The CyberWire Daily Podcast 9.18.18
Ep 686 | 9.18.18

Tracking Pegasus. OilRig spearphishing. IP theft from universities. Peekaboo bug in surveillance cameras. WannaMine won't be EternalBlue's last ride. Preventing data abuse.


Dave Bittner: [00:00:00] Hey, everybody. It's Dave with a quick favor to ask. I'd love it if you would help spread the word about our podcast. Tell a friend. Share with your colleagues at work. Put a note out on Twitter or Facebook and recommend our show. It's a virtuous circle. The more people enjoying our show, the happier our advertisers are, and we get to pay the bills and provide for everyone who works hard every day to bring you the cybersecurity news you rely on. So don't be shy. Please, help spread the word about the CyberWire today. Thanks.

Dave Bittner: [00:00:33] Citizen Lab reports on global use of Pegasus lawful intercept tools. OilRig seems to be spear-phishing in Bahrain. University IP theft by Iran seems widespread, but it also doesn't look very lucrative. The peekaboo vulnerability affects security cameras. WannaMine is the latest campaign to exploit the stubborn EternalBlue vulnerability, and data firms work toward guidelines to prevent political data abuse.

Dave Bittner: [00:01:06] A few words from our sponsor, Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes. But, guess what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, Cylance thinks you need something better. They've just introduced version 2.3 of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat, by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit to learn more. And we thank Cylance for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:12] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 18, 2018. Citizen Lab has another report out on Pegasus spyware, NSO Group's lawful intercept product. They found the tool in use in at least 45 countries. Their scans aren't entirely clear. It's difficult to distinguish targets from users, for example. But Pegasus seems to be in widespread use. Observers note that while some of the regimes who employ the tool do so with lawful restraint, other more repressive governments make more indiscriminate use of it. Citizen Lab cites six countries as Pegasus users who have a history of deploying spyware against domestic dissidents, what they describe as abusive use of spyware to target civil society. Those nations are Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia and the United Arab Emirates. Pegasus is installed on a smartphone either through physical access, or, much more commonly, through social engineering. In the typical case, the targeted user is induced to click on a malicious link that installs the intercept code on their device. Once installed, Pegasus reports back, well, quite a bit of private data, including passwords, contact lists, calendar events, text messages and certain live voice calls from popular mobile messaging apps. The Pegasus operator can also convert the infected phone into an eavesdropping device, gaining access to the camera and microphone in ways that capture things going on around the phone.

Dave Bittner: [00:03:49] Citizen Lab says it gained its initial insight into Pegasus when they noticed UAE cybersecurity company DarkMatter registering a domain name that included a Pegasus link. NSO Group has denied selling its product to several of the governments Citizen Lab calls out in its report. They also told Citizen Lab in response to an advanced copy of the report, quote, "our product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror. Our business is conducted in strict compliance with applicable export control laws," end quote. Citizen Lab, in effect, says in reply that while some governments may indeed well use Pegasus for what can be recognized as legitimate law enforcement purposes, the Lab contends that some of the governments who've obtained the tool in practice use it for repression of civil society. The report is interesting also for its account of how Citizen Lab uses DNS cache probing in its investigations. That's too long to go into here, but you'll find a link to the report in today's CyberWire daily news briefing. Many of the stories we hear about cloud data breaches involve improperly configured AWS buckets.

Dave Bittner: [00:05:02] Sam Bisbee is chief security officer at Threat Stack, a company that provides security monitoring of cloud services, and he shares some of the more sophisticated attempts at cloud data they've been tracking.

Sam Bisbee: [00:05:13] What's been interesting is watching that sophistication rise and how they're leveraging perfectly reasonable features inside of public cloud environments and then just abusing them. And so that's just really continuing to happen, where we're seeing these attack chains leveraging features in, let's say, an AWS control plane or API, leveraging those to then extend at high text down into the network layer where they continue to kind of sprawl out with a traditional network attack chain and then move back into the AWS, API console. So crossing that membrane multiple times. There's a lot of kind of standard techniques and tools that they're using that aren't necessarily new. It's more about the behavior of how they're leveraging these techniques and tools and combining them with traditional network attack techniques to extend and hide those breaches that's been most interesting.

Sam Bisbee: [00:06:09] Largely, in a lot of these attack chains, it really starts with that root credential theft or account takeover. And where it then starts to diverge is launching a server, for example, an AC2 instance, into that environment. Typically, that launched rogue infrastructure was to really just extend the botnet. You know, maybe do a cryptomining, maybe join a botnet that was being rented out per hour to go attack the hosts in another environment, whatever else. But where we started to see those servers be used differently was to begin recon and to act as a beachhead inside of the local area network that an organization was running, even if it's, you know, inside of an AWS VPC and, you know, it kind of follows all the best practices of how to log one of those networks down, you now are in a situation where an actor has the functional equivalent of physical data center access because they're able to access the management control plane, and they're now down at the network in the VM layer. And what they will do is use that initial rogue AC2 instance as a beachhead, recon the LAN a little bit more, and then start to move laterally through it, whether that be through a digital credential theft, just, you know, now more at the SSH key level, or attempting to, you know, remote scan and exploit other servers on that LAN.

Sam Bisbee: [00:07:33] And as they're moving through, their objective is not necessarily to escalate privileges or steal data off of a disk in the way that, you know, most typical network campaigns look. Instead, the objective is often to move back into that AWS control plane, where maybe the initial set of credentials that they compromised did not have access to an RDS instance or an S3 bucket where their objective lies. They're instead moving through that environment and leveraging the fact that, for example, in AWS, every server has an IAM role on and therefore permissions into AWS, which people often forget to configure. And then the metadata in those keys and everything that that instance has access to is all available at a hardcoded IP address on every server.

Sam Bisbee: [00:08:22] So without, you know, having to be too more technical, basically what they're doing is they're moving through those servers and they're leveraging the completely normal, solid, good features to then understand, now that I'm on this server, what access does this server have back into the infrastructure, and does that give me access to that RDS instance or S3 bucket that I wanted access to?

Dave Bittner: [00:08:45] That's Sam Bisbee from Threat Stack.

Dave Bittner: [00:08:49] Arbor's security engineering and response team, ASERT, reports finding spear-phishing emails targeting senior officials in Bahrain. They regard the campaign as similar to an OilRig distribution of the BONDUPDATER Trojan discovered by Palo Alto Network's Unit 42. OilRig is associated with the Iranian government.

Dave Bittner: [00:09:10] The theft of intellectual property from universities by hackers linked by SecureWorks researchers to Iran's government looks oddly like petty larceny. Papers are going for as little as 2 pounds on WhatsApp, but it seems a fairly widespread effort - 16 domains with more than 300 spoofed websites and login pages for 76 universities in 14 countries. The interest in British universities has attracted much attention, but institutions in Australia, Canada, China, Israel, Japan, Switzerland, Turkey and the U.S. were also targeted. It's not clear how much of the stolen information wasn't already destined for open publication, nor is it entirely clear how the material was taken. But the use of spoofed login pages suggests credential theft.

Dave Bittner: [00:09:58] Security company Tenable has found a zero-day they're calling Peekaboo in the NUOO software widely used in networked video surveillance cameras. They think upwards of 100 brands and 2,500 different models of camera could be vulnerable. Exploitation of the flaw could yield access to the control management system, expose credentials for connected video cameras and permit both disconnection of live feeds and image tampering. NUOO says a patch is being developed, and that in the meantime users should take steps to limit access to NUOO NVRmini 2 deployments. If you're unsure of whether a video security system you're using is vulnerable, contact the vendor and ask them directly. Tenable also draws a more general lesson from the discovery. They think it argues that we ought to rethink our patching cadence and methodology, especially as the internet of things expands our attacks surface even as it increases our capabilities.

Dave Bittner: [00:10:56] Patching is also a big part of the answer to the question why EternalBlue exploits, like the currently irritating WannaMine cryptojacker, continue to make pests of themselves. Although the vulnerability EternalBlue takes advantage of was patched last year, unpatched machines keep things like WannaMine alive through a constant reinfection cycle. And it's not only failure to patch that's a problem for digital public health, but also use of unlicensed software.

Dave Bittner: [00:11:24] Data analytics firms who serve both major U.S. political parties are working on a mutual agreement to control data abuse. No one wants to be the next Cambridge Analytica, caught with their fingers in data that ought to have remained private. The cooperation of the firms on a set of guidelines is being facilitated under the brooding wings of Georgetown University's Institute of Politics and Public Service. It will be interesting to see what they come up with. The temptation to abuse data must, one thinks, exert a particularly strong pull on political operations. Symantec has joined the companies offering free help to political campaigns and related groups. They're offering anti-spoofing services gratis. The company also has a guide to the leading groups associated with election influence operations. They're APT28 and 29, better known as the familiar bear sisters Fancy and Cozy, respectively. Whatever Mr. Putin may say, straight up, they're Russian intelligence services.

Dave Bittner: [00:12:29] And now a bit about our sponsors at VMware. VMware Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace” will take you through the details, and much more. You'll find it at See what Workspace ONE can do for your enterprise security - And we thank VMware for sponsoring our show.

Dave Bittner: [00:13:30] And I'm pleased to be joined once again by David Dufour. He is the vice president of engineering and cybersecurity at Webroot. David, welcome back. We wanted to touch today on quantum computing - take a little reality check. What do we need to know here?

David Dufour: [00:13:44] Well, first off, I don't want to be, you know, Thomas Watson from IBM. He was famously quoted, though they can't really attribute it to him, that maybe there's a market for five computers in the whole world. This is all kind of just my opinion. We'll see where it lands in the end. But I think there's a lot here, but I also think there's a lot of hype around it. So you know, I think the fundamental thing a lot of people think is that quantum computing is just really fast regular computing done at quantum speed or hyperspeed or warp speed.

Dave Bittner: [00:14:17] (Laughter) Warp speed. I like that. Yeah. Yeah. Yeah.

David Dufour: [00:14:19] Right. But there are some very, very fundamental differences, and we should talk about where we are right now in the whole process of quantum computing. And one of the basic things folks need to understand is the difference between, you know, classical computing, where we have, you know, on and off, and we can all comprehend that. We've all been - we've grown up with it, in fact. So it's kind of almost innate in us now. You know, that's how a classical computer works. It has a bit, and that bit can either be on or off. Well, in quantum computing, you have a thing called qubits, which can be on, can be off, but they have a superposition state where they can be - for the sake of our discussion, they can be both. It's not exactly that it's both at the same time, but it's that idea. So it actually has three different states. And this is something that, as a society, we're going to have to get our heads around because it's one of those things that we come across technically that is a new leap forward that's going to take folks - if you're not a quantum physicist or you don't work with quantum mechanics every day, it's going to take us time to understand and get our brain around.

Dave Bittner: [00:15:31] I mean, it strikes me that one of the fundamental things about most things related to quantum mechanics, quantum computing is that it's not intuitive.

David Dufour: [00:15:42] It is not. And - but if you think back, David, honestly, into the '30s, '40s and '50s, the computing we do today was not intuitive. You know, they built these massive machines that only a few people knew how to operate. And that's kind of where we are with quantum mechanics. It's much more complicated. But I think as a society, as we talk about this more and more and more, it will become more intuitive, and it'll become ingrained in what we're doing. And I have a pretty simple example. And I'm sure all the quantum physicists out there are going to be cringing. But, you know, we want to talk about how it relates to security. But I've been thinking about this maze example where, if you have a classical computer and you give it a problem that involves looking at a maze and making a determination of how to make a path through that maze, that classical computer has to walk through every possible path of that maze. But it has to do it one path at a time. Now people might say, well, I could build a multicore processor. But at its essence, each core can only look at one path at a time. So you literally are only doing one thing at a time.

David Dufour: [00:16:58] Now if we look at quantum computing, and we have to stay in the quantum world because at the end, the output we have to convert to a non-quantum world so humans - we can kind of understand it. We can actually, at the same time, build a structure that looks at all of the possible paths at once. It's not infinitely scalable, but just for sake of our discussion. But it looks at all of those paths at once. And that's where the power - because of that - the superposition state and all of that, that's where the power of harnessing quantum computing lies.

Dave Bittner: [00:17:36] Yeah. So I mean, the way I envision what you're saying is it's sort of like the difference between standing at ground-level at the entrance to the maze and only being able to see what's right in front of me versus having a bird's-eye view, if I'm a hundred feet up and being able to see all of the possible pathways of the maze at once and making my plans based on that.

David Dufour: [00:17:57] That is exactly right, David. So I think - and why I'm being so specific - I think the first quantum computing we're going to see are some very, you know, very specific, uniquely built quantum computers to do one thing. And then over time, couple generations, just like we went from that - those computers back in the '40s that could do one thing, that took - you know, only four people in the world knew how to run them to today. Over time, it'll evolve into something that the rest of us can use, like the PC sitting on our desk. But I don't think we know what that looks like. We're just not there yet.

Dave Bittner: [00:18:35] All right. Well, it's interesting stuff - hard to wrap your head around. But as always, thanks for helping us understand. David Dufour, thanks for joining us.

David Dufour: [00:18:43] Thanks for having me, David.

Dave Bittner: [00:18:47] And that's the CyberWire.

Dave Bittner: [00:18:48] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:19:15] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.