The CyberWire Daily Podcast 4.10.19
Ep 819 | 4.10.19

The Triton actor seems to be back. Project TajMahal is after diplomatic secrets. California’s motor-voter program and a DMV hack.


Dave Bittner: [00:00:00] Hey, everybody. A quick thank you to all of our Patreon supporters. You can find out about all the different levels of supporting the CyberWire at And a reminder that at the $10-per-month level, you get an ad-free version of our podcast. It's the same show you know and love, just doesn't have the ads. Check it out - And thanks.

Dave Bittner: [00:00:26] FireEye says the Triton actor is back. There’s some ICS malware staged in an unnamed critical infrastructure facility. And it looks as if the people who went after a petrochemical plant in 2017 are back for battlespace preparation. Kaspersky describes Project TajMahal, a cyber-espionage effort against a Central Asian embassy. And California’s motor voter program hits a hacker-induced bump in the road.

Dave Bittner: [00:00:59] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Are login credentials compromised? Is that encrypted traffic malicious? Is an attacker accessing sensitive company data? Security teams need to answer questions like these every day, but without complete visibility inside your network, your investigation could take hours, or even weeks, and that's assuming you were able to detect potential threats in the first place. ExtraHop helps enterprise security teams rise above the noise of their complex attack surfaces with complete visibility, real-time threat detection powered by machine learning and guided investigations into late-stage attacks. Check out their interactive demo and be the blue team at That's And we thank ExtraHop for sponsoring our show.

Dave Bittner: [00:01:57] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 10, 2019.

Dave Bittner: [00:02:05] FireEye announced this morning that they were investigating activity by the Triton actor whose operations they've discovered in a critical infrastructure facility. Which facility and where that facility is located aren't specified in the report, but FireEye stresses that it's not the same plant in which Triton malware was first detected. It's worth noting that FireEye doesn't say that the destructive Triton malware itself was found in the facility, but rather that they found the Triton actor and some use of the Triton framework.

Dave Bittner: [00:02:37] The attack showed the now-familiar mix of commodity and custom-built code. And this particular infestation is noteworthy for the steps it took to evade detection and establish long-term persistence in the systems it targeted. FireEye’s report lists seven distinct tools with 15 components among them. They appear to have been pulled together in a way designed to evade detection by security tools and to establish persistence in the targeted environment.

Dave Bittner: [00:03:04] The researchers emphasized that the Triton actor has a deep interest in ensuring prolonged and persistent access to the target environment. That’s not unusual for campaigns directed against industrial control systems, especially ones mounted by nation-states, and the Triton actor seems to be an intelligence organ.

Dave Bittner: [00:03:21] FireEye notes that nation-states are likely to stage such incursions into industrial control systems as contingency operations. Another way of putting this would be to say that we’re seeing battlespace preparation. Just as an air force would want its target folders prepared as far in advance as possible, and to have the ordnance it thought itself likely to need for battlefield air interdiction staged into the theater of operations in advance, so too with ICS malware. Find the targets you think you’ll need to hit, get the malware in unobtrusively and in persistent form, and then it’s there when you want it.

Dave Bittner: [00:04:00] So which nation-state is probably implicated in this case? Not, we’d conjecture, the operators behind GossipGirl, the supra threat actor researchers at Google’s corporate sister Chronicle described earlier this week as involved with the various versions of Stuxnet, Duqu and Flame. Instead, Triton, which has also been called Trisis, has been attributed by FireEye and others to the Russian government. FireEye rather delicately points this out in their report on the latest infestation.

Dave Bittner: [00:05:03] Triton’s earlier appearance in an operation against a petrochemical facility said to be in a Middle Eastern country was alarming for the way it affected safety systems. The malware was targeted against the Triconex safety instrumented system produced by Schneider Electric and widely used in plant safety operations. That incident didn’t kill or hurt anyone, but compromising a safety system is nasty business. What the Triton actor was up to in this latest incident is so far unclear, but the activity again showed an unpleasant targeting of safety instrumented systems.

Dave Bittner: [00:05:05] As organizations move toward the cloud for data storage and services, they can find themselves re-evaluating how they protect their assets. Dr. Ratinder Ahuja is CEO at ShieldX Networks, and he advocates a technique called elastic microsegmentation.

Ratinder Ahuja: [00:05:22] So over the last few years, enterprises, you know, looking at situations like Equifax, have come to a conclusion that they need to supplement their boundary security strategies with a more pervasively deployed security strategy, so meaning most enterprises have deployed the security controls at the boundary of the data center, so firewalls and threat prevention, data loss prevention - various controls.

Ratinder Ahuja: [00:05:45] But for a couple reasons, those boundaries get bypassed. One of them is under the right set of circumstances, there is a failure of the controls, and the attacker can get in, just like what happened at Equifax. But more recently, as you adopt a multicloud architecture, the boundary itself becomes elastic so that as it's extending out into the public clouds, the private data center is connected to the public clouds. So you're dealing with a data center boundary that is scaling out and moving on to the public cloud. So this then, again, warns that you have controls that are equally elastic and agile.

Ratinder Ahuja: [00:06:20] And enterprises have started saying, well, can I bring these controls closer to the workloads? So if you have, for example, a PCI zone, and those have, in the past, been very rigidly defined structures, so you have a set of controls around a set of assets. But as these assets want to take advantage of the elasticity of the cloud, they would like to migrate them into the public cloud, take advantage of the agility problems of the cloud. So then this concept came along which says, why can't I create microperimeters around my workloads, so as they migrate, my security intention goes along with it?

Ratinder Ahuja: [00:06:56] So one such technique is called segmentation, or microsegmentation, where you take assets that were in a flat environment, and you place boundaries around them. So again, if you do that in a static fashion, that would, again, defeat the purpose because you'd be configuring those microperimeters, you know, over and over again.

Ratinder Ahuja: [00:07:14] So the process ShieldX took was to first discover your environment, and all with full automation. And this discovery then helps us understand what the layout of the applications is and, more importantly, automatically generate policy - security policy, and then to transform the security policy - what we call your security intention - into a set of controls that are coupled through your intention. So this is where the concept of elasticity comes in - that as these workloads migrate, as these applications scale up and down, our company's discovery transforms your intention into a set of controls, including microsegmentation and threat prevention, preventing the kill chain from progressing naturally. And hence we call it the elastic microsegmentation because it's not rigidly defined. It's defining your intent.

Dave Bittner: [00:08:05] What do you mean when you say intent? How does that fall into place?

Ratinder Ahuja: [00:08:09] If your assets were fairly static, you could say, you know, here's how I want to protect them. But in the multicloud, where you have DevOps and CloudOps teams that are adopting these multicloud architectures with the idea of harnessing the agility promise of this cloud, so now security is even more orthogonal to these application development teams. So what security can now hope for is to say, I need a system which can capture my security intention and then, with full automation, discover things as they happen and then transform the intention to actual controls because they can no longer mandate where some things show up. So you can no longer say, well, you know, every time you bring up a web server, you have to talk to me first because those web servers will scale up because a machine decides that we need more - that they need more capacity.

Ratinder Ahuja: [00:08:55] So that is why what we have come to have proven is that we need a system where the security teams can express their intention and then have a fully automated system transform that intention into actual controls by watching the environment and learning from the environment and then creating those controls to satisfy the intent. So security team doesn't have to go wire things up anymore because they cannot in these agile wars. So you need this automation to transform intent into actual controls.

Dave Bittner: [00:09:23] That's Dr. Ratinder Ahuja from ShieldX Networks.

Dave Bittner: [00:09:28] Another apparently state-directed APT framework is being reported by researchers at Kaspersky Lab. This one seems more interested in relatively conventional espionage, the theft of information from its target. The researchers call it TajMahal, and they say it's both quiet and sophisticated, having been operated since at least 2013. The package is delivered in two modules, Tokyo and Yokohama. Tokyo gets deployed initially, and then it's followed by Yokohama if the target is sufficiently interesting to warrant further collection. So far, an unnamed Central Asian country's diplomatic networks have been affected.

Dave Bittner: [00:10:07] Kaspersky sensibly notes that we shouldn't take this too seriously as definitive evidence of narrow interest or restricted operations. They think it likely there are other victims out there they simply haven't found yet. After all, TajMahal is, Kaspersky says, sophisticated, and a lot of work went into it. It strikes them as unlikely a nation-state would make such a heavy investment in an espionage campaign of such apparently limited scope.

Dave Bittner: [00:10:34] WIRED calls TajMahal a Swiss Army knife, a tool with lots of distinct components that perform distinct functions. Kaspersky hasn’t attributed the operation to any particular nation-state, but since we’re accustomed to looking for clues in the names of threat actors, we should probably get that particular red herring out of the way to begin with. We all know that if it's a bear, it's Russia, if it's a panda, that means China, and that kitty cats tend to hail from Iran. But in this case, there seems to be nothing of the sort going on. There's no particular indication that TajMahal means an Indian government op. And there's even less than no particular indication that calling the two big modules Tokyo and Yokohama point to Japan. They're just names - for now, anyway - because you've got to call these things, well, something.

Dave Bittner: [00:11:23] California's motor voter program, which would enmesh the state's driver and voter registration systems, is now thought to be insecure, with the Department of Motor Vehicles hacked and compromised. The Los Angeles Times says the tipoff came when someone noticed a DMV server phoning home to Croatia. So our California desk is no better at geography than any other graduates of their Los Angeles high school, but they're pretty sure there's no exit for Zagreb on the 405. So maybe the 110, because all those underpass pillars around San Pedro can get confusing, but probably not there, either. So the DMV picked up on that pretty quickly, too.

Dave Bittner: [00:12:04] An email obtained, as journalists say, by the LA Times included a remark from one of the DMV staffers who sounded the alarm. It went like this - quote, "my Latin is a bit rusty, but I think Croatia translates to Hacker Heaven," end quote.

Dave Bittner: [00:12:24] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data, but to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free. No installation required. Go to That's And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:13:33] And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research for the SANS Institute. He's also host of the ISC StormCast podcast.

Dave Bittner: [00:13:41] Johannes, it's always great to have you back. We saw some stories come by recently about hidden cameras that have been found in some Airbnb apartments. And you've got some tips for protecting yourself against these sorts of things. What are your suggestions?

Johannes Ullrich: [00:13:57] Yes. So essentially, you have to be aware that these cameras may exist. And you definitely want to be on the lookout for them. So first thing, of course, to do is look for any odd devices that you find in the apartment that are sort of out of place - let's say a fire alarm sensor in the bathroom. Usually, you don't have a fire alarm sensor - a smoke detector in the bathroom. So that would be sort of one thing to look a little bit closer at, and maybe also oddly placed sensors and motion sensors and the like because they often include these little cameras.

Johannes Ullrich: [00:14:31] The second thing you could do is just run a little network scan on the Wi-Fi network. Now, usually, they offer a free Wi-Fi network in these apartments. So what you should do is just break out good old Nmap or whatever your favorite port scanner is and run a quick port scan on the inside. Check if there are any open web servers. That often is an indicator that you may have a camera or some other device that you probably want to take a closer look at.

Johannes Ullrich: [00:15:01] Now, the last thing you could do is just, from within the Wi-Fi network again, go to a website like Shodan. Also, check what your IP address is - your external IP address, and then look up on Shodan. On this IP address, has Shodan found anything like cameras or so in the past? That's what gives you a quick external look at this. This may not be 100 percent effective because often, these are consumer connections with dynamic IP addresses. But it gives us another data point to check, you know, if maybe the owner of this apartment was smart enough to sort of hide these cameras on the network internally, but they want to connect to them, so maybe they didn't protect that properly.

Dave Bittner: [00:15:45] Yeah. It's - I mean, it's really - it seems to be a growing problem. It's sort of this intersection of the availability of these inexpensive, small, well-disguised cameras and also the uptick in things like Airbnb.

Johannes Ullrich: [00:16:00] Yeah. And, yeah, the host also may feel like they have a legitimate reason. They have to protect themselves with these cameras, to prevent damage to an apartment. Of course, we have also seen in some of these news reports that they were obviously used maliciously. And then some of these video streams were actually sold for pay-per-view video streams.

Dave Bittner: [00:16:22] Yeah, yeah. It's interesting to me because I - what I understand from some of those stories is that it's not out of bounds for an Airbnb owner to have a camera in the residence, but they have to tell you about it.

Johannes Ullrich: [00:16:38] Correct. Now, there's, of course, a lot of local restrictions on that. Even personally, with security cameras in my own home, I always recommend against putting them inside the house just for the privacy risk and the risk that someone may gain access to these cameras without authorization.

Dave Bittner: [00:16:57] Yeah. That's a good insight. All right, Johannes Ullrich, thanks for joining us.

Dave Bittner: [00:17:05] And that's the CyberWire. For links to all of today's stories, check out our CyberWire daily news brief at

Dave Bittner: [00:17:11] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at

Dave Bittner: [00:17:23] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.