BlackWater is snooping around the Middle East. It’s evasive, and it looks a lot like the more familiar MuddyWater threat actor. TeamViewer turns out to have been hacked, and the perpetrators look like the proprietors of the Winnti backdoor. An Android app is behaving badly. Another unsecured database is found hanging out on the Internet. There’s a free decryptor out for a strain of ransomware, but also it won’t help Baltimore. And the market’s look at the Huawei ban. Craig Williams from Cisco Talos discussing honeypots on Elasticsearch. Guest is Dave Venable from Masergy on cyber vulnerabilities at the infrastructure level.
Dave Bittner: [00:00:04] BlackWater is snooping around the Middle East. It's evasive and looks a lot like the more familiar MuddyWater threat actor. TeamViewer turns out to have been hacked, and the perpetrators look like the proprietors of the Winnti backdoor. An Android app is behaving badly. Another unsecured database is found hanging out on the internet. There's a free decryptor out for a strain of ransomware, but it won't help Baltimore. And the market's looking at the Huawei ban.
Dave Bittner: [00:00:36] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Have login credentials been compromised? Are attackers hiding in encrypted traffic? Enterprise security teams face questions like these every day, but without complete visibility inside your network, your investigation could take hours or even weeks - and that's assuming you were able to detect potential threats in the first place. ExtraHop helps you rise above the noise of your complex attack surface with complete visibility, real-time threat detection powered by machine learning and guided investigations the SANS Institute calls fast and amazingly thorough. Learn more at extrahop.com/cyber, or be the blue team in the interactive demo. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:32] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 21, 2019. Researchers at Cisco's Talos unit have released a report on the BlackWater cyberespionage campaign that's currently active in the Middle East. Talos associates BlackWater with the previously known persistent threat actor MuddyWater. There's the usual ambiguity about whether BlackWater is to be regarded as a campaign or an actor. We'll follow Talos and call it a campaign. BlackWater seems to be unusually evasive. It's added, Talos says, three steps to MuddyWater's familiar pattern. First, it uses an obfuscated Visual Basic for Applications - that's VBA script - to establish persistence as a registry key. It then installs a powershell stager that's designed to look like a red teaming tool, which will presumably induce many defenders to overlook it. Finally, its communication, once installed, goes back to a different command and control server than the one used in the initial attack stages. Talos doesn't say who's behind either BlackWater or MuddyWater - their purpose is to describe behavior and not to answer whodunnit - but MuddyWater has, for some time, been attributed by MITRE and others to Iran.
Dave Bittner: [00:02:48] TeamViewer, the German firm that provides remote connectivity solutions to business customers, turns out to have indeed been compromised in 2016 and perhaps as early as 2014. Der Spiegel says the firm did not disclose the incident at the time because, in TeamViewer's opinion, this was unnecessary, since the intrusion affected only its infrastructure as opposed to its customers. The attack is attributed to Chinese intelligence services, largely on the strength of the use of Winnti malware, a backdoor Trojan favored by Chinese government cyber operators since its introduction in 2009. It's thought that the threat actors responsible may have been APT10 - also known as Red Apollo or, our favorite, Stone Panda, which is what CrowdStrike calls them - or APT17, sometimes associated with the name Deputy Dog - not to be confused with Deputy Dog, the Terrytoons hero who suppressed varmints' misbehavior down in the swampland. APT10 has often been linked with attacks on cloud service providers; APT17 with incursions into supply chains. In any case, ZDNet reports the tactics, techniques and procedures look like those belonging to those two APTs. Winnti malware is no stranger to German industry. It was found in attacks on both chemical and pharmaceutical giant Bayer and heavy manufacturer Thyssenkrupp.
Dave Bittner: [00:04:14] As the 5G buildout continues to gain momentum, how it will ultimately affect the security of critical infrastructure has become a topic of concern. Dave Venable is vice president of cybersecurity at security provider Masergy.
Dave Venable: [00:04:28] I tend to think of it as anything from, you know, electrical power plants, the electric grid, communications infrastructure - things that society relies on to function in a normal way. We're not talking about some website or something like that, although a website certainly could be a part of infrastructure. But I typically think of it as the things that let that website exist in the first place.
Dave Bittner: [00:04:54] Those everyday things we've come to rely on - power and water and all those sorts of things.
Dave Venable: [00:04:59] Exactly, or even, you know, telephone service or internet connections at this point.
Dave Bittner: [00:05:04] And so what are the challenges that we're facing here as the demand for those systems increases?
Dave Venable: [00:05:10] One of the big issues today is that a lot of these systems were designed, you know, 50-plus years ago, and security was not really held in mind at that time. So when these things were being developed, it just assumed that if you had access, that you were trustworthy. And as we know today, that's definitely not the case. Now, there's been a lot of progress made in sort of segmenting these things and building up security around it in the last several years. We're not typically facing problems at this level very often, although as you've seen with Baltimore, a lot of what would probably be termed as infrastructure there has been impacted recently.
Dave Bittner: [00:05:57] So what are we looking at in the future here? I see a lot of talk about how 5G is going to enable things when it comes to infrastructure. What's your take on that?
Dave Venable: [00:06:09] 5G certainly will be a huge game changer and in a positive way, but we have to do it right. I mentioned a minute ago that a lot of these, like, industrial control systems and things like that were designed years before anyone was really thinking about real security. And today, we have this fairly unique opportunity to build up a new infrastructure with a modern way of thinking about it. I mean, as we've seen with the Huawei cases and some things like that recently, there's certainly a lot of potential for this to go in very, very negative ways. We just need to proceed with caution, I would say, and keep security and integrity and all of those things in mind throughout the process.
Dave Bittner: [00:06:59] As we're on the leading edge of this transition, what are your recommendations for people to prepare themselves? From a security point of view, what are the best practices they should adopt?
Dave Venable: [00:07:08] So one of the biggest things that you can do is enable multi-factor authentication. From a privacy point of view, that actually makes a huge impact. This is where you type in a password and then an app on your phone or something along that line provides a code that you then type in as well. Now, that applies kind of ubiquitously across any infrastructure, but I always like throwing that out there. With looking at the future of 5G and big data and all of these concerns, there's unfortunately not a lot that the individual can do.
Dave Venable: [00:07:49] Altering your habits to be essentially - the way I like to think of it is with personas, right? So if you have your public persona, then here's all the things that I don't care for everyone in the world to know. If you're mindful of that and just kind of keep that out there at all times, you're far better off. There's certainly a number of ways to kind of create alternate personas that you only use at certain times - sort of an operational security perspective. But with 5G, I mean, short of becoming a prepper, having a bunch of water at home and a generator and things like that, there's really not much you can do to try to prevent sort of being impacted by an infrastructure attack or things like that. It kind of demonstrates part of the problem, I think.
Dave Bittner: [00:08:41] That's Dave Venable from Masergy.
Dave Bittner: [00:08:45] There is an app behaving badly in the Android ecosystem. Upstream Systems security lab Secure-D says that VidMate, an Android app with about half a billion downloads, is up to a lot of not-so-good things. VidMate allegedly serves adware, subscribes users to paid services without their knowledge and sucks down their mobile data. These things are all bad. VidMate told BuzzFeed it was investigating the matter but declined to say much more than that. VidMate facilitates downloads of video from YouTube, WhatsApp and other sources, but we think we'll do without it.
Dave Bittner: [00:09:21] An unsecured AWS database apparently belonging to a Mumbai-based social media marketing outfit, Chatterbox, has exposed information on millions of Instagram influencers, celebrities and brand accounts, TechCrunch reports. The data seemed to have been obtained by scraping. Bravo Emsisoft, which has released a decryptor for JSWorm 2.0 ransomware - the decryptor is available for free from the New Zealand-based security firm. If you are a victim, Emsisoft urges you not to pay but to visit their site and use their decryptor.
Dave Bittner: [00:09:55] That decryptor won't help the city of Baltimore, alas. Charm City was afflicted almost two weeks ago with RobinHood ransomware, and while reversion to manual backup has restored some city services - most notably the ability to transfer deeds in real estate transactions - recovery is looking like a long and probably costly process. The new mayor, Jack Young, said at the end of last week that he had no precise timeline for recovery but that the city was hard at work rebuilding systems in a way that would enable Baltimore to restore its business functions securely. It's going to be pricey. Apparently, Baltimore doesn't have insurance against this kind of attack. The taxpayers will be even more unhappy than usual.
Dave Bittner: [00:10:37] The U.S. continues to be serious about strictures against Huawei as markets sort out the ban's consequences. The Commerce Department has relaxed some of its restrictions Huawei's placement on the entity list imposed, but those relaxations are designed for the convenience of some U.S. businesses and don't come close to amounting to a get-out-of-jail-free card for the Chinese tech giant. U.S. companies, including Google, Qualcomm and Intel, were quick to cut Huawei off. Huawei, for its part, has warned everyone not to take it lightly, that it has resources to draw upon and that it doesn't intend to go quietly. How the markets ultimately regard the companies enmeshed in U.S. sanctions remains to be seen. Huawei suggests that its customers and vendors are likely to feel the bite more than Huawei itself, but others aren't so sure. There's also some pointing with alarm at the emergence of a new cold war in cyberspace, but the first non-lethal shots in that particular war were fired so long ago that this hardly counts as news.
Dave Bittner: [00:11:42] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. According to a recent CA Technologies research report, 53% of organizations confirmed insider attacks within the last 12 months. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data, but to stop insider threats, you need to track a combination of user and data activity. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT free - no installation required - at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:12:55] And joining me once again is Craig Williams. He's the director of Talos outreach at Cisco. Craig, it's always great to have you back. I wanted to touch base with you on some of the stuff that you and the Talos team are monitoring out there on the net. What are you seeing these days?
Craig Williams: [00:13:10] Well, we actually did have some really interesting data. One of our researchers, Chris Evans, has been out there trying out different types of honeynets, honeypots - you know, putting out things to see if people fiddle with them. And one of the more interesting things that we've seen recently is attackers specifically targeting Elasticsearch clusters.
Dave Bittner: [00:13:27] Describe to me what you're seeing.
Craig Williams: [00:13:28] Well, so they're basically trying to use older attacks. So we're looking at CVEs from 2015 and 2014, you know? But I'm sure you realize a lot of people who run these massive Elasticsearch clusters don't really keep them up to date, unfortunately. During the period we looked at this, we were able to identify what we believe were six distinct actors basically poking at these servers to see what they could do.
Dave Bittner: [00:13:51] Now, that's interesting because, you know, I guess my first inclination would be to think that if folks were using techniques that were that old, then they wouldn't be that effective. But that's not the case?
Craig Williams: [00:14:01] Definitely not. Unfortunately, a lot of times, you know, companies set up these servers, and then as long as things are working, they don't tend to mess with them. It's, you know, kind of the uptime thing, right? If it isn't broken, don't fix it. And unfortunately, they don't realize that's not always true with software because as time goes on, even if your server was perfectly functional, well, people are going to discover problems in the software. They're going to develop ways to exploit the software. And so if you don't put mitigations in place or patch it, you're going to have a bad day, particularly for those systems connected directly to the internet.
Dave Bittner: [00:14:36] And are there any patterns that are emerging here in terms of who you might think is up to this or what they're after?
Craig Williams: [00:14:43] Actually, yes. There are some very interesting little weird patterns that they're doing. One of them that allowed us to track one group is they're trying to download a file with a very specific name. Now, hilariously, the server they're trying to download it from is no longer hosting that file, so basically what that means is it was - you know, it's an automated worm-type thing just hammering on and hammering on even though the entire campaign is really broken since that file is no longer there.
Craig Williams: [00:15:10] You know, one of the other things we thought was funny was that it echoed a specific command into the server, and we believe that part of the command is actually a social media identifier. And we looked up the account for that social media identifier. It's a particular Chinese social media account, and it posts about cybersecurity and attacks periodically. Now, you know - yeah. I don't - I want to be clear here, right? This could be somebody trying to frame that particular user. It could be someone just goofing around. It could be completely coincidental. So, you know, on these type of things, you really got to look at that type of information with a little bit of a grain of salt, because you can never really say that that would be that person, right? Why would it make sense for the attacker to drop their social media account? I mean...
Dave Bittner: [00:15:59] Yeah.
Craig Williams: [00:15:59] I guess it's true bad guys have horrible OPSEC and love signing their work to make it easier for us, but seriously? Really? It's going to be that simple?
Dave Bittner: [00:16:08] So where does it go next for you all? You have this honeypot out there and you see this activity. Where do you take it next?
Craig Williams: [00:16:15] Well, you know, that's why we basically come on shows like yours and we post things to our blog, so that people are aware that this is happening. Honeypots are a useful tool, but honeypots are usually very easy to detect, and so our team will go to great lengths to try and make it very difficult for people to detect them. You know, we have customized software. We deploy it around the world. We deploy it in IP spaces not attributable to the company or any company that people associate us with. And so when we see these type of things, we're very confident that this is representative of basically the background attack traffic of the internet. And so we alerted our customers. We're alerting all your listeners and our listeners that if you're running this software, you need to be aware that it's being targeted. And so if you're running Elasticsearch 1.4.2 or lower, you've got to upgrade or you've got to get some sort of intrusion prevention system like Snort in place to protect you against those threats.
Dave Bittner: [00:17:11] All right. Craig Williams, thanks for joining us.
Dave Bittner: [00:17:18] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
ExtraHop provides cyber analytics for the hybrid enterprise. Using wire data and machine learning for real-time threat detection and investigation from Core to Cloud, ExtraHop delivers unprecedented visibility, definitive insights, and immediate answers so security teams can act with confidence. Learn more at ExtraHop.
ObserveIT is the leading Insider Threat Management solution with approximately 1,700 customers across 87 countries. ObserveIT is the only solution that empowers security teams to detect insider threats, streamline the investigation process, and prevent data exfiltration. Start your free trial of ObserveIT today.