What do AI and machine learning mean for cybersecurity?
The week that was.
The UK's Parliament Friday sustained a brute-force attack against email credentials (Telegraph). The attack lasted more than twelve hours; security officers responded by shutting down access to online services and requiring password changes (Newsweek). Officials speaking on background attribute the incident to an unnamed foreign nation. There's widespread shock, shock, at the weak passwords and other substandard measures said to be in evidence at Westminster. The principal fear is that MPs and members of their staffs could have been subjected to blackmail (Sunday Times).
On Wednesday another incident touching the British government was disclosed: Cyber Essentials was breached by unspecified parties, with email addresses of consultancies registered as vetted bidders for "certain sensitive and personal information-handling [government] contracts" compromised (Register).
American credentials were also of interest to Russian services involved in spearphishing attempts during November's US elections (NPR).
Insider threats and leaks.
In its now familiar Friday ritual, WikiLeaks dumped another set of documents from its Vault7. These purport to describe a toolkit, "Brutal Kangaroo," the US CIA allegedly assembled to use against air-gapped systems. Brutal Kangaroo's approach is direct and mundane, but potentially effective: it uses USB drives to get into its targets (Computing).
How CIA-gadfly WikiLeaks got the material in Vault7 remains publicly unknown (the same might be said of the Shadow Brokers, the NSA-gadflies currently in the first round of their leak-of-the-month-club membership drive). Combine these with the recent arrest of Reality Winner for allegedly passing highly classified material to the Intercept, and the US Intelligence Community and its overseers are particularly sensitive to the possibility of insider threats.
So Congress wants answers about leaks and insider threats. The House Armed Services Committee is mulling closer Intelligence Community oversight, particularly with respect to cyber operations (The Hill). NSA itself seems likely to receive an enhanced inspector general's office as the agency responds to a Defense Department investigation into insider threat control (US News).
Results of that US Defense Department Inspector General look at NSA's insider threat program suggest the agency has a lot of work ahead of it (FCW). The IG found that NSA fell short in managing privileged access to data and systems: NSA was often unable to say who had such access. Records were kept in manual spreadsheets, for example, that could no longer be found. As Motherboard sourly put it, either the dog ate their homework, or someone fed said homework to the dog.
Leaks of cyber operational tools are of more than national security significance, as they find their way into criminal hands (SearchSecurity). Dr. Web is tracking the progress of such tools used to infect machines with Bitcoin mining software (Coindesk).
CrashOverride and its consequences.
Experts think the CrashOverride malware used against Ukraine last December represented the culmination of a long and patient campaign prepared by infestations of Havex and BlackEnergy. WIRED puts it directly: Ukraine "became Russia's test lab for cyberwar." Observers think Russia now has a proven cyber weapon ready for use. CrashOverride is disturbing—apparently purpose-built from scratch and used in deliberate, highly targeted campaigns.
Power grid risk is receiving attention at the highest levels of the US Government. President Trump has met with senior advisors—both official and unofficial—to develop a defensive response to threats like CrashOverride. The Federal Energy Regulatory Commission met this week with representatives of the European Union, Canada, and Mexico on risks to the electrical grid. The US Department of Energy intends to release a study of grid hacking this coming week (Washington Examiner).
Europe's power industry is also at work on grid defense. The European Network for Cyber Security (ENCS) and the European Network of Transmission System Operators for Electricity (ENTSO-E) will develop regulations, standards, practices, and protective measures against cyberattack. ENCS will provide the cyber expertise; ENTSO-E will contribute operational knowledge (Power Engineering International).
WannaCry (more clearly North Korean?) troubles the IoT.
WannaCry again had significant effect this week: an infestation of control systems on Monday forced Honda to shut down a production facility in Japan (Infosecurity Magazine). Less serious but also interesting is the case of traffic cameras in the Australian state of Victoria that were infected through a third-party contractor's mistake (The Guardian).
The industrial IoT may be inherently more susceptible to disruption by ransomware than conventional IT enterprises are. Many enterprises proofed IT systems against WannaCry by blocking SMB (TCP port 445) at network boundaries and applying Microsoft's MS17-010 patch, but things are not so simple with industrial control systems. Many standard industrial control systems are built on older versions of Windows, and patching them is harder than patching Windows out-of-the-box. The operating systems may be Windows-based, but they've been extensively modified and adapted by industrial control system vendors, and they also touch and interact in complex ways with a wide variety of process control systems, so an uncertified patch can break the process the system controls or void the vendor's support.
The BBC says the UK's GCHQ has attributed WannaCry to North Korea. GCHQ's National Cyber Security Centre hasn't discussed the evidence that led it to the attribution, but most observers believe such evidence probably lies in overlaps with earlier code. Both BAE Systems and SecureWorks have told the BBC and The Guardian, respectively, that the telltale code is a module called "Brambul" that appeared in earlier Lazarus Group capers.
WannaCry itself may be undergoing adaptation to fresh campaigns, especially since it may have been released prematurely—leaked carelessly, perhaps by mistake. Its developers failed to contain it, crafted WannaCry's Bitcoin wallets poorly, and left an exposed kill-switch (Threatpost).
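The exposed kill-switch mentioned above is also a detection opportunity. WannaCry's worm component checks whether a hard-coded domain resolves before it encrypts, so a host that queried that domain was reached by the worm even if the sinkhole stopped the payload. The following is an added example (not code from the article or from any vendor named in it) that scans resolver logs for such queries; the log format and the log lines are constructed for the example, and the kill-switch domain is the one publicly reported and sinkholed in May 2017.

```python
"""Find hosts that tried to resolve the WannaCry kill-switch domain.

Added illustration, not code from the article. Log format is constructed:
    <timestamp> client <ip> query <qname> <qtype>
"""
import re
from collections import defaultdict

# Publicly reported kill-switch domain sinkholed in May 2017; add further
# reported variants to this set as they are confirmed.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[\d.]+) query (?P<qname>\S+) (?P<qtype>\w+)$"
)

# Constructed sample resolver log (not real traffic).
SAMPLE_LOG = """\
2017-06-19T08:01:02Z client 10.10.4.17 query www.example.com A
2017-06-19T08:01:05Z client 10.10.4.17 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A
2017-06-19T08:01:05Z client 10.10.4.17 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. A
2017-06-19T08:02:11Z client 10.10.9.3 query IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM A
2017-06-19T08:03:40Z client 10.10.9.3 query update.plant-example.internal A
2017-06-19T08:04:00Z client 10.10.2.2 query mail.example.com MX
malformed line that should be skipped
"""


def normalise(qname):
    """Strip the trailing root dot and fold case so variants compare equal."""
    return qname.rstrip(".").lower()


def find_killswitch_queries(log_text):
    """Map each client IP that queried a kill-switch domain to its query timestamps."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # unparseable line; skip rather than abort the sweep
        if normalise(match["qname"]) in KILL_SWITCH_DOMAINS:
            hits[match["ip"]].append(match["ts"])
    return dict(hits)


def first_seen(log_text):
    """Earliest query per host, the value an incident timeline needs."""
    return {ip: min(times) for ip, times in find_killswitch_queries(log_text).items()}


if __name__ == "__main__":
    for ip, ts in sorted(first_seen(SAMPLE_LOG).items()):
        print(f"{ip} first queried kill-switch domain at {ts}")
```

Every host returned should be isolated and patched even though the sinkhole answered: the worm still ran there. The check is one-sided, though. A segment whose hosts cannot resolve external names, or that reaches the internet only through a proxy, produces no such queries, so an empty result is not evidence of a clean network.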
This carelessness strikes some as evidence the North Koreans weren't behind the incident after all. Cybereason argues in an SC Magazine op-ed that the DPRK is better than that, more careful. But mistakes happen, even in the most careful organizations. Recorded Future cautions against concluding that this sort of carelessness is evidence that the threat actors behind WannaCry are just stumblebums. If they indeed are, as most evidence suggests, North Korean government hackers, they've simply got a risk-reward calculus that leads them to a more indiscriminate style of operation. There's also increasing speculation that WannaCry served as misdirection for a cyber espionage campaign (New York Times).
There's disgruntlement in the Indian press over what some regard as the Indian government's downplaying of the extent of WannaCry's effect on that country's enterprises (India Today).
Election influence operations.
Britain's National Cyber Security Centre declares the UK's recent elections to have been free of Russian influence—specifically, that there were no signs of fraud, no outright manipulation of results. Some observers think the Russians just weren't interested. As one expert, Thomas Rid of King's College London noted, if the Russian aim was chaos, "It's already chaotic enough here. There's no need for Russian meddling in the U.K. Basically, it's messed up enough on its own" (US News & World Report).
US Congressional hearings on Russian election meddling conclude that many states were prospected, twenty-one to be exact, but also that vote counts were not manipulated (Fifth Domain). The meddler, as represented in testimony, is by consensus Russia, and its activity, while not unprecedented in motivation or intent, was unprecedented in its use of the Internet. Senator Rubio pointed out during the hearings that voter fraud was unnecessary, at least from the Russian point-of-view. If the Russian objective was to undermine trust in the American electoral system, then mission accomplished (Fifth Domain).
Former Homeland Security Secretary Johnson called for more Federal assistance with election security during his testimony (USA Today). Other calls for reforming voting systems at a national level came from an advocacy group, the National Election Defense Coalition, whose members include many names familiar to the cybersecurity sector. Prominent among their recommendations is the suggestion that paper ballots become the official voting record throughout the US. New York State isn't waiting for Federal movement, but is undertaking its own security overhaul of voting (The Hill).
Johnson also testified that the Democratic National Committee declined to cooperate with Department of Homeland Security investigators. As the Washington Post news analysis headline puts it, "Obama's homeland security secretary just unloaded on the DNC." Johnson testified that the Department of Homeland Security offered its support when the DNC realized it had been compromised, but DHS was rebuffed—the DNC said they'd already spoken with the FBI and that they'd hired CrowdStrike to help them clean up. A DNC spokesperson disputes this account, saying that they cooperated fully with Federal authorities, but that's not the way Johnson remembered it under oath.
Response to state-directed attacks.
The European Union has decided to adopt a united front with respect to answering cyber-attacks with sanctions. The EU thus joins NATO in adopting a collective posture with respect to cyber warfare (Deutsche Welle).
Voter records exposed on an Amazon S3 account.
Post mortems of the Deep Root Analytics voter data exposure see poor configuration of an Amazon S3 bucket as a sufficient explanation of the incident. Researcher Chris Vickery reported finding 198 million US voter records exposed in an unsecured Amazon S3 bucket (CyberScoop). The data, since secured, had been collected by Deep Root Analytics, a political big data consulting firm, under its contract with the US Republican National Committee (Deutsche Welle).
While many enterprises see security advantages in moving to the cloud, there are risks, too, as this and the recent exposure by a contractor of sensitive National Geospatial-Intelligence Agency information (also left in an S3 bucket) indicate (Ars Technica). Failure to secure data properly is a failure on the part of the user, not Amazon: the security controls available to protect the data (bucket policies and ACLs that limit access to named principals) were apparently not activated. Such oversights have been distressingly common in large data breaches. The information exposed could be exploited in spearphishing or blackmail campaigns; it also has value on criminal markets.
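What "controls not activated" looks like in practice is a bucket policy that grants read access to Principal "*", or an ACL grant to the AllUsers or AuthenticatedUsers groups. The following is an added example (not code from the article, from Deep Root, or from Amazon) that audits both documents and shows the weak configuration beside a corrected one. The policy and ACL documents are constructed for the example in the shapes that boto3's get_bucket_policy()["Policy"] (a JSON string) and get_bucket_acl() (a dict) return; the bucket name, role name and account ID are placeholders.

```python
"""Audit S3 bucket policy and ACL documents for public read exposure.

Added illustration, not code from the article or from Amazon. Inputs are
constructed in the shapes boto3 returns so the functions can be pointed at
live output.
"""
import json

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let an anonymous caller enumerate or fetch objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" and for {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_statements(policy_json):
    """Return (Sid, has_condition) for Allow statements readable by everyone.

    A Condition block may narrow a "*" principal (for example to one VPC
    endpoint), so its presence is reported rather than treated as safe.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append((stmt.get("Sid", "<no Sid>"), bool(stmt.get("Condition"))))
    return findings


def acl_public_grants(acl):
    """Return (group, permission) for grants to the public ACL groups."""
    return [
        (grant["Grantee"]["URI"].rsplit("/", 1)[-1], grant["Permission"])
        for grant in acl.get("Grants", [])
        if grant["Grantee"].get("Type") == "Group"
        and grant["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
    ]


def audit(policy_json, acl):
    """Combine both checks; empty lists mean nothing public was found."""
    return {"policy": policy_public_statements(policy_json), "acl": acl_public_grants(acl)}


BUCKET = "voter-data-example"  # placeholder bucket name
RESOURCES = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Constructed weak policy: anyone on the internet may list and fetch objects.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": RESOURCES}]})

# Constructed corrected policy: one named role may read; nobody else.
SAFE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AnalystRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/analyst-example"},
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": RESOURCES}]})

OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-example"}, "Permission": "FULL_CONTROL"}
# Constructed ACLs in the get_bucket_acl() shape.
WEAK_ACL = {"Grants": [OWNER, {"Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
SAFE_ACL = {"Grants": [OWNER]}

if __name__ == "__main__":
    print("weak:", audit(WEAK_POLICY, WEAK_ACL))
    print("safe:", audit(SAFE_POLICY, SAFE_ACL))
```

Run it across every bucket in an account and treat any non-empty finding as an incident until someone can name the business reason for it. AWS has since added account-level Block Public Access settings that refuse such policies and ACLs outright; the audit remains useful for buckets created before that control was switched on.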
Infestations in Google Play.
Google continues to struggle with adware infestations in the Android Play Store. Sophos over the past week identified forty-seven adware-infected apps that together have been downloaded more than six million times. The ads Sophos was studying are particularly irritating because they continue to appear even after users take action that ought to have caused the apps to quit. The popups are triggered from a third-party library, App/MarsDae-A (Naked Security).
It appears a single black hat may be the fons et origo of 2017's dramatic increase in Android malware infestations. Bleeping Computer tracks "Maza-in" (his—hers?—nom du hack) in various underground fora and sees signs that Maza-in both created and shared the code for BankBot and Mazar Bot. These unusually evasive and irritating bits of malicious code have been taken up and used by other criminals. Maza-in appears to be engaged in a bit of dark web boasting, which suggests Maza-in is off his or her OPSEC game (Bleeping Computer).
Trend Micro is tracking a different third-party ad library, Xavier, which is embedded in about 800 apps. Google has booted a few more than seventy of them, but most continue to sit on the Play Store unmolested by the bouncer. Xavier escapes detection and ejection by going quiet when it detects sandboxing or emulation (Economic Times).
So dodgy apps, at best unwanted, at worst malicious, continue to trouble Google's Play Store. Ars Technica calls it "an uphill battle;" Help Net Security calls it "whack-a-mole." There's a lot on offer in the Play Store, and all things being equal maybe a lot is better than a little, but experts advise exercising some discretion.
If you're an Android user, what should you do? First of all, don't download apps from third-party stores. As we've seen, that an app appears in Google's Play Store is no guarantee that it's clean, but still, your odds are better if you stay there. Second, if it's a free app that displays pop-ups, think twice before you download it. And finally, of course, do look closely at the permissions you're asked to give an app. The fewer privileges the better, especially if it's unclear why the app would need what it's asking for.
Other hacks and attacks.
Trend Micro finds Erebus resurfacing in the form of Linux ransomware: a South Korean web hosting firm paid the Erebus threat actors about $1 million to recover data (Help Net Security). Erebus had been known for two things—going after Windows systems and not restoring files upon payment of ransom. The first feature has changed, as Linux systems are now in the crosshairs. The second? Probably not, so back up your files.
Business email scams continue to bite. A New York State judge lost more than a million dollars when an email spoofing her attorney instructed her to transfer $1,057,500 to a certain bank account. She did so, and the controllers of that bank account promptly shifted the money to a different account in a Chinese bank, where of course it's gone for good. It would be easy to regard this as astonishing carelessness, but the scam was carefully crafted and its victim not notably clueless—the criminals knew she was negotiating the purchase of an apartment and baited the hook accordingly (Bleeping Computer).
A similar scam hit Southern Oregon University, where the university lost $1.9 million to persons unknown when it believed it was paying the contractor building a new student center (The Oregonian).
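Both scams above turn on the same tells: a message that imitates a known counterparty and changes where money should go. The following is an added example (not code from the article or from any party in it) of the checks a mail gateway or SOC analyst would apply before a wire is released: the visible From domain versus the Reply-To domain, a display name matching a trusted contact but an address that does not, a look-alike of a trusted domain, and payment-change language in the body. The trusted-contact directory and both sample messages are constructed for the example.

```python
"""Score an inbound message for business email compromise (BEC) tells.

Added illustration, not code from the article. The directory of trusted
counterparties and the sample messages are constructed.
"""
import email
from email.utils import parseaddr

# Constructed: counterparties the finance team is expected to pay.
TRUSTED_CONTACTS = {"jane.counsel@lawfirm-example.com": "Jane Counsel"}
TRUSTED_DOMAINS = {addr.rpartition("@")[2] for addr in TRUSTED_CONTACTS}
TRUSTED_NAMES = {name.lower() for name in TRUSTED_CONTACTS.values()}

# Crude body keywords; the weakest signal here, useful only alongside the others.
PAYMENT_CHANGE_TERMS = ("new account", "updated wiring", "wire", "transfer", "account number")


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _fold(domain):
    # Fold the common "rn" for "m" homoglyph before comparing.
    return domain.lower().replace("rn", "m")


def lookalike(domain):
    """Return the trusted domain this one imitates, or None."""
    if not domain:
        return None
    for trusted in TRUSTED_DOMAINS:
        if domain.lower() != trusted and edit_distance(_fold(domain), _fold(trusted)) <= 2:
            return trusted
    return None


def bec_indicators(raw_message):
    """Return the list of BEC indicators found in an RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""

    indicators = []
    # Replies silently routed to a domain other than the visible sender's.
    if reply_domain and reply_domain != from_domain:
        indicators.append("reply-to-mismatch")
    # Trusted person's name on an address we do not have on file.
    if from_name.lower() in TRUSTED_NAMES and from_addr.lower() not in TRUSTED_CONTACTS:
        indicators.append("display-name-spoof")
    for domain in (from_domain, reply_domain):
        imitated = lookalike(domain)
        if imitated:
            indicators.append(f"lookalike-domain:{imitated}")
            break
    if any(term in body.lower() for term in PAYMENT_CHANGE_TERMS):
        indicators.append("payment-change-language")
    return indicators


# Constructed spoof modelled on the scam described above.
SPOOFED_MESSAGE = """\
From: "Jane Counsel" <jane.counsel@lawfirrn-example.com>
Reply-To: jane.counsel@mail-relay-example.net
To: buyer@example.org
Subject: Closing funds - updated wiring instructions

Please transfer the closing balance of $1,057,500 to the new account below
before 3pm today; the old account is no longer in use.
"""

# Constructed legitimate message from the real counterparty.
CLEAN_MESSAGE = """\
From: "Jane Counsel" <jane.counsel@lawfirm-example.com>
To: buyer@example.org
Subject: Draft contract

The revised draft is attached for your review.
"""

if __name__ == "__main__":
    print("spoofed:", bec_indicators(SPOOFED_MESSAGE))
    print("clean:  ", bec_indicators(CLEAN_MESSAGE))
```

SPF, DKIM and DMARC results belong in front of these checks, but note that a registered look-alike domain passes all three legitimately; that is exactly why the display-name and look-alike tests are needed. No automated score replaces the control that actually stops these losses: confirming any change of payment details by phone, on a number already on file, never one taken from the message.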
Policy, code inspection, counterterrorism, and the cryptowars.
Terror attacks have sharpened the crypto wars in the UK, with Her Majesty's Government calling for severe restrictions on the wide availability of end-to-end encryption (Foreign Affairs). The EU is not following suit. A recent ruling from Brussels puts Europe firmly on the other side of the crypto wars (Naked Security). So Prime Minister May in this respect is increasingly playing a lone hand.
The Queen's Speech, the annual outline of Her Majesty's Government's policies, is unusual this year for the attention it pays to data security. Specifically, it removes most doubt about whether the United Kingdom's exit from the European Union will also entail an exit from the EU's General Data Protection Regulation and GDPR's attendant privacy safeguards: the government intends to carry those protections into domestic law. Whatever else Brexit means, it apparently won't mean a farewell to GDPR (Information Security Buzz).
Reuters reports that US firms are complying with Russian government requirements that they share their source code as a condition of doing business. China has long sought to exact similar arrangements from companies wishing to do business there. There are, as Reuters observes, market reasons for compliance: "From their side, companies say they are under pressure to acquiesce to the demands from Russian regulators or risk being shut out of a lucrative market." The companies also claim they've taken steps to minimize the risks associated with exposing their code, permitting authorities to review source code only in secure facilities that prevent copying or tampering.
Raytheon keeps $1B DHS cyber contract.
With award protests resolved, Raytheon will keep its billion-dollar contract to provide cybersecurity services and solutions to the US Department of Homeland Security (Washington Technology). The company sees the win as helping it not just domestically, but with international market penetration as well (Defense News).
Security industry anti-trust litigation.
Kaspersky Lab's anti-trust complaint against Microsoft before the European Commission alleges that Microsoft is using its dominant market position to unfair advantage, disabling security software other than Windows Defender (Computer Weekly). This week Microsoft said that Windows 10 does block some security products, but that this is due entirely to compatibility issues, not to any effort to favor Windows Defender (Neowin).
This CyberWire look back at the Week that Was discusses events affecting Canada, the European Union, India, the Democratic People's Republic of Korea, the Republic of Korea, Mexico, Russia, Ukraine, the United Kingdom, and the United States.
© 2018 CyberWire, Inc.