APT10's Operation TradeSecret. BrickerBot may be vigilante PDoS. Amnesia and Sathurbot exploit known vulnerabilities in, respectively, DVRs and WordPress. Ransomware, surveillance, and info ops updates.
Dave Bittner: [00:00:01:17] Operation TradeSecret looks for intelligence on US trade policy during the run up to the Sino-American summit at Mar-a-Lago. BrickerBot is out, a PDoS campaign that looks like nasty vigilante work. The Amnesia campaign is after unpatched DVRs. Sathurbot exploits unpatched WordPress instances and infects Torrent users. Surveillance and influence operations allegations in the last US Presidential campaign have their counterparts in the current French one.
Dave Bittner: [00:00:37:02] Time for a message from our sponsor Palo Alto Networks. You can learn more about them at go.paloaltonetworks.com/secureclouds. With the adoption of software as a service applications data now lives beyond the traditional network perimeter. What are you doing to keep your organization's data protected in this new environment? Palo Alto Network integrated platform provides details SaaS visibility and granular control, data governance, automated risk remediation, and malware prevention, so organizations can achieve complete SaaS protection. Palo Alto Networks has the broadest, most comprehensive cyber security for all cloud and SaaS environments. Because secure clouds are happy clouds. Get started at go.paloaltonetworks.com/secureclouds. And we thank Palo Alto Networks for sponsoring our show.
Dave Bittner: [00:01:37:06] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire Summary for Friday, April 7th, 2017.
Dave Bittner: [00:01:47:12] This week Fidelis Cybersecurity released a timely report on APT10, a Chinese cyberespionage threat actor, that's been active for some time. Fidelis is calling the campaign they've unearthed, "Operation TradeSecret."
Dave Bittner: [00:02:01:07] Like Operation Cloud Hopper, another related APT10 action being tracked by BAE and PWC, Operation TradeSecret works its way to the targets by getting through cloud and managed service providers. While most of the targets being prospected in Cloud Hopper are European, for the most part UK businesses, TradeSecret is going after US organizations. The goals of both campaigns appear to be intellectual property and other economic intelligence. TradeSecret, however, seems to be taking a particularly close look at emerging US trade policy, collecting against US trade lobbying shops like the National Foreign Trade Council.
Dave Bittner: [00:02:39:10] This of course is timely, given the Sino-American summit now underway at Mar a Lago. Presidents Trump and Xi will be discussing such matters of mutual urgency as North Korean nuclear and long-range missile programs, for which US patience with which has reached an announced end. US observers and policy analysts hope they take up cooperation and confidence-building in cyberspace. President Xi is said to be anxious to avert a trade-war between the two large trading partners, which would explain APT10's interest in industry groups and lobbyists.
Dave Bittner: [00:03:12:23] There are concerns expressed by NSA officials to Defense One, that the PLA could be at work weaponizing a supercomputer for use in espionage campaigns. President Trump has so far struck an optimistic note in his remarks about the meetings, as has President Xi, but it will be worth watching whether bilateral relations in cyberspace prove amenable to diplomatic confidence-building. There are signs that they have in the past.
Dave Bittner: [00:03:39:12] A strange in the campaign in the wild that's being called "BrickerBot" is looking for insecure IoT devices and then bricking them, that is rendering them incapable of operation. Discovered by security firm Radware when the malware began hitting honeypots on March 20th, BrickerBot is baffling because it's motive is unclear. It doesn't appear to serve any obvious criminal, hacktivist, or nation-state purposes. Many of the observers suspect that BrickerBot is a vigilante action conducted by a gray hat hacker who's trying to kill IoT devices before they can be herded into a botnet. As usual, vigilante action, particularly destructive action, doesn't draw rave reviews. BrickerBot is being called a PDoS as opposed to a DDoS attack, permanent denial-of-service, which suggests the seriousness of it's effects. Two strains of BrickerBot have been observed, and both appear bent on punishing users who's IoT installations are insecure.
Dave Bittner: [00:04:35:23] Two other recent campaigns are worth mentioning. Palo Alto's Unit 42 reports on what they're calling "Amnesia," a campaign to exploit vulnerable DVRs as bots. Amnesia is a variant of the "Tsunami" IoT Linux botnet reported in March of 2016. It affects unpatched DVRs manufactured by TVT Digital and related products sold by more than 70 other vendors. Its effects could be serious. Palo Alto thinks the coder behind Amnesia was trying to defeat malware analysis sandboxes, and that in some cases the malware could infect Linux servers in ways that wiped the server. Obviously, Palo Alto adds, that "Could be catastrophic if back-ups are not available."
Dave Bittner: [00:05:18:08] The other botnet of current interest has been around for a while, but it's becoming troublesome as it continues to find and compromise insecure WordPress sites. It's called "Sathurbot," and it uses torrents, those favorites of cheapskates who wish to use software without paying for it, as its vector. The criminals behind it appear to be establishing an infrastructure that could be used to sell services to other criminals on the black market. Sathurbot currently contains some 20,000 devices. Security firm ESET, which is tracking and working against the campaign, advises users to protect themselves by not running executables downloaded from sources other than respected developers. ESET also warns against downloading files from sites not primarily in the legitimate file-sharing business.
Dave Bittner: [00:06:04:16] Taking a quick look at our CyberWire event calendar. On Wednesday. April 19th, the Cybersecurity Association of Maryland, which you may know by their acronym CAMI, has organized a program on "Cyber Warrior Women: Blazing the Trail." It will meet at the Community College of Baltimore County's Center for the Arts in Catonsville, Maryland. Join them in person or online from 9:30 am to noon for stories of triumph and tribulation, advice and inspiration from some of Maryland's diverse and dynamic female cybersecurity professionals. To register, you can click on the linked banner at our site, thecyberwire.com/events. CAMI notes with gratitude, by the way, the support of Exelon in making the event possible.
Dave Bittner: [00:06:45:05] Concerns about influence operations and allegedly improper surveillance persist, in both the US and now France. Us Congressional investigations, now on hiatus during the two week recess which begins at close of business today, are looking into both allegations of improper surveillance and allegations of collusion with Russian influence operations. France's presidential election is being roiled a bit by both as well. The candidate of the center-right Republic party François Fillon, alleges that President Hollande has used police to dig up discreditable information on him, information the truth of which Fillon denies.
Dave Bittner: [00:07:24:12] It is perhaps noteworthy that RT, also known as Russia Today, has given the allegations prominent coverage in its French-language service. News needn't be fake to be influential, or so we've heard.
Dave Bittner: [00:07:41:15] Time to take a moment to tell you about our sponsor Control Risks. If you own cybersecurity in your organization, let's be honest, you might not sleep easily. If you lie awake thinking about new threats over the horizon, or how to allocate your limited resources, Control Risks can help. It's often impossible to separate threats to you data from geopolitical swings, local regulatory shifts, and competitors maneuvering. Without a risk led approach how can you be sure all your shiny tools are working? Talk to Control Risks. They treat information security as a business risk, not just a technical problem. For over 40 years they've helped clients proactively identify and mitigate risk. Respond to, and recover from disruption, and capitalize on opportunities. In short, they bring order to chaos. And reassurance to anxiety. Let Control Risks help you spend money were it really counts, protecting what really matters. Find out more at controlrisks.com/cyberwire. That's controlrisks.com/cyberwire. And we thank Control Risks for sponsoring our show.
Dave Bittner: [00:08:53:13] Joining me once again is Professor Awais Rashid. He heads up the Academic Center of Excellence in Cybersecurity Research at Lancaster University. Professor, you maintain that one of the issues we have with IoT devices is not just their vulnerability, but the fact that their actual interfaces are in many cases extremely limited?
Professor Awais Rashid: [00:09:12:17] Absolutely. This is a big challenge. Securing regular systems is hard as it is, and we do quite a lot of work as a wide community on that. However, users already find it very difficult to make sense of the security controls or features that are available to them on regular devices, like laptops and computers, where they can have a lot of information. They also find it very hard to make sense of that information. And in the case of IoT, the problem is much harder, because you do not have those traditional screen-based dissemination mechanisms, that can provide additional information. A lot of the users interaction with IoT tends to be implicit. And which leaves us the really interesting challenges as to how do we convey information about security to the users? But, on the other hand, how can we make it easier for them to, for example, configure these kind of IoT devices for security purposes?
Dave Bittner: [00:10:09:18] So what kind of approach should we be taking?
Professor Awais Rashid: [00:10:12:02] I think there are multiple ways that this can be tackled. One issue is that of how IoT devices are designed. And they should probably be designed to be secured by default. So, one of the issues that we saw in the Mirai botnet attack, which was made up of a lot of IoT devices, or at least used a lot to IoT devices amongst others. Was that people hadn't changed, for example, default passwords, or these kinds of default settings were available. And on the one hand, it's quite easy to blame the users, that they didn't change these passwords, or these default settings. But, equally, perhaps we can be hardening these devices before they are actually shipped.
Professor Awais Rashid: [00:10:54:00] The big challenge there, of course, is this balance between usability and security. And really I think we need more of a shift in our approach. We need to stop thinking about it in terms of usability in a traditional human computer interaction sense. Because the computers are no longer these screen-based devices that we used to use, or still use quite a lot. I think we need to move from usability to a notion of some kind of security ergonomics. Which basically makes it easier for the user to understand and make sense of what goes on within an IoT device and its interactions with other devices.
Professor Awais Rashid: [00:11:28:21] There are really fundamental challenges here in terms of how we design these devices, how we can weigh information. But, also, how easy it is for a regular person in the world to configure security and manage their security and privacy in these kinds of devices.
Dave Bittner: [00:11:46:20] Awais Rashid. Thanks for joining us.
Dave Bittner: [00:11:53:18] Here is some research from our sponsor Cylance that we think you'll enjoy. If you've been a CyberWire listener, or reader, you're familiar with iPyramid, a cyber espionage tool that had been quietly active in Italy's political and financial circles for several years. Until the brother and sister duo who were controlling it were snapped up by Italian police. It's a clever keylogger that exfiltrated sensitive information from infected machines. And it did so while quietly disabling firewalls and various Windows updates and services, the better to remain undetected. You can get the lowdown on this still dangerous iPyramid at cylance.com/blog. See what Cylance's threats spotlight can show you about iPyramid and how to protect yourself against it. That's cylance.com/blog. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:12:51:04] All this week we've been hearing from some of the people we met at the 2017 Women in Cybersecurity Conference. My guest today is Andrea Little Limbago, she's chief social scientist at Endgame.
Andrea Little Limbago: [00:13:02:11] I do a lot of research into the geopolitics of cybersecurity, which over the last year, as everyone knows, has been on everyone's radar much more so than it was before. So that has evolved a lot as far as the interest in it. And then I also work a lot with our data scientists, our malware researchers, our vulnerability experts, in bringing together their research into something that's consumable for a larger audience.
Dave Bittner: [00:13:23:12] What do you think people should know when it comes to the geopolitical world of cybersecurity at this point in time?
Andrea Little Limbago: [00:13:30:22] One, is not to look at it as its own stovepipe. It's integrated into Foreign Policy National Security. So, we need to stop looking at it as just within the cybersecurity realm. It's integrated into all of the aspects of foreign policy at this point. And so we really need to look at it from that larger more holistic view as far as how it integrates with other military operations, we've seen that over the last year, integrated into certain country's military operations. We've seen it as part of diplomatic operations. It's impacting economics. So really, it crosses the board in that area, and so that's where we're really starting to see that. And it's only going to become more and more integrated across the entire spectrum.
Dave Bittner: [00:14:05:15] Is it fair to say that a certain amount of chaos has been injected into things lately?
Andrea Little Limbago: [00:14:10:06] I think the chaos has been there. I think it's becoming more visible and it's escalating, is the other thing that we're seeing. We just recently wrote about some of the wiper malware going on, and so you see between Iran and Saudi Arabia, for instance. And so those tensions have been there. Those are regional rivalries that have been going on decades, if not centuries. But what we're seeing now is some of it behind the scenes, some of it very overt, as far as the destructive aspects of their inter-state relationship.
Andrea Little Limbago: [00:14:38:23] We're seeing that in addition to some of the other aspects of their rivalry. It's escalating a bit more in that area. I think certain countries are becoming more adventurous in what they're doing and they're pushing the envelope a little bit more to see what can be done in this realm. At the same time, other countries are also cooperating. So, we're seeing sort of this double movement of conflict in one area, but also of countries moving towards cooperation, and looking for ways to maintain privacy and security at the international level.
Dave Bittner: [00:15:05:21] So, does cyber give countries the opportunity to engage, and yet still not have to drop bombs? Not have to send missiles? Not have to send soldiers?
Andrea Little Limbago: [00:15:15:03] Right. That is what's going on right now, and that's some of the debate that's going on in the legal and more diplomatic global area. And so they're falling short of the law of armed conflict, so certain behavior so far is falling short of that. But, at the end of the day, it's going to be up to each country to actually define where that red line is. And so especially if it becomes integrated with other aspects, it does become actual parts of war.
Andrea Little Limbago: [00:15:39:12] And so we'll look at some countries actually moving their military forces into a country, they're also incorporating some cyber aspects to it. Shutting out cities and so forth. It hasn't happened much, you know, we've got only one or two instances of that, but it's one of those things that now the genie's out of the bottle, and it's going to be hard to put back. And so we do see more and more countries doing their versions of cyber commands, and looking at information operations, policies, and strategies and so forth. And so it is something that is growing, it's not just something for the major powers any more.
Dave Bittner: [00:16:08:10] Looking back, what would be the advice that you would give a younger version of yourself? Knowing what you know now, what would you tell a younger version of yourself who's just starting out?
Andrea Little Limbago: [00:16:19:10] Yeah, that's interesting. That's probably the reason why I come to this conference is that I talk to a lot of the younger women here and help and encourage them. Because we do need women to just keep pursuing this field and then want to stay in it. The mission is essential. I mean, you're getting back to geopolitical aspect of it, this is one of the most challenging fields of our time, and impactful.
Andrea Little Limbago: [00:16:36:22] Probably own you experience, and own your expertise. I think that women especially, even if they've gone through however years of education, still portrait it like other people may know more in the room. And so own your expertise, be more vocal about some of those aspects of it. Do all those things, you sit at the table, some of the basic things that we hear. But also you reach out and network more, and don't be afraid to do that. That's especially hard for introverts, which a lot of us in this field are. It's not natural for us to naturally you go up and talk. But, networking is almost underrated. Everyone talks about networking and the importance of it, and I feel like they think about that way more from like a sales or something like that. But networking's really important for just building communities, so that when you do struggle, or when you do hit some roadblocks, you've got that community to actually help build you up and keep you within the field.
Andrea Little Limbago: [00:17:26:00] And so for me now, like over the last year, one of the things I've been focusing on is expanding out and building out my network of both men and women that I know who work in various domains, industry academics, government, so that when any of us do actually start, you know, hit one of the challenges that we're all going to hit. You know, we heard that in the key note. You have a community there to support you. And so that's really, really important.
Andrea Little Limbago: [00:17:49:06] But, we need to be more vocal. I wish I'd started going out speaking and writing a lot sooner. Too often the women cybersecurity issue becomes something that is something for us, a problem for women to solve. It's also a problem for men to solve. Especially in this field, most of the executives are men. We need men at all levels to be allies. Which doesn't mean just saying, "Okay, we support diversity. We support women," and kind of stopping there. You need to actually do more than that.
Andrea Little Limbago: [00:18:12:04] And being an ally can be anything from, you know, on social media, like if you're re-tweeting something that someone else does as far as showing their expertise in that area. So being a sponsor of them. If you're in meetings. You know, all the data shows that when even have an idea, it usually tends to be taken over by someone else and they get the credit for it. Instead of that, if you see that happening step in and say, "Well, that idea that Lindsay said, you know, she's the one who actually--" and be vocal in that area and helping sponsor and promote the women. You know, we're not lowering the bar, we're not expecting to be treated differently, but just help. Be a much more explicit sponsor in that area.
Andrea Little Limbago: [00:18:48:01] It's amazing, just those little aspects like that can really go a long way to help elevate and amplify the voice of the other women, and that's what we really need. Because, again, we're only 10% of the workforce, we can't do it alone. We need that 90% to also help advocate. And I think that's, in many places, where we've been lacking so far. There are a lot of male allies. A lot of great male advocates. We need more.
Dave Bittner: [00:19:09:13] That's Andrea Little Limbago from Endgame.
Dave Bittner: [00:19:16:20] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance uses artificial intelligence to protect you, visit cylance.com.
Dave Bittner: [00:19:29:15] The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.