Best Practices for Applying Threat Intelligence
The week that was.
Leaks and patches.
Among the ninety-six fixes Redmond distributed Tuesday were some that addressed obsolete software. The exploits loosed by the last round of ShadowBrokers leaks, those pertaining to EternalBlue and enabling WannaCry, prompted Microsoft to take the very unusual step of reaching back to deprecated, beyond-end-of-life systems and issuing patches for them. With this Patch Tuesday, the last of the alleged NSA exploit tools now have publicly available fixes. The security community has regarded this with a degree of ambivalence. To be sure, remediations are welcome, but on the other hand many don't want to enable the bad practice of clinging to aged legacy systems whose security issues are likely to grow with time, however much they're patched (CSO).
Another tranche of WikiLeaks' Vault7 was dumped late Thursday. The documents purport to represent instructions for an alleged CIA implant, "CherryBlossom," said to have been in use against popular home Wi-Fi routers since 2007 (WIRED). Updated and patched versions of the routers or their successors are believed to be secure against CherryBlossom, but unfortunately home Wi-Fi routers, like networked security cameras used in mom-and-pop stores, are notoriously among the last things anyone considers patching.
Hidden Cobra fingered as DPRK threat actor responsible for DDoS campaigns since 2009.
On Tuesday, US-CERT issued a technical alert that identifies Pyongyang as the directing intelligence behind a long-running distributed denial-of-service campaign that's interfered with networks in the media, aerospace, infrastructure, and financial sectors (TA17-164A: HIDDEN COBRA–North Korea's DDoS Botnet Infrastructure). The campaigns have been running since 2009, and while most of the targets have been American, Hidden Cobra has not been too picky about whom it goes after. Infestations have been reported worldwide. The threat actor is believed to have connections with the Lazarus Group. It's said to use DeltaCharlie malware to herd its botnets. The FBI and the Department of Homeland Security issued the warning jointly.
Was the Ukrenergo hack a dry run?
On Monday researchers at security firms Dragos and ESET released their analyses of the malware that contributed to grid outages in Ukraine last December. They're calling it, respectively, "CrashOverride" and "Industroyer," and they doubt it was designed as a one-off attack tool. CrashOverride is interesting, according to Dragos, in that it appears to have been built from scratch, and so has none of the fingerprints usually found in reused code (Daily Beast). The malware's modular design and efficacy against physical systems are reminiscent of Stuxnet (WIRED). Dragos calls this "the first ever malware framework designed and deployed to attack electric grids," and reckons it as the fourth piece of what they characterize as "ICS-tailored malware." The predecessors will be familiar: Stuxnet, which was deployed against Iranian uranium-refinement centrifuges sometime between 2005 and its discovery in 2010; BlackEnergy 2, which was used in spearphishing connected with the disruption of power in Eastern Ukraine on December 23rd, 2015; and Havex, a remote-access Trojan discovered in 2014 during investigation of industrial espionage campaigns in Europe.
US-CERT picked up the report quickly and announced mitigation work it was undertaking with the electrical power sector (US-CERT).
Nozomi considers CrashOverride particularly menacing in that, unlike Stuxnet, to which it has been widely compared, CrashOverride isn't designed to attack a specific target. Nozomi's co-founder, Andrea Carcano, said in an email that "this malware is broad-based and could affect power grids in many countries." Nor is CrashOverride designed to confine its attacks to any one specific sector. It's clear from the Dragos report that the malware can be used with a reasonable prospect of success against most varieties of industrial control systems. Utilities everywhere would do well to look to their cyber resiliency programs.
And from a conversation we had Friday with John Brick, of the Downstream Natural Gas Information Sharing and Analysis Center (DNG-ISAC), and his colleagues from the American Gas Association, Jim Linn and Jake Rubin, we would judge that utilities are indeed looking to their security. Dragos quietly notified the ISACs a week ago Friday, on June 9th, and the members' response appears to have been quick, both in terms of raising their alert levels and applying mitigations in advance of attack. Brick, Linn, and Rubin said they've observed no compromises of their members' systems.
To a question about whether they expect more attacks like those that crippled portions of the Ukrainian power grid in 2015 and 2016, they answered that of course they did. They see "synergies" among various actors with a range of criminal, espionage, and political motivations. "We're seeing all sorts of attacks, worldwide. We see protestors very adamant about pipeline issues, for example." They pointed to the record: from 2008 on, Havex and BlackEnergy had been observed quietly establishing persistence in, and mapping, critical infrastructure networks. Why they were doing so was unclear, but we've now seen them plugged into CrashOverride, which clarifies the matter. We can expect this pattern of patient reconnaissance and preparation followed by attack to repeat itself in the future.
All told, it would appear that the ISACs in this case have functioned pretty much as advertised. They have developed and exercised familiar paths for sharing information, and the personal relationships that have grown up among the members seem to be of considerable value. There are twenty-four ISACs; the first ones began operating in 2003. The National Council of ISACs serves as a central clearinghouse for information about these member-driven organizations and their role in critical infrastructure protection.
Other critical infrastructure: election systems.
Hearings into Russian influence operations in the US continued on Capitol Hill this week, with much attention devoted to the reasons for former FBI Director Comey's dismissal. These hearings, coinciding as they do with the publication of an NSA report on election hacking allegedly leaked by Reality Winner, have prompted the Senate to vote sanctions against Russia by a nearly unanimous 98 to 2 margin (Reuters).
The Russian response has been relatively muted, although President Putin did offer asylum to James Comey in the course of the Russian president's annual call-in TV show. "What's the difference between the FBI director and Mr. Snowden?" President Putin asked, then added, with surprising tenderness for dissenters, "It makes him not a security service director, but a civil activist advocating a certain belief" (NPR). You can review his remarks on the Kremlin's Direct Line. It seems unlikely Mr. Comey will take the offer up.
Hacking, disinformation, and fake news.
The diplomatic problems raised by what the FBI at least thinks is Russian hacking in Qatar continue to work their way toward resolution. The disinformation campaign achieved by hacking the Qatar News Agency has effectively split Qatar from regional Arab allies. Morocco and Kuwait are attempting to mediate the dispute. The fake news in this case consisted of bogus stories attesting to Qatar's approval of the Shi'ite Islamic Republic in Iran (Al-Jazeera).
Russian probes of US electoral processes seem to have been more extensive than feared. Cozy and Fancy Bear between them may have prospected systems in as many as thirty-nine states, and they're expected to be back. The probes seemed to involve reconnaissance, but also attempts at voter registration data manipulation (Bloomberg).
Trend Micro warned that fake-news-as-a-service is now available in online black markets. It's pricey, but payoff could be high—one service available for $400,000 offers effective manipulation of election results. That seems a large claim, but how effective such services may be is so far anyone's guess (eWEEK).
Canada's Communications Security Establishment (CSE) warned Friday that the country should expect attempts to influence its 2019 elections. Unlike similar warnings in Europe and the US, however, CSE's report explicitly downgrades the threat from hostile nation-states: the problem the security agency sees is hacktivism (New York Times).
In a discussion at CyberTech Fairfax this Tuesday, former US Secretary of Homeland Security Michael Chertoff suggested a way of framing an approach to "fake news." He took the strong First Amendment position that the answer to speech you disapprove of is more speech. He did suggest, however, that impersonation wasn't, in the US Constitutional context, at least, protected speech, and he pointed out that "botnets don't enjoy First Amendment protection." He suggested that researchers might with profit pursue better forms of identity management, and quicker ways of discerning robots from natural persons (the CyberWire).
The uses of threat intelligence: tactical, operational, strategic.
Russian and North Korean state actors are being fingered in the CrashOverride and Hidden Cobra campaigns. Why might this matter?
In the immediate sense, it doesn't matter much at all. As the people we spoke to from the AGA and DNG-ISAC put it, what they find immediately valuable are indicators and mitigations. Attribution and accounts of motivation can wait. They also pointed out that "clearing attribution" through government greatly slows down public-private intelligence sharing. But in the longer term, knowing who the threat actors are, what they're likely to be after, and how they interact with your environment can be quite helpful indeed.
Dragos thinks the Electrum threat group, itself directly tied to the Sandworm group, is responsible for CrashOverride. Dragos doesn't say so directly, but the Sandworm crew has generally been regarded by others as working for Russian intelligence services. And so the Ukrenergo attacks now look more like dry runs than they had before, which ought to put us on guard against the repetition of the Havex-BlackEnergy-CrashOverride pattern.
Or consider North Korea, which people are at least "moderately confident" is behind Hidden Cobra and the Lazarus Group. Its activities have been widely characterized as sloppy and indiscriminate, a dog's breakfast of espionage and common crime. A long piece in WIRED, citing conversations with FireEye analysts and others, suggests that from Pyongyang's point of view, there's more rationality here than might appear under Western eyes. North Korea is an international pariah, and it understands this very well. The DPRK is subject to heavy sanctions that bite deeply into its economy. It has powerful enemies and few friends: even its nominal friends really don't care for it very much. So North Korea will grasp at whatever asymmetrical advantage it can. It will also look for ways to grab much-needed money, and if bank robbery will do it, then bank robbery it is, as the Bangladesh Bank and the New York Federal Reserve learned first-hand. As for the indiscriminate opportunism of its attacks in cyberspace: with little to lose, why not see what you might gain? (WIRED) Or, as Recorded Future put it, "North Korean cyber actors are not crazy or irrational: they just have a wider operational scope than most other intelligence services."
So for the mid-term, it's worth thinking through how a threat actor is likely to attack. In the long term, from a strategic perspective, attribution of attacks to threat actors might shape diplomatic (the CyberWire), deterrent (Center for Strategic and International Studies), and retaliatory (Mintpress News) policy.
Tracking extremism online.
In Europe, authorities continue to work to round up known wolves—one of them, a Syrian expatriate arrested in Germany, is said to be a principal point of contact between terrorists and the ISIS news service Amaq (New York Times). Questions of recognizing and countering extremism gained new salience in the US following Wednesday's attempted mass assassination of Republican members of Congress and their staffers who were practicing for a charity baseball game in Alexandria, Virginia. The shooter, who was killed during an exchange of gunfire, seems to have left an online record of radicalization (Washington Post). Yet few would characterize him as a known wolf: one sees much the same kind of violent expression in comments and social media all the time, and, indeed, in partisan media, even in the wake of sad violence like this shooting.
Facebook continues to look for ways to control radicalization online, mostly by recognizing and purging it. The social media giant doesn't want terrorists anywhere in its networks, it says, and it's using artificial intelligence to recognize and flag them, including their reappearance under freshly assumed identities (Ars Technica). Facebook realizes that AI alone isn't equal to the job, and so it makes extensive use of human watchstanders to monitor content crossing its platform. This job is by no means either easy or risk-free. It was reported at week's end that the "moderators" Facebook employed to ride herd on content had their own identities and personal information exposed to the very people they were policing. More than a thousand Facebook workers were outed because their personal Facebook accounts appeared as notifications in the logs of the groups they were charged with monitoring. Until late last year, at least, Facebook appears to have required its monitors to use their personal accounts. Some forty monitors apparently faced a significant threat of retaliation from the groups they were watching (Motherboard).
A strain of ransomware has infected the Android game King of Glory, popular in China. It mimics the warning screen used by WannaCry, but it has none of WannaCry's functionality (Naked Security).
Researchers at AlienVault and Fortinet have obtained and analyzed live samples of MacSpy and MacRansom, two varieties of malware-as-a-service that have been on offer in dark web souks at least since the last weeks of May. As the names suggest, they target Mac systems with, respectively, spyware and ransomware. As Mac market share rises, so does Mac malware's black market share (Bleeping Computer).
Companies struggle to prepare for GDPR (with less than a year to get it right).
The European Union's General Data Protection Regulation (GDPR) will take effect on May 25, 2018, and enterprises worldwide will be affected. The GDPR has teeth in the form of fines—some €20 million worth of teeth—so the regulations are being taken seriously (Infosecurity Magazine). Privacy and security experts are offering advice on prepping for compliance (Infosecurity Magazine), but few expect it to be an easy transition. For one thing, it's not entirely clear what will count as "personal data." Some think the regime's definition sufficiently broad to include, well, almost anything (Computing). But we've all got almost a year to lawyer up and narrow it down.
This CyberWire look back at the Week that Was discusses events affecting Bahrain, Canada, China, the European Union, Germany, Iran, the Democratic People's Republic of Korea, Kuwait, Morocco, Qatar, Russia, Saudi Arabia, and the United States.
© 2018 CyberWire, Inc.