The CyberWire Daily Podcast 6.23.21
Ep 1360 | 6.23.21

Cyberespionage, in Central Europe and South Asia. Iranian state media sites seized. Sale of inspection and tracing tools leads to an indictment in France. Cooperation, foreign and domestic.


Dave Bittner: ReverseRat looks like a state-run espionage tool active in South and Central Asia. The U.S. Justice Department seizes 33 sites run by media aligned with the Iranian government. Poland offers more clarity on a cyberespionage campaign it attributes to Russia. An intercept and inspection company's executives are indicted for complicity with torture. NSA opens a Cybersecurity Collaboration Center for Industry. Joe Carrigan examines Apple's push to replace passwords. Our guest is Shehzad Merchant from Gigamon with a breakdown on security guidelines for hybrid cloud programs. And the FSB says it hopes for reciprocity.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 23, 2021. 

Dave Bittner: Lumen's Black Lotus Labs have described a new Trojan they're calling ReverseRat. The malware is deployed in cyberespionage operations against government and energy sector targets in South and Central Asia. Its infrastructure is hosted in Pakistan, and Black Lotus Labs tentatively attributes the campaign to Pakistan's government. ReverseRat is regarded as unusually evasive, with low detection rates by monitoring software. Lumen describes the Trojan's evasion techniques as including use of compromised domains in the same country as the targeted entity to host their malicious files, highly targeted victim selection after the initial compromise, repurposed open-source code, in-memory components used for initial access and modification of registry keys to covertly maintain persistence on the target device. 

Dave Bittner: How the first stage of the attack is delivered isn't entirely clear. It involves delivering malicious URLs that point to compromised sites, and Lumen conjectures that the baited documents probably arrive through some form of phishing or smishing. The phishbait is varied, but documents alluding to events or organizations in India have been common. Lumen has also seen COVID-19 phishbait and topics likely to be of interest to people working in the energy sector. 

Dave Bittner: Most of the victims were in India, with a smaller set of targets in Afghanistan. Lumen assesses the ReverseRat operators as not as sophisticated as the most skilled state-sponsored actors, but the threat actor is by no means contemptible, and the researchers think they bear watching. 

Dave Bittner: The U.S. Justice Department yesterday seized 33 websites used by the Iranian Islamic Radio and Television Union and three more run by the Kata'ib Hezbollah. Aligned with the Iranian government, the media outlets were operating in violation of U.S. sanctions against designated terrorist groups. The domains Justice seized were owned by a U.S. corporation. Other sites based abroad were beyond the scope of the warrants the feds executed. The immediate offense, note, is sanctions violations, not engagement in propaganda or disinformation. 

Dave Bittner: Polish authorities have offered more details on the cyberattacks their country has sustained over recent months. They attribute the campaign to UNC1151, a threat actor associated with Russian intelligence services and generally regarded as responsible for the Ghostwriter campaign. According to The Hill, Polish intelligence services regard the campaign as part of a larger effort aimed at destabilizing central European governments. A spokesperson for the Polish minister coordinator of special services said yesterday, quote, "The findings of the Internal Security Agency and the Military Counterintelligence Service show that the UNC1151 group is behind the recent hacker attacks that hit Poland. The secret services have reliable information at their disposal, which links this group with the activities of the Russian secret services," end quote. 

Dave Bittner: The attacks involved the compromise of email accounts. The Washington Post puts the tally of affected accounts at more than 4,300, at least a hundred of which belonged to current or former Polish government officials. 

Dave Bittner: C10p is down but not out, apparently. Motherboard says the C10p gang - that's C, numeral one, numeral zero, letter P - C10p - has resurfaced after some of its principals were arrested in Ukraine last week. Other members of the gang have made a reappearance on their dark web site, posting what they claim is information stolen from some recent victims. The gangstas aren't answering their email, or anyway they're not responding to the "hey, what's up" Motherboard sent them, but they appear to be signaling that they're not out of the picture yet. Still, we can hope, right? 

Dave Bittner: Reuters reports that NSA has opened a Cybersecurity Collaboration Center. The new center aspires to closer ties with U.S. companies. It’s hoped that sharing information on attacks will be mutually beneficial, especially as companies that operate portions of critical infrastructure increasingly come under attack. 

Dave Bittner: The head of Russia's FSB says Russia intends to work together to hunt down cybercriminals. Reuters says the FSB hopes for reciprocity from the U.S. The proof of course will be, as they say, in the pudding. Russia has always offered its cooperation in investigating cybercrime and other affronts, but their prospective partners have tended to regard the gift as Greek, like that big horse left behind on the beach outside the walls of Troy. We shall see. 

Dave Bittner: SecurityWeek reports that French authorities have indicted four former and current executives of Nexa Technology, an intercept company formerly known as Amesys, on charges of complicity with torture carried out by Egypt and the Libyan regime of the late Muammar Gaddafi. 

Dave Bittner: The charges are complicity in acts of torture and complicity in acts of torture and forced disappearances. Amesys had sold deep packet inspection tools to Colonel Gaddafi's Libya, and the charges allege that the Libyan government used it for the surveillance and arrest of opposition figures who were subsequently tortured. After its rebranding as Nexa, the company is accused of selling a version of Amesys’s Cerebro software - capable of real-time message and call tracing - to the Egyptian government, which is alleged to have used it in a similarly repressive fashion. 

Dave Bittner: The problem lies in the selection of customer - whatever one thinks of the possibility that surveillance tools can be used legitimately and legally, to whom they’re sold matters a great deal. It’s difficult to say that their abuse by Gaddafi was unforeseeable by a reasonably well-informed person. 

Dave Bittner: And finally, the Market Research Telecast has an account of the Nefilim ransomware. It’s the "computer virus that robs but the rich," the headline says. But when you read further, you’ll realize that their motives aren’t ones of altruistic restraint, still less any kind of preferential option for the poor. They’re more Willie Sutton than Robin Hood, more Depression-era Philadelphia than Sherwood Forest. Nefilim goes after rich organizations because that’s where the money is. It's a self-interested preferential option for a big illicit payday. 

Dave Bittner: If their name is to be taken as an allusion to the Nephilim of Genesis and Numbers, do recall that those Nephilim, whether giants or fallen angels, weren’t exactly positive role models. So whether it’s the happy land of Canaan or the Corn Exchange Bank and Trust Company, the giants are in for the big score. 

Dave Bittner: The journey many organizations are taking toward the cloud can include stops along the way, mixing various elements from different suppliers. Shehzad Merchant is chief technology officer at Gigamon, and he shares insights on the elements he sees leading to success in hybrid cloud deployments. 

Shehzad Merchant: Today, cloud is foremost on people's mind. Almost every CIO, every CISO you talk to has a mandate to move to the cloud. And that typically means one of three things. The first is to migrate towards a private cloud infrastructure, where they are essentially hosting their own applications in a private cloud environment and their own data center, or it can mean moving to infrastructure as a service - in other words, AWS, Azure, GCP - or it can mean moving towards a SaaS-first model - right? - which is you move towards software as a service first, and what you cannot satisfy with the SaaS model, then you leverage either infrastructure as a service or you leverage a private cloud infrastructure. But I think almost any company you speak to today is well on their journey towards this framework and this model. The degree to which they have made the transition varies, but almost every company is on this journey. 

Dave Bittner: Is it safe to say that talking about hybrid cloud - I mean, that covers a broad spectrum of possibilities? 

Shehzad Merchant: It absolutely does. It covers the spectrum of a hybrid from the perspective of your own private cloud and the public cloud. But it also covers a spectrum of having multiple public cloud providers. You could have your applications hosted in AWS. You could have some applications hosted in Azure, some in GCP. And that's a different aspect of hybrid cloud as well, right? And so maybe you can talk about that as multi-cloud, but really, hybrid covers all of those spectrums. 

Dave Bittner: And from your perspective, what sort of things are you and your team tracking in store - in terms of some of the specific challenges that folks are facing? 

Shehzad Merchant: Yeah. And this is a really important conversation because one of the biggest challenges we see today in that customer journey is around security. And the challenge really stems from one key problem, and that is that in almost every cloud journey today, agility is trumping security. In other words, how quickly can I move to the cloud? How quickly can I deploy my applications and get them up and running in the cloud? - is trumping the security requirements of running those applications in the cloud. And that's a big challenge today because what is happening is people are forgetting the security lessons of the last 20 years and are moving at a pretty quick pace. And in the journey, we are resulting over the situation where we have significant gaps in the security posture of many of these companies. 

Dave Bittner: Does it have to be an either-or situation? I mean, is it possible to move - you know, to be both nimble and secure? 

Shehzad Merchant: It absolutely is. So that's - that is the crux of this, right? And so the reason why agility is trumping security is because when we sit and think about the cloud journey, it's typically driven by the persona of DevOps. And DevOps run at a certain pace. But they've not come from an infosec background, and in many cases, they don't know or truly understand the risks. And on the other hand, infosec teams have not come from a developer mindset and don't understand DevOps' programmability and automation. So that's the real problem. And I do think that there is a happy medium where the infosec teams and the DevOps teams can actually work together. 

Shehzad Merchant: Hybrid cloud is here to stay. I think the one thing I would say is, you know, as I mentioned earlier, making sure that we don't lose the paradigms that we've learned over the last 10 years. Defense in depth is important. We have to monitor all communications, all patterns of usage. It doesn't matter whether it's on prem, in the private cloud, in the public cloud or it's the fully hybrid infrastructure. This - I mean, I can't emphasize this enough - is continuous visibility is critical for security of your workloads, regardless of the level of the site. 

Dave Bittner: That's Shehzad Merchant from Gigamon. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: You know, something you and I discuss all the time over on "Hacking Humans" is the challenge that lots of people face when it comes to resisting the urge to reuse their passwords. Right (laughter)? 

Joe Carrigan: Yes, indeed. 

Dave Bittner: It looks like Apple is making a run at this issue. There's an article over on Forbes written by Kate O'Flaherty, and its title - "Apple to Kill Passwords with Game-Changing New Face ID Move." 

Joe Carrigan: Right. 

Dave Bittner: That headline may be a little breathless. But (laughter)... 

Joe Carrigan: Yes. Yeah. 

Dave Bittner: ...Click on... 

Joe Carrigan: Well, let's remember the reporters don't write the headlines. That's written by an editor. 

Dave Bittner: Right, right. 

Joe Carrigan: So it's - what's going on is that Apple has now - has this system that they demo'd at WWDC. They had a session called Move Beyond Passwords. It was a developer session. And I don't know that this is anything new. But what it is - is it's Apple's Keychain product that uses WebAuthn, which is a public-private key way of authenticating to websites. So, basically, what this does is it stores your private passkeys in your iCloud Keychain, so they're always accessible to you no matter what Apple device you're using. And the other thing it does is it takes the authentication token out of the hands of the server, right? So if you think about this from a service provider perspective, right now, if I have a username and password, I have to store that password some way on my server, right? 

Dave Bittner: Right. 

Joe Carrigan: And hopefully I'm using salted hashes that can be increased in difficulty over time. But still, I have to have that authentication token on my server. Well, with a key base, with a public key-private key situation, I don't have to have any authentication information. Right? I just keep a public key on my server. And if that gets breached, no big deal, right? I just have - the public information has been stolen. And the way this works is you, the user, log in to my service. Right? I take a nonce, a number. Right? And I run it through your public key. And I say, here's the number; tell me what it is. And you - it's called a challenge response, right? And based on your response, I'll know that you have a - the private key - right? - because I'll be able to decrypt your response properly. 

Dave Bittner: Yeah. 

Joe Carrigan: And if you can't do that, then I know that you don't have the right private key, therefore you're probably not Dave, so I'm not going to authenticate you. 

Dave Bittner: Right. 

Joe Carrigan: This is a lot better than passwords. Right? And that's what they're doing here with this new feature or that they're trying to get people to adopt is they're securing this with Face ID and Touch ID. So now the user logs in, and there's a video out there of how easy it is and how transparent it is for the user. And it's a really good job of letting the user authenticate using public-private key cryptography to authenticate right away to a webpage. And it's fast. It's easy. The user doesn't have to remember the password. The key is that somebody is remembering the private key. Right? 

Dave Bittner: Mmm hmm. 

Joe Carrigan: And that's where the concern is. So what I'm going - here I'm going to put on my Nostradamus hat now, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: I'm going to predict the future here. What's going to happen is, as more people adopt these kinds of systems, we're going to see attackers going after the users to try to get access to these keystores somehow. That's what's going to happen next. That's how this is going. So it's going to be important that companies like Apple do a really good job of protecting those keystores. Apple traditionally has done a very good job with security. 

Dave Bittner: Yeah. Well, I mean, it's an interesting thing to think about, right? I mean, do I trust Apple and their security team with this key more than I trust, you know, Bob's Discount Pet Supplies' website down the street? 

Joe Carrigan: With a password, right. 

Dave Bittner: Right (laughter). Right, right. 

Joe Carrigan: I'm with you on that. I trust Apple more with the keys (laughter), you know, than I do Bob's Discount Pet Supply. And you know what? Bob's Discount Pet Supply would probably love just to have public keys for everybody. That would be great for them. 

Dave Bittner: Mmm hmm, yeah. 

Joe Carrigan: So it's a good solution all around, I think. Just - it makes the attack more difficult, which is good. But it doesn't make the attacks go away. We're still going to see attacks on individuals' - to try to gain access to individual keystores. 

Dave Bittner: Right, right. And as usual, the way that Apple handles these sorts of things, if you are in the Apple ecosystem, this will be very easy for you to use. And if you're not, good day to you, sir. 


Dave Bittner: Right? 

Joe Carrigan: That's 100% correct. The article does point out that you can also get the same kind of protection with a YubiKey. YubiKey is pretty much the same kind of technology. It doesn't... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Store the keys. It kind of generates them on the fly. That's OK as well. But, you know... 

Dave Bittner: Yeah. 

Joe Carrigan: ...There is some talk in here about biometrics - in this article about the biometrics being non-changeable. Right? Like if my Face ID... 

Dave Bittner: Right, right. 

Joe Carrigan: ...Is breached or somehow that gets broken, that is - that's kind of tangential to this conversation because really all it's using is - Face ID and Touch ID for is to give you access to your keychain key storage. 

Dave Bittner: Yeah, yeah. And I think - it seems to me that so far, you know, Face ID and Touch ID have both pretty much stood the test of time in terms of being reasonably secure solutions to what they're setting out to do. 

Joe Carrigan: I would agree. They're pretty good. 

Dave Bittner: Yeah, yeah. Yeah. 

Joe Carrigan: As much as I rail against biometrics, we haven't really seen an attack that's feasible on these yet. 

Dave Bittner: Yeah, yeah. All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.