Warnings and advice about Emotet and BlueKeep, both being actively used or exploited in the wild. Two new carding bots are in circulation against e-commerce sites. Expect more of this as criminals test stolen credentials in advance of the holiday shopping season. Amazon fixes a security flaw in its Ring doorbell. A Long Island company is charged with selling bad Chinese security systems as good made-in-USA articles. Michael Sechrist from BAH on preventing supply chain attacks. Guest is Andy Greenberg, senior writer at Wired an author of the book Sandworm — A new era of cyberwar and the hunt for the Kremlin’s most dangerous hackers.
Dave Bittner: [00:00:03] Warnings and advice about Emotet and BlueKeep, both being actively used or exploited in the wild. Two new carding bots are in circulation against e-commerce sites. Expect more of this as criminals test stolen credentials in advance of the holiday shopping season. Amazon fixes a security flaw in its Ring doorbell. My conversation with WIRED senior writer Andy Greenberg on his new book "Sandworm." And a Long Island company is charged with selling bad Chinese security systems as good made-in-the-USA articles.
Dave Bittner: [00:00:41] And now a word from our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire, and we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:01:29] Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing one billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:01:52] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 8, 2019.
Dave Bittner: [00:02:00] The Australian Signals Directorate is urging enterprises to look to their defenses against Emotet and BlueKeep, which are showing renewed levels of attention by threat actors in the wild. Emotet is the widely deployed malware that emerged in 2017, when a criminal group - TA542, also known as MUMMY SPIDER - used it as a banking Trojan. It went into temporary eclipse earlier this year but resurfaced on August 22 and, by September, had resurfaced with a bang as a multi-purpose Trojan. Proofpoint says in its third quarter threat report that Emotet alone accounted for 12% of the malicious email samples they looked over that quarter. It's fallen off a bit this week, but it remains an active threat.
Dave Bittner: [00:02:45] And so the ASD's Australian Cyber Security Centre and its state and territorial partners is advising everyone to be on the lookout for Emotet. They recommend blocking Microsoft macros from all but the most trusted sources, backing up systems daily, scanning email contents and segmenting networks. The Australian Cyber Security Centre, if you're unfamiliar with it, fills a role analogous to the one GCHQ's National Cyber Security Centre has in the U.K. and to those filled in the US by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency and NSA's Cybersecurity Directorate.
Dave Bittner: [00:03:23] The other warning ASD issued pertained to BlueKeep, which has given people the willies since the discovery that it's being exploited in the wild. To be sure, it's only been confirmed to have been exploited to spread a cryptojacker, but that's been startling enough for many. The BlueKeep vulnerability affects Microsoft's remote desktop protocol. It's been patched for months, yet as BleepingComputer points out, the enterprise patching rate for this particular vulnerability is about 83% - a big majority, but on the other hand, surprisingly low. Home users have probably patched at far lower rates and are probably proportionally more vulnerable to exploitation. Microsoft is again reminding people to patch.
Dave Bittner: [00:04:08] So why so much fuss over a cryptojacker? Well, for one thing, cryptojacking is an irritant in its own right, a resource hog and just an untidy mess. But BlueKeep worries people most because it's wormable and because they remember the widespread and costly damage the WannaCry pandemic wreaked against a sister vulnerability, EternalBlue. Bitdefender, while acknowledging the potential risk, has posted some notes they call debunking, but that might with equal justice be called reassuring. Their point is that this risk is manageable. They suggest three steps. One, patch. Two, mitigate the risks of remote desktop protocol, perhaps by configuring remote desktop service with network level authentication. And three, maintain strong network attack defenses.
Dave Bittner: [00:04:59] As the holiday season approaches, new attacks on retail and e-commerce begin to take shape. Security firm PerimeterX has found two new carding bots - Canary Bot, which exploits major e-commerce platforms, and Shortcut Carding Bot, which exploits card payment vendor APIs, bypassing e-commerce web sites. This form of carding, PerimeterX notes, aims at validating cards by making small purchases. Canary Bot is interesting for the way it mimics user behavior, filling a shopping cart and heading for the online checkout.
Dave Bittner: [00:05:33] Yes, we know the holidays do seem to creep up. Some of our retail stringers say they see Halloween stuff on the shelves as early as August, and that includes candy, which, well, just doesn't seem right. But this kind of holiday creep is understandable, at least from the criminal's point of view. While the traditional start of spend-it-like-a-sergeant-on-pay-day holiday shopping in the United States is the ill-omened Black Friday, the day after Thanksgiving, forward-thinking hoods like to be prepared as if they're Boy Scouts from the Upside Down or some other malign dimension. Anywho, they're leaning forward in their foxholes and getting ready for the holiday crime rush. Arkose Labs is seeing some of the same things that have come up in PerimeterX's research. Arkose's own third quarter report shows a 70% increase in bot-driven account registration fraud, as the gangs test their stolen credentials in advance of the Christmas rush.
Dave Bittner: [00:06:29] Bitdefender reports finding a flaw in the Amazon Ring doorbell security system that could expose users' Wi-Fi credentials. They disclosed it responsibly to Amazon, and Amazon has pushed an automatic security update that fixes the problem. So Ring users should be out of the woods.
Dave Bittner: [00:06:48] The US attorney for the Eastern District of New York has filed charges against Long Island-based Aventura Technologies Ltd. The government alleges that the company sold Chinese-made security and surveillance equipment falsely marked as made in the USA. The charges cover fraud, money laundering and illegal importation of equipment manufactured in China.
Dave Bittner: [00:07:11] In effect, this amounts to a hardware supply chain problem. The systems Aventura sold may not have been, strictly speaking, counterfeits. But if the government is right, their origins were misrepresented.
Dave Bittner: [00:07:23] The agencies cooperating in the investigation suggest the scope of the alleged fraud - the FBI, US Customs and Border Protection, the Internal Revenue Service, the US Air Force Office of Special Investigations, the Naval Criminal Investigative Service, Defense Criminal Investigative Service, the inspector general of the General Services Administration, the Treasury Inspector General for Tax Administration and the inspector general US Department of Energy. Whew.
Dave Bittner: [00:07:53] An update to the case of alleged infiltration of Twitter by persons working on behalf of Saudi Arabia saw a new development overnight. One of the men charged, the Telegraph reports, worked at Amazon for three years after leaving Twitter. Ahmad Abouammo, the one defendant in custody, moved to Amazon from Twitter in 2015. There's no word on whether he or his alleged confederates were up to anything at Amazon, but Mr. Abouammo's work history suggests the difficulty of detecting malicious insiders.
Dave Bittner: [00:08:30] And now a word from our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest book, "SOAR Platforms: Everything You Need to Know about Security, Orchestration, Automation, and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. You can download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:09:43] And joining me once again is Michael Sechrist. He's chief technologist at Booz Allen Hamilton, and he also leads their manage threat services intelligence team. Michael, it's always great to have you back. I wanted to touch today on supply chain attacks. You had some information that you wanted to share about preventing those kinds of attacks. What do you have for us?
Michael Sechrist: [00:10:03] Sure, yeah. Thanks again for having me on. One of the things that we're seeing is sort of third-party and fourth-party risks being a significant concern for enterprises. There is growing number within the ecosystem and IT environments of vendors and vendor management - become a top concern for security professionals. One of the aspects of that is that - that falls on is how do you secure your ecosystem when you're dealing with so many significant parties that have access to potentially critical data, critical assets within your enterprise?
Michael Sechrist: [00:10:36] One of the things we're working on with those clients is to work to profile the client's enterprise and identify sort of where are those critical nodes and links for the enterprise with the - with those vendors and providers. And so we do that by doing sort of baseline profiling assessments, sort of risk prioritization and mitigation strategies. And we implement those with the clients in order to build up their program awareness and their visibility into their entire ecosystem.
Dave Bittner: [00:11:09] How do you recommend that organizations go about sort of dialing in how far down that chain to go?
Michael Sechrist: [00:11:16] It goes pretty far. I don't think it's the ability to kind of just be reliant on a questionnaire or a survey - is going to satisfy concerns or kind of the security risks that are present today. It's going to take actual baseline profiling of, you know, which IP addresses potential vendors are using in order to relay or have some sort of communications with your IT environment. It's going to be the exact sort of software that has to be downloaded, the versions that are being used, how software packages get updated. Those type of details are very important today in order to identify anomalous activity.
Dave Bittner: [00:11:57] What are your recommendations for people getting started with this, kind of starting that journey of trying to get a handle on what's going on with their supply chain?
Michael Sechrist: [00:12:06] Top priority is understanding your critical risks and where your critical data and assets lie. Without knowing that, it's going to be very difficult when you're looking at your vendor ecosystem, so to speak, and identifying which ones or which vendors you want to make sure you have a very strong profiling of. You know, without that sort of internal linkage, you're going to kind of maybe have to boil the ocean, which is going to drain resources and be kind of inefficient over the long term.
Dave Bittner: [00:12:40] All right. Well, Michael Sechrist, thanks for joining us.
Michael Sechrist: [00:12:43] Thank you very much.
Dave Bittner: [00:12:48] And now a word from our sponsor, OpenVPN. OpenVPN Access Server is a flexible VPN solution that secures data communications, from remote access to IoT to networking cloud data centers. While private networks have the security advantage of isolating critical IT services, it can be costly to extend to different sites, devices and users. Enter OpenVPN Access Server, a full-featured and cost-effective VPN solution. Access Server has an economical licensing model based on the number of concurrent VPN connections rather than the number of users. OpenVPN Access Server can be deployed on premises or on the cloud and allows load balancing, failover, and fine-grained access controls, making it the best solution for small- to medium-sized enterprises. You can test drive OpenVPN Access Server for free. It comes with two VPN connections. Get started today at openvpn.net/cyberwire. That's openvpn.net/cyberwire. And we thank OpenVPN for sponsoring our show.
Dave Bittner: [00:14:01] My guest today is Andy Greenberg. He's a senior writer at WIRED and author of the 2012 book "This Machine Kills Secrets," which was a New York Times Editor's Choice. His latest book is titled "Sandworm
Andy Greenberg: [00:14:33] That's part of the story of the book, is that the world did not really react to this series of attacks that just got more and more aggressive and indiscriminate. The West, including the US, really just watched these attacks unfold in Ukraine and treated it as somebody else's problem. You know, this is Russia's sphere of influence. We've sanctioned them for their illegal war. We don't need to say anything. That, you know, seemed to be the attitude about these unprecedented attacks.
Andy Greenberg: [00:15:00] I mean, you would think that the first time in history that hackers actually turn off the power to civilians, that the US government would want to say something about that. Like, hey, that's a red line that maybe you shouldn't cross. Or you know, this is a reckless act of indiscriminate aggression against civilians and will not be tolerated, no matter who the victim is. You know, Ukraine is not a part of NATO, but nonetheless, it seemed to me that this was the sort of red line that we want to establish in cyberwar, and yet nobody said anything, not after the first blackout and nor after the second. It seemed to me that this was what allowed these hackers, Sandworm, to escalate with impunity, until they released what became the worst cyberattack in history.
Dave Bittner: [00:15:48] Yeah. You know, it's interesting that you mentioned Dragos, and one of the characters throughout your book is Rob Lee, who I've spoken to many times on the CyberWire. And sort of a running theme through the book - that Rob shares his frustration with our response or, I suppose you could say, our lack of it.
Andy Greenberg: [00:16:11] Yeah, Rob was one of the kind of Cassandras - not quite a whistleblower but some sort of, like - one of the researchers who spotted what was going on early and tried to sound the alarm. I think that John Hultquist at FireEye is another. And then the Ukrainians, of course, were trying to tell the world, too, that something dangerous was happening here.
Andy Greenberg: [00:16:32] And I think - you know, they did even say to me that what happened in Ukraine seemed to be bound to spill out to the rest of the world, that what Russia was doing to them and Ukraine Russia would sooner or later do to the West as well. And there was a kind of precedent for that because Russia had hacked the Ukrainian election, tried to spoof the results actually and just barely kind of failed. The Ukrainian Central Election Commission caught the fake results just in time, before they were posted on their website. And then Russia meddled in the US presidential election.
Andy Greenberg: [00:17:03] At this point, we were seeing Russia mess with Ukraine's power grid, and the kind of logical conclusion was that maybe they would try that against targets further abroad as well, just as they had kind of tested out election hacking in Ukraine. I initially wrote a story for WIRED that kind of made that prediction. It came true far more quickly than I expected in the form of NotPetya. We published this story, the cover story in WIRED, that essentially said that what happened to Ukraine should not be ignored because it would eventually spill out to the rest of the world. And the day that it hit newsstands was the day that NotPetya hit - a Russian attack on Ukraine that, within hours, spilled out to the rest of the world and became the worst, most expensive, devastating cyberattack ever.
Dave Bittner: [00:17:49] Well, let's dig into NotPetya. You know, you mentioned earlier that this notion that people were saying that these attacks would spill out into the rest of the world, and that is what happened with NotPetya.
Andy Greenberg: [00:18:01] NotPetya was, of course, this worm that looked like ransomware but wasn't. It was just a destructive wiper that seemed to be targeted at Ukraine but was entirely reckless in its scope. It spread initially via this Ukrainian accounting software, but that accounting software, M.E.Doc, was used by really anybody who filed taxes or did business or had partnerships in Ukraine. As I'm sure everybody who listens to the show knows, it first hit Ukraine. It really carpet-bombed the networks there. But it immediately spread beyond Ukraine and hit a long list of multinational companies like Merck and Maersk and FedEx and Mondelez. And, you know, these are massive multinationals. And in each case, it did hundreds of millions of dollars in damage, kinds of numbers that we had never seen anywhere before, totaling to $10 billion in total damages according to a White House assessment, which is more than we'd seen, you know, even in WannaCry the month before.
Dave Bittner: [00:19:00] And again, the global reaction in terms of additional sanctions or punishment or any sorts of actions against Russia were what?
Andy Greenberg: [00:19:10] Well, initially nothing. And that was so vexing to not just me. But I had been speaking to people like John Hultquist and Rob Lee, who have been warning about this group and the Ukrainians. Now I felt like I was part of this weird club of Cassandras who were saying watch out, this group is dangerous. And its attacks are escalating and will hit us sooner or later. But then they did hit us in the West. I mean, Merck eventually lost $870 million to NotPetya, and they're in New Jersey. This is an American company. And yet, in the wake of NotPetya, it took eight months for anyone to call out Russia as the aggressor. That includes, like, all of these companies who were simply totally unwilling to name Russia as the source of this attack that had devastated their balance sheets.
Andy Greenberg: [00:19:56] I thought I was going crazy. I followed this group for a year at that point. I could understand in this kind of cruel logic why the West would ignore these attacks on Ukraine. You can make this kind of realist argument that that's Ukraine's problem. It's not our problem. But once NotPetya spilled out and hit all of these Western targets as well, that, of course, was our problem. And yet, nobody was saying anything. The US government didn't say anything until February of 2018, eight months later. None of the companies said anything. I just couldn't understand this, the silence around what was starting to become clear to be the biggest cyberattack in history.
Dave Bittner: [00:20:35] So what are your conclusions there? I mean, why - was this silence coordinated? I mean, obviously President Trump has a peculiar affection for Russian leaders. Was it at all related to that?
Andy Greenberg: [00:20:48] I never really got to the bottom of why it took so long to attribute to NotPetya because after all, ESET, the Slovakian cybersecurity firm, they found forensic connections between NotPetya and the BlackEnergy attacks, which they called TeleBots, but, you know, everybody else calls Sandworm. Within days of NotPetya, they could kind of show this sort of interlinked series of components used in those early attacks that evolved into NotPetya. It was very clear that this was Russia to me from the beginning. And of course, it's, like, who else is going to be targeting Ukraine?
Andy Greenberg: [00:21:24] I mean, it's confusing because NotPetya spilled out to Russia, too. And that, I think, speaks to the fact that the damage done to the West was probably collateral damage, like the damage done to Russia. But it was totally avoidable collateral damage. It would have been easy for NotPetya's creators to filter its infections using the actual tax ID numbers that were available in the M.E.Doc software that they hijacked. They could have made sure that the attack only hit Ukraine, and they didn't.
Andy Greenberg: [00:21:53] But yeah, I don't know why the US government was so slow to do this. I think maybe the attribution took a long time. It could be also a factor that nobody wanted to go into the oval office and talk to President Trump of all people about Russian hacking, that that was just the kind of uncomfortable subject and one that you were not rewarded for bringing up in an intelligence briefing. I ultimately couldn't kind of get the palace intrigue in the White House to understand why it took so long. But eventually, I did hear the story from, you know, Tom Bossert of the decision to finally call out Russia eight months later.
Andy Greenberg: [00:22:32] I don't want to take credit away from the White House for eventually acting and calling out Russia, imposing sanctions, in fact, coordinating this attribution that all five Five Eyes carried out together. Canada, Australia, the U.K. and New Zealand all together named NotPetya as a Russian act. It took a long time to do it. The real mistake in my eyes is that we waited until it hit us to make that call when everyone knew that this highly dangerous group of hackers was escalating its attacks on Ukraine and doing things that should not have been acceptable in the first place. We waited for it to bite us before we took action.
Dave Bittner: [00:23:13] That's author Andy Greenberg. We were discussing his book "Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers." We'll be publishing an extended version of this interview in the next few days. Watch for it in your CyberWire podcast feed.
Dave Bittner: [00:23:33] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:23:45] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
ObserveIT is the leading Insider Threat Management solution with approximately 1,700 customers across 87 countries. ObserveIT is the only solution that empowers security teams to detect insider threats, streamline the investigation process, and prevent data exfiltration. Start your free trial of ObserveIT today.
Designed by analysts but built for the entire team, ThreatConnect’s intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics, and workflows in a single platform. Start Using ThreatConnect Today for Free.
OpenVPN is the provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Learn more.