In today's podcast, we hear reports of cyber reconnaissance of Turkish financial institutions: Hidden Cobra is the suspect. The Chinese government appears to have finagled its national vulnerability database to afford misdirection to cyber operations. Cryptomining attempts hit Windows endpoints. Other cryptojacking campaigns afflict vulnerable servers. Memcrash DDoS hits new targets. The US Administration hints at possible cyber policy changes. Emily Wilson from Terbium Labs, on the issue of trying to spend our way to security. Guest is Priscilla Moriuchi from Recorded Future, with research documenting a backdating issue in the CNNVD, China’s National Vulnerability Database.
Dave Bittner: [00:00:00:00] Thanks to everyone who's shown their support for the CyberWire by being a Patreon supporter. You can check it out at patreon.com/thecyberwire.
Dave Bittner: [00:00:12:20] Cyber reconnaissance of Turkish financial institutions is reported: Hidden Cobra is the suspect. The Chinese government appears to have finagled its national vulnerability database to afford misdirection to cyber operations. Cryptomining attempts hit Windows endpoints. Other cryptojacking campaigns afflict vulnerable servers. Memcrashed DDoS hits new targets. And the US Administration hints at possible cyber policy changes.
Dave Bittner: [00:00:43:13] Now a moment to tell you about our sponsor ObserveIT. It's 2018, traditional data loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time consuming to maintain, and too heavy on the endpoint. They are high maintenance and require endless fine tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out of the box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization, that's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats and it's extremely difficult, even for the most technical users, to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:01:52:16] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Friday, March 9th, 2018.
Dave Bittner: [00:02:02:00] There appears to be a reconnaissance campaign underway, conducted by North Korea in what appears to be preparation for state-directed looting. According to McAfee, North Korean threat actor Hidden Cobra is prospecting Turkish financial institutions. The campaign appears to be reconnaissance for some larger, future operation yet to develop. It's likely the Turkish financial sector is a set of targets of opportunity in the DPRK's ongoing efforts to redress the pressure international sanctions have imposed on its country.
Dave Bittner: [00:02:32:12] It's worth recalling, however, that not everything that looks like a DPRK hack is. Something that's pretty clearly not Pyongyang's work is the series of attacks surrounding last month's Winter Olympics. Signs pointing toward North Korea in those attacks are now generally regarded as false flags, probably hoisted by Russian state operators.
Dave Bittner: [00:02:53:08] Recorded Future has a report on China's National Vulnerability Database the CNNVD. Dating in that database seems to have been altered in ways designed to obscure Chinese government hacking. We'll have a conversation with one of their lead researchers later in this podcast.
Dave Bittner: [00:03:09:03] At midweek, Microsoft succeeded in stopping a large-scale cryptojacking infestation that attempted to infect some 400,000 users over the space of a few hours. The mining software was carried as the payload of the Dofoil (or Smoke Loader) Trojan. The mining application supports NiceHash, and so can work with a variety of cryptocurrencies.
Dave Bittner: [00:03:30:21] Other cryptomining attacks are afflicting a variety of servers. The SANS Institute particularly notes attempts on vulnerable Apache Solr, Redis and Windows servers.
Dave Bittner: [00:03:41:24] Memcrashed Distributed Denial-of-Service attacks have spread across a variety of targets. In addition to the well-known attack on GitHub, other victims have included Google, the National Rifle Association, PlayStation Network, Amazon and Kaspersky. These are only some of the more high-profile victims. There have been others. Recall that Corero reported earlier this week that it had found a kill-switch for this exploit. May it soon be put to good use.
Dave Bittner: [00:04:10:16] A debugging app appears to have been left on OnePlus phones, leaving them open to attackers who could abuse the app to obtain root access.
Dave Bittner: [00:04:19:19] In patching news, Adobe has issued more than 50 fixes for Flash Player, Acrobat and Reader.
Dave Bittner: [00:04:27:00] In the US, White House officials note that cybersecurity reports required of Federal agencies under Executive Order 13800 are for the most part in, and that the public can expect to see policy changes as a result. Some Administration officials are hinting at more extensive information-sharing.
Dave Bittner: [00:04:45:19] SINET ITSEF wrapped up yesterday. We'll have more extensive reports on the proceedings up on our website early in the coming week. We will offer a brief account of one point several speakers made yesterday. Some of yesterday's presentations touched on resilience, and the speakers all agreed on the importance of planning and practice in achieving resilience: the ability to continue to do business in the aftermath of a successful cyberattack.
Dave Bittner: [00:05:10:17] That planning and practice should, the experts who spoke said, concentrate on incident response. More than one speaker thought the military model of planning, exercising those plans, refining them and using them to inculcate a sense of the plan's total goal, and those who will have to manage the incident response, can serve as a very useful model for businesses to adapt to their own needs.
Dave Bittner: [00:05:34:23] Finally, we've been following reports from the UK concerning the attempted assassination of a former GRU officer convicted by Russian courts of spying for British intelligence services, then resettled in the UK after a spy swap agreement. Russian media have been following the story as well, but from a different point of view. One prominent Russian television news presenter, while making a pro-forma statement of opposition to violence, framed the news as a warning to traitors. The two targets of the attempt, which used a nerve agent, remain in serious condition, as does one of the first responders who came to their aid.
Dave Bittner: [00:06:17:06] Now a word about our sponsor, The Johns Hopkins University Information Security Institute. Providing the technical foundations and knowledge needed to meet our nation's growing demand for highly skilled professionals in the fields of information security assurance and privacy. We value their expertise and insights as one of the CyberWire's academic partners, and, of course, they're one of the world's great research universities. The Institute is also an NSA and DHS designated center of academic excellence in information assurance in cyber defense and research. Visit isi.jhu.edu to learn more, and there are scholarships available. That's isi.jhu.edu. And we thank The Johns Hopkins University Information Security Institute for sponsoring our show.
Dave Bittner: [00:07:12:01] And joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, you were at a conference recently in New York and you came back having heard from multiple people about, when it comes to hiring folks in our business, in cybersecurity, this notion that we can't spend our way to security. Fill us in here. What did you hear?
Emily Wilson: [00:07:34:12] I heard this a couple different ways. One, you can't spend your way to zero risk, and you also can't spend your way to complete security. You can't spend enough money to solve all of your problems with technology. And on the heels of that, I also heard a lot of conversations about issues around recruiting. That we can't spend our way out of the staffing deficit that we're going to be facing over the next couple of years, right. We're in a world now where every company is a technology company, one way or another, and everyone is facing these deficits in resources and in budget, and you need to recruit effectively. You need to bring on people who can face these challenges, and the technical workforce just isn't going to grow rapidly enough over the next several years to account for that.
Dave Bittner: [00:08:19:07] Yeah, but I hear stories from HR folks and recruiting folks about people, you know, bouncing from place to place. They're given, you know, five figure bonuses to jump back and forth. So, while, on the one side, I hear you that people say we can't do this, it seems from a practical matter lots of people still are.
Emily Wilson: [00:08:36:17] And I think we'll see how that bears out over the next couple of years. It's say, I think one of these things that we're seeing a lot of is a desire to build solutions that are smart enough that you can, you know, staff with the resources that you have, right. We hear a lot about that. But, I think one of the other things here is, not just drawing on people who are coming out of computer science backgrounds. A lot of these considerations in recruiting, and this is something else I heard people talking about this past week, is the diversity of thought in the workforce. So, not just looking at having people in computer science being drawn into tech, but people from a variety of different backgrounds, whether you're talking about, you know, liberal arts, or other parts of STEM. Being able to bring those people in and kind of draw them in some of these more technical fields, we need that, right.
Emily Wilson: [00:09:31:07] That's something that we have, where I work, which is really helpful. You have people solving problems from a variety of different backgrounds. And I think it's this idea that tech cannot be staffed by tech people alone.
Dave Bittner: [00:09:41:08] And do you think that's actually happening? Do you think it's being paid more than just lip service?
Emily Wilson: [00:09:46:06] I think it's hard to tell right now. I don't think it's as widespread as it could be, because it strikes me as the kind of thing that when I see it happening I notice, because it stands out. And so, I think some companies are doing a good job of this. I think this is something that's being discussed in a lot of communities, and I think it's a little too early to know yet if we're drawing enough people in.
Dave Bittner: [00:10:05:16] Yeah. It strikes me as something that I can understand a company being hesitant to do that, because they could perceive the risk as being high, but then if you see the true benefits of having that diversity of thought, that it is a better way to solve problems, then I suspect you'd be all in with it.
Emily Wilson: [00:10:23:03] Right. I think there's a way to be reasonable about this, right. You obviously need to have someone who is qualified for the job that they're taking on. I'm not suggesting that you hire, you know, someone to be a software engineer who doesn't know how to code. But I think when you're looking at backgrounds, I think looking at skill sets as much as you look at familiarity with an industry. Industries can be learned, skills can be learned too, but not all of us in cybersecurity come from computer science backgrounds. A lot of us come from a lot of other fields, a lot of other experiences. I think being open to that and hiring is going to be a good move for a lot of companies.
Dave Bittner: [00:11:01:02] Emily Wilson, thanks for joining us.
Dave Bittner: [00:11:07:08] Now I'd like to share some words about our sponsor Cylance. You know you've got to keep your systems patched, right? Patching is vital and WannaCry which hit systems that hadn't been patched against a known vulnerability, well that's Exhibit A. But you also know that patching is always easier said than done. Cylance has some thoughts about how you can buy yourself time and breathing room, if you went for modern endpoint protection. Think about protecting the endpoints from the threats you never see coming. Cylance and endpoint security solutions will do exactly that. Bend the bad stuff off and do your patching quickly, but systemically. It's artificial intelligence and it's a natural for security. Check out the Cylance blog, Another Day, Another Patch at cylance.com. And we thank Cylance for sponsoring the CyberWire. That's cylance.com. For cybersecurity that predicts, prevents and protects.
Dave Bittner: [00:12:08:06] My guest today is Priscilla Moriuchi. She's the Director of Strategic Threat Development at Recorded Future, and co-author of their newly published research, Chinese Government Alters Threat Database Records. It takes a closer look at the CNNVD, the Chinese National Vulnerability Database, and discovers Chinese government manipulation of data, which could have an effect on security researchers.
Priscilla Moriuchi: [00:12:31:23] We wanted to see which one was faster, which one was more comprehensive, you know, if there is any way merely for our customers to get the most comprehensive view of which vulnerabilities could be covered and how fast we can do it. So, you know, we profiled the two databases and we found, you know, for example, that China's vulnerability database, or CNNVD, they're generally faster than the USNVD when it comes to publicizing and publishing vulnerabilities. It takes them on average about 13 days, and it takes the USNVD on average 33 days. There are also like almost 1,800 CVEs that were currently CNNVD but were not in USNVD.
Priscilla Moriuchi: [00:13:16:06] We kind of started there and then we went and we decided to dig a little further into CNNVD data. So, we kind of hypothesized that because CNNVD is so fast on average, and USNVD is slower, that if we look at our group of CVE where China is very slow but the US is very fast, that might give us insight into China's process.
Dave Bittner: [00:13:43:11] And there's a component to this as well where the CNNVD is a component of the Ministry of State Security. Can you describe the background with that?
Priscilla Moriuchi: [00:13:54:03] Yeah, sure. So the Ministry of State Security, or the MSS, is roughly China's equivalent to the American CIA. So, they have a foreign intelligence, they're like a foreign human intelligence organization, but like half of their mandate is domestic intelligence. Keeping an eye on their citizens and making sure that the Communist Party can stay in power. So, the MSS hasn't been a lot, sort of known on how the MSS works within China, and within China's broad information security system. So, when we were doing this particular research, you know, we were able to discover that the MSS actually runs China's National Vulnerability Database, which is sort of the equivalent to, like, in the US, the CIA running USNVD, which is not the case.
Priscilla Moriuchi: [00:14:46:14] In the United States, Department of Homeland Security and the National Institute for Standards runs the USNVD. In China, the equivalent CIA or the MSS runs China's NVD. So, that is kind of a disturbing trend in terms of the mission of NVDs. So, mission in our mind, the mission of NVDs is a public service mission, right? To put out information on vulnerabilities, you know, so that companies and individuals can protect their own networks. The US is not perfect, of course, nobody's perfect, but China really doesn't seem to take this public service mission very seriously when they have their primary intelligence service running their NVD.
Dave Bittner: [00:15:35:12] Take us through the deeper digging that you did and what you discovered.
Priscilla Moriuchi: [00:15:39:07] So when we looked at these, what we'll call statistical outliers, so these vulnerabilities where NVD took six days or less to publish, and CNNVD took over four weeks. So, we're trying to account for like bureaucratic lags and things like that. So, when we got that number originally, there were about 287 vulnerabilities that fell into that category. When we did a lot of research on those vulnerabilities, we found out that we had likely discovered what we call the threat evaluation process, where the MSS was using CNNVD to evaluate high threat vulnerabilities for use in their own offensive operations. So, for example, a vulnerability would get discovered by CNNVD, we saw evidence of this evaluation process in hiding these vulnerabilities from publication in the data that we saw.
Dave Bittner: [00:16:39:23] So, you all conclude that there's this lag going on with some of these vulnerabilities, come to these conclusions, and so in your mind, that's a way to track which vulnerabilities China is interested in exploiting for their own use? But then it gets a little more interesting from there.
Priscilla Moriuchi: [00:16:59:17] Yeah. So, you know, we kind did that research and we decided to take a look at it again last month to do a kind of six month follow through to see if anything had changed. So, you know, we re-examined the data from the NVD side. For example, we saw that the USNVD had gotten a little faster. So, the average delay had dropped from 33 days to 27 days, which is good. NVD was also catching up on the backlog of unpublished CVEs. They had published almost a thousand CVEs in just a couple months of that backlog. So, that was quite good. And then we took a look at the CNNVD data and tried to just see what they had, if anything had changed.
Priscilla Moriuchi: [00:17:41:09] What we discovered was, we started looking at the initial publication dates for these outlier CVEs, and we realized that instead of trying to remove the MSS or the influence of security services over this transparency process, essentially, they tried to cover it up by backdating the initial publication date of 99% of the CVEs that we identified. They sort of tacitly confirmed that they're actually using CNNVD, you know, as a kind of experiment in testing ground right for vulnerabilities that they could find useful. They're trying to hide the evidence of this process and we think limit the methods in which cybersecurity researchers and professionals can use to try and anticipate Chinese APT behavior.
Dave Bittner: [00:18:32:06] So, take us through why this matters. How does this affect security researchers?
Priscilla Moriuchi: [00:18:38:05] For security researchers, it's going to be a little bit more difficult to anticipate, at least from MSS and vulnerability side, which vulnerabilities that the MSS may be using. But, you know, I think more broadly, we're sort of talking about a system. China's manipulation of their NVD data fits into this larger sort of MO that they have, which is kind of data control. Controlling the data of their own citizens, of foreign companies within the country, and how that impacts, you know, foreigners and particularly westerners, for those of us kind of who are listening here. It takes you back to some kind of research that we've done earlier on China's cybersecurity law, which is kind of like their information control law, and how that requires western companies, for example, to submit to these reviews that are run by the MSS of their technology. And we really see this data manipulation by CNNVD as all part of this larger system of control that China's imposing, not just on its own people, but on anyone, any company, any entity, that does business or travels to China.
Priscilla Moriuchi: [00:19:56:14] So that's meaningful for all of us really, because we all use products from large multinational companies, products that have, store, and use our data, for example. It could be privacy concern for some people in the future. This is just one thread of a larger story about how China's controlling of their information and manipulation of the domestic Chinese information environment, how it can affect the whole world.
Dave Bittner: [00:20:29:01] That's Priscilla Moriuchi from Recorded Future. There's an extended version of this interview on this week's Recorded Future podcast. You can check that out at recordedfuture.com/podcast.
Dave Bittner: [00:20:42:05] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com.
Dave Bittner: [00:20:55:16] And thanks to our supporting sponsor E8 Security. All of the behavior, find the threat. Visit e8security.com to learn more.
Dave Bittner: [00:21:04:14] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.
Dave Bittner: [00:21:14:07] Our show was produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
ObserveIT is the leading Insider Threat Management solution with approximately 1,700 customers across 87 countries. ObserveIT is the only solution that empowers security teams to detect insider threats, streamline the investigation process, and prevent data exfiltration. Test drive ObserveIT today – no installation required.
The Johns Hopkins University Information Security Institute provides the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the fields of information security and information assurance. Learn more at isi.jhu.edu.
Cylance is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect the execution of advanced persistent threats and malware. Learn more at cylance.com