The European Central Bank shutters a service due to a hostile intrusion. Norman quietly mines Monero. MetaMorph passes through email security filters. Some Capital One insiders thought they saw trouble brewing. Instagram crowd-sources epistemology. Deep fakes are well and good, but the will to believe probably gets along just fine with shallow fakes. US Cyber Command posts North Korea’s Electric Fish malware to VirusTotal. Johannes Ullrich from the SANS Technology Institute on IP fragmentation in operating systems. Guest is John Smith from ExtraHop on the aftermath of an insurance claim.
Dave Bittner: [00:00:03] The European Central Bank shutters a service due to a hostile intrusion. Norman quietly mines Monero. MetaMorph passes through email security filters. Some Capital One insiders thought they saw trouble brewing. Instagram crowdsources epistemology. Deepfakes are well and good, but the will to believe probably gets along just fine with shallow fakes. And the U.S. Cyber Command posts North Korea's Electric Fish malware to VirusTotal.
Dave Bittner: [00:00:36] And now a message from our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:01:25] Funding for the CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com.
Dave Bittner: [00:01:52] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 16, 2019.
Dave Bittner: [00:02:00] The European Central Bank closed down one of its web sites yesterday after sustaining an unspecified cyberattack on the bank's integrated reporting system. It's called BIRD. Reuters reports that ECB says no market-sensitive data were compromised but that email addresses, names and titles of BIRD newsletter subscribers may have been taken. BIRD is used to give bankers information on the production of statistical and supervisory reports. The server for BIRD is hosted by a third party. The ECB says none of its own systems fell victim to the attack. The bank is in the process of notifying affected customers of the incident.
Dave Bittner: [00:02:40] The Norman crypto miner tracked by Varonis is said to be showing some unusual evasiveness. Its dynamic link library arrives with the Agile obfuscator. Once Norman is in, the malware also injects an obfuscated miner into an appropriate application along its execution path. Should a user suspect that something is amiss and open task manager to see what's up, Norman stops mining. Once the user's suspicions are laid and task manager is closed, Norman goes back to work, piling up the Monero.
Dave Bittner: [00:03:14] Security firm Avanan is also warning of a relatively evasive kind of attack. They call this one MetaMorph, and it's turning up in a phishing campaign that mimics Microsoft voicemail notifications. Avanan says the link the phishing presents will take the unwary to a credential harvesting site. The evasion that has passed MetaMorph through the link parsers in Microsoft Office 365 is the use of meta refresh to redirect the victim from the locally hosted HTML attachment to a phishing page out in the wild, wild internet. Avanan offers two recommendations. First, be suspicious of any email that contains an HTML or .HTM attachment, and second, admins might consider treating HTML attachments the way they treat executables.
Dave Bittner: [00:04:01] The Wall Street Journal reports that employees at Capital One expressed concern over what they saw as high turnover among the bank's cybersecurity unit. There are reports that a third of the cybersecurity staff left in 2018. The unit was responsible for threat-hunting, firewall configuration and similar security tasks. Even given the turnover, Capital One points out that total cybersecurity headcount actually increased over that period. Nonetheless, insiders complained of a poor organizational climate, lax security oversight and slow deployment of security tools.
Dave Bittner: [00:04:35] Capital One has long enjoyed a reputation as a technologically savvy organization, sometimes described as a tech company with a bank as opposed to a bank with a serious commitment to technology. Approximately five years ago, the bank began its migration to the cloud. Some observers think that migration and Capital One's tech-friendly culture paradoxically made the enterprise more difficult to secure. Many of the bank's personnel were empowered to make tech decisions, and that decentralization may have left the bank open to the sort of misconfiguration allegedly exploited by accused hacker Paige Thompson, who went by the hacker name erratic, to compromise its data.
Dave Bittner: [00:05:16] I want to take a quick moment to tell you about an exciting CyberWire event. It's our sixth annual Women in Cybersecurity Reception. It's taking place October 24 at the International Spy Museum's new facility at L'Enfant Plaza in Washington, D.C. The Women in Cybersecurity Reception highlights and celebrates the value and successes of women in the cybersecurity industry. The focus of the event is networking, and it brings together leaders from the private sector, academia and government from across the region and women at various points in their careers. The reception also provides a forum for women seeking cybersecurity careers to connect with the technical and business professionals who are shaping the future of our industry. It's not a marketing event. It's just about creating connections.
Dave Bittner: [00:05:59] We're grateful to our sponsors. Here are some of them. During the event, guests will have opportunities to hear perspectives on diversity from our industry from this year's presenting sponsor KnowBe4. Our 2019 platinum sponsors include Cooley. This year's gold sponsors include T Rowe Price, CyberArk, FTI Consulting, Saul Ewing Arnstein & Lehr, ObserveIT and Synack. And if your company is interested in supporting this important event, we still have a few sponsorship opportunities available, and if you're interested in an invitation to the event, tell us a little bit about yourself and request one at our website, thecyberwire.com/wcs. That's thecyberwire.com/wcs. We look forward to hearing from you, and we hope to see you there.
Dave Bittner: [00:06:44] Instagram is introducing a feature that would permit users to flag information they believe to be false. Reuters has an account of the tool, which appears to be an interim gesture in the direction of controlling fake news. It's not entirely clear that this sort of crowdsourcing will readily get to ground truth, which, of course, may not necessarily be the same thing as community consensus. Perhaps this represents an attempt to move toward John Stuart Mill's marketplace of ideas, but then Instagram isn't really the sort of ideal or rational market that one might hope would converge on truth.
Dave Bittner: [00:07:17] In that light, it will also be interesting to see how the tool fares in countering the Russian and other disinformation operations it's presumably intended to fend off. The Russian approach, which has aimed at disruption, might not be affected to any noticeable degree at all. If you're simply aiming at widening fissures in a targeted civil society by amplifying the more extreme and ultra voices, haven't Instagram and other social media famously served as echo chambers for the like-minded? In any case, we shall see.
Dave Bittner: [00:07:50] The other concern that's been surfacing recently has been the potential for deepfakes to influence public opinion. Axios argues this week that this particular threat has been much exaggerated. For one thing, they point to claims by ZeroFOX that it can now reliably detect manipulated imagery. For another, Axios notes that those who wish to be deceived will deceive themselves come what may. Such ploys as Stalin's airbrushing of unpersons from official photographs did the job back in the 1930s, and they can do so again. With respect to influence operations, it's hard to escape the conclusion that, as Pogo Possum said a half-century ago, we have met the enemy, and he is us.
Dave Bittner: [00:08:33] U.S. Cyber Command has posted Electric Fish malware from North Korea's APT38 threat group to VirusTotal. FireEye has reported that APT38 is heavily involved in state-directed financial crime. Its activities overlap those of the Lazarus Group. Many of you are no doubt aware that Cyber Command has a Twitter feed dedicated to telling followers when it's posted something to VirusTotal. Just search for U.S. Cyber Com malware alert on Twitter. They've got the blue checkmark and everything.
Dave Bittner: [00:09:08] Now a moment to tell you about our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book "SOAR Platforms: Everything You Need to Know About Security, Orchestration, Automation, and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:10:25] And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute, and he's also the host of the ISC "StormCast" podcast. Johannes, it's always good to have you back. We wanted to touch today on some stuff that you've been tracking when it comes to the fragmentation of IP within operating systems. What are we talking about here?
Johannes Ullrich: [00:10:45] IP fragmentation is, well, as old as IP itself. The problem you have with packet-based networking is that not all networks support the same packet size. So as packets traverse the internet, they may hit a network segment that has a smaller maximum packet size, also called the maximum transmission unit or MTU. And routers then need to essentially split up packets into small fragments. This process has always been problematic, particularly the way the standards, the RFCs, are written for IP. It specifically required receiving hosts to deal with some odd fragments. Like, for example, if you receive two fragments that overlap and then it's not really clear, is the first of a second copy of the packet going to get used.
Johannes Ullrich: [00:11:40] One kind of network that particular had issues with this was intrusion detection systems. Intrusion detection systems have to understand how a particular recipient will deal with the traffic. And a lot of papers have been written about how different operating systems are actually dealing with some of these ambiguities that can show up and manipulating (ph) with fragmentation.
Johannes Ullrich: [00:12:06] And even though this problem is pretty old, like, it's - like I said, as old as IPs, so about 30 or so years old, it still keeps coming up. Just last year, we had, like, a big denial of service vulnerability in Linux as well as in Windows dealing with fragments. FragmentSmack was the name there. In response, a couple of the operators like Linux and Windows, they stated that they're going to actually change how they're dealing with fragments. So I went back and looked at some of these operating systems to really sort of map out, is what we sort of assume still true?
Dave Bittner: [00:12:42] And what did you discover?
Johannes Ullrich: [00:12:43] And I discovered, for example, that one thing that surprised me a little bit, that Windows will not accept overlapping fragments at all anymore. And this is going back to Windows XP Service Pack 3. That's, like, the oldest that could easily set up there. It's not known (ph) for the newer versions of Windows, but I was kind of surprised that even these old versions of Windows, they don't accept overlapping fragments anymore. That actually is important because now you have to make sure that you're telling your intrusion detection system that this is how Windows is reacting, otherwise your intrusion detection system may actually, you know, consider packets as valid that your operating system will drop.
Dave Bittner: [00:13:24] So folks may be running under outdated information?
Johannes Ullrich: [00:13:27] Correct, folks may be using outdated information. Same is true somewhat for Linux. Now, at this point, Linux is still accepting overlapping fragments, so that's still true. That still works. But Linux announced that they will actually also start dropping them in the near future. I believe some of the more recent kernels that haven't sort of made it into the current distributions yet already drop overlapping fragments.
Dave Bittner: [00:13:55] So in terms of being proactive and getting ahead of these changes, what are your recommendations?
Johannes Ullrich: [00:14:00] Actually, I would go even further. I would tell my firewall drop fragments. One thing in modern IP stacks is that they are actually pretty good in avoiding fragmentation. The only system in your network that you should still see fragments at all is your DNS server. So give it a try and see what happens if you just drop all fragments in your firewall and just put an exception for a DNS server, if you're running one.
Dave Bittner: [00:14:32] And is - any fallout that could happen there?
Johannes Ullrich: [00:14:35] Well, there's always an odd chance if you have some interesting protocols that, you know, would get blocked by this. As a preliminary thing, it could maybe just lock all the fragments and, you know, see if anything shows up in your logs. I tried it in a couple of networks. I talked to a couple of people that install firewalls in large networks, and they pretty much confirmed it's actually safe at this point to just drop fragments.
Dave Bittner: [00:15:01] All right. Well, Johannes Ullrich, thanks for joining us.
Dave Bittner: [00:15:08] Now it's time for a few words from our sponsor, BlackBerry Cylance. You probably know all about legacy antivirus protection. It's very good as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show.
Dave Bittner: [00:16:08] My guest today is John Smith. He's a principal sales engineer at ExtraHop. Our conversation was sparked by the recent news that Mondelez, a company that owns the Oreo and Cadbury brands, is suing its insurance company for refusing to pay out damages caused by the NotPetya attack. The insurance company Zurich refuses to pay out the policy, stating that there's an exclusion for a hostile or warlike action by a government.
John Smith: [00:16:35] It's interesting. I first got interested in cyber insurance back in 2014, when a company called Schnucks was actually sued by their umbrella policy. And I kind of saw early on that there was going to be some friction with the insurance company when they started offering, you know, cyber insurance. They wanted to kind of move that out of the umbrella policy and offer that as a separate rider.
John Smith: [00:16:57] Obviously, the Cadbury lawsuit that stemmed from that is part of where I saw maybe there being some friction where they weren't quite fully underwriting this in the same way; they were underwriting it more as a hazard insurance, right? Like flood insurance or hurricane insurance - I live in Florida, so both of those are relevant - versus something that is inevitable, right? I mean, I have life insurance, and, you know, it is inevitable that I won't be on this earth forever, and sooner or later, they're going to have to pay. But part of that underwriting was I had to get on a scale, a nurse came, and I had to take a physical. We don't really do that with cyber insurance.
John Smith: [00:17:32] So they're sort of - I think what I saw was an issue where maybe the industry didn't have a full understanding of the risks that they were undertaking, really, as not something that is a hazard; it is more something that is an inevitability. And maybe there was going to be some changes. And, obviously, the pending friction with the myriad of both Merck and the Cadbury lawsuit - both of those have a lot of friction and will be settled in the courts. And so I kind of saw that there were some opportunities there to maybe reassess, you know, how you talk to customers, basically kind of have an understanding of where underwriting is maybe not fully understanding what they're getting themselves into.
Dave Bittner: [00:18:09] So where do you suppose we find ourselves today? If I'm an organization that wants to go out and buy an insurance policy as part of the spectrum of tools I want to use to protect myself, what am I going to encounter?
John Smith: [00:18:22] You need to have an understanding of at least one of the outcomes you need in order for them to pay out. But if you look at the - where they're basically saying the recent breach was an act of war, an act of war is becoming a common tool that insurance companies are using to basically - to limit their risk and liability for a breach.
John Smith: [00:18:40] You have to assume that there will be collateral damage in any state-sponsored cyberwarfare campaign, right? If you look at the U.S. military, they sort of cordon off or they organize their theaters by coms. There's Northcom, Africom, Southcom. Cybercom is a global command, if that makes sense, right? So while - if you look at the U.S. and the Ukraine, we are - I Googled it - we are 5,687 miles away from the Ukraine. And while you might be 5,000-plus miles away from a conflict, if it's a cyber conflict, in most cases, you are digitally fractions of a second away from that conflict. If you have a public IP address, you are basically in theater. So you have to understand exactly what risks you're going to take in terms of what Get Out of Jail Free cards are there for the insurance company. I don't know if I'm using the right term, but...
Dave Bittner: [00:19:31] Yeah.
John Smith: [00:19:31] You have to understand, like, what are the things that could nullify your policy, right? And you need to understand that we live in this world where if it's a digital conflict, if you have a public IP address, you are in theater, and you definitely run the risk of collateral damage in the way that physical confrontations don't.
Dave Bittner: [00:19:49] Yeah, it's an interesting thing to think about. I'll admit I hadn't thought about it that way. I mean, it's - in my mind, I'm imagining that the unlikely happened and Canada found themselves at war with Mexico, and, you know, Mexico is flying a plane over the U.S. heading towards Canada and accidentally dropped a bomb on someone in the U.S. Well, I suppose the insurance company could say you're not covered by that because that was an act of war even though the U.S. wasn't an active member of that war.
John Smith: [00:20:16] Absolutely. And in the world of TCP/IP - right? - in the digital cyberspace, everyone is in theater. That's why - again, that's why the U.S. sort of isolates that as a single command because it is a global conflict. Like I said, in general, you are faster than you can blink in terms of how fast it takes for communications to get to you. So you're always in the blast zone when you're on the public internet, and so you have to have that understanding when you negotiate your policy with your insurance company.
Dave Bittner: [00:20:46] It also strikes me that it seems as though some organizations - they kind of try to have their cake and eat it, too. And what I mean is this - that they will say - perhaps just from a PR point of view, they'll say, well, we got attacked and the data was breached, and we believe this was a nation-state, and so, goodness, gracious, there's nothing we could've done about that because it was a nation-state. But I suppose that opens them up with their insurance company for the insurance company to say, well, OK, if that was a nation-state, then, you know, act of war. We're not covering you.
John Smith: [00:21:19] I agree. In fact, we're probably going to have to wait for the courts to settle this and determine at least how that's liable either way, right? One of two things I think will happen, and I'm not a legal expert or an insurance expert. But what I will say is that if the insured prevail, then you're going to see tougher policies and you're going to see something a little more consistent with the underwriting of health care. You know, if - you know, for me, take, for instance, I was a little heavy and my blood pressure was a little high, and I paid a little bit more. Now I made some lifestyle changes, and now I'm paying less.
John Smith: [00:21:49] And I think you're going to see the act and the practice of underwriting cyber policies is going to evolve drastically to one that accommodates - both incentivizes the insured but at the same time also gives some assurances for the company that's on the hook, basically, that they're doing all they can to prevent the breach, right? If I'm a race car driver or I like skydiving or if I build my house on the beach in the Caribbean, my homeowner's insurance is going to be much more expensive and, obviously, my health and life insurance runs the risk of being more expensive. So I think what's going to happen is both to the insured and the insurers - how they work with one another is going to evolve over time.
Dave Bittner: [00:22:31] That's John Smith from ExtraHop.
Dave Bittner: [00:22:38] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:22:51] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
ObserveIT is the leading Insider Threat Management solution with approximately 1,700 customers across 87 countries. ObserveIT is the only solution that empowers security teams to detect insider threats, streamline the investigation process, and prevent data exfiltration. Start your free trial of ObserveIT today.
Designed by analysts but built for the entire team, ThreatConnect’s intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics, and workflows in a single platform. Start Using ThreatConnect Today for Free.
Blackberry Cylance is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect the execution of advanced persistent threats and malware. Learn more at cylance.com.