The CyberWire Daily Podcast 8.18.20
Ep 1154 | 8.18.20

Patriotic hacktivism? Cryptomining worm steals AWS credentials. Carnival discloses data incident.

Transcript

Dave Bittner: Suspected patriotic hacktivists are defacing websites. A cryptomining worm is stealing AWS credentials. Cruise company Carnival suffered a ransomware attack that involved data theft. U.S. measures against Huawei are expected to make things much more difficult for the Chinese company. Ben Yelin on new tools tracking cyber data on U.S. borders. Our guest is Jesse Rothstein from ExtraHop on what happens to enterprise security when the network goes dark. And a look at the organizational structure of North Korea's hacking units.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 18, 2020. 

Dave Bittner: It's difficult to distinguish spontaneous hacktivism from government-run cyberattacks, but two current campaigns look more like patriotic hacktivism than espionage. The Greek Reporter says that government websites in Eastern Macedonia and Thrace have been defaced with Blue Homeland messaging that evidently came from Turkish operators. And Zee News trumpets the activities of the Indian Cyber Troops who've hoisted the Indian tricolor on some 80 Pakistani websites. 

Dave Bittner: Researchers at Cado say they've found a cryptomining worm that steals credentials for Amazon Web Services when it infects Docker or Kubernetes instances running on AWS. The worm also swipes local credentials and scans the web for misconfigured Docker instances. The malware is used by a cybercrime gang that calls itself TeamTNT. The researchers have observed these attackers successfully compromise a number of Docker and Kubernetes systems. The group's activities were also described by Trend Micro in May, when they were targeting open Docker ports with a cryptominer and DDoS bot. The TeamTNT worm installs the XMRig cryptominer to mine Monero. The malware isn't particularly sophisticated, but it seems to be relatively successful, as far as cryptomining operations go.

Dave Bittner: The method by which the malware steals AWS credentials is simple - the AWS Command Line Interface stores credentials unencrypted in a file called credentials, and the malware simply uploads this file to the attackers' server. It also steals the AWS configuration file for additional information about the setup. The Cado researchers note that this is the first worm they've seen that has AWS credential-stealing functionality, but they expect to see more malware using this tactic in the near future. 

Dave Bittner: Cruise line company Carnival Corporation and Carnival PLC disclosed a data incident to the U.S. Securities and Exchange Commission in an August 15 8-K filing. The company says the incident was a ransomware attack that accessed and encrypted a portion of one brand's information technology systems. The incident also involved exfiltration of some of the company's data. The incident was discovered on August 15, the same day the company reported it to the SEC, and the investigation is ongoing. Carnival's subsidiaries include Princess Cruises, Carnival, the Holland American Line, Seabourn, P&O Cruises, Costa Cruises, AIDA Cruises, P&O Cruises and Cunard. 

Dave Bittner: Carnival's SEC filing states that while the company doesn't expect the incident to have a material impact on its business, operations or financial results, quote, "we expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders or regulatory agencies. Although we believe that no other information technology systems of the other company's brands have been impacted by this incident, based on our investigation to date, there can be no assurance that other information technology systems of the other company's brands will not be adversely affected," end quote. 

Dave Bittner: According to The Wall Street Journal, new U.S. measures are making it harder for Huawei to get chips made with American technology. The Washington Post sees the new measures as evidence of the difficulties in stopping an inherently complex trade. Huawei has continued acquiring chips that contain U.S. technology despite increasingly tight restrictions. The Commerce Department's restrictions announced yesterday are thought to be broad enough to cut Huawei off from these workarounds. The Post cites an anonymous industry executive as saying, this kills Huawei; any chip made anywhere in the world by anyone is subject to this. 

Dave Bittner: Many North Korean government hackers operate from locations in other countries, according to a U.S. Army assessment. The report, summarized by ZDNet, says North Korea's Cyber Warfare Guidance Unit, also known as Bureau 121, had more than 6,000 members in 2015, up from 1,000 in 2010. The U.S. Army believes the number is probably much higher than 6,000 by now. These hackers frequently work from countries other than North Korea, including Belarus, China, India, Malaysia and Russia.

Dave Bittner: The report also details the organizational structure of Bureau 121. The unit has four subdivisions. Three are focused on cyber warfare, while one is responsible for traditional electronic warfare, such as jamming equipment. The three cyber-focused subdivisions are known in the industry as the Andariel Group, the Bluenoroff Group and the Lazarus Group. Andariel is made up of approximately 1,600 members and primarily focuses on reconnaissance of targeted networks and identifying exploitable vulnerabilities. Bluenoroff consists of around 1,700 members who are tasked with conducting financial cybercrime by concentrating on long-term assessment and exploiting enemy network vulnerabilities. Lazarus consists of an unknown number of operators and is the group the government uses to create social chaos by weaponizing enemy network vulnerabilities and delivering a payload, if directed to do so by the regime. ZDNet clarifies that the industry often uses the Lazarus Group as an umbrella term to refer to any hacking associated with North Korea.

Dave Bittner: And finally, Pyongyang's hackers may have also adopted a technique well-suited to extracting payment in ransomware attacks as they dip their toes into the ransomware game. NK News says the Lazarus group - its eye on insurance coverage - is pricing its ransom below the cost of backup and restoration. 

Dave Bittner: Emerging standards like TLS 1.3 and DNS over HTTPS make good use of encryption to keep data from prying eyes online, but they also present challenges for enterprise security who may have a harder time monitoring network traffic. Jesse Rothstein is co-founder and CTO at ExtraHop, and he explains what can happen to enterprise security when the network goes dark. 

Jesse Rothstein: I think anybody responsible for the security posture of an enterprise environment thinks about these things in the broader context of visibility and, how do I secure the environment? So I'll just jump right in and say that I believe very strongly in network security. I think it's a very valuable source of data, you know, one of the few, maybe three most fundamental sources of data that we have. We can always instrument specific endpoints and run, you know, endpoint protection platforms. We can always aggregate and gather log files and telemetry, and we should do all of those things. But a fundamental source of data in truth is all of the network traffic, all of the communication that exists. It's extremely difficult to tamper with, and it's basically impossible to turn off. And that's why network security has been, really, a fundamental kind of tool in the toolbox for so very long. 

Dave Bittner: Well, as more and more folks shift their attention towards encrypting the data that flows through these networks, how does that affect visibility? 

Jesse Rothstein: Well, it can make it more challenging. First and foremost, I'll mention that there's a lot of traffic analysis that we can do, even with encrypted traffic. We can analyze communication paths and flows of data. We can run some heuristics - traffic analysis heuristics to determine if we're looking at interactive traffic or bulk downloads. There - we can do some amount of fingerprinting, even for encrypted traffic. These are where fingerprints like JA3 and JA3S and the H-A-S-S-H, the HASSH fingerprints, can all provide some visibility into encrypted traffic. 

Jesse Rothstein: But at the end of the day, nothing beats actually inspecting the payload itself. If encrypted traffic analysis were to provide too much information, then encryption wouldn't be doing its job. So when we're talking about environments that we control and when we are ourselves the defenders of these environments, we have a couple of choices. For campus environments, we can certainly perform some sort of SSL, TLS interception. There are a variety of ways of doing this, but this basically means, you know, breaking and inspecting the traffic, right? You know, and there are some pros and cons to doing that. But if the goal is to actually analyze user traffic and maybe, you know, with the hope of looking for, you know, rogue and unmanaged devices and compromised credentials, that might be very, very important. We can take a very different approach with services that we control and applications that we ourselves are delivering because in those situations, we manage all of the infrastructure that's actually terminating the encryption. 

Dave Bittner: That's Jesse Rothstein from ExtraHop. 

Dave Bittner: And I am pleased to be joined once again by Ben Yelin. He is from the University of Maryland's Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Ben, it's great to have you back. 

Ben Yelin: Good to be with you again, Dave. 

Dave Bittner: Interesting article from CNET. The title is "Homeland Security Details New Tools for Extracting Device Data at U.S. Borders." What's going on here, Ben? 

Ben Yelin: So the Department of Homeland Security is required to release a privacy impact assessment about its data collection practices at U.S. border crossings. They just released that report at the end of July. What that report said is that people who are crossing the United States border - and that includes U.S. citizens and non-U.S. citizens alike - have been subject to pretty robust data collection practices. The DHS at least has had the capability to extract a lot of very valuable data from your devices - so contacts, call logs, IP addresses, previous GPS location, cell site information, pretty personal information. And over the past several years, the number of device searches at the border has really multiplied significantly. They noted that in 2018, there were 33,000 such searches of devices at U.S. border crossings. 

Ben Yelin: Now, the good news for civil libertarians on this issue is that there was a court case - I believe we talked about it on our podcast - decided towards the end of 2019 that declared that, at least as it applied to U.S. persons, law enforcement or U.S. Customs and Border Patrol requires reasonable suspicion to search a digital device. So they no longer can conduct warrantless searches at the border. But what was going on before this case I think was much more concerning from a civil liberties perspective. There basically were no requirements. So Customs and Border Protection would be allowed to conduct warrantless searches of your device and collect all this extremely personal information. And obviously, that's a major invasion of privacy. 

Dave Bittner: A couple of things struck me in this article. One, the policy that they have means they retain the data for 75 years. 

Ben Yelin: Yeah, that's a long time. 

Dave Bittner: That seems like a - that seems like a long time (laughter). Also, they point out that the data is saved to DHS's local digital forensics network but then transferred to a company called PenLink, which they describe as being a phone surveillance software company that helps manage this metadata - so perhaps a little bit of third-party risk there. 

Ben Yelin: Absolutely. Whenever you're transferring data to a third party, if you are not engaging in best practices in data protection, you're going to introduce some vulnerabilities. One thing they noted in this article that was interesting is that - and this is purely a coincidence - but in the same week that this report was released, the NSA released guidance to its own employees about how to protect information on their own employees' digital devices, saying, use your latest software patches, turn off Bluetooth, et cetera, et cetera. You know, I think if you were to read these two guidance documents together, the overarching message is protect your device from us, the federal government. We the federal government are telling you to protect your device from, maybe a different federal department, but from the federal government itself. 

Dave Bittner: (Laughter) Right, right, right, right. Yeah, I love this statement here, too. In the article, they say that DHS said the privacy risks of using the tools are low because only trained forensics technicians will have access to the tools and only data relevant to investigations will be extracted. Hmm (laughter). 

Ben Yelin: That's just - I know. That's just so funny. It's hard to believe that a DHS spokesperson would have the gall to put that in a statement just because it's such an obvious - anybody who's well-versed in these issues would know that that's just such a thin line that indicates that your data is not actually secure because there are just so many potential vulnerabilities there. You're transferring this data to a third party. We've known not just from Customs and Border Protection but from other federal surveillance programs that very frequently not just the particular data relevant to a criminal investigation is being collected when you're talking about a dragnet program. And so you know, anybody who is well-versed in these issues would see that statement and their eyes would roll into the back of their head. 

Dave Bittner: (Laughter) I mean, I suppose it's good that DHS has to publish these impact assessments, yes? 

Ben Yelin: Absolutely. You know, and that's, you know, where Congress comes into play when they authorize these programs. Department of Homeland Security was authorized in 2002 and has been reauthorized since. When you have these reauthorization programs, one thing you can do is require a certain level of transparency - so require semiannual reports, annual reports. That's often the only way we know about, you know, what our government is doing as it relates to digital data or, frankly, anything else. So you know, that is one stick that Congress has that can really force agencies to be transparent. 

Dave Bittner: All right. Well, interesting stuff for sure. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.