The CyberWire Daily Podcast 12.21.20
Ep 1238 | 12.21.20

Sunburst looks worse: bad Bears in US networks, and that’s not just right at all. “Evil mobile emulator farm.” Report: Pegasus used against journalists.
Dave Bittner: Cozy Bear's big sweep through U.S. networks gets bigger, longer, more carefully prepared and worse in every way. IBM uncovers a big, conventionally criminal evil mobile emulator farm, and that's no good, either. Citizen Lab finds more to complain about with respect to alleged abuse of NSO Group's Pegasus tools. Awais Rashid from Bristol University on taking a risk-based approach to security. Rick Howard speaks with Cyral CEO Manav Mital on infrastructure as code. And tech executives are worried about pandas and bears and kittens, oh my.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 21, 2020. 

Dave Bittner: CISA updated Alert (AA20-352A) on Saturday to say that this SAML-abuse cyberespionage campaign wasn't confined to SolarWinds' Orion platform. Quote, "CISA has evidence that there are initial access vectors other than the SolarWinds' Orion platform. Specifically, we are investigating incidents in which activity indicating abuse of SAML tokens consistent with this adversary's behavior is present, yet where impacted SolarWinds instances have not been identified. CISA is working to confirm initial access vectors and identify any changes to the TTPs," end quote.

Dave Bittner: According to Reuters, Microsoft found an earlier attempt on SolarWinds' Orion software. The researchers call it Supernova, believing the malware was compiled in March, and describe it as an unsigned Orion imitator. Supernova is thought to have been the work of a second threat group distinct from the SVR group responsible for Sunburst. It's not known if Supernova was actually deployed operationally.

Dave Bittner: The SAML-abuse campaign appears to have been under preparation for some time. Yahoo cites sources on background who say the threat group conducted a trial run of their campaign as early as October of 2019. 

Dave Bittner: The number of victims continues to expand. Bloomberg has put the most recent count at "more than 200." Bloomberg also says that after initial checks, the financial services sector seems to have been relatively unaffected by the campaign. Banks and brokers are treating it as a wake-up call. 

Dave Bittner: US Secretary of State Pompeo said publicly Friday that the SAML-abuse campaign was pretty clearly the work of Russian intelligence services. Hitherto, such identification had come from the private sector, CISA and NSA confining themselves to attributing the cyberespionage to a state actor. President Trump discounted both the attribution and the severity of the incident as a whole, tweeting that it could just as well have been a Chinese operation and that, in any case, matters were well in hand. Few seem to agree with the President, and Congress is looking for retaliation. The range of responses will probably be sanctions, indictments of individuals determined to have been behind the keyboards or directing the people behind the keyboards and active disruption of Russian networks. That last class of action is unlikely to quickly become a matter of public record. 

Dave Bittner: While Russia may have been behind the Sunburst and Supernova campaigns, it is possible to look at China's track record for examples of how such cyberespionage can yield useful intelligence. Beijing's style can seem indiscriminate, collecting whatever can be collected. But according to an essay in Foreign Policy, once it's done that, analysis and exploitation become essentially a set of big data problems - and solvable big data problems at that. 

Dave Bittner: Russian representatives have, as is their custom, denied any involvement in an operation that has Cozy Bear's paw prints all over it. Has Russian President Putin addressed the incident? No - not directly anyway. But in remarks he made this weekend in recognition of the 100th anniversary of the founding of the SVR - actually the founding of its ancestor organizations in the early years of Soviet power - Reuters says Mr. Putin praised the SVR for its work in general. "I know what I'm talking about here," he said, in an evident allusion to his former career as a KGB agent. "And I rate very highly the difficult professional operations that have been conducted," end quote. So do a lot of other people, although they don't necessarily agree that this is a good thing. 

Dave Bittner: IBM Trusteer researchers have discovered a large-scale bank fraud operation run from what they characterize as an evil mobile emulator farm. More than 20 emulators were used to spoof well over 16,000 compromised devices. The scale of the operation is unprecedented for crime of this type. The gang responsible, probably based in Europe, is capable and careful in its exploitation of inherently legitimate services. 

Dave Bittner: Citizen Lab reports four groups - two unknown, one attributed to Saudi Arabia, the other to the United Arab Emirates - monitoring Al Jazeera journalists with NSO Group's Pegasus tool. Pegasus features zero-click installation, and its capabilities extend to accessing passwords, taking pictures, geolocating infected devices and recording audio from those devices' microphones. iPhones in particular were affected. And while Apple told Computing that it hadn't been able to independently verify Citizen Lab's findings, the company did say that the surveillance appeared to be highly targeted.

Dave Bittner: In the blog post that denounced Cozy Bear's cyberespionage campaign, Microsoft also took a shot at NSO Group, which it singled out as an example of private sector offensive actors, whom Redmond characterized as dangerous, akin to 21st-century mercenaries. 

Dave Bittner: NSO Group has long maintained that it's in the lawful intercept business and that it sells only to responsible governments, with its exports informed by determinations made by the Israeli government. Computing quotes the company as saying, quote, "Where we receive credible evidence of misuse combined with the basic identifiers of the alleged targets and time frames, we take all necessary steps in accordance with our product misuse investigation procedure to review the allegations," end quote. 

Dave Bittner: What do people see coming in the near future? Whatever they're seeing, that view is refracted through the pandemic, the holidays and, of course, Cozy Bear. The massive, long-running SVR intrusion into US government and corporate systems has strongly shaped business views of where the biggest cyberthreat lies. A CNBC poll of technology executives last week found that 50% of them regarded nation-state cyber operations as the biggest threat their organizations face. They're also alive to the counterintelligence failure the Sunburst and Supernova incidents represent. Thirty-two percent of the respondents thought that defining a national cybersecurity protocol should be the top priority for the incoming Biden administration and a new Congress. 

Dave Bittner: Online threats emerging during the holidays aren't going to just go away in early January. The holiday shopping season has seen a surge in online fraud that won't abate with the winter holidays. Not only have periods of online bargains and special offers followed the familiar pattern of seasonal creep, expanding so that what was once a single Cyber Monday has become at least a solid fortnight, but the pandemic will continue to drive trade out of brick-and-mortar venues and onto the internet. That risk affects not only consumers and retailers. Businesses whose workforce is now significantly remote have to consider, Arab News glumly points out, that this workforce is likely to be doing a lot of that shopping on the same devices they use to connect to the enterprise.

Dave Bittner: Fake delivery notices are proving one of the most common scams, CNBC reports, and this will continue as long as people continue, in their innocence, to fall for them. 

Dave Bittner: The CyberWire's own CSO, Rick Howard, has been talking to experts about DevOps and infrastructure as code and how that design philosophy applies to security. Here's Rick. 

Rick Howard: I have been disappointed in the pace that the network defender community has adopted this infrastructure-as-code concept. I first heard about it when I read Gene Kim's book "The Phoenix Project" back in 2013 - a Cyber Security Hall of Fame book, by the way. In it, Kim describes the philosophy of DevOps, which is kind of a fancy name for infrastructure as code. And with apologies to my fellow "Mandalorian" fans out there, I was convinced that this was the way. 
Rick Howard: Unfortunately, our entire community seems stuck in neutral about this topic. I was talking to Manav Mital about this. He is the co-founder and CEO of Cyral, a DevOps support company. I asked him to describe what infrastructure as code is. 

Manav Mital: It is a process for managing and configuring infrastructure through text files in both human and machine-readable format. So historically, what you would do is, you know, rack and stack infrastructure either yourself or through remote hands. And now all of the infrastructure resources are completely abstracted out by services that you can configure and treat it exactly the same way as software. 

Rick Howard: Manav agrees with me that the network defender community has shown up late to this party. 

Manav Mital: The security teams certainly came very late to this party, Rick. And even this goes back a few years, right? Historically, even before DevOps, you had three big silos - there was a development team, an ops team and a security team. Right? And there was a waterfall release model. And a software release would basically flow down from development to ops and then to security. And development and ops were the first two teams that fused together and brought this whole DevOps movement to bear. It became this virtuous cycle which made releases faster, but also enabled them to release more frequently and fundamentally be more agile. 

Manav Mital: Infrastructure as code then came in and put this up in a very high gear and really helped them accelerate everything that they were already doing. Now, for security, this became very challenging because, you know, they were typically deploying their tools and services and monitoring capabilities around the software and the stack that the development and ops teams provisioned. And now as the speed of release increased, they were just left hanging out there, trying to figure out how to keep up with it.

Rick Howard: But recently, the security side of DevSecOps has seen some gains from the cloud deployment side, specifically when it comes to the CI/CD pipeline, which stands for continuous integration, continuous delivery.

Manav Mital: And that led to this DevSecOps movement that allowed these three teams to very intimately collaborate with each other. In fact, some of the, you know, fastest-growing, most popular, hottest startups that we've seen in the security space have focused on enabling this DevSecOps culture. And with infrastructure as code, what has now come to bear is this security-as-code model, which integrates security directly into a team's CI/CD pipeline. So you can do security testing, vulnerability scanning, auditing, authorization checks, et cetera, directly into the application as it flows from test to code cover to production. 

Rick Howard: The DevOps movement got its name back in 2010 or so, but organizations have been playing around with the concept as early as 2003. What is clear is that the infosec community is still basically standing at the starting line. Nobody is saying that DevOps or DevSecOps, in this case, is a bad idea. But it feels like we are all still trying to get our heads around the idea. 

Dave Bittner: That's our own CSO Rick Howard. Be sure to check out his "CSO Perspectives" podcast. That's part of CyberWire Pro. 

Dave Bittner: And I'm pleased to be joined once again by Professor Awais Rashid. He's the director of the National Research Center on Privacy, Harm Reduction and Adversarial Influence Online at the University of Bristol. Professor Rashid, it's great to have you back. Today, we wanted to touch on this notion of the importance of risk-thinking when it comes to security decision-making. What do you have to share with us today? 

Awais Rashid: Security decision-making goes on in organizations all the time and at different levels. So, for example, you know, when you are dealing with sort of particular technical setups in your organizations, you would have to think about what kind of security mechanisms that need to be deployed. If you're a board member, you have to think about, you know, how, in particular strategic decisions, you must consider cybersecurity and how that may impact the business. 

Awais Rashid: But one of the things that we have noticed in a piece of research that we've been doing is that it's actually the risk-thinking strategies that matter greatly as to how effective the risk decisions can be. And there are, you know - in our work, we have observed a number of different risk-thinking strategies. And teams, when they work together on making decisions about cybersecurity, they can, for example, exhibit what you will call isolated thinking. And in this case, what effectively is happening is that the teams are considering the various stimuli in isolation. So the information that they're being provided, they are considering it in isolation rather than in a connected way. And then there are, of course, you know, other types of thinking that consider more of this in an interlinked way and, again, at different levels of complexity. So the way you think about risks can actually have a significant impact into what your outcomes are and how good or bad those outcomes would be. 

Dave Bittner: Yeah. I mean, it's interesting to me because I think we've definitely seen this shift in the past few years of security professionals at larger organizations approaching security decisions in terms of risk - and I think particularly when it comes to framing it in a way so that they are speaking the language of the board, that the board of directors, you know, thinks in terms of risk and managing risk and so on and so forth. So it's interesting to me that - it sounds like what you're pointing out here is that that mindset itself is not enough, that you have to be mindful of the actual type of risk-thinking that you take on. 

Awais Rashid: Absolutely. It's the richness of your risk-thinking, for lack of a better term. It really, really matters. And, you know, for example, we've seen that, you know, often, teams of decision-makers would also undertake what is sequential thinking, so where they think of sort of various events in a - or various pieces of information in an order and use them to inform. And that helps to some extent. But really, what is required is, you know, what you would think of as something like radial thinking, you know, where you are thinking about, you know, a core question and then generating multiple related ideas from it to see what would happen or, you know, other types of complex thinking, where, you know, when the discussion is going on, there is quite a lot of cross references to particular issues. 

Awais Rashid: And it's how you make sense of the risk landscape or the threats that face your organization or particular infrastructures, really. And the richness with which you consider it does matter. Because if the risk-thinking remains largely isolated and you consider things in isolation, then you're not really considering, then, the connection between the various issues that arise. 

Dave Bittner: How do people get started down this line of thinking? I mean, is there - are there some good sources you can recommend for folks to learn about how to go about this in the proper way? 

Awais Rashid: Well, there is a rich body of research now out there on cybersecurity risk decision-making. I will recommend people to go, for example, to look at the Cyber Security Body Of Knowledge project, where there is a very extensive description of how to do the risk management and governance in these kind of systems. But the other thing that I would also say is that there are various ways to approach it. And one is that you can approach any decision-making in a risk-first way. So you may think about, you know, what the risks are and then, you know, explore ways of negating the risk and then consider, what are the kind of multiple things that come into play? 

Awais Rashid: But the other is that all risk is not bad, right? So you may also consider the opportunities that are presented, right? And then consider, what are the risks that come from taking some of these opportunities and how the kind of various parts evolved from there? So all of this is a way to approaching risk-thinking. But again, individuals and teams can be quite introspective in that sense to think about as to, are they considering things in isolation, or are they actually also focusing on the links between the various elements that they are considering as they make decisions?

Dave Bittner: All right. Well, Professor Awais Rashid, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It's beginning to look a lot like Christmas. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.