BlueKeep is being exploited in the wild, not too seriously, yet, but you should still patch. Nunavut’s government is recovering from a ransomware attack is sustained Saturday morning. The NSO Group controversy spreads into an Indian politcal dust-up. Different Magecart groups are found to be be independently hitting the same victims. GandCrab provided a new template for the cyber underworld. And US Cyber Command deploys to Montenegro. Joe Carrigan with thoughts on the Coalfire pentesters criminal case.
Dave Bittner: [00:00:03] BlueKeep is being exploited in the wild - not too seriously yet, but you should still patch. Nunavut's government is recovering from a ransomware attack it sustained Saturday morning. The NSO Group controversy spreads into an Indian political dust-up. Different Magecart groups are found to be independently hitting the same victims. GandCrab provided a new template for the cyber underworld. And U.S. Cyber Command deploys to Montenegro.
Dave Bittner: [00:00:35] And now a word from our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire, and we thank ObserveIT for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing one billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:01:47] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 4, 2019. BlueKeep, the wormable vulnerability in Microsoft's remote desktop protocol that Redmond disclosed in May of this year, has finally been exploited in the wild. That's not good, but it's not nearly as bad as months of warnings had led observers to expect. BlueKeep spooked the industry when its discovery was announced because a worm that enables remote code execution could be a serious matter indeed. NotPetya, a different worm that exploited a different Microsoft vulnerability, did a great deal of damage, so the announcement by several security researchers that a BlueKeep exploit had turned up in their honeypots drew much attention. But as WIRED summarizes the attacks, the exploitation so far hasn't gone farther than the installation of some cryptojackers, so there's no reason to panic but also no grounds for complacency. About three-quarters of a million machines are thought to still be vulnerable to BlueKeep, so again, if you haven't patched against BlueKeep, what are you waiting for?
Dave Bittner: [00:02:55] Ransomware hit the Canadian province of Nunavut's government Saturday morning, taking agencies offline and rendering services unavailable. Local and provincial governments have recently proven unusually attractive targets for ransomware - school districts around the United States, cities like Atlanta and Baltimore and now a Canadian provincial government. There's no word yet on which strain of ransomware was involved, but the remarks by provincial officials to the press suggest that the infection entered the system by the usual way - by phishing. Some governments are taking prudent steps to avoid becoming the next victim. The city of Grand Forks, N.D., for one, has decided to transfer some of its risk by purchasing insurance. The city of 53,000 has taken out a $500,000 policy that will cost it nearly $8,000 a year in premiums.
Dave Bittner: [00:03:46] The controversy between WhatsApp and NSO Group has grown into an Indian domestic scandal. WhatsApp has accused NSO Group of installing Pegasus spyware in WhatsApp users' devices, targeting journalists, activists and politicians. Reuters reports that one of the politicians so targeted is the Congress party's general secretary Priyanka Gandhi Vadra. A spokesman for Congress, the largest opposition party, said that leaders in other opposition parties were also warned by WhatsApp that they'd been exposed to Pegasus. The Times of India says it's received information from the Internet Freedom Foundation NGO that suggests the Ministry of Electronics and Information Technology's CERT.IN knew about the buffer overflow vulnerability in WhatsApp that is believed to have allowed Pegasus in. WhatsApp has filed suit against NSO Group in a U.S. federal court. NSO Group, which is based in Israel and has, in recent months, publicly committed to rights-respecting corporate code of conduct, denies WhatsApp's contentions and says it intends to defend itself vigorously. Israel's government has basically said, leave us out of this. We don't have anything to do with it.
Dave Bittner: [00:04:57] Security firm PerimeterX says it's found a new trend in Magecart attacks - different groups hitting the same victims at the same time. There's been some criminal-to-criminal trade and even some signs that rival groups occasionally coordinate their campaigns, but the essentially opportunistic nature of this particular part of the underground has produced a number of independent attacks on targets. If it's vulnerable, they will come.
Dave Bittner: [00:05:22] Researchers at Advanced Intelligence explain how GandCrab changed ransomware, moving it from a craft practiced in isolation by small gangs to a full-fledged black market commodity. GandCrab, whose announced retirement seems retrospectively to have been considerably exaggerated, began offering ransomware as a service in January of 2018. GandCrab seems to have represented not only a rationalization of the black market, but it appears to have also been a cultural phenomenon redolent with the romance of crime. Crab seemed alive and benefited from a kind of personification. They offered jobs, solicited feedback and communicated with both accomplices and victims. GandCrab even operated the sort of charity campaigns and microloan partnerships traditional mobsters have run with insular communities. Many an ambitious skid began his or her career with the Crab, and through social contagion, the gang has persisted. Advanced Intelligence sees GandCrab's development as having provided a template for other criminal enterprises.
Dave Bittner: [00:06:27] And finally, CyberScoop reports that, looking ahead to next year's U.S. elections, U.S. Cyber Command and U.S. European Command have deployed an undisclosed number of cyber operators to Montenegro, where they will work with the host nation to shore up mutual defenses against Russian influence operations. Montenegro is one of the European countries that received close and intense attention from Fancy Bear - that is, if you're just joining us, Russia's GRU military intelligence service - during Montenegro's own recent elections. The cooperation is expected to be mutually beneficial.
Dave Bittner: [00:07:07] And now a word from our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest book, "SOAR Platforms: Everything You Need to Know About Security Orchestration, Automation and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. You can download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:08:20] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the Hacking Humans podcast. Joe, it's great to have you back.
Joe Carrigan: [00:08:29] It's good to be back, Dave.
Dave Bittner: [00:08:31] We are going to discuss the incident that's going on with a couple of employees from Coalfire...
Joe Carrigan: [00:08:37] Right.
Dave Bittner: [00:08:38] ...And some pen testing that they were doing in Iowa.
Joe Carrigan: [00:08:42] Right.
Dave Bittner: [00:08:43] And things took a turn for the worse for them.
Joe Carrigan: [00:08:45] That's right.
Dave Bittner: [00:08:46] What happened here, Joe?
Joe Carrigan: [00:08:47] Well, they had a contract with the state of Iowa to do some penetration testing somewhere in the judiciary of the state of Iowa. And during the course of their penetration testing, they got into a building - first off, when they walked up to the building, they found the building unlocked.
Dave Bittner: [00:09:05] And this was late at night.
Joe Carrigan: [00:09:06] Late at night, around midnight.
Dave Bittner: [00:09:07] OK.
Joe Carrigan: [00:09:07] The building was unlocked. They actually locked the doors and, you know, wrote - noted that the building was unlocked, and that's probably a security violation. But then they actually picked the lock, which they were authorized to do by their contract - right? - and the documents clearly show that lock-picking was authorized. Then, once they got inside, they set off a burglar alarm.
Dave Bittner: [00:09:29] On purpose?
Joe Carrigan: [00:09:29] On purpose.
Dave Bittner: [00:09:31] OK.
Joe Carrigan: [00:09:31] Deliberately setting off a burglar alarm, and then waited outside for the police to show up.
Dave Bittner: [00:09:34] Which they did.
Joe Carrigan: [00:09:35] Which they did - these deputies showed up. And when the deputies arrived, they told the deputies they were penetration testers from Coalfire, and they showed them all the documents. The deputies made the phone calls, and everything was great.
Dave Bittner: [00:09:48] Everything happening the way it should happen...
Joe Carrigan: [00:09:50] The way it should happen.
Dave Bittner: [00:09:50] ...With the penetration test.
Joe Carrigan: [00:09:51] Right.
Dave Bittner: [00:09:51] Everything's in order.
Joe Carrigan: [00:09:53] When you're doing a physical penetration test, you have a thing called a get-out-of-jail-free card. Right? They showed that to the deputies that showed up.
Dave Bittner: [00:09:59] The deputies make phone calls to verify everything is on the up and up.
Joe Carrigan: [00:10:03] And they say to the guys, you're good - you should be good to go.
Dave Bittner: [00:10:08] But then?
Joe Carrigan: [00:10:08] Sheriff Chad Leonard shows up.
Dave Bittner: [00:10:11] OK.
Joe Carrigan: [00:10:11] Right? And he disagrees with his deputies and says that these guys don't have authorization to try to break into this building because it's owned by the taxpayers of Dallas County, Iowa, and that the state legislature - or state judiciary, rather - doesn't have the authority to authorize a break-in or a penetration test at a county facility. And he arrests the two penetration testers.
Dave Bittner: [00:10:36] OK.
Joe Carrigan: [00:10:37] Right? Now, there is a video from KCCI, which is a TV station out of Des Moines that shows Sheriff Leonard talking. And one of the senators - state senators - is questioning him. And he says that this could have ended up with five deputies on administrative suspensions while they investigate why they killed two people at a courthouse.
Dave Bittner: [00:11:00] The sheriff said this?
Joe Carrigan: [00:11:01] The sheriff says this. Chad Leonard says that.
Dave Bittner: [00:11:03] OK.
Joe Carrigan: [00:11:05] So first off, that's a gross misstatement of what actually transpired. According to all accounts, the transactions - the conversations between the deputies and the two pen testers were professional and handled well. It wasn't until Chad Leonard shows up that things went south.
Dave Bittner: [00:11:22] And to be clear, these pen testers - I'm assuming they were not armed.
Joe Carrigan: [00:11:27] No, they're not armed, right.
Dave Bittner: [00:11:28] They were not wearing ninja outfits or anything.
Joe Carrigan: [00:11:31] Yep.
Dave Bittner: [00:11:31] They were professional. Like you say, everything was done on the up and up, by the book, showing professionalism for what they do.
Joe Carrigan: [00:11:38] Right. Chad Leonard arrests them for felony burglary and possession of burglary tools, presumably being the lock picks, right? Now since then, those charges have just been reduced to criminal trespass, which is a misdemeanor.
Dave Bittner: [00:11:51] OK.
Joe Carrigan: [00:11:51] And Tom McAndrew, who is the CEO of Coalfire, says no, no, no, no, no. This is not going away. Just because you're lowering the charges to a misdemeanor does not mean that this is still valid in any way, shape or form. And I agree with Tom McAndrew. This is bogus. This should not be happening. This is happening purely because of Sheriff Leonard. I don't know what his issue is with this, but it's...
Dave Bittner: [00:12:14] It seems like we've got a bit of a turf war here.
Joe Carrigan: [00:12:16] Yeah.
Dave Bittner: [00:12:16] Dare I say a pissing match...
Joe Carrigan: [00:12:18] Right, yeah.
Dave Bittner: [00:12:19] ...Between two different jurisdictions. And one's saying you don't have the authorization to do this.
Joe Carrigan: [00:12:24] Sure.
Dave Bittner: [00:12:24] And these pen testers are stuck in the middle.
Joe Carrigan: [00:12:27] Yeah. These pen testers are collateral damage to a political discussion - you know, a political dispute, rather.
Dave Bittner: [00:12:33] Yeah.
Joe Carrigan: [00:12:33] And it's sad. And these charges should be dropped immediately against these two pen testers.
Dave Bittner: [00:12:38] Yeah.
Joe Carrigan: [00:12:39] And no further action should be taken because they are not going to win in court, period. If this goes to court in any way, shape or form - and McAndrew has said that they are going to go to court over this and get a jury trial if it goes to court. And they will not win.
Dave Bittner: [00:12:54] Yeah, interesting. I think one thing you noted was I wonder if their contract holds the state of Iowa on the hook for legal expenses (laughter).
Joe Carrigan: [00:13:03] Yeah, that's right because when they negotiate this - I put that on Twitter. When they negotiate these things, they say we're going to have these get-out-jail-free cards. And I've always wondered - I don't know this because I've not worked in a physical penetration testing organization - that if things do go south like this, is there a clause in the contract that says that the customer is going to pay for our legal fees? And then Coalfire could go after the state of Iowa for all the costs that are associated with defending these two pen testers...
Dave Bittner: [00:13:32] Yeah.
Joe Carrigan: [00:13:33] ...Because this is not going to be cheap.
Dave Bittner: [00:13:34] No. No, the whole thing just seems like it spun out of hand.
Joe Carrigan: [00:13:38] It is ridiculous.
Dave Bittner: [00:13:39] And I have to say I agree with what Coalfire's CEO Tom McAndrew said. He said, I hope the citizens of Iowa continue to push for justice and common sense.
Joe Carrigan: [00:13:50] Yeah, common sense - that's a great way to put it.
Dave Bittner: [00:13:51] Yeah.
Joe Carrigan: [00:13:51] It's just not that common.
Dave Bittner: [00:13:52] Yeah. All right, well, time will tell. We'll see how this one plays out. Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:13:58] My pleasure, Dave.
Dave Bittner: [00:14:04] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:14:45] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
ObserveIT is the leading Insider Threat Management solution with approximately 1,700 customers across 87 countries. ObserveIT is the only solution that empowers security teams to detect insider threats, streamline the investigation process, and prevent data exfiltration. Start your free trial of ObserveIT today.
Designed by analysts but built for the entire team, ThreatConnect’s intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics, and workflows in a single platform. Start Using ThreatConnect Today for Free.