The CyberWire Daily Podcast 10.3.19
Ep 941 | 10.3.19

A new threat group, Avivore, is called out in the Airbus hack. Ransomware and VPN exploit warnings. EU tells Facebook to take down some content, everywhere. Spearphishing ANU. SandCat’s bad opsec.

Transcript

Dave Bittner: [00:00:03] Who's been hacking aerospace firms? Context Security suggests it's a new Chinese threat actor, Avivore. The FBI issues a ransomware alert. The NCSC warns of active exploitation of vulnerable VPNs. The EU issues a sweeping takedown order to Facebook. U.S. senators ask Facebook about deepfakes. Spearphishing at the Australian National University, FireEye may be for sale, and the SandCat threat group shows poor opsec. 

Dave Bittner: [00:00:37]  And now a word from our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. 

Dave Bittner: [00:01:28]  Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com. 

Dave Bittner: [00:01:55]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 3, 2019. In a year where CrowdStrike finds cybercriminals more active than state-sponsored hackers, Chinese intelligence services have been taking a leading role in industrial espionage. Someone - and most signs point to China - has certainly been poking into the networks of aerospace companies and their suppliers. Airbus is the most prominent of these firms that have been so prospected. The company disclosed in January that business systems at its commercial aircraft division had been hacked and that data had been improperly accessed. Last week, Agence France-Presse, citing security sources, reported that the company had continued to sustain security incidents, several of which affected its suppliers, among them the British engine manufacturer Rolls-Royce, the French technology consultancy Expleo and two other unidentified French companies. 

Dave Bittner: [00:02:55]  Most of the speculation about specific attribution has turned to APT10, also known as Stone Panda, and which CrowdStrike earlier last month associated with the Tianjin bureau of the Ministry of State Security, MSS for short. Other researchers thought the attackers most likely to belong to Jiangsu province Ministry of State Security, JSSD for short. The U.S. Department of Justice has indicted members of JSSD in the past for hacking, and the group has a special interest in aerospace companies. 

Dave Bittner: [00:03:27]  But the London-based security firm Context believes a different threat actor is responsible. In fact, Context believes it's found a previously unremarked threat actor that's engaging in living off the land as it island-hops across targets in the aerospace supply chain. They've given the group its own name - Avivore; that is, eater of birds, which seems apt for something that preys on the aerospace sector. Context acknowledges that there are some similarities among Avivore and both JSSD and Stone Panda, but they've concluded that the tactics, techniques and procedures, infrastructure and tooling observed differ significantly, and that while they can't rule out the involvement of the other two groups, it seems likely to them that Avivore represents a different organization. 

Dave Bittner: [00:04:15]  The group's attacks display good opsec, and the researchers note in particular the group's attention to removal of forensic artifacts, a sign of its desire to remain as obscure as possible. Contrast this with the somewhat willful noisiness of some other state actors. Fancy Bear broke onto the scene, for example, with considerable eclat, not seeming to care a great deal whether it was detected or not. And that was a matter of style, not incompetence. Whoever Avivore is, the group is probably Chinese, probably state-directed and almost certainly concerned with industrial espionage. 

Dave Bittner: [00:04:52]  Israel is a major player in the cybersecurity ecosystem, with significant research and innovation originating in that country. It's also a hot market for venture capital. Yoav Leitersdorf heads up VC company YL Ventures.

Yoav Leitersdorf: [00:05:06]  Israel is the number-two country in the world in terms of cybersecurity exports, and that's just one measurement. I would say it's number two in absolute numbers in terms of number of startups, cybersecurity startups. It's also number two in terms of venture capital funding in cybersecurity, and that's especially impressive since Israel only has about 8 million people - you know, much fewer than what the U.S. has and many other countries have. The total amount of funding for Israeli cybersecurity companies across all stages grew 22% from 2017 to 2018. In 2018, we had over a billion dollars - actually, 1.03 billion - of total funding for security startups in Israel, and as I mentioned, that is number two in the world. Also in 2018, we had 66 new companies founded in Israel in cybersecurity, which is growth of 10% over 2017. The average seed rounds are getting bigger, so 3.6 million in 2018 up from 3.3 million in 2017. Most of the new companies are in emerging fields, meaning - in Israel, meaning completely new fields in cybersecurity, which is very interesting because it's not more of the same, but rather, we're seeing lots of new innovation.

Yoav Leitersdorf: [00:06:33]  Now, you compare that with any other region in the world, and these stats are extremely impressive, I mean, especially the absolute numbers of dollars invested and number of companies formed. You don't really have that anywhere in the world except for the U.S. And think about, you know, all the different regions in the U.S. where cybersecurity is strong, like, you know, the Virginia Corridor or Silicon Valley, Boston - all these areas. Israel is a very, very small place. So you can get from one end to the other in terms of, you know, what's interesting in the security industry within about an hour's drive.

Dave Bittner: [00:07:14]  When you look around at the state of things when it comes to investing in cybersecurity, where do we find ourselves today? 

Yoav Leitersdorf: [00:07:21]  This is a very exciting time to be in cybersecurity. I think it's one of the highest growth sectors in venture capital overall. It's driven by many factors. I mean, I could say, you know, first of all, the movement to the cloud is really increasing the security concerns that organizations have and, therefore, their budgets. Another one is IoT, Internet of things. We're expected to triple the number of Internet of things by 2025 to about 22 billion devices, and a lot of them are unprotected. You know, security spend worldwide is over $100 billion a year now, and that's growing year over year. I think by 2021 we're going to be at $133 billion, according to Gartner.

Yoav Leitersdorf: [00:08:12]  The cost of cybercrime is - was about $600 billion in 2017 and is much higher now. You know, the number of data breaches, that's a big driver, right? I'm sure you've seen a lot of that. I mean, we've gone from about 800 in 2015 to about 1,600 in 2017. That's in just two years, the doubling of the number of breaches. And security is now a top topic in boards of directors. And of course, there is a big shortage of cybersecurity professionals - about 3 million people that are needed worldwide. And so, you know, all these are driving demand for cybersecurity. And of course, the business we're in is investing in cybersecurity startups that are meeting this demand. So I mean, our whole goal and reason for existence here is to supply the world with some great solutions. In our case, these solutions originate in Israel, which is the No. 2 exporter in the world in terms of security solutions. So that's - you know, that's the world that we're in.

Dave Bittner: [00:09:20]  That's Yoav Leitersdorf of YL Ventures.

Dave Bittner: [00:09:25]  There have been some official warnings of cyberthreats in both Britain and the U.S. The U.S. FBI has issued an alert that ransomware represents a high-impact threat. The bureau urges victims to report the incidents to their local FBI field office, and it strongly recommends that no one pay the ransom; doing so at this point is simply fueling the bandit economy that keeps ransomware in circulation. The U.K.'s National Cyber Security Centre warns of pervasive exploitation of widely used VPNs. They are not scrub VPNs, either, but rather the products of respected vendors Pulse Secure, Palo Alto Networks and Fortinet. Both British and international organizations are being targeted, and the NCSC says the victims include government, military, academic, business and health care organizations. They advise everyone using the affected VPNs apply the latest patches - and all three vendors have them - and reset their authentication credentials. 

Dave Bittner: [00:10:25]  The New York Times reports that the European Court of Justice ruled today that national courts may order Facebook to take down and restrict access to content globally. The case originated with an Austrian Green Party politician who requested removal of unflattering comments an unnamed individual had posted to a personal page. The plaintiff alleged that three bits of content were impermissibly objectionable. Specifically, she objected to traitor of the people, corrupt clod and fascist. The decision is sweeping and will have the effect of pushing social networks toward treatment like publishers, as opposed to common carriers. Skeptics note that European law has tended to restrict disrespectful posts about politicians more readily than it has quelled extremism or invasions of pure personal privacy. But then it stands to reason that politicians might just be better resourced than your average Susi Musterfrau or Janie Sixpack.

Dave Bittner: [00:11:21]  Facebook is also receiving attention across the Atlantic. The social network yesterday received a letter from U.S. Senators Warner, Democrat of Virginia, and Rubio, Republican of Florida, asking for an explanation of its policies and technical capabilities with respect to deepfakes and fabricated news, generally. An Australian National University review of its data breach concludes that the hackers got in by spearphishing a senior member of the university's staff. The Australian Financial Review reports that ANU declined to name a culprit but called the attackers sophisticated and probably interested in fraud. 10Daily says the phishing victim simply previewed the email and didn't interact with it in any other way. 

Dave Bittner: [00:12:06]  Business Insider says FireEye has retained Goldman Sachs as the security company explores putting itself up for sale. FireEye's stock has been up on the news, trading around $14 since it broke. The likeliest buyers are thought to be private equity investors.

Dave Bittner: [00:12:24]  And finally, to return to the issues of opsec and state-directed threat groups, here's one that seems decidedly not to have its security house in order. It's the group security researchers at Kaspersky call SandCat, which is believed to be a cyber operations unit of Uzbekistan State Security Service, the SSS, which inherited a reputation for repression and brutality with its KGB DNA. Kaspersky described its findings to Vice. First of all, SandCat used the name of an associated military group to register one of the domains used in its infrastructure. This is held to be bad by those in the business. If you're registering a domain, use some anodyne but plausible front organization - maybe the Young Persons' Chess Clubs of Greater Bukhara.

Dave Bittner: [00:13:13]  Second of all, they had installed Kaspersky security software in their systems, and that software was reckoned both effective and intrusive with a pretty big footprint in the systems it protects. Thus, Kaspersky had pretty good visibility into things that would raise any security eyebrows, like buying a bunch of zero days from third parties. So the gaff was blown pretty quickly. Kaspersky researchers said they were surprised to see that Uzbekistan's SSS had any cyber operational capability at all. Some of that can be written off to the casual disregard with which the Central Asian members of the near abroad tend to be disregarded. But those who have eyes to see, let them see. The researcher known as Phineas Phisher said in 2015 that he'd found a good bit of email correspondence between the Uzbek organs and the Italian lawful intercept firm of Hacking Team.

Dave Bittner: [00:14:11]  And now, a word from our sponsor Edwards Performance Solutions. It's commonly accepted that cybersecurity is a business risk, not an IT problem. What may not be as commonly accepted is that cybersecurity needs to be an integral part of every business strategy and that cybersecurity can actually be an asset to your business. Achieving this outcome is a journey. The journey starts with an understanding of what information is important to the business; what business processes generate, use, store or transmit that information; and what are the rules and regulations impacting the information. The next part of the journey is understanding the risks to the business and those information assets, followed closely by establishing a governance structure to manage those business risks. This includes managing the risk to your supply chain. The journey is not an easy one and is fraught with roadblocks and obstacles. You may need a guide. Edwards Performance Solutions is ready to be your guide in this journey. Please visit their website, edwps.com, to learn more. That's edwps.com. And we thank Edwards Performance Solutions for sponsoring our show. 

Dave Bittner: [00:15:31]  And I'm pleased to be joined once again by Craig Williams. He's the head of Talos outreach at Cisco. Craig, great to have you back. You all recently published some information as a blog post titled "Open Document Format Creates Twist in Maldoc Landscape." What's going on here? 

Craig Williams: [00:15:46]  Well, so this is a very interesting one, right? You know, we've all known maldocs exist, and we all know that you need to be worried about them. But what this particular attacker did was very, very clever. They found an issue in, you know, an OpenOffice format called ODT, or open document. And they were able to, you know, basically discover that if you exploited the ODT file type, not only were you able to compromise OpenOffice, but Microsoft Office would actually fall victim to the same or a very similar bug, resulting in them getting the execution that they wanted. 

Craig Williams: [00:16:25]  So think about this, right? You get an ODT file. And let's say you're super savvy, right? And maybe even your security software warned you, or you know that ODT is OpenOffice. And so you think, ha, ha, ha, silly hacker. I run Microsoft Office. I'm far superior and can't be compromised. Well, you might click on it to see what it is because you know deep down that you're not running any sort of open software, and so therefore, you shouldn't be vulnerable. However, that's not the case here. And so I think by using this format to target both sets of victims, the attacker actually has a much wider net than we would normally consider. And because it's in ODT format, a lot of the detection technology, particularly in things like antivirus, may not actually work as effectively as they should. 

Dave Bittner: [00:17:19]  Now, do you have a sense that this is an intentional misdirection, or is it a happy accident for them that's effective within the actual Microsoft environment? 

Craig Williams: [00:17:31]  Oh, I'm pretty sure that this is intentional. 

Dave Bittner: [00:17:34]  OK. 

Craig Williams: [00:17:35]  You know, the things that they're using are things like PowerShell that are very generically used in Word attacks. And so I think what happened was they basically found a particular technique that worked in both and decided to make use of it because it does double your potential pool of victims. 

Dave Bittner: [00:17:54]  So what are we looking at here in terms of recommended protections? 

Craig Williams: [00:17:58]  Well, the gist of it here is, you know, the same type of advice we would give anyone for a malicious document campaign. I mean, number one, don't ever click on an email attachment unless you're confident who sent it and you know that they intentionally attached it. You know, number two, make sure you're running some sort of antivirus product so that if the file is known to be malware, it actually gets convicted and removed from your system before you can open it. I suppose for number three, we could throw out there, make sure you have a firewall on so that in the event you do click on it, perhaps it won't be able to reach out and grab the actual additional payload. 

Dave Bittner: [00:18:33]  I see. Do you have any sense for how successful this is or how widespread it is? 

Craig Williams: [00:18:40]  So this one, we think we found pretty early. We did not see a ton of attachments in our email telemetry. Now, it is possible that there were very isolated, heavily targeted pockets like we've seen in the past - very specific industries, very specific countries. But from a global perspective, it does appear to be very limited, so hopefully we got the word out in time. 

Dave Bittner: [00:19:01]  The blog post is titled "Open Document Format Creates Twist in Maldoc Landscape." Craig Williams, thanks for joining us. 

Craig Williams: [00:19:08]  Thank you. 

Dave Bittner: [00:19:13]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:26]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.