The CyberWire Daily Podcast 1.21.20
Ep 1007 | 1.21.20

RATs, backdoors, and a remote code execution zero-day. Hoods breach Mitsubishi Electric. Telnet credentials dumped.

Transcript

Dave Bittner: [00:00:00] Hey, everybody. Dave here. We here at the CyberWire are excited to announce our new subscription program, CyberWire Pro, that will be coming in February. For those whose interests and responsibilities lead them to be concerned with cybersecurity, CyberWire Pro is an independent news service you can depend on to stay informed and to save you time. This offer includes such valuable content as exclusive podcasts and newsletters, exclusive webcasts, thousands of expert interviews and much more. And you can rely on us to separate the signal from the noise. Sign up to be one of the first in the know about CyberWire Pro at thecyberwire.com/pro. That's thecyberwire.com/pro. Check it out. 

Dave Bittner: [00:00:48]  A new RAT goes after Arabic-speaking targets. Updates on U.S.-Iranian tension in cyberspace. An Internet Explorer bug is being exploited in the wild. A patch will arrive in February. A pseudo-vigilante seems to be preparing Citrix devices for future exploitation. Mitsubishi Electric closes a breach. A booter service dumps half a million Telnet credentials online. And tomorrow is the last day to file a claim under the Equifax breach settlement. 

Dave Bittner: [00:01:23]  And now a word from our sponsor, KnowBe4. There's a reason more than half of today's ransomware victims end up paying the ransom. Cybercriminals have become thoughtful, taking the time to maximize your organization's potential damage and their payoff. After achieving root access, the bad guys explore your network, reading email, finding data troves. And once they know you, they craft a plan to cause the most panic, pain and operational disruption. Ransomware has gone nuclear. But don't panic. The good folks at KnowBe4 have an exclusive webinar where you can find out why data backups - even offline backups - won't save you, why ransomware isn't your real problem and how your end users can become your best last line of defense. Go to knowbe4.com/ransom and learn more about this exclusive webinar. That's knowbe4.com/ransom. And we thank KnowBe4 for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:52]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 21, 2020. 

Dave Bittner: [00:03:01]  Cisco's Talos unit has described JhoneRAT, a remote access Trojan currently active against Arabic-speaking targets in Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon. It's custom code, not a commodity attack tool, and its use seems to be part of an espionage campaign. The attack begins with phishing, offering a Microsoft Word file hosted in Google Drive, the better to evade detection by email screening tools. The document itself has the naive name Urgent, which ought to place people on their guard. The next step is to induce the recipient to enable editing, after which the RAT will install itself on the victim's machines. The malware also is installed in four distinct stages. Cisco Talos points out that this particular campaign offers a good example of how attackers can make use of cloud services to render its traffic more obscure and less immediately suspicious. 

Dave Bittner: [00:04:04]  CISA director Krebs is quoted in Fifth Domain to the effect that the threat of a retaliatory Iranian cyberattack was diminishing over time. But the U.S. Federal Deposit Insurance Corporation has warned the more than 5,000 banks and financial services institutions it supervises that they should be on heightened alert for cyberattacks. While Iran may not, as the Verdict argues, rush into attacks on U.S. infrastructure, it's nonetheless worth reviewing Iranian capabilities. APTs 33, Elfin; 34, OilRig; 35, Charming Kitten and 39 all have well-established track records. And as IntSights explains in this context, there's also an active hacktivist community more or less aligned with Tehran's goals. So far, the U.S. has seen the hacktivists conduct some low-grade vandalism, but the big, professional APTs beyond their yearlong reconnaissance of infrastructure targets have so far been no-shows. Still, looking to your defenses remains a good idea. As an op-ed in The Hill points out, the U.S. and Iran have been swapping cyber operations for about a decade. Both sides have shown patience and some strategic focus, and this seems likely to continue going forward. 

Dave Bittner: [00:05:23]  An Internet Explorer vulnerability is being exploited in the wild, but Microsoft won't have a patch available until February, Tech Crunch reports. Microsoft has offered some workarounds and advice in the interim. It's assigned the identifier CVE-2020-0674 to the bug, but information is sparse. The zero-day, whose exploitation Redmond optimistically characterizes as consisting of limited targeted attacks, is a remote code execution flaw. It's believed possible that it may have some similarities to the Firefox bug Mozilla recently patched. Qihoo 360, which ZDNet says Mozilla credited with tipping them off to the Firefox vulnerability, tweeted that the attackers hitting Firefox were also exploiting Internet Explorer, but that tweet has been deleted, and Qihoo 360 hasn't elaborated. 

Dave Bittner: [00:06:15]  Over the weekend, Citrix issued firmware patches for Citrix Application Delivery Controller and Citrix Gateway versions 11.1 and 12.0. CISA, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, recommends that users apply the patches promptly and to do the same with other fixes for CVE-2019-19781 the company is expected to release over the course of the week. The vulnerability is being exploited in the wild and in an interesting way. Security firm FireEye late last week reported that someone is scanning for vulnerable NetScaler devices, clearing them of any malware they find and then installing a backdoor payload FireEye is calling NOTROBIN. FireEye acknowledges the possibility that this may be a vigilante operation, but the installation of a backdoor in addition to clearing out other people's malware suggests it's probably not so. The company thinks that whoever has been compromising NetScaler devices may well be preparing for a campaign, and so it's probably prudent to regard this as more battlespace preparation than, you know, "The Man Who Shot Liberty Valance." As FireEye explains, the actors, quote, "remove other known malware, potentially to avoid detection by administrators that check into their devices after reading Citrix Security Bulletin CTX267027. NOTROBIN mitigates CVE-2019-19781 on compromised devices but retains a backdoor for an actor with a secret key. While we haven't seen the actor return, we're skeptical that they will remain a Robin Hood character, protecting the internet from the shadows," end quote. And those, friends, are words to the wise. 

Dave Bittner: [00:08:02]  We are a good 18 months or so into GDPR being in effect. The world keeps on spinning, as it tends to do, but how much of an impact has GDPR actually had? Carole Theriault takes a look. 

Carole Theriault: [00:08:15]  So the world of GDPR - on the 11th of December, a German internet provider, 1&1, faced a whopping $10.6 million fine for not adequately protecting personal information of its users. Now, according to the BBC, Germany's data protection watchdog said that anyone who called 1&1 Telecom could get extensive personal information about someone else solely by giving their name and date of birth. 

Carole Theriault: [00:08:45]  I've invited Jon Fielding of Apricorn, who is a bit of an expert on all things GDPR, to try and give us some insight on where GDPR is today and whether all these fines are working. Jon, thanks so much for coming on the show. 

Jon Fielding: [00:08:58]  It's my pleasure. Thank you for inviting me. 

Carole Theriault: [00:09:00]  So what do you think about fines like this one, the one that 1&1 are facing? 

Jon Fielding: [00:09:05]  There have been some significant fines and/or notices of intent to fine that been applied since GDPR became live. I think the notable ones are British Airways and Marriott Hotels in the U.K., at least, who have an intention to fine from the ICO around about 300 million pounds - just short of that - and Google in France, who were hit for 44 million euros. 

Carole Theriault: [00:09:28]  Do you think - in your own opinion, do you think GDPR is a good thing for the EU? 

Jon Fielding: [00:09:33]  Yeah. So I think in respect of geography, it's good for you and me as a resident - as a citizen of a country. The main tenet of GDPR is to make sure that that data that we provide - whether it be, you know, our health information or our financial information, you know, or whatever else - is protected. 

Carole Theriault: [00:09:50]  Do you think companies that are headquartered outside the EU take GDPR seriously? So, like, big American companies which have perhaps less strong data protection laws in most states, as far as I know - it must be very difficult for them to have to meet these standards. 

Jon Fielding: [00:10:08]  Yeah, I agree. I mean, I think if we're talking about, you know, something that's happening wholly within the European Union, then it's much easier to understand how the sanctions will apply and the process will be followed. When you start to look at companies outside of the EU but still handling EU citizen data, then, you know, I'm not truly sure how that would all work. I think it's more about, you know, where is your data going to be held, all right? So if the output is in a country that you don't necessarily trust, then you could make a personal decision as to whether you wanted to move forward with it. 

Carole Theriault: [00:10:41]  The one big beef I had is that every company seemed to implement it in their own way with their own plugin, and they all had different layouts and approaches. And that seemed, to me, just incredibly wrong. 

Jon Fielding: [00:10:53]  Yeah, I agree. But I think one of the challenges that we've had with GDPR - that it's been completely nonprescriptive in terms of technology and how people do things. So it gives you kind of best practices buzzwords about - you know, you will keep information secure. You will protect the individual. But there's actually nothing underneath that as to how you - or recommendations or suggestions on technology or, as you say, page layout. So that then is left to each individual company. 

Carole Theriault: [00:11:20]  Jon Fielding, thank you so much for all your insights. It's been very interesting. 

Jon Fielding: [00:11:25]  OK, it's my pleasure. Thank you very much for inviting me. 

Carole Theriault: [00:11:26]  This was Carole Theriault for the CyberWire. 

Dave Bittner: [00:11:30]  According to The Japan Times, Mitsubishi Electric yesterday disclosed that Chinese actors hit the company with a massive cyberattack last year. In addition to personal information on some 8,000 individuals, attackers may have obtained, quote, "email exchanges with the Defense Ministry and Nuclear Regulation Authority, as well as documents related to projects with firms including utilities, railways, automakers and other firms," end quote. The personal data exposed in the incident belong to nearly 2,000 new graduates who applied for jobs at Mitsubishi Electric between October 2017 and April 2020. Others who were job-hunting with the Tokyo-based firm between 2011 and 2016 were also affected. The company noticed an anomaly in its networks in June 2019. Investigation of irregular activity on devices in Japan eventually revealed that someone had obtained unauthorized access to management networks. Those parties are believed to be Chinese criminal gangs. 

Dave Bittner: [00:12:31]  In other news from the cyber underworld, the operator of a booter service - that is, a service that offers distributed denial of service attacks for hire - has published Telnet credentials for more than half a million servers, home routers and smart devices. Why would they have done this? According to ZDNet, which asked them, the booter service has now been upgraded to a higher-end model instead of just riding atop vulnerable IoT devices. Henceforth, it will rent high-output services from cloud providers, thus the fire sale, we guess, although the specific motive for making mischief in this way still strikes us as obscure. The leaker said they compiled the list by scanning for devices with exposed Telnet ports and then tried, first, factory default credentials, followed by easy-to-guess password combinations in a credential-stuffing effort. 

Dave Bittner: [00:13:24]  And finally, are you thinking of filing a claim in the Equifax breach settlement? Well, if you are, the deadline is tomorrow, and you'll need to have your paperwork ducks in a row to qualify. 

Dave Bittner: [00:13:41]  And now a word from our sponsor, ExtraHop - delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:14:41]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: [00:14:49]  It's good to be back, Dave. 

Dave Bittner: [00:14:50]  You have an interesting story to share with us... 

Joe Carrigan: [00:14:53]  Right. 

Dave Bittner: [00:14:53]  ...This week. I think for folks who are getting into the industry or think about how they got into the industry, you've got some interesting insights here. 

Joe Carrigan: [00:15:01]  Yeah. I didn't start off in the tech industry at all. I started off in trying to go into mass media, and that turned out not to work out well for me. And then I went into what I called my failed sales career. 

Dave Bittner: [00:15:13]  (Laughter). 

Joe Carrigan: [00:15:14]  I'm not really a good salesperson. 

Dave Bittner: [00:15:16]  OK (laughter). So you learned? 

Joe Carrigan: [00:15:19]  So I learned. Yeah, so I learned. I thought I was. I was not. 

Dave Bittner: [00:15:21]  Right, right. 

Joe Carrigan: [00:15:23]  After my failed sales career, I took a job doing some test and evaluation stuff for a government contractor. And it was good work, but it was not very engaging. And at the time, I was living in a place called Knoxville, Md., which is next to Brunswick, Md., which is way out by West Virginia and Harpers Ferry - just across the river from Harpers Ferry in Maryland. 

Dave Bittner: [00:15:46]  OK. 

Joe Carrigan: [00:15:47]  So... 

Dave Bittner: [00:15:47]  The middle of nowhere. 

Joe Carrigan: [00:15:48]  The middle of nowhere. 

Dave Bittner: [00:15:49]  Yeah (laughter). 

Joe Carrigan: [00:15:50]  And my job was in Arlington, Va., down in Crystal City, right? 

Dave Bittner: [00:15:53]  Yeah, that's... 

Joe Carrigan: [00:15:53]  So my... 

Dave Bittner: [00:15:54]  For those who aren't from this area, that is a hike. 

Joe Carrigan: [00:15:56]  That is a hike. So my commute every day involved getting up, driving to the metro. Then that took about 45 minutes. And then taking the metro for about an hour down to Crystal City and then coming back - it was a long, arduous commute. 

Dave Bittner: [00:16:09]  Yeah. 

Joe Carrigan: [00:16:10]  And, you know, I'm sitting there. I've got a wife and a daughter at home - you know, infant daughter at the time. And I'm wondering, you know, what am I going to do with my life? That's really the kind of phase of my life that I was in. And one day, I'm walking out of the metro, coming home from work, and there's a guy standing there. And he goes, I need a ride to the park and ride. I need a ride to the park and ride. I missed the last bus. I need a ride to the park and ride. And he's just standing there, asking for a ride. And I said, I'll take you. And he gets in my car, and we drive up to the park and ride. And on the park and ride, he goes, you have any technical skills, right? And I said, well, you know, not really officially. I taught myself how to program a computer when I was 12, but I haven't really spent a lot of time working around computers lately because this was the early '90s. And, you know, I have a computer, and I know how to work on it and fix it and everything. And the technology fascinates me, but I don't know that I have the skills that I could - that merit calling myself technical. 

Dave Bittner: [00:17:08]  Yeah. 

Joe Carrigan: [00:17:08]  And he goes, if you have any technical capabilities, you need to get into this field now. And he tells me that he has a high school diploma - right? - he doesn't have a college education and that he is a Linux administrator. And he is making twice what I'm making, right? And I'm thinking, that's interesting. 

Dave Bittner: [00:17:26]  Yeah. 

Joe Carrigan: [00:17:26]  That's very interesting. So I take him up to the park and ride. I drop him off, and he gets in his car. And I never see him again, right? To this day, I've never seen him again. 

Dave Bittner: [00:17:36]  He did not try to sell you any magic beans or anything like that. 

Joe Carrigan: [00:17:39]  Nothing like that. 

Dave Bittner: [00:17:39]  Just off he went. 

Joe Carrigan: [00:17:40]  Just off he went. 

Dave Bittner: [00:17:40]  OK, yeah. 

Joe Carrigan: [00:17:41]  As far as I know, he walked out of my car and disappeared, right? But the next day, I was talking to a guy I shared a cubicle with. And he said, you know, you already have one degree. You could just go get a second degree at University of Maryland University College, now Global Campus - University of Maryland Global Campus. 

Dave Bittner: [00:17:56]  Right. 

Joe Carrigan: [00:17:57]  At the time, they had in-person classes, but it was targeted for military and working people. And that's what I did. I went out, and the first thing I did was took a Novell NetWare class to be a NetWare administrator. And immediately after taking - completing that class, I had a job in IT. So this guy changed the entire course of my life in one car ride, and I had never had the chance - I think I at least owe this guy dinner. 

Dave Bittner: [00:18:24]  (Laughter) Right, right. 

Joe Carrigan: [00:18:26]  So if you're out there listening... 

Dave Bittner: [00:18:29]  Oh. 

Joe Carrigan: [00:18:29]  Reach out to me. 

Dave Bittner: [00:18:29]  Oh. 

Joe Carrigan: [00:18:30]  I'd like to say thanks. It was - you know, it was about 20 years ago. 

Dave Bittner: [00:18:33]  Yeah, yeah. 

Joe Carrigan: [00:18:34]  So... 

Dave Bittner: [00:18:34]  In the Maryland area. 

Joe Carrigan: [00:18:35]  In the Maryland area - right. 

Dave Bittner: [00:18:37]  Yeah. How interesting if that person would remember that encounter that set you off on a particular path. 

Joe Carrigan: [00:18:43]  There is a very good chance that person has absolutely no recollection of this encounter, that it was unremarkable to him and... 

Dave Bittner: [00:18:49]  Yeah. 

Joe Carrigan: [00:18:50]  You know, but to me, it was absolutely life-changing. 

Dave Bittner: [00:18:52]  Well, and I think there's an important lesson for our listeners here, which is that you should be open to having your life go in a different direction. 

Joe Carrigan: [00:19:00]  Yeah. 

Dave Bittner: [00:19:00]  You never know where that catalyst is going to come from. 

Joe Carrigan: [00:19:04]  That's right. 

Dave Bittner: [00:19:05]  And also, you took the initiative to take those classes. 

Joe Carrigan: [00:19:08]  Yep. 

Dave Bittner: [00:19:08]  It didn't take a lot for you to equip yourself to be able to go on that other path. And you probably - who knows if you would have even explored those possibilities had it not been for this person? 

Joe Carrigan: [00:19:19]  Yeah. 

Dave Bittner: [00:19:19]  You found out that - hey; I can do this. 

Joe Carrigan: [00:19:21]  Right. Yeah. 

Dave Bittner: [00:19:22]  And here you are today. 

Joe Carrigan: [00:19:23]  And here I am, yeah. 

Dave Bittner: [00:19:24]  Yeah. All right - good story, good stuff to know. 

Joe Carrigan: [00:19:28]  Yep. 

Dave Bittner: [00:19:28]  Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:19:30]  My pleasure, Dave. 

Dave Bittner: [00:19:36]  And that's the CyberWire. For links to all of today's stories, check out our daily news brief at thecyberwire.com. 

Dave Bittner: [00:19:42]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:54]  Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Hah. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. Every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast. 

Dave Bittner: [00:20:22]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.