In today's podcast, we hear that German security authorities warn about the possibility of sleeper sabotage malware. A botnet to rival Satori, this one called Hakai, continues to spread to new classes of router. SamSam ransomware remains dishearteningly successful. The US Director of National Intelligence warns against foreign influence in elections. Facebook's former security chief says the midterms could be the World Cup of information Warfare. Silicon Valley comes to Capitol Hill, but without Google. Craig Williams from Talos at Cisco with an update on the Remcos RAT. Guest is Robert Holmes from Proofpoint on the DHS’s Binding Operational Directive (BOD) 18-01 mandate to secure their email systems.
Dave Bittner: [00:00:03] German security authorities warn about the possibility of sleeper sabotage malware. A botnet to rival Satori, this one called Hakai, continues to spread to new classes of router. SamSam ransomware remains dishearteningly successful. The U.S. director of national intelligence warns against foreign influence in elections. Facebook's former security chief says the midterms could be the World Cup of information warfare. And Silicon Valley comes to Capitol Hill, but without Google.
Dave Bittner: [00:00:40] And now a word from our sponsor, the upcoming Cybersecurity Conference for Executives. The Johns Hopkins University Information Security Institute and Navigant will host the event on Tuesday, October 2 in Baltimore, Md., on the Johns Hopkins Homewood Campus. The theme this year is cybersecurity compliance and regulatory trends, and the conference will feature discussions with thought leaders across a variety of sectors. You can find out more and register at isi.jhu.edu and click on the Fifth Annual Cybersecurity Conference for Executives. Learn about emerging regulations and how the current cybersecurity landscape is changing as companies must adhere to these regulations and take actionable steps to become compliant. Check out all the details at isi.jhu.edu and click on the Fifth Annual Cybersecurity Conference for Executives. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:44] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 5, 2018. The head of Germany's domestic security agency, the BfV, noting extensive Russian and Chinese cyber-espionage, yesterday warned against the real possibility of sleeper malware, destructive code installed into crucial systems well in advance of its intended use. Hans-Georg Maassen clearly had industrial control systems in mind. Germany has had some experience with cyber interference in manufacturing processes, and Maassen thinks this threat hasn't abated.
Dave Bittner: [00:02:24] The Hakai botnet has moved beyond its initial Huawei targets and now infests D-Link and RealTek routers. The botnet is growing, but the botmaster's doing less crowing, the recent arrest of rival Satori's alleged botmaster having evidentially put the fear of the law into him. He had formerly been marked by his willingness to boast not just to victims and fellow hoods but to journalists, as well.
Dave Bittner: [00:02:53] SamSam ransomware spreads largely unabated as victims continue to swallow its phish bait. Preventive measures are fairly well-known and available - regular secure backup, appropriate measures against phishing and sound basic cyber hygiene. But the attacks continue to succeed.
Dave Bittner: [00:03:12] In October 2017, the U.S. Department of Homeland Security issued Binding Operational Directive 18-01 which intends to enhance email and web security for organizations within the federal government. There have been several deadlines and milestones along the way, and joining us to help explain where things stand is Robert Holmes, vice president of products at Proofpoint.
Robert Holmes: [00:03:36] So there are various requirements of the BOD, and probably the least well-understood, certainly at the point at which it was issued. It was DMARC, Domain-based Message Authentication Reporting and Conformance, and that's really key to solving for email fraud. The BOD was issued in October of last year, and agencies were afforded a year to enforce the strongest policy of DMARC. With two months to go, we're about halfway there.
Dave Bittner: [00:04:08] And what is the expectation? Are they going to make the deadline?
Robert Holmes: [00:04:11] Difficult to say. I think there will be a flurry of activity. Just as calling for the gates to your board your flight, there's a last-minute panic when everyone rushes. What I would say is I suspect what we'll see is some of the smaller agencies will fail to meet the deadline. So some of the largest agencies have been making great progress on this. But the smaller agencies are lagging, and I think those people won't probably make it.
Dave Bittner: [00:04:37] And what is going on behind the scenes here? Why is it taking folks so long to get with the program?
Robert Holmes: [00:04:44] It starts with it's not that well-understood. DMARC is the most recent of technologies that the BOD requires people to deploy. And that's really only kind of 6 years old. That may sound like a long time, but this is pretty techie stuff. So I think, first of all, it's not well-understood. And if you were to care to understand it, there are some 300 pages of technical specs. And then you actually have to understand that in the world of email we're not always working on complete information. So we're having to make best guesses in some cases and fill in blind spots, which is both difficult and risky because what's at stake here is the deliverability of email. Really what DMARC is, it's a form of whitelisting. And whitelisting is great. It's very strong. But unfortunately, if good email is not on that whitelist, it doesn't get in.
Dave Bittner: [00:05:42] Now, what are the teeth behind this? If folks fail to make the deadline, what happens?
Robert Holmes: [00:05:47] Some wrists may be slapped. That's a good question. And I think, actually, there is a general sense that so long as you can demonstrate best endeavors that maybe the DHS would afford agencies who are otherwise unable to meet the deadline a little bit of leniency. There may be kind of a call in to see what's going on and why they missed it, but understand that just like enterprises, agencies have budgeting cycles and they have headcount constraints. And so this BOD 18-01 rather came out of nowhere. Senator Wyden obviously had issued a letter indicating that he was hoping that it was going to happen. But it happened very, very fast. And some agencies just may not be prepared for that and may not have been able to absorb the additional workload. So I think there will be some wrist slaps - I can't imagine that there will be penalties or sanctions - and then maybe the carrot might be replaced with a bit of a stick.
Dave Bittner: [00:06:46] That's Robert Holmes from Proofpoint.
Dave Bittner: [00:06:50] U.S. Director of National Intelligence Coats said yesterday that the prospect of foreign interference with U.S. elections remains real and troubling. Facebook's recently departed security chief Alex Stamos was more direct. The U.S. elections risk becoming, quote, "the World Cup of information warfare," end quote. Some of those concerns found their way into congressional hearings today. The U.S. Senate Select Committee on Intelligence this morning questioned Facebook COO Sheryl Sandberg and Twitter's CEO Jack Dorsey about foreign influence, censorship, cooperation with repressive regimes and other matters. Their concerns included Russian influence operations, with special attention devoted to the possibility of voter suppression, protection of personal privacy, the relative preference an American company might be expected to have for supporting American interests and the U.S. government over the governments of other countries where the company might operate, the suppression of hate speech and bullying and the potential for legislation imposing liability on tech companies for the content that resides on their platforms. Facebook's Sandberg was clear on her company's intentions and described a defensively principled way of navigating content moderation without restricting expression, at least with respect to the challenge of weeding out disinformation.
Dave Bittner: [00:08:15] Facebook clearly intends to concentrate on culling inauthentic accounts from its service, that is, accounts that falsely represent themselves as belonging to anyone other than their actual owners and controllers. They've purged a number of inauthentic accounts recently and clearly find that easier than directly policing content. Their approach to fake news, fanciful stories retailed as fact, and political disinformation sounds as if it will hearken back to traditional rumor control - when known false stories appear, put true stories beside them. Twitter's Dorsey gave similar answers, especially on inauthenticity, but his company's plans were less clear. He did note that bot detection remained a problem still only partially solved. More than one senator was at pains to point out that neither Twitter or Facebook do business in China, both being blocked by that country's government. Facebook's Sandberg took the opportunity to say that the company declined to do business under conditions that would violate its values.
Dave Bittner: [00:09:19] A company that does do business in China and was conspicuously absent at the hearings is, of course, Google, which declined to send a comparably senior executive to testify and so was symbolically shamed with an empty chair. Google apparently offered their chief legal officer, but he was insufficiently senior to interest the committee so Mountain View went unrepresented.
Dave Bittner: [00:09:43] Most of the senators, with both parties being represented among the critics, noted Google's absence with displeasure. Sen. Rubio, Republican of Florida, was particularly scathing, characterizing the company's decision not to send a senior leader as arrogance. He also suggested it may have been cowardice, given the recent demonstration by researchers from the Campaign for Accountability that it's still easy for trolls to buy ads from Google. The Campaign for Accountability, a liberal, which is to say, center-left, good government advocacy group, sought to buy ads from Google AdWords, and they did so in ways that obviously impersonated a Russian troll account, down to borrowing images and content from St. Petersburg's notorious Internet Research Agency and linking to sites that have been publicly and officially identified as Russian controlled. And for the low, low price of $35 and a 48-hour waiting period, the researchers got their ad approved. They also got 20,000 impressions and some 200 click-throughs. And they say Google never flagged them as a problem, which they say they clearly were.
Dave Bittner: [00:10:55] Google didn't like it. They said they have, too, now that they know, taken the politically divisive ads down and that they're working on making AdWords better. They also called the thing a stunt and point to the donations Oracle has given to the Campaign for Accountability with the suggestion that this is at least in part motivated by Oracle marketing. In addition to keeping trolls from buying ads, Google has also committed to clearing malicious apps from its Play Store. It's met with indifferent success here, as well, according to reports in Bleeping Computer. The fight Google picked was a good one. They determined to go after tech support scams. The problem is the scammers have gotten good enough at handling their ads that they pass for legitimate and get right through Mountain View's filters. The moral here seems to be that content moderation is difficult and doesn't really lend itself to technical solutions. And as far as human solutions are concerned, when it comes to social engineering of the crooked timber of humanity, no straight thing may be made.
Dave Bittner: [00:12:04] Now I'd like to share some words about our sponsor, FireEye. They're hosting their annual Cyber Defense Summit in Washington, D.C., from October 1 through October 4. The first two days are devoted to introductory, intermediate and advanced training. It's hands-on, small group and interactive, and it's going to be conducted by some of the best in the business, FireEye's experienced cybersecurity experts. Check out the list of courses at summit.fireeye.com. But, of course, there's more, and you won't want to miss that, either. The 64th U.S. Secretary of State Madeleine K. Albright will be there to deliver the guest keynote. Her topic - economy and security in the 21st century. And former Home Depot CEO Frank Blake will share what he learned from his company's 2014 data breach. Don't miss it. To learn more and to register, go to summit.fireeye.com. That's summit.fireeye.com. And we thank FireEye for sponsoring our show.
Dave Bittner: [00:13:12] And joining me once again is Craig Williams. He's director of Talos Outreach at Cisco. Craig, welcome back. We wanted to touch today on Remcos. Bring us up to date. What do we need to know about this?
Craig Williams: [00:13:24] Well, Remcos is another one of these - we call them gray-area tools, where conceivably, there is a legitimate purpose of it. It's basically a RAT - so a remote access Trojan. It allows people to do things like install keyloggers, compile new binaries that would evade antivirus detection. They even tend to go one step further, and they even provide a dynamic DNS C2 system, which would make it much more difficult to detect, and even a mailing tool that can effectively be used as a mass mailer. So, you know, at a really high level, it's a botnet in a box. You know, if you needed to conceivably remotely manage a machine that had to have a payload that was avoided by antivirus to install a keylogger over something, say, like a phishing email...
Dave Bittner: [00:14:07] (Laughter).
Craig Williams: [00:14:07] ...And then use a dynamic DNS C2 to control it, conceivably, it could have a legitimate purpose.
Dave Bittner: [00:14:13] Right. Go on.
Craig Williams: [00:14:14] But, you know, I was discussing with some colleagues. And Matthew Olney, who I believe you've met, pointed out the fact that typically that kind of usage would come with a warrant.
Dave Bittner: [00:14:21] (Laughter).
Craig Williams: [00:14:22] So, you know, it's this area where people have designed what certainly appears like something that could be used for malware, and they sell it kind of semi-openly with their real name in some cases or a very, very poorly hidden identity, like in this case. And it's one of those situations where we tend to find these, and we look at them, and we're not saying that everyone's using this for malicious purposes. I think it's safe to say that a large number of people are using these for malicious purposes. We know specifically in this one, we've actually seen a reasonable increase in usage lately. The author built a new, you know, GUI interface that was much more friendly to people, say, without experience. And as a result, we saw the numbers climb as blocks. So that's when we started looking into this.
Dave Bittner: [00:15:11] And what sort of things are you discovering when you dig into it?
Craig Williams: [00:15:15] Well, it gets a little bit more gray. So there's YouTube videos of, supposedly, the author of the piece of software - or at least, someone using that name - you know, trying to push people to use this and use the other tools they sell, like Octopus Protector, to basically encode the malware so they can't be detected by AV or walking people through how to set up other parts of what conceivably could be a botnet. And so when it comes down to it, you know, it seems like this kind of thing, while there might be a legitimate use for it, it's really being used maliciously in a lot of cases. And when that happens, we just have to block those for our customers to protect them.
Dave Bittner: [00:15:56] I see. Now, is this a - I mean, you sort of remind me of, you know, back in the old days, years ago, when people started selling radar detectors, which, you know, the use for a radar detector is so that you can speed. There were some states that tried to outlaw radar detectors and did. You can't use a radar detector in Virginia, I believe. Is this a similar type of thing, where, even though there might be legitimate uses for this, we could find law enforcement saying, hey, you know, we're going to come after you if we find you using this?
Craig Williams: [00:16:28] Well, as someone with a radar detector, I want to say no.
Dave Bittner: [00:16:30] (Laughter).
Craig Williams: [00:16:31] But, you know, I got a new car, got a radar detector - you know, long story...
Dave Bittner: [00:16:36] Yeah.
Craig Williams: [00:16:36] ...But just for safety.
Dave Bittner: [00:16:38] (Laughter) Right, exactly - informational uses only.
Craig Williams: [00:16:39] But it's funny. Right. You know, it's funny you say that because I was surfing along the internet today, and - I don't know if you remember from a couple weeks ago, but there was a similar piece of software called LuminosityLink - very similar, designed to be a remote administrative tool for people who maybe weren't as computer savvy, and it would allow them to basically manage a computer remotely. And it was widely advertised on malware forums, much like Remcos. And the author had videos and things, much like Remcos. And recently, it turned out that they were charged by the FBI, and I think today they pleaded out to some massively long sentence.
Craig Williams: [00:17:18] And so what caught my eye on this, though - what was really interesting is this morning, I was, you know, surfing Reddit, reading the news in the morning as one does, and I happened to flip over to legaladvice because, you know, it's one of those things I look at from time to time to see what's going on. And they have this weirdly worded "The FBI asked Google for my information!" thread. So you look at it, and at first, it doesn't really look like there's anything related. And then if you look at one of Reddit's mirrors - you know, one of the ones that mirror the comments that have been deleted - it turns out this thread is filled with people who actually bought LuminosityLink and paid for it with PayPal using their Google account. And so, you know, we don't know that this is what happened, but reading through it, I think a reasonable assumption is that a lot of these people were buying this type of gray-area software, and as a result, the FBI apparently investigated their Google accounts, which I think is great. You know, I think this type of software that's clearly designed to cater more towards the attacker than, say, the pen tester or security researcher is something that should be investigated.
Dave Bittner: [00:18:17] That is interesting. And does it seem - in that particular case, is the FBI going after, you know, the kingpin at the top?
Craig Williams: [00:18:25] Well, I think they already got the kingpin.
Dave Bittner: [00:18:26] Yeah.
Craig Williams: [00:18:27] So you got to remember, this was one of those sealed indictments. So basically, all this happened a year ago. And so, presumably, if they were going to go after people, they would have been arrested by now, much like the malware author. I'm assuming these people were just grouped in because - who knows? - maybe the FBI wanted to check to see if there was any overlap between the purchasing IP and attacker IPs or something like that.
Dave Bittner: [00:18:45] Right. Oh, interesting. All right. Well, as always, it's an interesting story to follow. Craig Williams, thanks for joining us.
Dave Bittner: [00:18:55] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:19:04] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:19:30] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Copyright © 2018 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the is the audio record.
The 5th Annual Cyber Security Conference for Executives, hosted this year by The Johns Hopkins University Information Security Institute and Ankura, will be held on Tuesday, October 2nd, in Baltimore, Maryland. This year’s theme is cybersecurity compliance and regulatory trends, and the conference will feature discussions with thought leaders across a variety of sectors. Join the discussion and learn about current and emerging cyber security threats to organizations, and how executives can better protect their enterprises. To receive the early-bird rate, register now!
Get trained by a FireEye expert at our annual Cyber Defense Summit. Training opportunities at this event offer attendees hands-on, small-group, interactive sessions with some of the most experienced FireEye cyber security experts.