The CyberWire Daily Podcast 7.16.21
Ep 1376 | 7.16.21

DDoS at Russia’s MoD. Facebook disrupts Iranian catphishing operation. An intercept tool vendor’s activities are exposed. No signs of the US softening on Huawei bans.


Dave Bittner: Russia's Ministry of Defence says its website sustained a distributed denial of service attack this morning. Facebook disrupts a complex Iranian catphishing operation aimed at military personnel and employees of defense and aerospace companies. Microsoft and Citizen Lab describe the recent operations of an Israeli intercept tool vendor. The U.S. shows no signs of relenting on Huawei. Johannes Ullrich from the SANS Technology Institute has been hunting phishing sites with Shodan. Our guest is Rick van Galen from 1Password with insights from their Hiding in Plain Sight report. And there's nothing new on the REvil front. The gang is as much in the wind as it was early this week.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 16, 2021. TASS reports that a website belonging to Russia's Ministry of Defence was taken offline this morning by a distributed denial of service attack. According to Reuters, the attack was stopped and access restored in about an hour. Russian authorities attribute the attack to a source outside the Russian Federation. 

Dave Bittner: Facebook yesterday said it had disrupted an operation by the Iranian threat group Tortoiseshell, whose fake persona used Facebook in an initial catphishing approach to military personnel and people who work in the defense and aerospace sector. As Facebook put it, fewer than 200 inauthentic accounts were disabled. These accounts often posed as recruiters and employees of defense and aerospace companies from the countries their targets were in. Other personas claimed to work in hospitality, medicine, journalism, NGOs and airlines. The initial lure was generally the prospect of discussing employment opportunities. The operation as a whole was patient, complex and designed for plausibility. 

Dave Bittner: Most of the intended targets were in the U.S., with some in Europe. Tortoiseshell used Facebook to establish contact and trust, eventually hoping to persuade its prospects to contact them in other ways and channels. And those other channels were where the malware payloads were delivered. Tortoiseshell is thought to have connections with the well-known Iranian threat actors APT34, commonly called Helix Kitten, and APT35, known to many as Charming Kitten. The tools Tortoiseshell deploys against its targets include remote access Trojans, device and network reconnaissance tools and keyloggers, many of which were developed by Mahak Rayan Afraz, a Tehran-based IT company associated with the Islamic Revolutionary Guard Corps. 

Dave Bittner: It's not the first operation of this kind that in recent years has been traced to Iran's Islamic Revolutionary Guard Corps. Wired described some of Tehran's earlier efforts along these lines. Quote, "Symantec noted back in 2019 that the group had also used some software tools also spotted in use by Iran's APT34 hacking group, which has used social media lures across sites like Facebook and LinkedIn for years. Mandiant's Hultquist says it roughly shares some characteristics with the Iranian group known as APT35 too, which is believed to work in the service of the IRGC. APT35's history includes using an American defector, military intelligence defense contractor Monica Witt, to gain information about her former colleagues that could be used to target them with social engineering and phishing campaigns," end quote. Iran has historically used online methods in developing target dossiers on persons of interest to its intelligence services. This most recent campaign seems to be squarely in that operational tradition. 

Dave Bittner: Also yesterday, the Microsoft Threat Intelligence Center, MSTIC, and the Microsoft Security Response Center, MSRC, reported on the activities of a private sector offensive actor, a company that would probably characterize itself as a lawful intercept vendor. The company, which Microsoft assigned the name Sourgum, is selling intercept tools to governments that are using them to monitor the communications of journalists, dissidents and other people in bad odor with the regime deploying the intercept tool. Microsoft wrote, quote, "Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets' computers, phones, network infrastructure and internet-connected devices. These agencies then choose who to target, and run the actual operations themselves," end quote. Microsoft calls the intercept software itself, which exploits Windows zero-days patched this week, DevilsTongue. Targets of the surveillance tool have been found in the Palestinian Authority, which had about half of the victims identified - Israel, Iran, Lebanon, Yemen, Spain, specifically Catalonia, the United Kingdom, Turkey, Armenia and Singapore. 

Dave Bittner: As Microsoft observes, the location of a target isn't perfectly correlated with the government using Sourgum. International targeting of individuals is common, and none of the countries listed are necessarily users of DevilsTongue. Microsoft acknowledged the University of Toronto's Citizen Lab for its assistance in the investigation, and Citizen Lab identifies Sourgum as the Tel Aviv-based company whose original name was Candiru. Candiru's past customers are believed to include Uzbekistan, Qatar, Singapore, Saudi Arabia and the United Arab Emirates. The company has been through several rebrandings since its founding in 2014. In 2020, it assumed its current name, Saito Tech Ltd. Some of the corporate names appear to represent low-cunning gestures toward misdirection. Citizen Lab and others reporting the incident have generally been sticking to the first name the company did business as. 

Dave Bittner: Candiru's intercept tools aren't confined to Windows systems. The Register notes that the company also offers products that can monitor iPhones, Android devices and Macs. More than 750 domains are said to have been used to host Candiru's surveillance software. Many of those domains misrepresent themselves as belonging to media companies, advocacy groups and civic organizations, which suggests that journalists and activists, not criminals or terrorists, are the probable quarry. Candiru, or Saito, is the latest of a series of intercept tool vendors based in Israel to run afoul of legal and reputational trouble for their willingness to assist repressive regimes conduct surveillance of domestic targets. The best-known of these is NSO Group, currently engaged in a lawsuit brought in U.S. federal court by WhatsApp. 

Dave Bittner: Huawei is unlikely to receive a reprieve from its present restriction from U.S. markets. The present U.S. administration has, through the Commerce Department's Bureau of Industry and Security, reasserted its predecessor's strictures against the Chinese company, Fox Business reports.

Dave Bittner: And finally, there's nothing new about REvil or Russia-based ransomware gangs, generally. Secplicity has blogged its opinion that REvil probably hasn't gone anywhere, that such groups rarely disappear entirely. So perhaps the gang has temporarily gone to ground. There have been no official announcements of takedowns or other enforcement actions against REvil. 

Dave Bittner: The folks at 1Password recently published a report titled "Hiding in Plain Sight: How Secrets Mismanagement is the Next Big Cybersecurity Threat." The report outlines the challenges IT and DevOps leaders face when keeping track of the wide spectrum of valuable secrets they're charged with keeping and securing. Rick van Galen is a security engineer at 1Password, and he joins us with highlights from the report. 

Rick Van Galen: You know, at 1Password, we're always about making secrets management easy to everyone. And we just started wondering, what's going on with the folks that probably have the hardest time and the most, you know, impactful consequences to mistakes in the process? How are they doing secrets management? And those folks, of course, are IT and DevOps folks, so we reached out to them to see what they had to say. 

Dave Bittner: Well, let's go through some of the details together. What are some of the things that you uncovered here? 

Rick Van Galen: You know, there's a bunch of interesting stuff in there - in here. So the first is just, you know, the scale of the problem. So 65%, almost 2 in 3 respondents, they say they have more than 500 secrets to manage. That's a large number. And 1 in 5 even say that they don't know how many they have. They have more than they can count. 

Dave Bittner: How exactly do you define a secret in this case? What would be categorized as that? 

Rick Van Galen: That's a great question to define it. So any secret is something that you most often use to access other systems. The traditional example, of course, are just, you know, regular passwords. But especially in IT and DevOps cases, you can extend that to things like API keys that must be shared amongst a bunch of people or SSH keys or client certificates. Basically, anything that you use to go from one system to another. Now, if secrets management is hard, if it's hard for people to find where they keep secrets or they lose them and they need stuff being reset, that slows down project time. Longer project time leads to, you know, missing delivery dates, and that leads to an overall rate of cost in making your product or service. 

Dave Bittner: One of the things that struck me in your report here also was that very often, for example, if an employee leaves an organization, there may be a lag time between when they leave and all of the things that they had access to get shut down or the, you know, there's a lot of information that can still be flowing that shouldn't be. 

Rick Van Galen: Yeah, that's a very common problem. And I'm totally not surprised to see that in the reports. It's just very hard to keep track of which secrets somebody who's leaving the company had access to. And it's very, very hard to be complete. And not only is it hard to be complete, it's also hard to be even near complete unrolling all the secrets that, you know, that are necessary when somebody leaves. And that's just because, you know, it's very difficult to keep track of what this person was able to access in the first place. 

Dave Bittner: So, based on the information that you all gathered here, what are your recommendations? What can organizations do to better get on top of this? 

Rick Van Galen: Right. So I think what's really key here is to remove friction. So a bunch of these numbers in our report, they really strongly indicate that people are experiencing a lot of friction working with secrets management. And as a result, you know, you're seeing workarounds or lack of manageability, lack of auditability. And what we really recommend is setting up a system where secrets are automatically deployed into infrastructure, where it's easy for everybody to get access to the secrets that they need access to and make sure that that system is actually something that is intended to keep track of secrets - right? - with the proper encryption and the proper access controls and the proper auditability. 

Rick Van Galen: One thing that I'd like to point out, and this ties into the reducing-friction part of this, is that if you look at the distribution of how many people are employing, or admitting to employing, bad security practices like, you know, sharing secrets between projects, you see the number rise up amongst VPs. Which is quite telling because, you know, who amongst IT and DevOps folks are the least tolerant to this kind of friction? It's likely going to be the VPs. But those are also in the position to actually make a change in how secrets management is being done. So I'd like to call on them to think about this problem and take some action. 

Dave Bittner: That's Rick van Galen from 1Password. The report is titled "Hiding In Plain Sight: How Secrets (Mis)management Is The Next Big Cybersecurity Threat." There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interviews Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute and also the host of the "ISC StormCast" podcast. Johannes, it's always great to have you back. You've got an interesting method, interesting technique for trying to hunt down some phishing sites. What can you share with us today? 

Johannes Ullrich: Yeah, thanks for having me again, Dave. So this is about trying to find websites that impersonate your brand. And there's nothing really you can do against someone setting up a website like that. The trick is, how do you find it? And then, of course, you know, how do you initiate some kind of a takedown process or so forth? In some cases, you've got it easy. And the phisher was lazy and is just including images from your website directly, saving the phisher's bandwidth, but, of course, giving you hints that someone is loading these images with an odd referrer, for example. Well, the better phishers, they wised up to that. They host their own images. After all, they probably don't pay for hosting anyway. 

Dave Bittner: (Laughter) 

Johannes Ullrich: So we have a nice tool here - Shodan. Shodan, it turns out, indexes these little favicons, these little icons that you often see displayed in the URL bar depending on your browser. And, well, the attacker, of course, will copy that image from your site in order to have a good representation of your site. And you can search Shodan for these images. Shodan actually converts these images into a 32-bit number. There's something called a MurmurHash they're using here to do that. So once you know what that hash is for your favicon, it's really easy to plug that into Shodan, get a list of all the sites that use that particular favicon. And, well, then, of course, you still have to figure out which one is actually a phishing site or just some marketing person setting up a website without you knowing about it. 

Dave Bittner: Right. Right. Release the takedown notices. 

Johannes Ullrich: Yeah. I've seen them also go wrong, kind of thing where you basically don't know about all the legitimate websites that necessarily are used for your brand. That's - that can be a little tricky, too. 

Dave Bittner: Right. I suppose, especially if you're an international brand, you know, it could be that, you know, the European division of your company is up to something that maybe you weren't tracking that closely. 

Johannes Ullrich: Yeah. And you often have sort of that often-cited shadow IT where people aren't happy with the speed at which you implement things because of all those stupid security checks, so they just go out there and set up their little website themselves. I also found a couple of development sites that way, you know, where you do hire a company to develop a website for you and they leave the development site exposed to the world, which is kind of a nice find, too. So it's not always a phishing site that is a good find. But something like these exposed development sites are also kind of a good thing to find. 

Dave Bittner: Yeah, for sure. All right. Interesting stuff. Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Be sure to check out this weekend's "Research Saturday" program and my conversation with Nathan Howe from Zscaler. We're going to be discussing their research on emerging attacks and how best to counter them. That's "Research Saturday." Do check it out. 

Dave Bittner: The CyberWire is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carol Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.