The CyberWire Daily Podcast 9.14.21
Ep 1417 | 9.14.21

NSO Group’s Pegasus was installed in a zero-click exploit: iOS users should patch. Vermillion Strike hits Linux systems. Enforcing the law against cybercrime.


Elliott Peltzman: Citizen Lab finds, and Apple patches, a zero-day used for zero-click installation of Pegasus spyware. A Cobalt Strike beacon has been turned to cyber-espionage use against Linux targets. The Russian government could, it seems, take action against cybercrime, but its will to enforcement seems to be inconsistent. Ben Yelin from UMD CHHS with more on Apple's CSAM controversy. Our guest is Mel Shakir from Dreamit Ventures on selling to CISOs and their Customer Sprints. REvil makes nice with grumpy affiliates. And criminals' commitment to the common good seems weak. That's not a surprise, right?

Elliott Peltzman: From the CyberWire studios at DataTribe, I'm Elliott Peltzman, filling in for Dave Bittner, with your CyberWire summary for Tuesday, September 14, 2021. 

Elliott Peltzman: During its investigation of a Pegasus spyware infection of a Saudi activist's iPhone, the University of Toronto's Citizen Lab has found a zero-day zero-click exploit against iMessage. They call the exploit FORCEDENTRY, say it targets Apple's image rendering library and claim that it's effective against Apple iOS, macOS and watchOS devices. 

Elliott Peltzman: FORCEDENTRY is a zero-click attack requiring no obvious user interaction; victims may be unaware that their devices have been affected. Malicious files masquerading as GIFs were the infection mechanism, and they arrived courtesy of an unremarked bug in Apple's image rendering. As Apple put in their description of the vulnerability, quote, "processing a maliciously crafted PDF may lead to arbitrary code execution," end quote. In this case, the arbitrary code would be the Pegasus intercept product. 

Elliott Peltzman: The Wall Street Journal reports that NSO Group, maker of Pegasus, has apparently been exploiting the vulnerability since February. The company, asked for comment, simply told the Journal, quote, "NSO Group will continue to provide intelligence and law enforcement agencies around the world with lifesaving technologies to fight terror and crime," end quote, which is one way of looking at it. 

Elliott Peltzman: Citizen Lab and Apple made fairly short work of patching. Citizen Lab forwarded Apple suspicious artifacts on September 7. Apple confirmed that they included a zero-day exploit on the 13th and late yesterday also addressed the vulnerability with an update to iOS 14.8. Users are advised to upgrade their devices as soon as practicable. Subsequent releases of iOS will also be designed, Cupertino says, to keep this particular backdoor firmly shut. 

Elliott Peltzman: We have a roundup of industry reaction and advice to FORCEDENTRY in this afternoon's Pro Privacy Briefing. 

Elliott Peltzman: Intezer has discovered a criminal version of Cobalt Strike's beacon - Vermilion Strike, they're calling it - used by unknown threat actors against both Windows and Linux systems. Vermilion Strike may be the work of a gang, but its sophistication and evident interest in espionage could also suggest that it might have been developed and deployed by a nation-state's intelligence service. But both provenance and attribution remain unclear. 

Elliott Peltzman: Intezer thinks the Linux attacks most noteworthy, if only because their lower detection rates can lead to Linux exploits being overlooked. Quote, "Vermilion Strike and other Linux threats remain a constant threat. The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their tool sets in order to navigate the existing environment," end quote. 

Elliott Peltzman: CSO thinks that recent events have revealed that Russian government is fully capable of shutting down cyber gangs if it wants to and that some disruptions of criminal activity may indicate that U.S. sanctions are having some limited effect. That Russia could, if it wished, take action against cybercrime seems beyond serious dispute. Controlling the gangs would seem to be more a matter of want-to than it is can-do, as football coaches are wont to say about tackling. But encouraging signs of better behavior seem thin. 

Elliott Peltzman: CSO cites as evidence of a little bit of want-to Roskomnadzor's blocking a week and a half ago of several VPN services that were used for various purposes criminal under Russian law, including drug trafficking, child pornography distribution, extremism and promotion or facilitation of suicide. 

Elliott Peltzman: The services blocked included some familiar names - Hola VPN, ExpressVPN, KeepSolid VPN Unlimited, NordVPN, Speedify VPN and IPVanish VPN. None of these, we can't help but observe, are Russian operations. They hail, respectively, from Israel, the British Virgin Islands, New York, Panama, Philadelphia and Dallas. Nary a Chelyabinsk among 'em, which offers a partial explanation, perhaps, of the want-to on display in these cases. 

Elliott Peltzman: It's also worth noting that they all have legitimate users and users which and whom Roskomnadzor says it's whitelisted. 

Elliott Peltzman: CSO also cites the arrests of some senior FSB figures in December 2016 and January 2017 as evidence of potential want-to. But those personnel were arrested and convicted on treason-related charges. They'd been sharing information on cybercrime with Western law enforcement agencies. Those arrests occurred before the latest round of U.S. protests and sanctions, however. 

Elliott Peltzman: One of the Russian gangs that was imperfectly controlled, REvil, is now pretty clearly back in business, Threatpost confirms. They say that the decryptor released to Kaseya was all a mistake, the fat-fingered fumbling of one their operators, who's now presumably on whatever counts as a performance improvement plan in the underworld. 

Elliott Peltzman: Whether fingers of size actually had anything to do with it or not, REvil is back and trying to make it all up with their disgruntled affiliates, who've complained to the gangland arbitration panels that apparently form from time to time in various corners of the dark web. REvil seems to have refunded payments to criminal affiliates who felt they'd been shafted by comping them to make them whole again. So expect to see more REvil. 

Elliott Peltzman: And, finally, various gangs have sought to wear Robin Hood's hat, claiming they act not against the common good, but only against the wealthy - wealth elite, as the Shadow Brokers used to say. And by the way, where are those guys? We kind of miss them. 

Elliott Peltzman: But a recent cyberattack on Jefferson Parish, La., courts should move us toward reluctant skepticism about whether such public spirit is widespread in gangland. An unspecified gang took advantage of the distraction of Hurricane Ida to install unspecified malware in the courts' networks, reports. The courts are expected to recover soon. 

Dave Bittner: Let's face it. If you're on the sales and marketing side of the house, one of the challenges you likely face is getting quality time pitching your wares to CISOs. Mel Shakir is managing director for security investments at Dreamit Ventures, a venture fund for startups. When I recently spoke with him, he emphasized networking and, not surprisingly, taking advantage of opportunities provided by VCs like himself. 

Mel Shakir: My background is in cybersecurity. I've spent almost 20-plus years working in this field and have a deep intrinsic knowledge in the cyberspace itself. That matters because even for us to be able to pick the right companies that we want to invest in, that is an important part of the equation. Also, you know, good understanding of the trends and where the industry is going, anticipating, you know, what the CISO's needs are now and what they're going to be in the future - all of those things factor in when we make an investment in a company. 

Mel Shakir: So again, these are highly filtered. I do product deep dives in early cause (ph). Many of these startups who reach out to us, they get surprised that I'm not just talking about all the other aspects of the business. The very first question I ask is, you know, can you do a product demo? I want to do a deep dive of the product. Get me excited about the product, then we'll talk about everything else. 

Mel Shakir: So, yes, you know, having a deep understanding of the product, the technology - that is important. I need to be able to communicate that also to the CISOs. 

Dave Bittner: Are there any common mistakes that folks make in their interactions with CISOs? Are there things that you shouldn't do 'cause it'll really just turn them off at the outset? 

Mel Shakir: Yeah. I think CISOs are very technical by nature. So, you know, one of the things that I always tell founders is, you know, take your A-team when you're meeting CISOs, for one. 

Mel Shakir: The other important thing is preparation, right? Before you go to meet the CISO, have an understanding of why they're meeting you. And there are a number of ways you can get that information. You could be - in some cases, you might be able to reach out to the CISOs and get that information, or you could reach out to their team members, right? Or you could reach out to the partners. You have to do some due diligence - you know, the kind of legwork the sales team and - the best sales teams would do to be prepared, right? So be prepared for those meetings. 

Mel Shakir: Also, try to have an understanding of the broader vision and road map for the CISO, and try to understand, you know, how you're going to fit in in their work. 

Mel Shakir: So preparation is a key, if you're going prepared. And if you're talking about your solution, which is not in context with what the CISO's needs are, what his vision is, you're certainly going to turn them off. 

Mel Shakir: And the other important thing is when talking about traction - every CISO wants to know whether the product is being used by other CISOs, especially ones that they might know. So you have to be careful about that. It's not very hard to anticipate what the network of a CISO is going to be. If he's based out of the Northeast, he's likely to know, you know, CISOs in those - in the area where he resides - right? - 'cause there are lots of local forms that they would be needing (ph). If you already had interaction with them, real ones that they are going to be able to reference and validate, then make those references - not just throwing out names and logos because they will verify that. 

Dave Bittner: That's Mel Shakir from Dreamit Ventures. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security. But more important than that, he is my co-host over on the "Caveat" podcast. Ben, it's great to have you back. 

Ben Yelin: Good to be with you, Dave. 

Dave Bittner: We recently had a special edition of "Caveat" where we spent the entire episode talking about Apple's announcement that they were going to do some on-device scanning for CSAM, which is child sexual abuse materials. Do I have that right? 

Ben Yelin: Yeah. 

Dave Bittner: Yes. And, of course, that was quite controversial and... 

Ben Yelin: To put it mildly, yes. 

Dave Bittner: ...Garnered a lot of coverage from folks who are concerned about privacy. There's been an update here. What's the latest Ben? 

Ben Yelin: So Apple has partially reversed its decision. So I don't think we should overexaggerate what they're doing here. You know, it's been reported in some news sources that Apple has walked back their announcement. I don't think that's entirely accurate. What they're saying is, we need more time to study it. We're going to hit the pause button on our plans. You know, we want to figure out a way to monitor for this exploitative material, but in a way that doesn't violate user privacy. 

Ben Yelin: So the big objection is to the program where Apple would be scanning on your devices through your photos, your iCloud photos, for sexually exploitive pictures that match pictures on a database maintained by organizations like the Center for Missing and Exploited Children. Obviously, that's an extremely worthy goal. I think Apple thought that they were being good Samaritans by developing this program, and it seems like they didn't really anticipate that there would be a backlash. 

Dave Bittner: Right. 

Ben Yelin: This was a pretty widely publicized decision. They sent out information on the technology to advocacy groups. I mean, you know, to put it relatively mildly, they were kind of bragging about what they were doing. 

Dave Bittner: It was and is a clever technological solution. 

Ben Yelin: Absolutely, to an extremely worthy goal. 

Dave Bittner: Right. 

Ben Yelin: You know, we cannot minimize the importance of keeping this type of material out of the hands of bad actors. 

Dave Bittner: Right. 

Ben Yelin: Because there was this backlash, Apple, in wanting to maintain its reputation as the foremost protector of user privacy, realized that they had gone a step too far. 

Ben Yelin: And I think the lesson here is activism matters. This company - you can hold organizations and companies reliable by raising hell when something happens that you disagree with. Activist groups, such as the Electronic Frontier Foundation, EPIC, sprung into action, got petitions together, wrote op-eds, and it had a really big impact. And as I said to you on the "Caveat" podcast, sometimes, you know, you can have more of an impact on private sector decisions than you can on, you know, your own lawmakers 'cause there's more accountability. I mean, if you have a problem with what Apple has done, you can move on to the next product. 

Dave Bittner: Right. 

Ben Yelin: And I think Apple is very attuned to that. So that's, to me, the broader lesson here. 

Ben Yelin: We don't know what Apple's going to do going forward, whether they will fully reverse this decision or whether, you know, while we're all sleeping on some Friday night they're going to reinstate the program. 

Dave Bittner: Yeah. Right, right. Well, that's just - I mean, that's an interesting question. I've seen some folks sort of cynically say that that would - could be Apple's next step is to sort of wait for the heat to blow over and then just quietly enable this in some future software update. Do you think at this point they could get away with that? 

Ben Yelin: I mean, I think it's possible they try to do that. I think because this has already happened and they've already raised the ire of privacy and - groups and security advocacy groups, no matter what they do now, there's a watchful eye on Apple's behavior. 

Dave Bittner: Right. 

Ben Yelin: So I don't think we're in a situation where cut three months ahead, in December, it's Christmas Eve, and Apple, you know... 

Dave Bittner: Right, right, right. 

Ben Yelin: ...Tries to avoid the publicity. 

Dave Bittner: Right. 

Ben Yelin: I don't think that's going to happen. 

Dave Bittner: Yeah. I mean, interesting to see Apple walk back something like this, which I think is - we can agree is sort of contrary to their corporate impulse, right? 

Ben Yelin: Right. 

Dave Bittner: Right? You know, as I said, they came out with this, and I think they thought it was a very clever technological solution to a serious problem. And it is. And the backlash maybe makes them take a closer look at the issue, but maybe, hopefully, themselves... 

Ben Yelin: Right. 

Dave Bittner: ...As to how they approach these sorts of things in the future. 

Ben Yelin: I think it's a wake-up call for Apple, and it's really all due to our "Caveat" podcast. Let's be honest. We know they listen to it. 

Dave Bittner: (Laughter) That's right. That's right. That's right. 

Ben Yelin: Yeah. 

Dave Bittner: Yeah. Well, I just can't get Tim Cook to stop writing me with the - I'm just like, all right, Tim, I get it. 

Ben Yelin: I know. Leave us alone, Tim. 

Dave Bittner: Just (unintelligible). My inbox is full of just effusive praise from... 

Ben Yelin: Tim Cook, Tim Cook, Tim Cook. 

Dave Bittner: Yeah. All right, so needy. All right. Well, Ben Yelin, thanks so much for joining us. 

Ben Yelin: Thank you. 

Elliott Peltzman: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Elliott Peltzman: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Dave Bittner. And I'm Elliott Peltzman. Thanks for listening.