Dave Bittner: Ukraine warns that Russia's Gamaredon Group is running a phishing campaign ahead of Ukraine's independence day. CISA and the FBI publish details on a North Korean remote access Trojan. Google patches a serious Gmail flaw. Marriott faces another lawsuit over its 2018 data breach. The WannaRen ransomware operators have released a decryption key. Rob Lee from Dragos with lessons learned from recent virtual conferences. Our guest is Rachel Tobac from SocialProof with her insights on social engineering and the Twitter hack.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 20, 2020.
Dave Bittner: Ukraine's National Cyber Coordination Centre warns that the Gamaredon Group - also known as Primitive Bear, a Russian threat group run by the GRU and presenting itself as a Ukrainian separatist organization - is newly active with phishing. The attackers are using malicious attachments that pose as official government documents, often spoofing the Security Service of Ukraine. The effort appears to be battlespace preparations for a campaign against Ukrainian infrastructure believed to be timed for Monday, August 24, which is Ukraine's independence day.
Dave Bittner: The center's press service stated, "Specialists of the NCCC within the national security and defense council of Ukraine have identified a trend towards the modernization of cyberattack software in order to increase the effectiveness of overcoming protection means and concealment of their activities in compromised systems. The analysis of malicious programs revealed signs of preparation for a large coordinated attack on government agencies and critical infrastructure, aimed at destabilizing the situation in Ukraine before the independence day and during preparations for the next local elections," end quote.
Dave Bittner: Ukraine's SBU security service also says that accounts of its involvement with Russian Wagner Group paramilitaries allegedly active in Belarus are Russian disinformation. Ukraine's SZR foreign intelligence service yesterday said the Wagner Group is operating in Belarus under Russian control.
Dave Bittner: The U.S. Cybersecurity and Infrastructure Agency and the FBI have issued a joint Malware Analysis Report describing a North Korean remote access Trojan BLINDINGCAN, which Hidden Cobra is deploying in an attempt to establish persistence in networks of interest to Pyongyang. The report says a threat group with a nexus to North Korea targeted government contractors earlier this year to gather intelligence surrounding key military and energy technologies.
Dave Bittner: The campaign represents another use of bogus job offers targeting workers in the defense sector to induce them into installing malware via malicious Word documents. In the example provided in the report, the attackers used documents that purported to come from Boeing's HR department.
Dave Bittner: Google yesterday patched a security flaw that could have enabled attackers to spoof emails from any Gmail or G Suite user while bypassing DMARC and SPF policies, ZDNet reports. The vulnerability was reported by security researcher Allison Husain in April, and Google fast-tracked its patching process after Husain published details of the flaw yesterday. The bug could be exploited via the G Suite administrator console by setting up custom mail routing rules and configuring an inbound gateway.
Dave Bittner: Husain explained in a blog post, quote, "By chaining together both the broken recipient validation in G Suite's mail validation rules and an inbound gateway, I was able to cause Google's back end to resend mail for any domain which was clearly spoofed when it was received. This is advantageous for an attacker if the victim they intend to impersonate also uses Gmail or G Suite because it means the message sent by Google's back end will pass both SPF and DMARC as their domain will, by nature of using G Suite, be configured to allow Google's back end to send mail from their domain. Additionally, since the message is originating from Google's back end, it is also likely that the message will have a lower spam score and so should be filtered less often," end quote.
Dave Bittner: Google fixed the issue within seven hours of the details being published, and Husain praised them for their quick response.
Dave Bittner: Marriott International is facing a class-action lawsuit in the High Court of England and Wales over the hotel group's massive data breach that came to light in 2018. According to Reuters, the lawsuit seeks unspecified damages and represents anyone living in England or Wales whose data was stolen in the breach. Based on the number of potential claimants, Verdict estimates that Marriott could be forced to pay tens of millions of dollars in compensation if it loses the suit.
Dave Bittner: The operators of the WannaRen ransomware, which was responsible for a widespread, indiscriminate wave of ransomware attacks in China this past April, have given a master decryption key to a Chinese cybersecurity firm, ZDNet reports. ZDNet speculates that the attackers, thought to be a small-time criminal group, realized they were in over their heads and provided the keys to avoid excessive attention from Chinese authorities.
Dave Bittner: A report from Clarity notes that more than 70% of industrial control system vulnerabilities disclosed in the first half of 2020 are remotely exploitable via a network attack. Computer Business Review notes that the energy, critical manufacturing and water sectors were the most affected by the vulnerabilities, although this could be due to those sectors receiving increased attention from security researchers.
Dave Bittner: And, finally, Palantir has quietly decamped from its Palo Alto headquarters, forsaking Silicon Valley for real estate more to its liking in Denver, as both the Denver and Silicon Valley business journals report. CNBC notes CEO Karp's view that Silicon Valley's increasing intolerance and monoculture and high cost of living have made it a less desirable place from which to do business.
Dave Bittner: Rachel Tobac is well known in security circles for her expertise in social engineering, bolstered by her multiple wins in the DEFCON Social Engineering Capture the Flag competitions. She's CEO and co-founder at SocialProof Security. And I recently interviewed her for our "Hacking Humans" podcast to get her insights on the recent hack of Twitter. Here's a segment of that interview.
Rachel Tobac: It came to my attention maybe an hour into the attack. I checked out my Twitter, and I saw former President Barack Obama had tweeted out a link to a bitcoin opportunity - is the way that he positioned it - where he said that you would - he would double your money. And I'm thinking to myself, that's unlikely.
Rachel Tobac: I don't think that that's - I don't think former President Barack Obama is going to double my money. And then I saw that Elon Musk had tweeted it out, too. And I was like, OK, that's really strange. So using Occam's razor, I deduced a couple of predictions.
Dave Bittner: And where did you begin? I mean, what were your first suppositions of what might be going on?
Rachel Tobac: Well, I started from my position. So I started thinking, what would I have done as an attacker? And what I would have done as an attacker is I probably would have just tried to gain access to their accounts by leveraging some sort of, like, internal access panel - an admin panel or god mode, we sometimes call it, at a company. And a lot of times, I do that when I'm hacking just by calling customer support. So I might call customer support, gain access to their credentials and just log in and then change the things that I want to change on the back end myself. So that was a prediction that I made. And folks were like, eh, I don't know. I think it was probably an API thing.
Dave Bittner: (Laughter).
Rachel Tobac: And I was like, maybe? But I don't know. The simplest explanation is sometimes the easiest, and it's just what the attacker does.
Dave Bittner: I think it's a really important point that you bring up here, and you've said it a couple times, and that's the willingness to say, I don't know. And I think that's something that - particularly online, that impulse is not often rewarded.
Rachel Tobac: (Laughter) Yeah. I think we saw a lot of people try and say, like, oh, I think I know what happened, or we know what happened. And they really don't. Even now, we only can go off of what Twitter admits happened, and even that might not be correct. And so we have to say that Twitter claims this happened - just like that type of language is really important to be clear on. A lot of times, we just don't know the answer. We can make hypotheses. We have reporting. But we are only reading those claims. We don't know for sure.
Dave Bittner: I wonder sometimes if we've got a little bit of that boy crying wolf situation here in infosec in general where, you know, we see it play out so many times. A breach occurs, and the PR folks from whatever company got breached say, we're convinced that this was a sophisticated actor who - you know, there was nothing that could be done due to the sophistication of this actor.
Rachel Tobac: Yeah, we hear that a lot. That's, like, a knee-jerk first reaction is - the word sophisticated is used in almost every press release. A sophisticated actor - I think we saw that in the case of the Twitter announcement as well - a coordinated sophisticated social engineering attack.
Dave Bittner: Right.
Rachel Tobac: And while it was coordinated, they did likely coordinate on Discord, from what we're seeing. It doesn't necessarily mean it's sophisticated. Social engineering somebody and calling to gain access to credentials while pretexting or pretending to be IT support, I wouldn't call that sophisticated. The things that I do are interesting, but I wouldn't say they're so hard that the average person couldn't do them.
Rachel Tobac: We do know that it's possible to defend against this stuff, too. We need to have least privilege. That means limited admin access. We need to have software to detect aberrant behavior. You know, if you're changing 15-plus emails on an admin panel in two minutes when you're really supposed to be doing that maybe once a day, then that's probably going to raise some red flags, and it probably should have sooner. We need to audit who has access. We need, you know, four eyes or two-person signoff. We have to treat people well and fairly. So while a lot of times we say it's a sophisticated actor and there's nothing that could have been done, many times it's less sophisticated than we think, and there's probably something that could've been done.
Dave Bittner: That's Rachel Tobac from SocialProof Security. Be sure to check out our complete interview on the "Hacking Humans" podcast.
Dave Bittner: And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to have you back. Your team at Dragos recently teamed up with the folks over at SANS, and you had a virtual conference. And you had a blog post about this. You said you had seven most meaningful lessons learned during that conference. Can you take us through what are the - some of the takeaways that you all left with?
Robert Lee: Yeah, absolutely. So every year, we put on the DISC, which is the Dragos Industrial Security Conference, at our headquarters in Maryland. It's a free conference for the ICS security community, the asset owners and operators to come in and get to see the latest in research and really just have a conference for them, not sort of the trade-showlike feel that can sometimes happen. And especially with COVID and all the things going on, I went to the team at SANS - we've - obviously, I'm a SANS instructor and have worked there and have good relationships over the years. So I said, look - why don't we actually just partner on some things and some various initiatives? And let's kick off that partnership with a conference. And so we hosted the SANS ICS Desk, right?
Robert Lee: So it's like SANS and the Dragos Industrial Security Conference. But we did it virtually, and we did it midsummer, right? Or so I - what? No, that was April. So that we could have it available for folks. So when we kicked it off, we were like, oh, maybe we'll have, like, 200 or 300 people that show up. We had close to 10,000.
Dave Bittner: Wow.
Robert Lee: And it was pretty wild. We had, like, 4,000 or 5,000 that were consistently on throughout the whole day - no matter, like, at any given point. You could dial in and see that. And that's crazy in terms of response. My No. 1 takeaway was just the amount of interest and passion people have for ICS security. And so we saw tons of people from outside the ICS security community coming in to take part in these presentations and understand what was going on. So it was a bunch of SANS people and a bunch of Dragos people that gave these presentations.
Robert Lee: The other one, though, is we pulled together and hosted a CTF. And for the CTF, it's really hard to get access to industrial control equipment. A lot of it's sensitive. More of it's super expensive. So most people in the community usually have, like, a virtual machine or two. Maybe they have a couple protocols they play around with. Getting access to a data off a full range is hard. There's only two or three places that have historically done that in our community, and it's been very limited data sets, anyways. And we put it out to the community and part of the CTF. So NetWars is the engine that SANS uses. It caps out at a thousand people. We've not ever had that problem. We did here.
Dave Bittner: (Laughter).
Robert Lee: We actually capped it out at a thousand people I think within the first three days of registrations being open, and everybody actually showed up. I think, like, 890 of them were active...
Dave Bittner: Wow.
Robert Lee: ...During the actual CTF window. It was a - I think it was a six-hour CTF.
Dave Bittner: (Laughter) I was going to say, did you effectively have to worry about the system being DDoS-ed with that many people?
Robert Lee: We were very concerned. And also just over, essentially, like, a six- or seven-hour period, I mean - we put so much data together, it was - and I mean this with no exaggeration. It was by far the largest ICS data set available to the community to date. And teams tore through it. And there was a couple of people in teams that finished, and it was, like, right down to the wire. Most didn't finish, which is what was expected. But they scored a ton of points and learned new things. So the feedback was just exceptional. People were in love with it. And that's the thing that - again, like, the bigger lesson learned, the bigger thing that I've been advocating for years anyways is, ICS security is cool, and given the opportunity, people will get involved.
Dave Bittner: Did your team come away with any things that they learned? Seeing the system get hammered in that kind of way with creative people from all over the world, were there any surprises?
Robert Lee: Yeah. So, I mean, we focused it on the defense, first of all. So we didn't see them, like, hammering it that way. Like, we did the attacks, and then they were doing the CTF in terms of, like, forensics and defense.
Dave Bittner: I see.
Robert Lee: I didn't want to give an environment - to be like, hey, some country's APT, do you want to come train on a...
Robert Lee: You know? I don't want to go down that route.
Dave Bittner: Right, right, right.
Robert Lee: So instead, it was like, here's packet capture and memory images - you know, that kind of stuff. And I think what the big takeaway was - and I've seen this anecdotally through teaching at SANS anyways in my ICS class, but it's good to get a non, like, you know, selection bias kind of view into this, where most of the people felt, hey, a lot of my IT security skill sets do translate well into ICS security, but many of them don't, and there are unique skills. And, hey, this is actually this interesting, unique thing. And you'll hear me talk a lot about how ICS is different and different mission and different, you know, threats. And you talk about that, but to get a reminder from a wide selection of highly skilled people of, no, yeah, we see the same thing; this is actually different, and it's cool, and it's unique, and it's fun. That's good feedback into the process.
Dave Bittner: All right. Well, congratulations on the event. Sounds like...
Robert Lee: It's available for people still, by the way.
Dave Bittner: ...It's a good experience for everybody. You can...
Robert Lee: Like, if people go to the SANS site, that - if they missed out, all of the presentations are online, both on the Dragos site and on the SANS site. All the slides, all the recordings and that data set is also available for folks that, once they register for the event over at SANS, they get that data set. Now, it's not - the CTF engine isn't active to go and score points, but all of the answers and the data set is there. And our hope is that there's just this continuing education tool for a lot of people to get interested in ICS.
Dave Bittner: All right. Robert M. Lee, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.