Bear prints in Oslo and Silicon Valley. Deepfakes may be finally coming... maybe... CISA issues ICS alerts, some having to do with AMNESIA:33. A quick trip through Patch Tuesday.
Dave Bittner: Norway calls out the GRU for espionage against the Storting. The SVR, probably, hacks FireEye. Huawei tested recognition software designed to spot Uighurs. 2021 predictions from Avast hold that next year might be the year deepfakes come into their own. CISA issues a long list of industrial control system alerts. Joe Carrigan looks at the iOS zero-click radio proximity vulnerability. Our guest is Matt Drake, director of cyber intelligence at SAIC, on what the recent elections can tell us about threat intelligence. And yesterday was Patch Tuesday. Do you know where your vulnerabilities are?
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 9, 2020.
Dave Bittner: SecurityWeek reports that Norway's PST, the country's domestic security and counterintelligence service, yesterday stated that Fancy Bear, APT28, a unit of Russia's GRU, was responsible for cyber-espionage directed against the parliament in Oslo, the Storting, back in August. It was part of a campaign that may go back as far as 2017.
Dave Bittner: The attacks weren't particularly exotic. Fancy Bear got access to Storting email accounts the old-fashioned way - by brute-forcing them.
Dave Bittner: Fancy Bear has been busy elsewhere, too. The security firm Intezer this morning reported that the GRU actor is using COVID-19 phishbait to distribute Zebrocy malware.
Dave Bittner: FireEye disclosed late yesterday that its red-teaming tools had been accessed by a sophisticated attacker the company believes to have been a nation-state. Some of the tools stolen were open source, others proprietary and held for in-house use. The company said no zero-days or unknown techniques were taken.
Dave Bittner: The New York Times says the attackers were almost certainly Russian. Unlike the intrusion into the Storting's email system, however, sources familiar with the matter told The Wall Street Journal that the intruders weren't the GRU but in all probability were the SVR, Russia's Foreign Intelligence Service and one of the Soviet KGB's direct offspring. Cozy Bear, APT29, is the best-known SVR threat actor.
Dave Bittner: Observers have shared several observations. First, FireEye is by no means a clueless or inept operation. This suggests that the attackers combined what the Johns Hopkins University's Thomas Rid characterized through The Wall Street Journal as confidence and recklessness.
Dave Bittner: Second, as CrowdStrike co-founder Dmitri Alperovitch said, FireEye isn't the first serious cybersecurity company to be hacked. He tweeted, quote, "with the FireEye breach news coming out, it's important to remember that no one is immune to this. Many security companies have been successfully compromised over the years, including Symantec, Trend, Kaspersky, RSA and Bit9," end quote. It's safe to assume that FireEye won't be the last, either.
Dave Bittner: It's the biggest theft of cybersecurity tools, The New York Times points out, since the Shadow Brokers looted the Equation Group material from NSA in 2016.
Dave Bittner: Why would Cozy Bear be interested in FireEye red-teaming tools? Of course, no one can be sure, but one possibility is simply embarrassment of a capable security company that's been called in to help in significant cyber-espionage cases. Another possibility is simple reconnaissance, or perhaps such tools might have some utility in deniable false flag operations.
Dave Bittner: WIRED sees the attack as a statement. Either largely stymied or a relative no-show during the recent U.S. elections, Russia would like the Americans to realize that the bears are still there, at most snoozing, not hibernating. Maybe, but the timing isn't entirely clear, either. FireEye had nothing to say in response to TechCrunch's question about when the attackers first gained access to its networks.
Dave Bittner: In any case, FireEye says it sees no signs of any of the tools having been used but that it's watching closely for any signs that the stolen material is being either employed or distributed to other threat actors. The company's quick disclosure is attracting good notices on Twitter.
Dave Bittner: The FBI has the incident under investigation.
Dave Bittner: Researchers at the security firm Cybereason this morning announced the discovery of a cyber-espionage campaign that's using Facebook, Dropbox, Google Docs and Simplenote for command and control and the exfiltration of data from targets across the Middle East. There are signs in the campaign's tactics, techniques and procedures that point to the MoleRATs, also known as the Gaza gang, which Cybereason describes as an Arabic-speaking, politically motivated advanced persistent threat.
Dave Bittner: The Washington Post writes that Huawei tested software designed to recognize ethnic Uighurs and set off Uighur alerts for Chinese authorities interested in keeping track of the disfavored, predominantly Muslim group. The Post sources its story to IPVM, a firm that tests and investigates video surveillance equipment. IPVM says it obtained its information from internal Huawei material.
Dave Bittner: Huawei said it was all just a test. And the video security startup it worked with, a company called Megvii, said that its technology was never intended to target any particular ethnic group.
Dave Bittner: It's noteworthy that IPVM didn't get the information through hacking or any form of corporate espionage. The company found it posted openly on Huawei's European website. Huawei took the file down when IPVM asked them about it. It's a disturbing, albeit not unexpected report. It's also an object lesson in how informative open-source intelligence can be.
Dave Bittner: There's a great deal of agreement among security companies about what 2021 is likely to hold. Avast is among the firms who've just published predictions. And like most others, they see the COVID-19 pandemic as driving more attacks on home offices and filling cyberspace with more virus-themed chum. Vaccination scams should be especially prominent as effective vaccines enter distribution, and there will be no shortage of fraudulent medical offers. And since valuable data draw not only espionage but also various forms of denial of availability, pharmaceutical and medical organizations will continue to be targets of both criminals and nation-states.
Dave Bittner: We've been warned against deepfakes for a long time, but Avast thinks they'll finally show up with significant effect in disinformation campaigns during 2021. The technology has advanced sufficiently to render them potentially effective.
Dave Bittner: The other technical advance Avast expects to see in the coming year is with respect to automation. The firm is more circumspect than many others have been about AI proper, pointing out that there has yet to be evidence of AI-based threats circulating in the wild. But they do think that growing datasets and knowledge bases will enable some hybrid threats to emerge. And, of course, both adware and stalkerware will keep thriving.
Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency has issued a large number of advisories concerning industrial control system vulnerabilities. As is usually the case with CISA advisories, they include links to and information about patches and mitigations. One of the advisories covers the AMNESIA:33 vulnerabilities reported yesterday by Forescout. Another warning addresses a hard-coded credential issue in the proprietary software of some GE medical devices.
Dave Bittner: Yesterday was, of course, Patch Tuesday, and Trend Micro emailed us to share an evaluation that called Microsoft's patching historically light - 58 patches in all, with nine rated critical, 46 important and three moderate. Adobe was similarly light - four patches affecting Adobe Prelude, Experience Manager and Lightroom. So the year ends with more a whimper than a bang, as far as patching is concerned. KrebsOnSecurity calls December's Patch Tuesday the Good Riddance 2020 Edition. On the other hand, CISA really had a lot to say about ICS issues, so let's not get cocky, kids.
Dave Bittner: Matt Drake is director of cyber intelligence at SAIC and former section chief of the Cyber Division of the FBI. He joins us with insights on how the recently completed election can inform a cyber approach to threat intelligence as we head toward the new year.
Matt Drake: There weren't the kind of incidents or the concerns - shouldn't say concerns - but we didn't have some of the issues that we had in previous elections. I think that's partially attributable to just the work that's gone in in the past few years, you know, at kind of all levels, whether it be, you know, the local municipalities are, you know, 8,000 ballpark, you know, voting districts out there with state officials, with federal officials, with county officials, the National Guard - all of those entities kind of working together over the past few years to harden those systems and have a better understanding of how everybody works together. And I think you're seeing the results of that in this election.
Dave Bittner: Is it fair to say that it's probably more that than restraint on the part of our foreign adversaries?
Matt Drake: Yeah. You know, it's hard to - I don't have any insight into their thought process and what it is...
Dave Bittner: Yeah.
Matt Drake: ...That they're going after. But, yeah, I mean, I suspect that there wasn't maybe the same effort there was. But I suspect if there was, we were on top of it. It's always kind of hard to tell, you know, if they backed off or if they kind of put the same effort into it and we were just ready for them. I really don't know. But it does seem to be, certainly, for whatever reason, a more successful election season from a cybersecurity perspective.
Dave Bittner: Well, I mean, with the things that you experienced when you were with the FBI back in 2016 and now observing what you have in this election cycle from the outside in 2020, what's your outlook? Are you optimistic going forward that we're headed in the right direction, that we're getting things under control in a good way?
Matt Drake: Yeah, I'm optimistic that the cybersecurity piece of it is working well. There's a part of me that thinks that back - looking back to 2016, you know, the intent of those intrusions wasn't necessarily, though, to get in and change votes. The intent of the intrusions, you know, may have very well been to just undermine the public's confidence in the election process. And you can turn into any channel you want these days, and you see that playing out, I think. So there was...
Dave Bittner: Right.
Matt Drake: I think that has become the greater concern. The cyberattacks in 2016 might have planted that seed and might still be, you know, doing their work today as, you know, the country is divided almost 50-50 on, you know, who won the election, almost.
Dave Bittner: Right.
Matt Drake: So we're still questioning how elections are held, whether or not, you know, every vote is counted, whether or not every legal vote is counted - you know, depends on how you even say that.
Matt Drake: So I do think the cybersecurity part has gotten better. We've hardened the systems, and I think we've done a better job of putting in processes that allow us to talk to all the, you know, stakeholders in this and get information out quicker so people can react to it quicker. But I think...
Dave Bittner: Yeah.
Matt Drake: ...From the cybersecurity perspective, I do think that we've gotten much stronger.
Dave Bittner: That's Matt Drake from SAIC.
Dave Bittner: And joining me once again is Joe Carrigan from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: A really interesting story came out of Google's Project Zero recently. I wanted to touch base with you on this. This was a fascinating one to me. Can you just give us an explanation? What's going on here?
Joe Carrigan: Yeah. So Ian Beer, who is a researcher at Project Zero, found a buffer overflow attack in some C++ code in the Apple operating system that allowed an attacker to run arbitrary code, but the vulnerability was accessible via radio - one of the radio services that the iPhone provides. So you didn't need to actually touch the phone to do this or even access it via a network. You can send a radio signal with a properly crafted payload that would reboot the phone and allow access and let people access all kinds of information on the phone.
Dave Bittner: Yeah, there's a remarkable demo that they have here in their write-up, too.
Joe Carrigan: Right, it is...
Dave Bittner: They have a whole - like, a dozen or so phones, and they just - they all reboot (laughter).
Joe Carrigan: Yep, every single one of them.
Dave Bittner: Yep, yep.
Joe Carrigan: This vulnerability has been patched because it is Ian's and Project Zero's policy to disclose these vulnerabilities responsibly. And they did a great job doing that.
Dave Bittner: Yeah.
Joe Carrigan: I don't want to spend time talking about the technical details of this attack. I want to talk about the implications and some of the things that are interesting that Ian says.
Joe Carrigan: First, he says - there's a great quote in this article - a couple great quotes. I'm going to read directly from what he wrote here. "The takeaway from this project should not be, no one will spend six months of their life just to hack my phone; I'm fine. Instead, it should be, one person working alone in their bedroom was able to build a capability which would allow them to seriously compromise iPhone users they'd come in close contact with."
Joe Carrigan: And Ian spent six months during this pandemic time - he was up in his room, in his bedroom or his lab just doing this at home, and he found the vulnerability. And imagine if he didn't report this. Imagine the - and one of the things he talks about in the article is, imagine the power you feel if you just have this capability and you're just walking around with it.
Dave Bittner: Well, and these have high value as well. A vulnerability like this can be sold to the highest bidder.
Joe Carrigan: Yes, and there are companies out there that look for these things. And, in fact, while Ian says he didn't see any evidence of this being compromised in the wild, he did notice that there was a tweet from Mark Dowd, who's the co-founder of Azimuth Security, which is an Australian company, who tweeted about the patching of one of the vulnerabilities he reported to Apple. And that tweet came out in May.
Joe Carrigan: So that was still while the vulnerabilities were undisclosed. So when you disclose a vulnerability, you say, we're going to - here are the vulnerabilities. I'm not telling anybody else about this. Fix them. And Apple has a very good response to this. They go, yep, we'll fix these right away if this is a problem. And once they fixed it, Mark Dowd tweeted, hey, they fixed the vulnerability.
Joe Carrigan: Now, there's a couple of things about this. One, whenever a patch for a vulnerability comes out, it's plainly visible to someone who has good reverse engineering skills what the vulnerability was in the operating system because you have to fix it. And you can reverse engineer the code, compare the difference between the old code and the new code and go, oh, they fixed this. Oh, they fixed that because that's a buffer overflow, right?
Joe Carrigan: But there's a VICE article from a couple of years ago that says that Azimuth Security is one of these companies that keeps these zero-days. In fact, there's another company called Zerodium, which has in the past actually offered bounties up to a million dollars for these kinds of things.
Joe Carrigan: One of the things that Ian says in this article is that unpatched vulnerabilities aren't like physical territory. This is another quote. "Unpatched vulnerabilities aren't like physical territory, occupied only by one side. Everyone can exploit an unpatched vulnerability." And this is the crux of the entire keeping vulnerabilities secret issue.
Joe Carrigan: It doesn't make you more secure by keeping the vulnerability hidden from the manufacturer or the people responsible for the code. It makes everybody less secure. Chances are you're not the only person that found this vulnerability. There are people out there who have also found it. There are people out there who are looking for it, I guarantee you that. They're always out there looking for it. And when they find it, there are unethical people out there who are going to try to utilize it. They're not going to report it. So when you find it, if you're an ethical person, it's great for you to - the first thing you do, to report it.
Dave Bittner: Yeah, absolutely. All right, well, for sure, it's an interesting bit of research here for Ian Beer. We've reached out to him, hoping to get him on "Research Saturday" to discuss the work here. Joe Carrigan, thanks for joining us.
Joe Carrigan: It's my pleasure, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Sometimes you feel like a nut, sometimes you don't. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.