In today's podcast, we hear that a new Mirai variant, Okiru, is forming botnets of ARC-based IoT devices. Meltdown and Spectre remediation continues. CIA is said to have confirmed that NotPetya was a GRU operation. Suspicions rise that the Shadow Brokers used security tools to scan for classified documents. US and Canadian officials raise alarms about election influence operations. Wichita swatter charged with involuntary manslaughter. Malicious Chrome extensions spotted. Robert M. Lee from Dragos on the security of petroleum ICS. Guest is Lance Cottrell from Ntrepid on the importance of net neutrality for security. And USB drives contain the darndest things.
Dave Bittner: [00:00:00:14] Thanks again to all of our Patreon supporters, you can find out how you can become a supporter at patreon.com/thecyberwire.
Dave Bittner: [00:00:10:23] A new Mirai variant, Okiru, is forming botnets of ARC-based IoT devices. Meltdown and Spectre remediation continues. CIA is said to have confirmed that NotPetya was a GRU operation. Suspicions rise that the Shadow Brokers used security tools to scan for classified documents. US and Canadian officials raise alarms about election influence operations. The Wichita swatter has been charged with involuntary manslaughter. Malicious Chrome extensions have been spotted, and USB drives contain the darnedest things.
Dave Bittner: [00:00:48:24] Now I'd like to share an opportunity from our sponsor, CYBRIC. On February 8th, cyber security thought leader, Dr. Chenxi Wang, joins continuous application security platform provider, CYBRIC, to discuss DevSecOps from cradle to scale, real world lessons and success cases. Many businesses are moving to DevOps and agile development methodologies, but most security tools and processes aren't designed for this new world, and that hinders innovation. In this webinar, Dr. Chenxi Wang, founder of the Jane Bond Project cyber security consultancy and vice chair of OWASP's board of directors, joins CYBRIC's CTO, Mike D. Kail, to discuss integrating security into your DevOps process at scale using real world examples. Mike and Chenxi will also cover getting started with DevSecOps, what metrics to use and what security at scale can mean for you. Join them February 8th at 1:00 pm US Eastern Time for this insightful and information packed webinar.
Dave Bittner: [00:01:50:11] To register, or to learn more, go to thecyberwire.com/cybric. That's thecyberwire.com/CYBRIC. And we thank CYBRIC for sponsoring our show.
Dave Bittner: [00:02:12:14] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Tuesday, January 16th, 2018.
Dave Bittner: [00:02:22:21] A Mirai variant, Mirai Okiru, is active in the wild. The DDoS botnet is said to be capable of targeting widely used ARC-based Internet-of-things devices. Its signatures diverge significantly from earlier Mirai strains, which will impede detection and blocking. ARC CPUs are found in a very wide variety of products, prominently including automotive, mobile, televisions, cameras and so on.
Dave Bittner: [00:02:47:17] Researchers at the Malware Must Die Team are credited with spotting Okiru. Reports say that about a billion IoT devices ship with ARC CPUs annually, so the potential for very large botnets capable of strong distributed denial-of-service attacks is very high. Note that many of the affected devices, as is so often the case with the Internet-of-things, will be difficult, if not effectively impossible to patch.
Dave Bittner: [00:03:13:14] The response to Meltdown and Spectre proceeds, with performance penalties that, while smaller than initially feared, remain real concerns. Enterprises receive divided counsel on whether to apply patches or adopt other approaches to defense. Mobile devices seem particularly affected.
Dave Bittner: [00:03:32:07] US sources, seconded by retired American and British officials, are saying that the Central Intelligence Agency has concluded that Ukraine was right: NotPetya attacks on the former Soviet Republic indeed were the work of Russian military intelligence service GRU, specifically GTsST, the GRU's Main Center for Special Technology. You'll recognize the GRU under one of its several familiar nicknames, call them Fancy Bear and let it go at that.
Dave Bittner: [00:04:01:19] The method is being described as a watering hole attack. The extortion requests were so much misdirection to make it appear that the campaign was criminal and not a state-directed move in hybrid warfare. It was a destructive attack: files were being eliminated, not held for ransom. The CIA has declined to make any official public comment.
Dave Bittner: [00:04:22:16] The US Senate believes it's seeing signs of Russian influence operations directed against mid-term Congressional elections. There are reports of phishing expeditions against political targets, which is believed to be the method used to compromise the Democratic National Committee during the last election cycle.
Dave Bittner: [00:04:39:24] Canadian authorities are also bracing for an expected wave of election influence operations, which they too see as emanating largely from Russia. Russia continues to deny any meddling in the elections; essentially everyone else thinks they're trying to finagle.
Dave Bittner: [00:04:55:13] There may also be an approaching consensus that two mysteries are converging: what, if anything, did hackers use Kaspersky security software to accomplish, and where did the Shadow Brokers get the material they've leaked? Sources close to the US Intelligence Community are saying it looks as if the Shadow Brokers obtained the material they leaked via scans conducted by Kaspersky security tools. Kaspersky Lab has consistently denied allegations of involvement in espionage or improper collusion with Russian intelligence services.
Dave Bittner: [00:05:26:08] The identity of the Shadow Brokers has long been controversial and obscure, with the three most commonly entertained theories being that they're a Russian intelligence organ, that they're a small crew of disgruntled US Intelligence Community insiders, or that they're a very high-end and unusually capable set of anonymous-style hacktivists. Right now signs are pointing strongly toward door number one, one of the Bear sisters.
Dave Bittner: [00:05:51:03] The debate over net neutrality continues, with many unhappy that the FCC recently rolled back Obama era rules for Internet Service Providers. Lance Cottrell is Chief Scientist at Ntrepid Corporation, and he weighs in on the debate.
Lance Cottrell: [00:06:05:10] So at this point we've gone back from the net neutrality laws, which placed ISPs as being common carriers, and therefore required to follow net neutrality principles. The FCC has rolled back those rules, but they've not yet taken effect. But when they do, the ISPs will then be treated as content creators, they won't have those same requirements to treat all of the traffic the same. And then that will probably have a whole range of consequences, mostly not immediately, there'll certainly be a time delay as the ISPs decide what they want to do and start changing their policies.
Dave Bittner: [00:06:46:23] And is there any sense for how that might roll out? What we might see? Are we expecting them to nibble around the edges to see how people react to changes?
Lance Cottrell: [00:06:56:03] I think that's exactly what we're going to see. It would be a tactical mistake to make radical changes quickly, I think the odds of a major backlash would be significant. So we're going to see more of a slow progression of these behaviors, probably starting with things like privileging the price of certain services, so ISP's preferred video streaming service will become free with your subscription, or certain other traffic will be accelerated.
Dave Bittner: [00:08:12:11] And in terms of any implications from the security point of view, what do you see coming there?
Lance Cottrell: [00:08:18:02] I think the biggest problem from a security point of view is exactly that interception and modification of content by the ISPs, the more they feel empowered to engage in that sort of activity, the more risk that imposes for end users, so that every time you're going in and changing things, it obviously has the possibility of breaking the web page, but it's also a fantastic lever point for a hacker. And if that interception and modification system was ever to be subverted, that would be a gigantic opportunity for an attacker to insert malware and phishing links and disable other kinds of security right there.
Lance Cottrell: [00:08:58:11] So the most important thing for people to do is start adopting encrypted connections, VPNs, secure web pages, that sort of thing, just to ensure the integrity of that end-to-end connection.
Lance Cottrell: [00:09:09:04] One of my perspectives on this is as an entrepreneur. I started a company back in the mid '90s, and the internet was at that time absolutely flat, and I was able to go in and compete with anyone else, I was able to stand up services. The big players didn't have any meaningful systematic advantage over me, and it allowed me to get in and establish myself and be successful. And I think one of the things we're going to see here is not so much as an information security risk, but as a systemic risk, that when that neutrality ends, the ability of new players to come in and compete gets significantly reduced because the people who will be able to pay to play will be the major players. And so I think it has the potential to really reduce the diversity of offerings and new technologies and new platforms that we'll see rolling out over time.
Dave Bittner: [00:10:03:16] That's Lance Cottrell from Ntrepid.
Dave Bittner: [00:10:07:04] Canadian authorities are hearing two cyber-related cases. In one, the Mounties again get their man, Jordan Evan Bloom, former proprietor of now-defunct LeakedSource, the site that compiled and sold access to public data breaches. Mr. Bloom is appearing to answer charges that include trafficking in identity information, unauthorized use of a computer, mischief to data and possession of property obtained by crime.
Dave Bittner: [00:10:33:11] In the other case, streaming service, Twitch, is bringing a case against a British Columbia resident, Brandan Lukus Apple, who's alleged to have clogged the service with hateful spam. The criminal charge is mischief related to computer data. Mr. Apple is also under a civil injunction to stop doing what he's been doing. Motherboard points out that Twitch users are often bothered by stream sniping, that is in-game distractions, or the much more serious swatting.
Dave Bittner: [00:11:01:02] A sad and tragic swatting case in the US is proceeding, as Tyler Raj Barriss, age 25, is charged with involuntary manslaughter. If convicted, he faces up to 11 years in prison. Barriss is said by police to have made a swatting call in connection with some online game chest-beating that resulted in Wichita, Kansas, police shooting dead a completely innocent and uninvolved man. The victim's address was apparently picked at random.
Dave Bittner: [00:11:28:15] Barriss, in a jailhouse interview with Kansas TV station KWCH, said he felt, "A little remorse for what happened." He added, "I never intended for anyone to get shot and killed. I don't think during any attempted swatting anyone's intentions are for someone to get shot and killed."
Dave Bittner: [00:11:46:16] If Barriss is convicted and gets the max, he'll be getting off lightly, whether he intended for his lurid call to police to kill an unarmed father of two or not.
Dave Bittner: [00:11:56:00] Barriss also faces charges in Canada, where police in Calgary, Alberta, suspect him of other swatting calls.
Dave Bittner: [00:12:03:22] Researchers at ICEBRG, that's iceberg, but spelled I-C-E-B-R-G, have identified a large number of malicious Chrome extensions. They say they've observed the extensions used for browser proxying in the course of what looks like a click fraud campaign.
Dave Bittner: [00:12:20:09] Finally, would you plug in a USB drive you found on the street? No? Good. How about one you were given by the national police for acing a quiz about cyber security? Maybe? Well, us too. But it didn't work out so well during a national infosec event in Taiwan, where the Criminal Investigation Bureau, known as the CBI, last month handed out USB drives as prizes during a data security exposition hosted by the country's Presidential Office. The CBI was celebrating a recent crackdown on cybercrime. Unfortunately they had a contractor scan the drives to verify that they held eight gigs, and in the process an old strain of criminal spyware was uploaded from said contractor's infected machine. It's embarrassing, and a lesson to all who give away promotional swag. Stick to low-risk items. Even some of those can cause trouble. One of our stringers once worked for a company that gave away coffee mugs as promotional items. Unfortunately they went with the low-cost supplier, and when you microwaved the mugs, they exploded.
Dave Bittner: [00:13:28:24] And now a moment to tell you about our sponsor, Control Risks. Control Risks is a specialist risk consulting firm that helps its clients seize opportunities while being secure, compliant and resilient. They believe that taking and managing risks is essential to success, so Control Risks provides the insight and intelligence you need to realize business growth and support critical decision making. They enable senior executives to build organizations that operate securely, are truly compliant, and have the resilience to manage the challenges of a rapidly changing global marketplace. And they ensure that the challenges global organizations face, including acute security problems, major regulatory issues, investigation and litigation, reputational harm and other crises can be managed and resolved effectively. From the boardroom to remote locations, Control Risks has developed an unparalleled ability to bring order to chaos and reassurance to anxiety. Find out more at controlrisks.com/cyberwire. That's controlrisks.com/cyberwire. And we thank Control Risks for sponsoring our show.
Dave Bittner: [00:14:44:05] And joining me once again is Robert M. Lee, he's the CEO at Dragos. Robert, welcome back. You and I have been working our way through some of these ICS categories, going through some of the risks and complexities, and today I wanted to touch on oil. What do we need to know about the security of those systems?
Robert M. Lee: [00:15:02:09] I think oil is another one that does get a lot of attention, especially being a major energy player in any national economy, and so there have been investments in that space over the years. But there are very unique challenges that they have of course as well. So when we talk about the oil industry, we usually divide it into upstream, midstream and downstream oil. So where are we getting it? What are we doing with it? How are we getting it there? Kind of aspects. Whether it's you're going to your gas station and pumping gas or we're drilling it out of the ocean, what is this process of oil? Each one of those is a different challenge in and of itself. How do you protect the oil refinery? Is that going to be different than the drilling wells? Well, yes. Well, what about the pipelines? Okay, what about shipping? Well, we'd probably leave shipping out from them and we just put that in a classification of like shipping, for maybe next time transportation.
Robert M. Lee: [00:15:53:15] But what about the protection of those gas stations? So the risk at the gas station level is not so significant, an adversary doing just damage or disruption of one gas station, not too significant. But if we are using homogeneous devices, and the gas pumps are all the same, and we start connecting those to the internet, and they're all embedded devices, and maybe they have some default passwords on there or something, that can actually be an issue because in most places just having a default password on like a SCADA environment's not going to let you take down power. If you're talking about end devices, if your scenario is just to annoy the heck out of the populace there, shutting off gas stations would be disruptive. Maybe even like an activist issue for them.
Robert M. Lee: [00:16:34:23] If you're now talking more of like really hurting a country, you're talking about the midstream operations or maybe even the upstream operations. Could you do something that's potentially environmentally unsound when you're talking about actually drilling for the oil? Or maybe even in the oil refinery itself? So long story short, there's a lot of different things that come into scope for them. They each have different risk scenarios, but, in a way, uniquely for the oil industry is also the activist threat, where the electric transmission substation is not truly concerned about protesters at the electric substation, that a remote adversary that it takes advantage of, or inadvertently is with, sort of combined threat scenarios, even if it's accidental, that is a consideration, definitely, for the oil industry. And that is always a hot topic for them.
Robert M. Lee: [00:17:28:20] So they had to think of a lot of different threat models. When it comes to the cyber specific one of a true cyber threat model, historically there have been a lot of different threats that we've been aware of, plenty of them active actually in the past year, going after oil sites around the world. And it's not so much where an electric substation that gets compromised in the Ukraine may not really scare the heck out of everybody in the US. It actually kind of did, but it isn't the worst thing in terms of, oh my gosh, it's happening here now, it's bad for our community neighbors of course. But those oil companies often operate in a global and interconnected way. What happens to oil production in, you know, Algeria might actually affect how we're importing it into Louisiana, and processing it. So it is a very global interconnected community as well, so the security for them I would say is very globally important on the interconnection of the community, and they have a much wider variety of types of threat landscapes that they have to deal with. And I think for that reason, more so than many industries, they need to take a very intelligence driven approach of understanding, and specifically understanding the threats they're up against and how they're actually reducing risk according to those. It can't just be every single possible thing to occur, but they've really got to consider how am I going to protect an oil refinery different than the pipeline? How am I going to recover from an outage or disruption in my ecosystem or supply chain that is, you know, a continent away? So they definitely have to think about these things.
Dave Bittner: [00:19:03:20] Robert M. Lee, thanks for joining us.
Dave Bittner: [00:19:08:01] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com.
Dave Bittner: [00:19:21:01] And thanks to our supporting sponsor, E8 Security, follow the behavior, find the threat. Visit e8security.com to learn more.
Dave Bittner: [00:19:30:02] The CyberWire Podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology.
Dave Bittner: [00:19:39:23] Our show is produced by Pratt Street Media, with editor, John Petrik. Social media editor, Jennifer Eiben, technical editor Chris Russell, executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
CYBRIC is the first to orchestrate and automate code and application security across the DevOps lifecycle. CYBRIC's Continuous Application Security Platform leverages patent-pending technology to seamlessly integrate security into the development process, delivering frictionless security assurance from code commit to application delivery. Learn more.
Control Risks is a global specialist risk consultancy. We help clients find opportunities and grow, build secure, compliant and resilient organizations, and resolve critical business issues and crises. Our unique expertise and geographical reach support decision-making with crucial intelligence and insight. Learn more at controlrisks.com.