelled decryption. What's going on here, Ben? 

Ben Yelin: So the case, as you said, comes from the Indiana Supreme Court. It was a woman who was placed under arrest. Law enforcement took her iPhone. They thought that iPhone contained incriminating evidence. Detective couldn't get into the iPhone because the iPhone was locked. Law enforcement got a warrant to force this person to enter in the passcode to unlock her phone. She refused, and the trial court held her in criminal contempt. 

Ben Yelin: So this, of course, concerns the Fifth Amendment right against self-incrimination. The Fifth Amendment says the government cannot force you to be a witness against yourself. This only applies to testimonial evidence, so things you say, the contents of your own mind. And there's this related doctrine as it comes to compelled decryption called the foregone conclusion doctrine. So the government can force somebody to submit testimonial evidence if the government already knows the testimonial aspect of the act and isn't trying to actually learn anything through that compelled act. The question in these cases is what counts as - what is the actual testimony being sought through compelled decryption here? 

Ben Yelin: What Orin Kerr has argued is that the only testimonial act involved is the person admitting that they know their own passcode. If the government is aware that the person knows their own passcode, then there's no Fifth Amendment violation because it is a foregone conclusion that a person knows their own passcode. Presumably, they've been able to open that phone in the past. There's all different types of information. You're not forcing a person to reveal anything new by compelling them to decrypt their device. 

Ben Yelin: The conflicting view - and this is a view that has been adopted by a number of other scholars - says that testimony is not just the knowledge of one's own passcode but the contents - the knowledge of the contents on one's own device. And in a separate jurisdiction in a 2011 case, a federal court actually adopted that alternative view that the Fifth Amendment does apply in these circumstances because you're not just revealing that you know the passcode; you're revealing that you are aware of the information that is on the device - the potentially incriminating information. You are making that information available to the government. 

Ben Yelin: The Indiana Supreme Court is taking this alternative view as well. And this goes against the jurisprudence of other state courts, specifically, as you mentioned, the Massachusetts Supreme Court. They're saying that a suspect surrendering an unlocked phone implicitly is communicating not only that they know the passcode but that they know the files on that device exist, that incriminating information exists, and the suspect is admitting that they possess those files and are aware of those files. And in the view of this court, that counts as testimonial evidence that would invoke the right against self-incrimination. 

Ben Yelin: So the upshot of all of this is now we have competing case law coming from state supreme courts. And at least Professor Kerr, and I think many other scholars, are predicting that this is sort of on a collision course for the Supreme Court. Eventually, the Supreme Court is going to have to decide based on their own view of the issue which one of these approaches best fits with the original intent of the Fifth Amendment right against self-incrimination. So I - you know, whether it's this Indiana case that actually makes it up to the Supreme Court or whether it's a different case, I think this is something that we're going to see the Supreme Court wrestle with in the coming years. 

Dave Bittner: Do you have a take on it? Do you feel like it should go one way or the other? 

Ben Yelin: I sort of - I disagree with Professor Kerr on this issue, and I kind of agree with the alternative view of different scholars that the testimonial act is admitting that you know incriminating information is on that device. It's not just the knowledge of your password. It's sort of like being forced to reveal something very personal like a diary - knowing that you know the contents of that diary, not that you know how to actually physically open, you know, the notebook that you've written that diary in, if that makes sense. So, you know, I think the spirit of the Fifth Amendment is not letting the government force somebody to testify against themselves, to incriminate themselves. It's a fundamental tenet of our criminal justice system and of the due process of criminal defendants. And I think that would be violated if this foregone conclusion doctrine is applied as it relates to compelled decryption. 

Dave Bittner: Oh, yeah. Interesting to see this one make its way through the courts. 

Ben Yelin: Yeah, and I would love to see the Supreme Court resolve this issue one way or another just because we do have this pretty fundamental split between state supreme courts. 

Dave Bittner: Yeah. All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.