Tensions between the US and Iran are likely to find further expression in cyberspace. OceanLotus’s Ratsnif kit isn’t up to the threat actors normally high standards of coding, but it’s plenty good enough. Cyberattacks in the states of Florida and Georgia. Utilities are urged to go lower tech where possible. Magecart skimmer “Inter” is being hawked on the dark web. Cryptowars update. And no, they haven’t videoed you using EternalBlue: just dump that email. Johannes Ullrich from the SANS Technology Institute and the ISC Stormcast podcast on Weblogic exploits. Guest is Nick Jovanovic from Thales on cloud security in the federal space.
Dave Bittner: [00:00:03] Tensions between the U.S. and Iran are likely to find further expression in cyberspace. OceanLotus's Ratsnif kit isn't up to the threat actors' normally high standards of coding, but it's plenty good enough. Cyberattacks in the states of Florida and Georgia, utilities are urged to go lower-tech where possible. MageCart skimmer Inter is being hawked on the dark web. We've got an update on the crypto wars, and no, they haven't videoed you using EternalBlue. Just dump that email.
Dave Bittner: [00:00:38] And now a word from our sponsor Authentic8. Authentic8, the creators of Silo, now have an app called the Silo Research Toolbox that builds a separate, isolated browser session. This allows researchers to collect information from the web without risk to their work network. With Silo Research Toolbox, researchers can go anywhere on the web and collect data without revealing their identity or exposing their resources. It runs, looks and is just as powerful as a local browser, with none of the risk. The bottom line is that any website you visit on the open, deep or dark web will not know any details about you, your computer or your internet connection. Silo is built fresh at every start and is completely destroyed at the end. It never exposes your IP address and never carries any information with you from session to session. If you're required to keep your online investigations completely anonymous and safe from cyber threats, consider checking out the Silo Research Toolbox at authentic8.com/cyberwire. That's authentic8.com/cyberwire. And we thank Authentic8 for sponsoring our show.
Dave Bittner: [00:01:53] Funding for this CyberWire podcast is made possible, in part, by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.
Dave Bittner: [00:02:08] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 2, 2019. The Washington Post surveyed experts and found that most thought the U.S. cyberattack against Iranian targets was the right call. It was non-lethal, properly discriminating in that it hit clearly military targets and sensibly proportionate as a response to Iranian attacks on shipping and a U.S. surveillance drone. Reservations the experts voiced involved concerns about escalation, the semi-public way the attack was avowed, the immature state of international laws of cyber conflict and the possibility of attack tools escaping into the wild.
Dave Bittner: [00:02:49] An Iranian response can be expected. Tehran has already said it's exceeding uranium production limits it agreed to observe, and many security experts are advising businesses in the U.S. to look to their defenses. CISA, of course, has done the same and warns in particular about the threat of wiper attacks.
Dave Bittner: [00:03:09] BlackBerry Cylance has published an overview of recent activity by OceanLotus, also known as APT32 or CobaltKitty. They're particularly interested in Ratsnif, a set of remote access tools Vietnam cyber operators worked with and used since 2016. Ratsnif, which offers packet sniffing, gateway and device ARP poisoning, DNS poisoning, HTTP injection and MAC spoofing, had gone undetected for some time, probably because of its selective employment. It's not up to CobaltKitty's usual high standards of coding. And indeed, BlackBerry Cylance finds it sloppy. But then, you only have to be good enough to attain your objectives and achieve them. Ratsnif generally did.
Dave Bittner: [00:03:56] Security firm Thales recently published a report titled "The Changing Face of Data Security in the Federal Government." Nick Jovanovic leads the Thales cloud protection and licensing U.S. federal business, and he joins us to share their findings.
Nick Jovanovic: [00:04:10] Government has jumped into big data environments. They've jumped into IoT mobile payments, and multi-cloud usage is extremely high. So there's - over 80%-plus of agencies today are in the cloud, and they're putting tremendous amount of data in the cloud, as well as sensitive data in there. So...
Dave Bittner: [00:04:31] And what is driving that movement toward the cloud? What are the benefits that they're seeing there?
Nick Jovanovic: [00:04:36] That's a great question. When I've had some sidebars with some senior executives, a lot of what's driving to the cloud - while we initially thought was cost savings - there is a bit of that - but simply the ability to modernize their platform and technologies is probably the largest impetus that I'm seeing for federal agencies moving to the cloud. You've got lots of legacy systems that are very complicated and very expensive to modernize on their own. And if they migrate to the cloud, they're automatically on some of the latest technology that's out there.
Dave Bittner: [00:05:10] Yeah, that's a really interesting insight. That shift allows someone else to have responsibility for keeping everything up to date.
Nick Jovanovic: [00:05:16] But it also leaves a pretty big gap in terms of responsibility around security. When you look at digital transformation - I group cloud into digital transformation - we're looking at modernizing the environment. And it's a perfect opportunity, when you're modernizing, to take a look at your security best practices and make sure that, you know, when you do migrate to the cloud, you're not just putting all faith in the cloud service provider, and recognizing that your information and your data, whether it's sensitive or not, is still your own. And you have a responsibility to protect that. It's a shared responsibility.
Dave Bittner: [00:05:50] When it comes to the federal side of things, what are some of the specific challenges they face when it comes to securing these cloud infrastructures?
Nick Jovanovic: [00:05:58] I think the biggest thing that people look at is, what's the path of least resistance, and what's easy? And many of the federal agencies, when we poll them in our data threat report - what are they seeing from their end? We're not trying to pontificate as an organization. Overwhelmingly, they come back and say, you know, some of the most effective tools to secure their data is encryption. But surprisingly, the number of people who are using encryption to protect their data is extremely low. Only 30% or less use encryption, which is a critical technology to secure their data. So I would say that enterprise key management to control the keys for the data that goes into the cloud and then also encrypting the data, depending on where you can encrypt, is going to be critical to securing data. Outside of that, you've got to have authentication tools to be able to make sure that the right people are accessing that data and you're creating that zero trust environment.
Dave Bittner: [00:06:55] What do you suppose is behind that bit of a disconnect there - that more people aren't using things like encryption, some of those best practices?
Nick Jovanovic: [00:07:03] There's misconception around complexity with technologies like encryption. When you go back 10, 15 years, it would be very difficult to encrypt a lot of environments or use a key management technology. Technologies have shifted and changed so that there's almost no impact to the ability to process their information when you're encrypting data. And enterprise key management tools are a lot easier to use, almost simplistic to the point where you can use it between multiple technologies. So that is probably the biggest reason there's old, preconceived notions, and people haven't bothered to move forward.
Nick Jovanovic: [00:07:41] Now, there's also been a big focus around perimeter defense in organizations. And this year in particular, what I'm seeing is that senior management within organizations is recognizing that the perimeter is extremely fuzzy, especially when we're talking cloud. They, in fact, don't have a perimeter anymore. And so at that point, we are really limited to how you're protecting the data. And, you know, it's not going to be a perimeter focus anymore. People have to actually place controls closer to their data. They have to enforce these controls that are defined by them by encrypting the data.
Nick Jovanovic: [00:08:21] It really depends on what you're using in the cloud. If you're using infrastructure as a service, it's very easy to bring technologies like bring your own encryption, bring your own keys. And the closer you are to the data when you're encrypting, the stronger the protection will be in place. If we do that right, you're controlling your own keys. You're controlling access to the data and then blinding any types of privileged users from the cloud standpoint from ever seeing the information. So it gives plausible deniability for the organization. For the cloud provider, it protects your environment.
Nick Jovanovic: [00:08:58] Now, if you're using technologies like platform as a service, then you have to look at technologies like tokenization or application layer encryption, which increases your security posture further because from ingest of your data all the way down to data at rest, you're going to be protected and encrypted using access controls. Now, if you're using software as a service, you get significant value. However, you have very little control over how that software platform is being managed and what you can do to protect your data. So you're relying on those software organizations to actually protect the information.
Nick Jovanovic: [00:09:38] What you really do want to do is control your keys at that point, have the ability to report around how those keys are being accessed by the software platforms and the ability to remove access to those keys if you want to, essentially, crypto-shred access to that information.
Dave Bittner: [00:09:56] That's Nick Jovanovic from Thales. The report is titled "The Changing Face of Data Security in the Federal Government: the 2019 Thales Data Threat Report."
Dave Bittner: [00:10:07] Google has removed more than a hundred apps from the Play store after Trend Micro found 182 camera and game apps infested with adware. One hundred eleven were in Google Play. The rest were in various third-party stores.
Dave Bittner: [00:10:22] A third Florida city, Key Biscayne, has suffered a cyberattack, but it appears to have recovered better than the first two - Riviera Beach and Lake City, according to The Miami Herald. Key Biscayne disclosed that it had experienced a data security event last Sunday. The city manager said that some systems were taken offline during the recovery, but all systems were back up by Wednesday night of last week. An investigation into the extent of the attack continues.
Dave Bittner: [00:10:50] And there's been another ransomware attack in the U.S. state of Georgia. The administrative office of the courts was taken offline yesterday as it attempted to deal with the attack. As is the case with most ransomware, the problem is data availability and not data theft, so the office's assurances that no personal data were compromised is comforting but a bit wayward. All Georgia courts' .gov sites were, the last we heard, still unavailable. One would have hope that Atlanta's major ransomware mess in 2018 would have served as a warning shot across the state government's bow, but any such warning appears to have been insufficient. That's neither new nor unique to Georgia. Baltimore, for example, had not only its own warning shot last year but several years of internal warning and advice that it disregarded much to its own cost.
Dave Bittner: [00:11:41] Lawmakers in the U.S. are encouraging the power distribution sector to take a technological step back in order to improve security. In a move designed to increase manual operations in the electric grid, the Senate has, with bipartisan support, passed the Securing Energy Infrastructure Act or the SEIA. Utility Dive explains that the bill asks the Department of Energy and other agencies to look at ways to harden the electrical grid that would replace unnecessarily high-tech systems with simpler solutions that are harder to hack.
Dave Bittner: [00:12:14] There's a customizable payment site skimmer up for sale. Fortinet has described a new MageCart skimmer called Inter that's selling for $1,300 on the dark web markets. The skimmer can be customized to fit different types of websites and payment vendors, and it has built-in templates for 18 popular payment forms. Dark Reading notes that the skimmer's sophistication, ease of use and wide applicability means that it will probably be seen in use by Inter's criminal customers sooner rather than later.
Dave Bittner: [00:12:45] And finally, here are some words of comfort. You probably haven't been videoed in the process of visiting a discreditable website. Extortionists claiming to have installed a Trojan via EternalBlue-infected adult sites are lying. It's a pure scam, Bleeping Computer says. Just delete the emails, and go on with your life a little sadder, maybe a little wiser or at least a little more careful where you wander online.
Dave Bittner: [00:13:16] And now a word from our sponsor Edgewise. The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center. But traditional microsegmentation is too complex and time-consuming and offers limited value that's hard to measure. There's a better approach - Edgewise Zero Trust Auto-Segmentation. Edgewise is impossibly simple microsegmentation in one click, delivering results immediately with a security outcome that's provable and management that's zero-touch. At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications. Edgewise protects any application in any environment without any architectural changes. They provide measurable improvement by quantifying attack path risk reduction and demonstrate isolation between critical services so that your application can't be breached. Learn more at edgewise.net/cyberwire. That's edgewise.net/cyberwire. And we thank Edgewise for sponsoring our show.
Dave Bittner: [00:14:43] And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute, and he's also the host of the ISC StormCast podcast. Johannes, it's always great to have you back. I wanted to touch base with you today about what we've been seeing with the WebLogic exploits. What's going on here?
Johannes Ullrich: [00:15:00] Yeah, so Oracle, a couple weeks ago, released yet another patch for WebLogic. And of course, these vulnerabilities are always very concerning because WebLogic is one of these big business systems. People usually keep all of their goodies kind of in this one spot, so we were a little bit concerned about, what are the hackers actually doing with these exploits? We have - are running a number of honeypots around the internet where we are looking for exploits hitting WebLogic, and what we found surprised us a little bit. Sure, they're hit pretty hard, but most of the exploits - like, more than 80% of the attacks or requests being sent to these honeypots actually don't use the WebLogic T3 protocol. When you're running WebLogic, you have the option to either set them up responding to these T3 requests, which is WebLogic's own sort of protocol that it's using, or they can respond via HTP (ph) - HTP, of course, being simpler and also simpler for the attackers, so surprising but not surprising that attackers are sending their requests using HTP. On the other hand, they may actually missing a large number of targets by not supportings (ph) of this default protocol that WebLogic is using.
Dave Bittner: [00:16:27] Interesting. Now, in terms of available patches, where do things stand there?
Johannes Ullrich: [00:16:31] Patches are available for these vulnerabilities. The problem with WebLogic is that it suffers from these ongoing deserialization vulnerabilities. What WebLogic kind of does, or how it's often used, is it receives fairly complex data objects that are then being fed back into various database - essentially, you know, things like orders, HR requests and the like. So WebLogic had a real hard time coming up with a good solution to not allow dangerous objects to be deserialized. What I have been doing over the last couple of years is essentially building a blacklist, and we all know blacklists are sort of fundamentally flawed, that you're always going to miss yet another way to sort of send a dangerous object to WebLogic. And as a result, also writing these exploits has been very easy. And just that last one, I believe, was actually found after it was already exploited in the wild.
Dave Bittner: [00:17:31] Now, is there anything, I mean, fundamentally, that folks should be avoiding these - over these WebLogic servers, or is it just a matter of keeping things patched and up to date?
Johannes Ullrich: [00:17:40] Patching is a good idea, but you definitely should not expose them to the internet. And that's actually something that seems to be getting through. We don't see a ton of them being exposed on the internet. And the one blind spot we really have with our honeypots here is, how are these WebLogic servers being exploited once the hacker's inside your network? - because that's where you may have less defenses, where you may expose - you really have to expose these WebLogic servers internally. And so that's where you may actually see some of the more sophisticated attacks. If you do see a crypto coin miner running on one of these WebLogic servers, by all means, make sure that you don't just remove the crypto coin miner. But be aware there may be other things that are also sitting on that WebLogic server, even if we didn't see them in our honeypots, which, of course, you know, may easily be detected by some of the more sophisticated attackers.
Dave Bittner: [00:18:41] All right. Well, Johannes Ullrich, thanks for joining us.
Johannes Ullrich: [00:18:44] Thank you.
Dave Bittner: [00:18:49] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:02] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Authentic8, the maker of Silo Cloud Browser and Silo Research Toolbox, ends this betrayal. Silo isolates all web data and code execution from user endpoints to provide security even while doing data analysis and collections across the dark web. Learn more about Silo at Authentic8.com.
Edgewise’s Zero Trust Auto-Segmentation delivers impossibly simple microsegmentation in one click. Edgewise policies, built by machine learning, protect any application in any environment. We provide measurable improvement by quantifying attack path risk reduction and verifying software identity before it communicates — to stop application compromise and data breaches. Learn more at edgewise.net.