In today's podcast, we hear that the Five Eyes look at WannaCry and officially see Pyongyang. New US National Security Strategy emphasizes economic power and cybersecurity (and names the adversaries). Hex Men are no super heroes. More Bitcoin theft bankrupts an alt-currency exchange. Android Monero miner can basically melt your phone, it's working so hard. Users leave Lexmark printers open to the Internet. AnubisSpy peeks at Arabic-speaking Android users. Joe Carrigan from JHU on holiday IoT devices. Guest is Chris Webber from SafeBreach, reviewing the third edition of their Hacker’s Playbook. And guess the two worst passwords of 2017.
Dave Bittner: [00:00:01:07] Thanks again to all of our supporters on Patreon. The support we receive there helps us provide the daily news that you come to rely on. We hope you'll check it out at Patreon.com/TheCyberWire.
Dave Bittner: [00:00:14:21] The five eyes look at WannaCry and officially see Pyongyang. The new US national security strategy emphasizes economic power and cyber security and names the adversaries. Hexman are no superheroes. More Bitcoin theft bankrupts an old currency exchange. An Android monaro miner can basically melt your phone. Users leave Lexmark printers open to the Internet. AnubiSpy peeks at Arabic speaking Android users and can you guess the two worst passwords of 2017?
Dave Bittner: [00:00:52:07] Now a holiday message from our sponsor Nehemiah Security. Twas the night before the board meeting when all through HQ not a sea level was stirring, even finance was a snooze. Reports were all stacked in the boardroom with care, in hopes that the members would not pull out their hair. The CISO, however, was pacing the ground, mostly because he had no real metrics to sound. The head of IT, in front of long log reviews, had just settled his brain after full back-up number two. When out of the seam, alarms started to fly. They looked at each other and did not know why. Away to the reports they flew like a flash to see which malware showed up as a hash. If only they knew where exploitables lay and could sort them and treat them in an intelligent way. Showing true business impact and real dollars lost, could cyber finally be a justifiable cost? With Nehemiah Security so ready to assist, converting cyber into dollars is impossible to resist. More rapid than eagles, the RQ dashboard came, instantly upping their cyber risk game. Now dollars, now cents, now recommendations, on threats, on exploits, financial justifications. To the top of the budget the CISO's report flew, smart cyber investments, now everyone knew. To hear the rest of the story, visit Nehemiahsecurity.com
Dave Bittner: [00:02:26:07] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner with your Cyber Wire summary for Tuesday, December 19th, 2017.
Dave Bittner: [00:02:36:19] This is perhaps unsurprising news, since it's widely become the consensus, but the US has publicly blamed North Korea for WannaCry. In a Wall Street Journal piece published yesterday, White House homeland security advisor Tom Bossert said, "The attack was widespread and cost billions and North Korea is directly responsible." Bossert noted that the other four five eyes, Australia, Canada, New Zealand and the United Kingdom see the same thing. The White House has since followed up with more official statements today. The dots are being connected through the activities of the Lazarus group. The US isn't alone in blaming North Korea. Indeed, if anything, it's late to the party since the UK and others have made this attribution as early as June. The British foreign office today joined again in fingering Pyongyang for WannaCry.
Dave Bittner: [00:03:29:03] To review the history of WannaCry, its initial outbreak took place between May 12th and 15th of this year. It infested more than 300,000 devices worldwide. Regarded as a worm because of the way it propagated itself, WannaCry scanned for vulnerable Windows machines, accessed them with the Eternal Blue exploit, alleged NSA attack code released by The Shadow Brokers, and then used a double pulsar tool to install itself and execute. The ransomware then encrypted data on the affected computers and demanded a ransom payable in Bitcoin.
Dave Bittner: [00:04:02:20] Less than $150,000 seems to have been paid, which would make an effort like this pretty much a damp squib. The relatively low return on attack has led many experts to the conclusion that WannaCry was really aimed for disruption as opposed to money, although the ease with which the attack was contained by a researcher, Marcus Hutchins, who inadvertently found and tripped a kill switch, could also be the result of simple criminal ineptitude.
Dave Bittner: [00:04:29:08] The Lazarus group has always been interested in making money and remains so today.
Dave Bittner: [00:04:34:06] What does the US hope to gain from the attribution? The strategy here seems to be to shame North Korea and stiffen international consensus against what Washington sees as an increasingly dangerous rogue regime. Homeland security advisor Bossert said today, "It's not about holding a country accountable. It's about simply culpability. We're going to shame them for it. I hope that they decide to stop behaving badly online. I'm not naive."
Dave Bittner: [00:05:01:19] No reaction from Pyongyang that we've seen so far. When one does arrive, it's unlikely to be conciliatory, still less repentant.
Dave Bittner: [00:05:09:23] The attribution comes on the heels of a US statement of strategic policy that identifies North Korea, Ian, China and Russia as adversaries. North Korea and Iran get strong talk. China and Russia are more nuanced but still cold treatment. Chinese and Russian observers are quick to call the document a return to the Cold War. It's worth noting that the US hasn't, for all of its strong words, characterized WannaCry as an act of war. In any case, the new national security strategy disclosed in Washington yesterday emphasizes that the way the US responded to cyber challenges will, "Determine our future prosperity and security." Prosperity and security are indeed linked throughout the document, which features an appreciation of economic power as a key element of national power. There are, the strategy suggest, five things the US will do to manage cyber risk. As summarized in Fifth Domain's account, they are; identify and prioritize risk; build defensible government networks; deter and disrupt malicious cyber actors; improve information sharing and sensing; and deploy layered defenses.
Dave Bittner: [00:06:20:14] It also seems that the document is consistent with other moves within the US department of defense to push cyber authorities down to lower levels of command, delegating decisions to the field that would have formerly been held at the national command authority.
Dave Bittner: [00:06:34:24] Turning to more ordinary hacking threats, Lexmark printers are often poorly secured and this seems entirely the fault of the operators. Researchers at New Sky Security conducted a show down search and found more than 1,000 printers misconfigured to allow free access from public Internet. Access doesn't even require a hack. You can just waltz right in. This is problematic because once in the printer it's possible to pivot to other places in the printer's network. That wouldn't be a waltz, it would be a little more ambitious, maybe a foxtrot, but it wouldn't be that hard either.
Dave Bittner: [00:07:09:16] Chris Webber is a security strategist at Safe Breach. They're a company that specializes in attack simulations and control validations. Every year they put together a report they call the Hacker's Playbook, based on the data they gather throughout the year. Chris Webber takes us through this year's findings.
Chris Webber: [00:07:27:11] I think what we see here is a little bit of the legacy perimeter still getting that lion's share of the attention from enterprises, trying to keep attacks out and focusing not so much on the later stages of the kill chain, with segmentation or stopping exfiltration. We also see kind of a lack of focus on some of the newer sort of attacks. Ransomware specifically seemed pretty successful in our attacks and then generally we see a trend towards lack of optimization across controllers, where basically where folks can get more from what they have and maybe instead they're investing in, we're sort of supposing here that they're investing a lot of different technologies instead of getting the most out of the stuff they already have and then moving on.
Dave Bittner: [00:08:16:23] One of the interesting things I saw in the report was the notion that people aren't watching the exits.
Chris Webber: [00:08:21:15] That's exactly right. We're seeing, you know any successful attack really isn't successful unless somebody gets data out. I guess in the case of ransomware or something where they're trying to break systems or lock them down sure getting in and moving around is enough. But in a lot of the headlines breaches that we've seen over the last few years it's all about stealing data right, whether that's credit card data or customer records. A lot of times we see that there's a lack of outbound scanner. In fact, we see data that shows perhaps up to or more than 50% of the time it's pretty easy to steal data outside or exfiltrate data out of a network via simple things like HDDP, that probably could very easily be scanned or have data blocked with already existing technologies. Whatever is protecting the inbound side could probably be configured to also do some scanning and protection on the outbound. But we're able to use HDDP, just simple gates and posts, over 50% of the time to actually get simulated data out of an organization.
Dave Bittner: [00:09:26:21] Was there any particular findings that were surprising to you?
Chris Webber: [00:09:30:08] I guess what's surprising to me was less any of the specific findings and more what it seems to indicate. For those of us that have been around and doing the security game here for years and years, we're all familiar with the idea of defense and depth. What it looks to me like is that defense and depth has gone away from what I thought it usually meant, you know back in the day, which is having not redundant controls but complimentary controls at different stages, different phases of the kill chain. Maybe you have your network controllers doing some file level scanning with network antivirus or anti-malware, and you also have endpoints controllers doing something similar to make sure that you don't just have a single point of failure if you don't catch that malicious file. What it looks like we're seeing here, judging by some of the data and the success rates is that perhaps, for example in the case of malware, people are leaning heavy on the end point side and when we look at network controllers we can see, you know executables packed inside other kinds of files or encrypted just sneaking their way right through networks controls and making their way all the way down to host level to disc without being stopped, blocked, scanned or anything that will slow down an attack or provide that defense and depth.
Dave Bittner: [00:10:53:06] Based on the information that you've gathered, what sort of advice would you have for folks?
Chris Webber: [00:10:57:06] We often see a story like we wrote up here, which is that the initial deployment, the initial few attacks we run are pretty successful. The ability to get in, to move laterally or to get data out is pretty high. Then with just a little bit of configuration, just a little bit of tuning, optimizing what's already there or getting the configuration cleaned up, usually we see those levels of success go way down. What happens is our attacks get blocked. The tools work as though they're supposed to work, as they should. That can take as little as a day in some cases. The highlight that we did here was three weeks, to move, for example, from 30% successful attacks getting through the outer perimeter, to just nine percentage. Just with three weeks of tuning, not a dollar spent. I think that's the first big recommendation I have is just go back to what we have. We're often so pushed by the industry, by vendors, by ourselves, to just try to get another tool in, to try to fill every gap in our mind, because we're worried and we're trying to protect against these attacks. But often times we already have what we need. Our next gen firewalls, our proxies, our end point controls, our internal segmentations, our traditional firewalls, they can be better tuned and tweaked to actually keep us safe rather than having to invest in the next new thing and have our teams learn that new technology and try to go from the ground up.
Dave Bittner: [00:12:28:05] That's Chris Webber from Safe Breach. You can find the complete Hacker's Playbook on their website.
Dave Bittner: [00:12:35:11] GuardiCore has published the results of its look at an organized Chinese cyber gang. The gang is operating from a "coordinated infrastructure," and they're going after database-service servers. GuardiCore finds three attack variants, which they're calling "the Hex-Men": Hex, Hanako, and Taylor. They're MS SQL Server and MySQL services, and their goals appear to be a mix of cryptocurrency mining, backdooring, and distributed denial-of-service.
Dave Bittner: [00:13:05:06] Another Bitcoin exchange, South Korea's YouBit, has been hit with an attack that emptied its "coin purse" of about 17% of the exchange's total assets. Investors will be able to recover what's left, but YouBit itself is beyond help, the company has filed for bankruptcy. Security experts suggest that if you must invest in Bitcoin, you might wish to consider keeping your coin in a hardware wallet.
Dave Bittner: [00:13:30:13] Kaspersky Lab warns that another miner, this one interested in Monero and targeting Android devices, will physically destroy your phone. It's called Loapi, an apparent descendent from the Podec malware that surfaced in 2015. Its mining is so busily aggressive that it will overheat a phone's components: the battery will bulge, the case will deform, and other bad stuff will happen. Loapi isn't in Google Play, but lurks rather in third-party app stores, where it represents itself as either a mobile antivirus program or an adult-themed app.
Dave Bittner: [00:14:05:03] Trend Micro reports that Arabic-speaking Android users are being targeted by AnubisSpy in a cyberespionage campaign. AnubisSpy has been found both in Google Play and various third-party app stores. Trend Micro points out that what it calls "persistent and furtive spyware" is an underappreciated, under-reported problem in the Android ecosystem. They've been working with Google to help chase Anubis from the walled garden of the Play Store.
Dave Bittner: [00:14:32:14] As we approach the end of the year, people are running through lists of commonly used passwords. You'll never which are number one and number two, according to a study by Splash Data. Wait for it…the second most common password is that perennial favorite, "Password," and the first is 123456. Like a certain brand of hot sauce, people say, "I use that on EVERYTHING."
Dave Bittner: [00:15:08:06] Now some more seasons greetings from our sponsor Cylance. On the second day of hacksmass, my black hat sent to me two-factor auth and a zero-day in SMB. But hey, Cylance and everyone knows that two-factor authentication is, everything equal, a good thing. But it's in there because it scans, doesn't it? I mean scans in the poem, not on your network. Also, there are two factors good for the second day, like those two turtle doves. At any rate, check out Cylance.com Head on over to their blog section and check out their 12 days of Hacksmass. That's Cylance and we thank them for sponsoring The CyberWire.
Dave Bittner: [00:15:49:15] Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back.
Joe Carrigan: [00:15:56:02] Hey Dave.
Dave Bittner: [00:15:56:20] The holidays are quickly approaching here and with that is going to come a flood of new IoT devices hitting the web, we'll probably receive some ourselves. Being gadget guys, people will give us things with best intentions.
Joe Carrigan: [00:16:13:17] And say, "Here, you can use this."
Dave Bittner: [00:16:16:08] And the first thing that device is going to want is your WiFi password.
Joe Carrigan: [00:16:19:21] That's right. Access to your network and it wants to go connect to some external server and go uploading data somewhere and it also may want to create some external port like there might be some kind of camera where you now can go out and view your security camera, for example, from the outside world. So if you're at work, you can check on your dog and your cat, watch what the nanny's doing if you have a nanny. People should be aware that when these things come they're going to come with some default password, that's the first thing I'm going to recommend. If you get a new device that is accessible on the Internet, first of all evaluate do you truly need this device? Do you need that connectivity? If you believe that you do, take the time to secure it and change the default passwords so that people aren't just logging in remotely or putting it in some botnet, like the Mirai botnet.
Dave Bittner: [00:17:15:13] Do that quickly, right away. You can do that in a way before it's connected to because I've seen those reports where people will hose up a camera to the Internet and it takes moments before that thing is owned by outside forces.
Joe Carrigan: [00:17:28:11] That's correct. So if you can disconnect your Internet connection and then connect the new device to the WiFi network and you can still actually connect to it from your computer, it just can't reach the internet and then you can go ahead and change the password. That's possible.
Dave Bittner: [00:17:43:18] What about the idea of basically having a guest network for all your IoT devices, separating it from the computers where you keep important information?
Joe Carrigan: [00:17:51:14] Yeah, I would definitely recommend doing that if you have that technical capability and the hardware to do it. That's always a good thing to do. It's segmentation. It's a basic security practice, good idea. However, that's not going to stop those things from being attacked from outside of your network. They're still going to be attacked, you're just going to have that attacked be isolated it will be less damaging. You still need to take measures to make sure that the devices themselves are protected.
Dave Bittner: [00:18:15:19] Good advice. Joe Carrigan, thanks for joining us.
Dave Bittner: [00:18:22:12] That's the CyberWire. Thanks to all of our sponsors for making The CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, check out Cylance.com
Dave Bittner: [00:18:34:24] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of Data Tribe, where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Nehemiah Security delivers a security risk assurance platform that is transforming how organizations secure technology so they can quantify their cyber risk in dollars and cents. Learn more at: nehemiahsecurity.com.
Cylance is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect the execution of advanced persistent threats and malware. Learn more at cylance.com