The CyberWire Daily Podcast 8.9.21
Ep 1392 | 8.9.21

Home router vulnerabilities exploited in the wild. ACSC warns of a LockBit spike in LockBit. Flytrap Android Trojan is out. SCADA recon. Child protection. Wiretaps and social media.

Transcript

Elliott Peltzman: Home router vulnerabilities exploited in the wild. ACSC warns of a spike in LockBit ransomware attacks. The FlyTrap Android Trojan is still concealed in malicious apps. An unidentified threat actor has been prospecting SCADA systems in Southeast Asia. Rick Howard checks in with the Hash Table about backups. Mike Benjamin from Lotus Labs on watering hole attacks. Apple's new child protection measures attract skepticism from privacy hawks. Wiretaps extend into social media. And using three random words for your password.

Elliott Peltzman: From the CyberWire studios at DataTribe, I'm Elliott Peltzman, in for Dave, with your CyberWire summary for Monday, August 9, 2021. 

Elliott Peltzman: Bad Packets has observed active scanning for vulnerabilities in Arcadyan Buffalo routers. The flaws, discovered and disclosed by Tenable, could allow unauthorized remote actors to bypass authentication. Juniper Networks has confirmed that the vulnerabilities are, in fact, being exploited in the wild. 

Elliott Peltzman: Juniper also draws some lessons from the incident - quote, "it is clear that three actors keep an eye on all disclosed vulnerabilities. Whenever an exploit PoC is published, it often takes them very little time to integrate it into their platform and launch attacks. Most organizations do not have policies to patch within a few days, taking sometimes weeks to react. But in the case of IoT devices or home gateways, the situation is much worse as most users are not tech savvy, and even those who are do not get informed about potential vulnerabilities and patches to apply," end quote. 

Elliott Peltzman: The Australian Cyber Security Centre, ACSC, warns of a coming spike in LockBit 2.0 ransomware and offers recommendations on mitigating risk. LockBit is an affiliate program offered through Russophone criminal markets. It's known for using double extortion. LockBit's ads on criminal-to-criminal fora provide some suggestions as to how they're likely to operate. They've sought partnerships with other criminals who might offer credential-based access to remote desktop protocol or virtual private network solutions. They've also shown an interest in recruiting Cobalt Strike and Metasploit jockeys. 

Elliott Peltzman: The ACSC says that the sectors affected so far have been professional services, construction, manufacturing, retail and food, but the center sensibly points out that any sector is, in principle, vulnerable to ransomware and that no one should take the earlier targeting patterns as a reason to drop their guard. 

Elliott Peltzman: Zimperium describes an emergent Android Trojan, FlyTrap, active since March in at least 140 countries. Believed to be the work of a Vietnamese gang, FlyTrap works through infected apps. The malicious apps were initially distributed through Google Play but were ejected from that store after their detection. They're now distributed in third-party stores, where the bait involves such things as coupon offers and opportunities for fans to vote in sports polls. 

Elliott Peltzman: Once installed, FlyTrap hijacks victims' Facebook accounts. And once a Facebook account is compromised, it can use that account to spread the Trojan to other connected users by suggesting they visit the malicious links. 

Elliott Peltzman: Symantec last week described a campaign against infrastructure targets in Southeast Asia that ran from November through March. The unnamed country prospected by what appeared - the evidence is circumstantial, and Symantec stopped short of unambiguous attribution - to be a Chinese intelligence collection and reconnaissance effort which saw intrusions into water, power, communication and defense companies. The threat actor seemed interested in SCADA systems. It was also successful in living off the land, using legitimate services in its operations and in keeping a low and hence difficult-to-detect profile. 

Elliott Peltzman: Symantec's conclusion reads in part, quote, "a skilled malicious actor from a different country gaining a deep insight into a country's critical infrastructure by compromising multiple critical infrastructure organizations, including a defense organization, could deliver a lot of valuable intelligence into the hands of adversaries. The Colonial Pipeline attack in the U.S. in May 2021 showed the serious repercussions attacks on critical infrastructure can have, and this campaign makes it clear that it is not just U.S. infrastructure that is under threat from malicious actors," end quote. 

Elliott Peltzman: It's also worth noting that this sort of collection is also consistent with the reconnaissance necessary for a battlespace preparation. 

Elliott Peltzman: Apple has announced child protection features that have aroused suspicion among privacy advocates. The measures involve, among other things, scanning iCloud content for objectionable imagery. Some critics see a slippery slope to intrusive surveillance of users. Others see Apple as having taken some careful steps toward protection against child exploitation. We'll have more on Apple's changes and the reaction to them in this afternoon's pro-privacy briefing. 

Elliott Peltzman: The Baltimore Sun reports that police in Harford County, Md., in the course of a drug trafficking investigation last year, sought and obtained a warrant to listen to the suspect's phone conversations. That's ordinary enough, but as The Sun observes, the authorities also had the warrant extended to cover communications over Facebook. The interception works only when end-to-end encryption isn't enabled. This is expected to become more common as people increasingly rely on social media for communication. 

Elliott Peltzman: Aaron Mackey, a senior staff attorney for the Electronic Frontier Foundation, told The Sun, "I think there's a reality that when you have a system that allows for users to create content to message others, it will be a valuable source of investigative leads for law enforcement. What this sounds like to me is use of existing law to access communications. It is perhaps novel that they have deployed it in this particular context and law enforcement is realizing that they have this capability," end quote. 

Elliott Peltzman: And finally, looking for a complicated, hard-to-remember password? Are you substituting certain characters for letters, like a zero for the letter O or an exclamation mark for the letter I? Most of us do. It's a way of meeting the kind of complexity criteria many sites and services now require. The character substitutions are a way of making something complex that you still have a chance of remembering. 

Elliott Peltzman: Britain's National Cyber Security Centre, however, recommends using three random words instead. The various bad actors who seek to compromise your passwords are as wise to the character substitution as you are, and they've tailored their attacks to account for it. Could they guess the three random words, too? Sure, but that's a different and arguably more complex process. 

Elliott Peltzman: The NCSC writes, quote, "faced with making yet another password with specific requirements, users fall back on variations of something they already know and use, falsely believing it to be strong because it satisfies password strength meters. None of this is helped by long-standing and poor advice that passwords have to be memorized and storing them in any way, either in a password manager, a browser or on a piece of paper, is risky," end quote. 

Elliott Peltzman: Is there a chance someone could access your storage place? Sure, the NCSC acknowledges in a footnote. Take writing it down for example. If it's on a Post-it note that's going to wind up in the vain selfie you take, then consider it discovered. But they think the risk is lower than the risk of using the same password everywhere. 

Dave Bittner: And it is my pleasure to welcome back to the show the CyberWire's chief security officer and chief analyst, Rick Howard. Hello, Rick. 

Rick Howard: Hey, Dave. How's it going? 

Dave Bittner: Not bad. Not bad. So for this season of "CSO Perspectives," you've been talking about resiliency as a first principle strategy and the key and essential tactics that we all need in place to have a strong resiliency program. Now, you did a deep dive on encryption in the first two episodes, and you're winding up two episodes on enterprise backup programs. Our listeners will remember our... 

(LAUGHTER) 

Dave Bittner: That sob story from hell. 

Rick Howard: Sob story - yes, yes. 

(LAUGHTER) 

Dave Bittner: But this week, you are talking to a couple of our Hash Table members. I'm curious. Anything surprising coming out of those conversations? 

Rick Howard: Always, David. Always. OK? 

(LAUGHTER) 

Rick Howard: The Hash Table members are security executives and former security executives who have all been in the infosec trenches for years now, and they have the scars on their backs to prove it. And I love those discussions. They have a way to bring me back down to earth when I say stupid things like, you know, all you need to do to protect against ransomware is encrypt everything and back up everything, as if those two actions were the easiest things in the world to do. 

Rick Howard: You know, it's kind of like when I go home on vacation to visit my mom, and I'm thinking, you know, I'm this big, fancy-pants security executive - you know, important. And she says, yes, dear, you're very important, but if you want to eat dinner, take the trash out. You know, so you can always count on Mom to bring you back to home to reality. 

Dave Bittner: Oh, absolutely. Absolutely. Well, what sort of words of wisdom did you get from the Hash Table members this week? 

Rick Howard: So we had Jerry Archer, the Sallie Mae CSO, and Jaclyn Miller, the NTT CISO. They came to visit at the Hash Table. And let me tell you, these two are very smart and both help their organizations run robust resiliency programs. 

Rick Howard: The big takeaway I got out of those discussions is that resiliency in the form of encryption and backup programs - you know, it's a team sport. There's no CISO that I know of that is the king of the kingdom and can just say, go forth and implement encryption and backups under my authority. You know, it doesn't work that way. Disaster recovery and business continuity planning and execution touches every business unit. 

Rick Howard: And then once you get everybody on the same page about the plan, testing those schemes and keeping the other company executives in the loop about decision points in a crisis, that's a full-time job that never ends. 

Dave Bittner: Yeah, absolutely. All right, well, do check it out. It is part of "CSO Perspectives," and that is over on CyberWire Pro. You can learn all about that on our website, thecyberwire.com. Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And I'm pleased to be joined once again by Mike Benjamin. He's vice president of security and head of Black Lotus Labs at Lumen Technologies. Mike, I wanted to check in with you on some work that I know you and your team are doing when it comes to router hacktivism. What can you share with us today? 

Mike Benjamin: Yeah, so back in the May time frame, we saw an actor go into a number of devices and replace their configuration with a text file. And we thought that the - at first glance that the attacker was breaking in in order to do something nefarious with the configuration, reroute traffic, do things we see when people typically attack routers. 

Mike Benjamin: But in this case, the text file was literally text. It was writing. And so the person who took this action was releasing a manifesto, so to speak, and overwriting the configuration with their, you know, view on the world, so to speak. And as you might imagine, when you replace a router configuration that has certain syntax with just blobs of text, it's not particularly good for the router. 

Dave Bittner: (Laughter) That's - I was - that was my next question. So, please, what happens next? 

Mike Benjamin: Well, as the router tries to interpret the configuration, you might think that it puts us in a position where it would just fail syntax. But the actor actually replaced the configuration. And so in this case, the router had no configuration, and it would cease to operate. It didn't have any of its IP addresses, its interfaces. All the things that you need in order to allow routing were all gone, and so the device was no longer serving its purpose. And whatever its purpose was was now causing an outage. 

Dave Bittner: Wow. How broad was this? How many organizations got hit this way? 

Mike Benjamin: We saw a range of about a hundred organizations hit by it. And the good news is that it's only a hundred. Obviously, if you were one of those hundred, that wouldn't have been a particularly good day for you. But really, it's an ode to the fact that the way the actors attacked had been cleaned up over the last couple years. So they abused something called the Smart Install protocol. That's a default configuration in certain classes of equipment. 

Mike Benjamin: And as we think about making technology easier to use, of course, zero-touch provisioning and plugging things into a LAN and having them just auto light up and auto register themselves is where a lot of technology has gone. Unfortunately, some folks in a misconfiguration still leave that exposed to the internet. So when you have a device that's made for simplicity of install and you leave it plugged into the open internet, you're asking for trouble. And so this particular actor was able to access what was meant to be sort of a plug-and-play protocol remotely and just walk right in and take control of the devices. 

Dave Bittner: I see. So in a perfect world, the folks who had these devices - they would have locked out these capabilities from being remotely accessed. 

Mike Benjamin: Absolutely. So this is not dissimilar to the lessons that we would tell a consumer around SSDP or UPnP protocols. These things are really handy inside of a closed environment where it's just you as a network administrator, your business or whether you're a home user. When you have those protocols, don't expose them to the internet. Keep them locked down. And really, it sort of relates back to that underarching philosophy we should all have in information security, which is to minimize the attack surface. 

Mike Benjamin: And so if this protocol shouldn't have been allowed out, there should've not been an ability for it to get out, just a default deny on some of those outbound exposed services, a default way to make sure that those things don't get out on the internet 'cause we're all human beings. We're all going to forget a step when we do things from time to time. So making sure those defaults are there so that it can't happen in the first place is really important. 

Dave Bittner: Yeah, it strikes me, too. I mean, wouldn't a router be something that would typically have a more - I don't know - a gentle way of going into some sort of fail-safe mode? 

Mike Benjamin: The particular devices probably are more accurately described as switches. And so while they - modern switches all are capable of being routers 'cause a lot of us find reasons for running them that way... 

Dave Bittner: (Laughter). 

Mike Benjamin: ...They weren't intended to be WAN routers. They weren't intended to be exposed at the edge of an infrastructure. And that's really where that sort of default would come into play. 

Dave Bittner: I see. So in terms of lessons learned here, I mean, any broad advice for the folks out there? 

Mike Benjamin: Well, No. 1, I think really make sure that you understand the technology you're deploying. Make sure that you understand what might be exposed. 

Mike Benjamin: Two, set those defaults within an environment. A default policy is something that can, you know, save your bacon, so to speak, when you deploy things that may be amiss or maybe you don't fully understand. 

Mike Benjamin: And then lastly, pay attention to news like this when things occur, and make sure you double-check your policies and your infrastructure. We still see a huge volume of devices. Over 18,000 are still exposed out on the internet to this particular vector. And we need those folks to continue to be cleaning it up, continuing to be paying attention. Otherwise, this inevitably will happen to them as well. 

Dave Bittner: All right. Oh, boy, what an interesting story. Mike Benjamin, thanks for joining us. 

Elliott Peltzman: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Elliott Peltzman: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Elliott Peltzman, filling in for Dave Bittner. Thanks for listening.