The CyberWire Daily Podcast 1.29.20
Ep 1013 | 1.29.20

Ransomware in industrial control systems. Phone hacks, proved and unproved. Britain’s compromise decision on Huawei. Wawa cards in the Joker’s Stash. CardPlanet boss pleads guilty.

Transcript

Dave Bittner: [00:00:04]  Snake ransomware appears to have hit industrial control systems and may be connected to Iran. The verdict on the Saudi hack of Mr. Bezos' phone seems to stand at not proven. But the kingdom does seem to have used Pegasus intercept tools against journalists and critics of the regime. Neither the US nor China is happy with Britain's decision on Huawei. Cards from the Wawa breach are on sale in the Joker's Stash. And Cardplanet's boss will do some federal time.

Dave Bittner: [00:00:39]  It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily. And if it helps us, we're confident it will help you, too. Subscribe today, and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:01:57]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for January 29, 2020. 

Dave Bittner: [00:02:05]  OTORIO, an Israeli security firm, says that a strain of ransomware called "Snake" is both linked to Iran and probably implicated in the recent attack on Bahrain Petroleum Company. Bloomberg reports that Snake prospects many kinds of files, but it's notably interested in process controls. Many of the control systems it's been observed to go after are GE products. But as GE points out, the Snake isn't exclusively or even distinctly interested in GE systems. But to take the firm's report on how the ransomware operates when it does encounter some GE systems, according to OTORIO, Snake terminates a GE Digital Proficy server critical process, specifically one that enables connectivity to Proficy HMI/SCADA, Manufacturing Execution and Enterprise Manufacturing Intelligence systems. Process termination causes troubles in plant operation. The termination list Snake uses is similar to the one used by MegaCortex ransomware. And this, too, seems consistent with Iran's operational style: use proven malware and tailor it as necessary to a particular target. OTORIO thinks the attacker's motive is economic warfare, in particular, an attempt to influence oil prices. 

Dave Bittner: [00:03:25]  The matter of Mr. Bezos' phone and the crown prince's texts is increasingly regarded as inconclusive and, at best, circumstantial. Something seems to have been going on, but a more thorough look would be necessary to determine what might have been. See, for example, Errata's blog on the topic, which contains a clear and convincing discussion of why some of the apparent anomalies, like those involving the size of video files, really aren't anomalies at all. So the evidence comes down to Saudi means, motives and opportunity. But the verdict has to be, so far, not proved. 

Dave Bittner: [00:04:00]  In contrast with all of this, Citizen Lab's account of Saudi Pegasus use against journalists seems to be holding up. Ben Hubbard, the New York Times reporter who brought a suspicious text to Citizen Lab's attention, offers an account of his experience. NSO Group told Mr. Hubbard when he gave them a screenshot of the suspicious text that it wasn't their Pegasus tool, but they declined to say how they knew that. NSO Group has commented publicly to the effect that it's premature to blame every case of spyware on them. There are - they correctly point out - a number of other tools out there, either on the market or developed in-house, that can give interested parties a look into devices of interest. NSO Group have been among the more prominent names in the field, but it's far from being the only one. 

Dave Bittner: [00:04:49]  Reaction within the US government to Britain's decision to allow Huawei to play in its 5G infrastructure but only in noncore sections has been decidedly sour. Fifth Domain offers a representative sample of congressional opinion, and the judgments are harsh. They include, "They've chosen the surveillance state over the special relationship," or, "Allowing Huawei to build the UK's 5G networks today is like allowing the KGB to build its telephone network during the Cold War." The nicest comment was simply, "Disappointed." 

Dave Bittner: [00:05:22]  There's been some congressional harrumphing about scaling back on trans-Atlantic intelligence cooperation, but what, if anything, that will amount to remains unclear. It's unclear because the effects of British policy are themselves, so far, unclear, too. Much will depend upon how noncore comes to be defined and on how confident technical authorities are that they can exclude the risk of Huawei equipment from the core components of the infrastructure. For now, high-risk vendors - and that's a euphemism for Huawei - will be excluded from core infrastructure and kept physically away from military installations and nuclear facilities. They'll also be limited to no more than 35% of the total market share. 

Dave Bittner: [00:06:04]  A Bloomberg op-ed calls the British policy close to a fudge but actually something that amounts to a workable compromise. It's not what the US wanted, but Huawei isn't going to be happy about it either. That there is a risk isn't seriously in question. How well that risk can be managed and the threat contained is the question. US Secretary of State Pompeo is in the UK for talks this week. The matter of Huawei will surely figure in among the agenda. 

Dave Bittner: [00:06:33]  And after having waited to see which way the cat would jump, the European Union enunciated essentially the same policy with respect to Huawei's participation in member states' infrastructure that Britain adopted yesterday, SC Magazine reports. Several of the EU's 28 members - that is 28 until the tally drops to 27 over this coming weekend as Britain Brexits - well, they've already put restrictions in place against Huawei. France, for example, won't allow Huawei antennas anywhere near Toulouse. Why Toulouse? That's where Airbus is. And French intelligence and security services aren't stupid about industrial espionage. 

Dave Bittner: [00:07:13]  Researchers have been tracking a specific vulnerability known as Pass the Hash. It's not just something you might've heard at a party on a college campus back in the '60s. It's a serious security issue. Dan Conrad is field strategist at security firm One Identity. 

Dan Conrad: [00:07:29]  A few years back, when customers started asking me for mitigations for Pass the Hash, I had to, you know, look back in my brain and think, I haven't heard about this in a long time. I remembered. I, you know, jump on the Google and refresh my brain on how it works. Looking back, you know, it dates back to, you know, Windows NT days when we were using LAN Manager hashes to give yourself a single-sign-on experience. 

Dan Conrad: [00:07:53]  And the way it works now is, you know, it's still there because we get the capability to fall back in a Windows environment to use that form of single sign-on. And what it is is it's basically a way to elevate privileges based on a residual credential. So a scenario would look like maybe a typical phishing attack where a user's workstation gets compromised through a phishing attack, which, you know, has its own issues. The remote entity will then gain control of a workstation, maybe something - a point of sale machine, maybe a laptop that travels, and create, you know, a problem that somebody needs to log on and fix - somebody with elevated permissions. And when you log on and fix that problem, it leaves a hash in the registry. 

Dave Bittner: [00:08:37]  And so do you have a sense for how prevalent this is these days? 

Dan Conrad: [00:08:41]  Sort of. So in reality, you may not truly know. You know, it's an awareness if you've been breached, right? So the concept of they're already in the walls. I'm sure you're familiar with that from other - you know, from hacking. It's from exploits. We've got a mindset now that the attackers are already in the walls. So with that kind of concept, we don't really know what we don't know. So an organization may have been breached with Pass the Hash but not even know about it. Some of them have been subject to ransomware as a result of that. But, you know, beyond that, how would they really even know? 

Dave Bittner: [00:09:19]  And so what are your recommendations? What are good mitigations for this? 

Dan Conrad: [00:09:25]  There are some complicated ways to solve the problem. You know, Microsoft actually recommended something called the Enhanced Security Administrative Environment, which is a multi-tiered forest architecture of Active Directory that is designed to compartmentalize privileges so that you've got workstations, which are probably one of your most vulnerable resources in the environment, running all over the place, you know, in a highly mobile workforce all over the world. They're at one tier. And then you've got enterprise assets in another tier. And then above that, you've got your top-tier enterprise assets that would control everything with a trust relationship that points up, only trusting up but not down. So that's fairly complex to implement. And the concept there is that no credential would be valid across those multiple planes so that you don't have to worry about, you know, if a hash was compromised in the workstation environment, it doesn't really affect, you know, the top-tier enterprise. 

Dan Conrad: [00:10:23]  That's difficult to implement for a lot of reasons. The political side of that is difficult. The technical side - the policy side is very difficult. And it's very difficult to do a technical implementation of that policy, if that makes sense. 

Dave Bittner: [00:10:37]  So what are the takeaways here? In terms of people using this information in a practical way, what do you recommend? 

Dan Conrad: [00:10:46]  It's one of those things where we're trying to influence human behavior, right? So - and as we typically know, the human element of any cybersecurity practice is the most difficult to get your hands around, whether it's social engineering or changing the way users operate or changing the way administrators administer. I've been a sysadmin for many, many years. And changing my behavior, I know, during those days was difficult. I was resistant to change. The same concept is here. 

Dan Conrad: [00:11:14]  So if we can maybe socialize the vulnerability here of these types of attacks - and, you know, not even just these types of attacks but getting control of privilege in general. You know, you look at default admin passwords and things like that that have been a vulnerability in, you know, many breaches. Getting control of these administrative credentials and looping them in and realizing that this actually matters, even if it's something as simple as an IoT device that has a built-in admin password, the concept of getting control of those that can influence the rest of your network really needs to be grasped by both the administrators and the users. You know, one thing that I've learned in kind of the last couple years is being willing to change your behavior to behave more securely. So as we learn, we change. 

Dave Bittner: [00:12:00]  That's Dan Conrad from One Identity. 

Dave Bittner: [00:12:04]  Wawa, the convenience store and gas station chain well-known to all of us here in the mid-Atlantic, disclosed last month that it had been the subject of a criminal cyberattack that began in March, was discovered on December 10 and was contained on December 12. It now appears that the breach was larger and more consequential than previously believed. 

Dave Bittner: [00:12:24]  Late Monday, it was discovered that some 30 million Wawa customers' pay card information was being offered for sale on the notorious Joker's Stash, a sleazy online market that deals in such stolen goods to the accompaniment of middle school-ish pictures showing mushroom clouds being observed by a hooded figure who looks like someone out of "Assassin's Creed." The Joker's Stash is advertising millions of cards in a file it calls BIGBADABOOM-III. 

Dave Bittner: [00:12:53]  Gemini Advisory, a New York-based anti-fraud shop, says that the Joker hasn't laid all the cards on the table but that those that have been seen map to Wawa customers mostly in Pennsylvania and Florida. Usually, carders only release their wares piecemeal to avoid depressing the black-market prices. It's supply and demand, friend. KrebsOnSecurity has a useful summary of the incident, including an account of what Wawa is doing to try to limit the damage to its customers. 

Dave Bittner: [00:13:24]  And speaking of carders, one of the biggest of them all, Mr. Aleksei Burkov (ph), copped last Thursday to being the guy who ran the notorious Cardplanet site, an online market where stolen pay card information was traded. He pleaded guilty in the US District Court for the Eastern District of Virginia to charges of access device fraud and conspiracy to commit computer intrusion, identity theft, wire and access device fraud and money laundering, the US Department of Justice said. 

Dave Bittner: [00:13:53]  Mr. Burkov, for all his tender years - the gentleman being only 29 - was apparently very well-connected, both with the Russian underworld and, arguably, the Russian government. After he was detained in Israel on an international warrant in 2015 and during the period he was fighting extradition to the United States, he received considerable support from the Kremlin. Not only did the Russian government demand his return to Russia, but they went so far as to frame an Israeli woman on drug trafficking charges. She wasn't even trying to enter Russia. She was just passing through on a short layover in the airport en route to somewhere else entirely. There are finally signs that the unfortunate woman may now be released, the Times of Israel reports. We hope so. So the Cardplanet boss is going away. Good work, justice. Now, to the Joker's Stash. 

Dave Bittner: [00:14:51]  And now a word from our sponsor, PlexTrac. PlexTrac is the purple teaming platform that enables red teams to report security issues and blue teams to remediate them through a single web-based interface. PlexTrac offers public, private cloud and on-premise deployment options. You can learn more and request a demo at plextrac.com/demo. That's plextrac.com/demo. And we thank PlexTrac for sponsoring our show. 

Dave Bittner: [00:15:30]  And joining me once again is Ben Yelin. He's from the University of Maryland's Center for Health and Homeland Security and also my co-host on the "Caveat" podcast. Ben, always great to have you back. 

Ben Yelin: [00:15:41]  Good to be here, Dave. 

Dave Bittner: [00:15:42]  A story came by. This is about - recently, the United States House Oversight and Reform Committee held some hearings on facial recognition technology. And during those hearings, Representative Alexandria Ocasio-Cortez had some interesting comments to make here. What does she have to say? 

Ben Yelin: [00:16:02]  Yeah, this is the second piece of news I saw from AOC over the past week. The first was - I follow her on Instagram, and she got a dog named Deco - cute little pug. 

Dave Bittner: [00:16:12]  (Laughter). 

Ben Yelin: [00:16:12]  Highly recommend following her Instagram stories. 

Dave Bittner: [00:16:16]  OK. 

Ben Yelin: [00:16:16]  On a more serious note, she used her five minutes at this House hearing to expose what she sees as the danger of pervasive facial recognition technology. At a long hearing on the House Government and Oversight Reform Committee, the speeches can be kind of monotonous. AOC is going to go at the end of these hearings because she's one of the most junior members of the committee. And why I think her particular speech is important is she has a way of making these issues accessible to people who otherwise would never pay attention to what happens in a House Government and Oversight Reform Committee meeting. And that's what happened here. 

Ben Yelin: [00:16:54]  So she compared some of what the witnesses said about facial recognition technology to "Black Mirror," the dystopian sci-fi series. She talked about how some mobile applications bolster their facial recognition systems through things like Instagram filters, which all of us use. You know, that's a source for real-time data to be collected on us. And she mentioned - I think this is an area of particular interest to her - about how facial recognition systems fail most frequently when it comes to people of color. There are consequences to that. Those false accusations based on faulty facial recognition technology, which, in many cases, is more prejudiced than we are as humans, can lead to false arrests and incarceration. 

Dave Bittner: [00:17:43]  Right. 

Ben Yelin: [00:17:44]  So sometimes, I think it's - you know, it's not necessarily the fact that Alexandria Ocasio-Cortez is making a statement at this hearing. It's the fact that only she can generate the type of publicity and notoriety that gets these types of remarks covered... 

Dave Bittner: [00:18:00]  Yeah. 

Ben Yelin: [00:18:00]  ...By the media. 

Dave Bittner: [00:18:01]  Well, and that - so, yeah. I wanted to dig in with that with you because I think there's a couple of things here. First of all, as you point out, her notoriety, whether you love her or you hate her - and there are certainly plenty of people on... 

Ben Yelin: [00:18:13]  Sure. 

Dave Bittner: [00:18:13]  ...Both sides of that story - she does generate headlines. And so she has the ability to bring these things to light. 

Ben Yelin: [00:18:22]  Right. She has the platform. Another thing I'll say about her is she is very skilled in congressional testimony. And this is, again, whether you love her or hate her. I think a lot of her - you know, she's given five minutes to speak at every committee hearing, but she's used that time to create a lot of viral moments, whether she's questioning bank executives, whether she's talking about campaign finance. It's her remarks that go viral when the rest of the hearing has been an entire, you know, snoozer. Nobody wants to hear the 85-year-old white guy who's never used a smart device in his or her life remark on the dangers of facial recognition. She - because she is this millennial member of Congress, I think her words carry some additional notoriety, again, whether you like her or hate her. And I certainly know people who both like and dislike her very much. 

Dave Bittner: [00:19:13]  Yeah, yeah. So I suppose you could say because of her age and the fact that her age is unusual among folks in Congress - her youth - that perhaps she has some credibility with these sorts of issues, being a digital native, that some other folks might not have. 

Ben Yelin: [00:19:32]  Absolutely. So she's part of the Facebook generation. She also - a large part of her notoriety comes from her social media use. Her original campaign in the Democratic primary for Congress was fueled by social media, producing viral videos that she put on YouTube and on Twitter. That's the only way you can beat an entrenched 14-term member of Congress, which is what she was able to do in the primary. So she is sort of - her words on any digital policy carry more weight just because she is this digital member of Congress. She's the person who uses her Instagram stories to show the ins and outs of congressional life and congressional procedure in a way that I think we haven't seen before. 

Dave Bittner: [00:20:17]  Yeah. 

Ben Yelin: [00:20:17]  And that's why I think her placement on this particular committee, which conducts oversight - that means they often have the most contentious of all congressional hearings - was a really fortunate placement for her. 

Dave Bittner: [00:20:30]  Yeah. Well, it's certainly an interesting dynamic to see play out here. Ben Yelin, thanks for joining us. 

Ben Yelin: [00:20:36]  Thank you. 

Dave Bittner: [00:20:41]  And that's the CyberWire. For links to all of today's stories, check out our daily news brief at thecyberwire.com. 

Dave Bittner: [00:20:48]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:20:59]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.