New research into industrial threats and vulnerabilities.
Dragos released three unique research reports this week detailing industrial threats, vulnerabilities, and lessons learned in hunting and incident response. These “2017 year in review reports” contain key findings such as five threat groups targeting industrial networks and the fact that 64% of ICS vulnerability advisories released last year did not actually address the risk of the vulnerability. Download the reports here free.
The Week that Was.
March 4, 2018.
By The CyberWire Staff
Fancy Bear goes to Berlin.
German authorities said this week that they're investigating a cyber espionage campaign against Federal networks (Infosecurity Magazine). The attack was detected in December, but the threat actors are believed to have been present in the networks for about a year before they were discovered. The campaign is generally if unofficially regarded as the work of Fancy Bear, Russia's GRU military intelligence service (New York Times).
Deutsche Welle describes the Informationsverbund Berlin-Bonn network, the IVBB, which was the hackers' target, as a dedicated secure platform used only by "the Chancellery, the German parliament, federal ministries, the Federal Audit Office and several security institutions in Berlin and Bonn, the former German capital where some ministries still have offices."
The German Government, which continues to work on remediation of what's being called an "ongoing" attack on a government dedicated secure network, officially declines to attribute the attack. Economy Minister Zypries yesterday said that, while there were no indications Russia was behind the hack, it would be "problematic" if this would turn out to have been the case (Reuters). Few others are so reticent. The industry consensus is that the attack is the work of Fancy Bear, Russia's GRU. Some members of the Bundestag who've been briefed on the incident are calling it "a form of warfare" (Telegraph). (Spiegel likes Turla for the job, but that's inside baseball: it's still Russia.)
Fancy Bear (a.k.a. Sofacy) is thought to have been busy elsewhere, too. Palo Alto Networks reports that it's observing a campaign mounted against diplomatic targets in Europe and North America (SecurityWeek).
How seamlessly is your data ingested across vendors?
To successfully fend off increasingly sophisticated cyber attacks, organizations need security tools that work effectively and efficiently across vendors. Join LookingGlass’ webinar with IBM and Cisco overviewing how STIX/TAXII2 standards-based technologies support solving those challenges in a new and effective manner. Sign up now!
The breach that never was.
UpGuard reported finding another exposed AWS S3 bucket, but has pulled down its account of the discovery (HackRead). This account belonged to Birst, a cloud business intelligence and analytics firm, and UpGuard had reported that the data exposed belonged to Capital One, the eighth largest US commercial bank, and raised concerns that any data so exposed could have been used by attackers to develop a "roadmap" of targets' infrastructure (Gizmodo).
But by week's end this appeared no longer to be the case. Birst and its corporate parent, Infor, have said that no data were exposed. An Infor representative told ITWire: "A Birst employee placed a copy of certain non-production components of the Birst software in a publicly-available S3 bucket to provide a prospective customer in the financial services industry non-production, read-only access to the software (a proof-of-concept). These components were not populated with data; no data from the financial institution was ever present in the test environment at any time, although the filename contained the name of the financial institution." Thus it appears that no data were exposed. Capital One contacted the CyberWire to point out that the report of a breach was inaccurate. The bank has also said that as a matter of policy it never leaves default passwords unchanged, which is, of course, sound policy.
Obtain full visibility into your security team with Cybrary.
It’s easy to track, measure, improve and grow your security team with Cybrary’s business platform. Not only will your team have access to an expansive catalog of IT and Cyber Security learning resources, you can operate more efficiently with full visibility, without compromising company standards. Start your team's free training pilot today!
Cloudflare and Arbor Networks warned Tuesday that the Memcache open source memory caching protocol can be abused to amplify distributed denial-of-service attacks. The vulnerability—Cloudflare called it "Memcrashed"—affects Memcached servers where UDP (that is, the User Datagram Protocol) is enabled.
US-CERT is taking the threat seriously. It's updated the UDP-based Amplification Attacks advisory to include Memcache as a potential attack vector. US-CERT explains how UDP amplification works as follows: "By design, UDP is a connection-less protocol that does not validate source Internet Protocol (IP) addresses. Unless the application-layer protocol uses countermeasures such as session initiation in Voice over Internet Protocol, an attacker can easily forge the IP packet datagram (a basic transfer unit associated with a packet-switched network) to include an arbitrary source IP address. When many UDP packets have their source IP address forged to the victim IP address, the destination server (or amplifier) responds to the victim (instead of the attacker), creating a reflected denial-of-service (DoS) attack."
According to US-CERT, a useful way of measuring the effect of an amplification attack is by BAF, or Bandwidth Amplification Factor. Other than a memcache attack, they say, a Network Time Protocol, that is, an NTP, attack, is the most severe in its effect, returning 556.9 payload bytes to answer a request for every byte in that request. Other kinds of attacks have a BAF of between 2 and 358.8. But a memcache attack puts them all far, far to shame, clocking in with a BAF of between ten thousand and fifty-eight thousand.
Arbor Networks thinks the exploit will soon be available in commodity booter services. That is, Arbor says, the typical pattern. New exploits are hand-managed by skilled threat actors, then relatively swiftly turned into commodities that spread through the criminal-to-criminal black market souks. Cloudflare urges everyone to disenable UDP if they can possibly do so. Note that memcache, by design, has no access controls, and so shouldn't be exposed to the Internet. The SANS Institute's Internet Storm Center also suggests blocking traffic from port 11211 (SecurityWeek).
On Wednesday Github sustained possibly the largest known DDoS attack (WIRED). They were able to recover quickly, largely through the services of Akamai, whom they retain against this sort of eventuality. The attack clocked in at an impressive 1.35 terabits per second, which most observers seem to consider a record (TNW).
The effectiveness of the Memcrash amplification technique has already rendered it attractive to criminals. Extortionists are sending blackmail demands for Monero payments and threatening DDoS if their demands aren't met (Bleeping Computer).
A study produced at Harvard suggests that other, large-scale Mirai-like distributed denial-of-service attacks can be expected (CSO). Researchers concluded that there's a lack of redundancy in DNS management, that services providing DNS resolution have become increasingly concentrated. This "decreasing entropy," they say, renders successful massive DDoS attacks more likely (Harvard University Faculty and Research Working Paper).
Looking for an introduction to AI for security professionals?
Your wait is over. A new book is out from the Cylance data science team, covering artificial intelligence and machine learning techniques in practical situations to improve the security professional’s ability to thrive in a data driven world. Whether you are reviewing logs or analyzing malware, being able to derive meaningful results and improve productivity is key. Order your free copy today.
Duo Security has found a new class of vulnerability affecting single-sign-on systems that use the SAML (that's the Security Assertion Markup Language). Exploitation could enable users with authenticated access to induce the system to authenticate them as different users without needing to know the victims' passwords. This would afford attackers a ready way of pivoting from one compromised user to other accounts on a network. Remediation is possible but complicated because there are so many different single-sign-on solutions in use, not all of which are equally vulnerable. Duo observes that what you should do about the SAML vulnerability—and you should certainly do something, would depend upon your relationship with your vendor, and then sensibly recommends contacting said vendors for the right patch or mitigation. Disclosure was coordinated with vendors, and patches are available (Duo Security). US-CERT also has an account of the issue.
Industrial control system threats.
Or, Mr. Lee goes to Washington, where the Dragos founder and CEO testified on industrial control system (ICS) threats before Congress (US Senate). Dragos researchers have identified five particularly interesting industrial threat actors: "Chrysene," which specializes in espionage and IT penetration of the oil, gas, and power generation sectors in North America, Western Europe, Israel, and Iraq; "Covellite," which has phished at least one US electrical utility and prospected others in North America, Europe, and East Asia; "Dymalloy," responsible for compromising ICS targets in Turkey, Europe, and North America; "Electrum," famous as the group responsible for the 2016 Ukrainian power outages accomplished through CrashOverride malware; and finally "Magnalliumm" which has focused on Saudi Arabia's petrochemical and aerospace targets. Magnalliumm hasn't shown itself to be particularly dangerous from an ICS perspective, but the group bears watching. Definitely worth watching is Electrum, which Dragos believes initially served as a development group that supported the operations of the Sandworm APT. CrashOverride represented Electrum's coming out party as an operational group. Dragos thinks this threat actor has remained active, but that it's broadened its range of interests and may no longer be exclusively focused on Ukraine (Help Net Security).
Notes from the underground (some now available in an online auction).
A Russian "information exchange," Joker.Buzz, offered internal documents leaked, stolen or otherwise obtained from the Internet Research Agency, the St. Petersburg troll farm that figured so prominently in the indictment prepared as the result of Special Counsel Mueller's investigation into Russian influence operations during US elections. (The Special Counsel is now said to be close to filing charges against Russian hackers who doxed the Clinton campaign and the Democratic National Committee (New York Daily News).) The files Joker.Buzz offered, which apparently didn't sell well (or at all) are interesting in their identification of US targets for prospecting or spoofing. Various activists drew considerable close attention from the trolls (Daily Beast).
An opinion piece in ITWire argues that the Shadow Brokers are the reason Kaspersky Lab is in bad odor with the US Intelligence Community. The author sees Kaspersky as an ideal "bête noire" for the US IC (with NSA in particular "caught with its pants around its ankles"), basically a fall guy for embarrassment over the Brokers' leaks. He also thinks there's a strong likelihood the Shadow Brokers represent an insider threat, and aren't the Russians at all. In partial support of this he offers their linguistic performance, broken English broken in a way only a proficient English speaker could manage. With this we heartily agree: ShadowBrokerese is hilariously contrived hokum, better than Heckawi. But we also note that plenty of non-native speakers of a language achieve virtuoso proficiency a native could only envy. We offer two examples: Joseph Conrad (né Józef Teodor Konrad Korzeniowski) and Vladimir Nabokov. Discuss: Russian organs, disaffected Americans, or some mixture of both? Or someone else altogether?
If you want to forget, join the Foreign Legion. If you want to be forgotten, call Google.
But recognize, Beau Geste, that Google may or may not forget, depending on the circumstances. This is, of course, a matter of compliance with European Union right-to-be-forgotten regulations. The percentage of urls accepted for forgetting has since 2014 fluctuated within a notably stable range, between 42% and 44%. A small fraction of requestors (0.25%) made a lot of the workload (almost 15%). Google says those requestors were for the most part law firms, reputation management outfits, and Internet celebrities with a big online presence. Ordinary EU citizens without legal or publicist representation appear to be relatively underrepresented (Naked Security).
Patches and updates.
As Cellebrite (again) claims it's able to unlock iPhones, Apple urges customers to upgrade to iOS 11.2.6 (Threatpost). Some observers think Cellebrite's approach seems to involve brute-forcing passcodes (Ars Technica).
Hewlett Packard Enterprise has patched a vulnerability in the Lights-Out 3 remote management hardware that's integrated into its ProLiant servers. The high-severity flaw, CVE-2017-8987, could be exploited to mount an unauthenticated remote denial of service attack (Threatpost).
Intel has issued another round of Spectre fixes, these for its Broadwell and Haswell chips (Threatpost). Microsoft has also issued a new Spectre patch, this one for Windows 10 running on Skylake CPUs (Help Net Security).
Philips is working on patches for vulnerabilities in its medical imaging systems (SecurityWeek).
PhishMe has sold itself to a private equity consortium (said by Forbes to be led by BlackRock and Pamplona Capital Management) in an acquisition PhishMe said values the company at $400 million. The company will also rebranding itself as "Cofense," which its leadership says more accurately reflects the expanded range of its offerings and reduce the impression that the company's a "one-trick pony" (Washington Business Journal). Proofpoint's acquisition of Wombat Security closed this week (Globe Newswire).
Splunk announced its purchase of Phantom Cyber for $350 million in cash and stock(TechCrunch). Phantom specializes in security automation; Spunk is expected to adapt Phantom's capabilities in this field to uses outside security (CSO). In 2016 Phantom was named a winner in both the SINET 16 (the CyberWire) and RSA's Innovation Sandbox (the CyberWire) competitions. By Light Professional IT Services has acquired NSA contractor Axom Technologies. Terms of the acquisition were not disclosed (Washington Technology).
SK Telecom has acquired a controlling interest in Geneva-based quantum cryptography specialists IDQuantique (Le Temps). Amazon is said to have acquired Ring, the home security company that provides Internet-connected cameras and doorbells. It's seen as both a security market play and an enabler for Amazon's home-delivery business (Yahoo!). Kratos announced an agreement to sell its public safety and security divisions to Securitas for some $70 million as Kratos repositions itself as a pure-play Defense company (Globe Newswire).
Wipro has taken a minority stake in the Denim Group. The agreement comes with extensive plans for partnership, with Wipro contributing expertise in digital transformation and cybersecurity, Denim Group bringing application security consulting, assessments, and implementation services (BusinessWire).
Industrial IoT security shop CyberX has raised $18 million in a Series B round. Norwest Venture Partners led the funding (BusinessWire). CounterFlow AI, whose solutions deploy machine learning at the edge, has closed a $2.7 million seed funding round. Many of the investors had also backed the founders' earlier startup, nPulse Technologies, which FireEye acquired in 2014 (California Newswire). Coalition Inc., which describes itself as offering "the first technology-enabled cyber insurance solution," raised #10 million in Series A funding (PRNewswire). Crowdsourcing security shop Bugcrowd closed a $26 million Series C round this week (Globe Newswire). Mist has raised a Series C round of $46 million to further its work on an artificially intelligence wireless LAN. This is clearly mostly an IT play, but with potential security implications as well (Enterprise Networking Planet).
Colorado-based Webroot, known for delivering endpoint protection, network protection, and security awareness training for managed service providers and others, reported four consecutive years of double-digit year-over-year annual recurring revenue growth this week (PR Newswire).
Huawei continues to describe concerns expressed by the US Government that its products represent a security risk as "groundless" and "unfair" (South China Morning Post). Apple takes steps to ensure it won't get the Huawei treatment from China's government, and CEO Tim Cook will co-chair the eighteenth China Development Forum later this month (VentureBeat). Broadcom's hostile takeover bid for Qualcomm, still being resisted by the target company, may run afoul of US security concerns. The Department of Defense supports a CIFUS (Committee on Foreign Investment in the U.S.) review of the proposed acquisition. Broadcom is incorporated in Singapore; the Defense Department is concerned about its possible ties to China (Bloomberg).
The information security labor market continues to favor the hirees, who as a group seem to have small disposition to stick with one employer for the long-haul: more than 80% of workers are "open to offers," and almost half of them are approached by recruiters weekly (Dark Reading). The cybersecurity market is hot because the online world itself is hot (Acumin). One section of that labor market that's getting a lot tighter is the Data Protection Officalent pool. Demand is driven by GDPR preparation (Wall Street Journal).
Large North American tech-focused venture capital firms are increasing their presence and investment in Latin America (TechCrunch).
eSecurity Planet offers a list of the top twenty security startups to watch in 2018.
Today's issue includes events affecting Australia, China, European Union, Germany, Russia, Saudi Arabia, Singapore, Switzerland, Turkey, Ukraine, United Kingdom, United States.
A note to our readers: We'll be in Mountain View, California, next week, covering SINET's ITSEF conference. Sessions will be held on March 7th and 8th. Watch for summaries, articles, and live tweets beginning Wednesday.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.