How were US agents in China compromised between 2010 and 2012? EternalBlue updates (including notes on WannaCry and EternalRock).

Dave Bittner: [00:00:00:03] I want to give a quick shout out to our latest Patreon supporters. Thank you so much for helping us do what we do here. If you want to help support the CyberWire, go to patreon.com/thecyberwire to find out more.

Dave Bittner: [00:00:14:24] The FBI and CIA are reported to be looking for the source of a compromise that shut down CIA agents in China between 2010 and 2012, hackers or moles, no one knows. Or was it just a tradecraft mismatch? WannaCry has been slowed, at least temporarily. Observers speculate the ransomware may have been a probe. Other uses of EternalBlue exploits look more focused and more disciplined and arguably more serious. And WikiLeaks dumps another leaked implant.

Dave Bittner: [00:00:47:23] Time to take a moment to tell you about our sponsor Recorded Future. You've heard of Recorded Future. They're the real time threat intelligence company. Their patented technology continuously analyzes the entire web, to give info sec analysts unmatched insights into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:52:09] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, May 22nd, 2017.

Dave Bittner: [00:02:02:18] The New York Times reported Saturday that Chinese counterespionage efforts from 2010 to 2012 rolled up CIA assets, agents recruited in China to collect information on that country, causing considerable damage to US intelligence efforts. It also had tragic consequences for those arrested, who are said to have been imprisoned and perhaps, in some cases, executed.

Dave Bittner: [00:02:26:09] This is an older case that's only now come to public light. The agents' identities were compromised in some fashion but whether by careless tradecraft routines, a mole in the US intelligence Community or successful hacking of US clandestine communications or data, is so far unknown. The compromise is being compared to the damage done by rogue CIA officer Aldrich Ames, arrested in 1994 and convicted of spying for the KGB, and treasonous FBI special agent Robert Hanssen, arrested in 2001 and convicted of betraying US agents to Russian intelligence services.

Dave Bittner: [00:03:04:14] In a more recent development, China's government has decided to put the brakes on new information security regulations its Cyberspace Administration was set to implement this coming month. The regulations would have imposed stringent security review and data sovereignty restrictions on companies doing business in China. The projected rules attracted a great deal of international resistance from industry groups. The ultimate outcome is, of course, unknown but at least in the short-term Chinese authorities have decided to listen to objections from some 50 organizations. Among those industry groups are the US Chamber of Commerce and the Business Software Alliance.

Dave Bittner: [00:03:42:18] WannaCry infestations slowed late last week but there are signs of an attempted revival as botnets assail the domain that sinkholed the ransomware. Looking back at the WannaCry incident, Russian banks, Britain's National Health Service and many, many Chinese users of unauthorized and unpatched Windows software seem to have been the most prominent victims. Preliminary and circumstantial attribution continues to focus on North Korea. In a statement at the UN, Pyongyang dismissed the accusations as "ridiculous," but of course we bet Pyongyang says that to all the boys and girls.

Dave Bittner: [00:04:18:17] The connection to North Korea runs through what investigators see as traces of Lazarus Group code in the campaign. The Lazarus Group of course being the North Korean state-criminal threat actor thought to have been involved in the Bangladesh Bank heist. Those skeptical about North Korean involvement point to the fact that the most severely affected countries were Russia and China, who seem on the face of it unlikely targets. But relations between North Korea and Russia and China have cooled of late and the WannaCry attack seems to have been indiscriminate more by mistake than design. There are reasons to suspect, however, that WannaCry may have been deliberately sloppy in its execution. Eric Schlesinger of security company Polaris Alpha this morning told the CyberWire that WannaCry might be considered "a shot across the bow," a probe to determine how vulnerable enterprises were to known but unpatched vulnerabilities.

Dave Bittner: [00:05:11:16] Cyphort and other security researchers report that EternalBlue, the exploits that enabled WannaCry, are being used to distribute a remote-access Trojan. The RAT appears to be establishing persistence in networks whence it could stage future operations. Unlike WannaCry, it's not ransomware and it's not a worm. It looks like espionage. There's also a WannaCry successor that uses seven of the tools dumped by the ShadowBrokers. The Croatian government's CERT has been observing and describing it. They call it "Eternal Rocks." It can be readily weaponized, not only with ransomware, but with a variety of RATs as well.

Dave Bittner: [00:05:50:13] We heard from Plixer's Michael Patterson, who sees the incident as the opening gun in a race between hackers and sys admins, the admins needing to patch the SMB file-sharing protocol before the hackers can infect systems. Patterson says, quote, "Once a device is infected, applying a subsequent patch does not remove the malware. The most effective way for security teams to monitor for any infected device is to leverage network traffic analytics to look for any historical Tor connections leaving the organization. EternalRocks uses a delayed Tor communication with a command and control server. By delaying the communications the bad actors are attempting to be more stealthy," end quote.

Dave Bittner: [00:06:31:09] There is some good news on WannaCry, however. It's been reverse-engineered and decryptors are now available from several sources. Malwarebytes has posted instructions on how to use them.

Dave Bittner: [00:06:42:22] There are other variants of ransomware out that are unrelated to WannaCry. "XData," a new strain of ransomware, hit Ukraine hard over the weekend, with signs of preliminary infections spreading to Estonian and German targets.

Dave Bittner: [00:06:57:21] And finally, where WikiLeaks and the ShadowBrokers get the material they're leaking remains an open question. WikiLeaks continues to disgorge the contents of its Vault7 with another document dump late Friday. This latest tranche continues WikiLeaks' recent concentration on alleged CIA tools, in this case an implant, "Athena," said to be capable of infecting Windows systems from XP to Windows 10. WikiLeaks' Julian Assange may be out from under the shadow of Swedish criminal law but the Americans continue to be interested in him and so Mr. Assange can be expected to maintain his residence in Ecuador's embassy to the United Kingdom. British police still have an eye on him, although a somewhat less focused eye now that Sweden has dropped its intentions to prosecute.

Dave Bittner: [00:07:45:02] For their own part, the ShadowBrokers still plan to open their Leak-of-the-Month Club to subscribers beginning in June. They're selling, still, what they claim are Equation Group, that is, alleged NSA, tools. Their most recent dump included the EternalBlue exploits used with significant, albeit ineptly executed, effect last week. The Brokers themselves say they are not interested in "stealing the grandmothers retirement money," but in doing battle with the Equation Group. So for a price you can subscribe to the club. We'll leave you with two good words, caveat emptor, buyer beware.

Dave Bittner: [00:08:25:03] And now a word about our sponsors at E8. We've all heard a great deal about artificial intelligence and machine learning in the security sector and you might be forgiven if you've decided that maybe they're just the latest buzz words. Well, no thinking person believes in panaceas but AI and machine learning are a lot more than just empty talk. Machine learning, for one thing, is crucial to behavioral analytics. You can't recognize the anomalous until you know what the normal is and machines are great at that kind of baselining. For a guide to the reality and some insights into how these technologies can help you, go to e8security.com/ai-ml and download E8's free white paper on the topic. It's a nuanced look at the technologies that have both future promise and present payoff in terms of security. When you need to scale scarce human talent, AI and machine learning are your go-to technologies. Once again, find out more at e8security.com/ai-ml. And we thank E8 for sponsoring our show.

Dave Bittner: [00:09:30:20] Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, with the recent story about the FCC rolling back privacy rules when it comes to ISPs, this has really brought the subject of VPNs to the fore. I thought maybe we'd just talk about some basics. It's nice to cover some of these things, start from the beginning. What is a VPN and why should you be using one?

Joe Carrigan: [00:09:54:08] Okay. So VPN stands for Virtual Private Network. And basically what it is, it's an encrypted tunnel between your machine-- it can actually be between any two points on the Internet. In the case of most commercial VPNs that users are going to use, it's a piece of software you install on your machine that then takes all of your network connection and encrypts it and sends it to one location on a provider's site.

Dave Bittner: [00:10:23:17] So the VPN provider's site?

Joe Carrigan: [00:10:24:14] The VPN provider's site, right. It's not really a site. Well, I mean, when you say site I think website but it's a computer that has a server that listens for your VPN connection, authenticates you as a valid user of the system and then all of your traffic is routed through their network. So it comes out of their network from wherever they want it to. And some of these VPNs, the one I use, I actually do pay for a VPN to use for my purposes and on my home computer it's on all the time. As a matter of practice I keep it on all the time.

Dave Bittner: [00:10:57:01] And so it's just running. You don't even notice that it's there.

Joe Carrigan: [00:10:58:24] I don't even notice that it's there, exactly.

Dave Bittner: [00:11:00:18] Okay, and what does this do for you in terms of privacy and security?

Joe Carrigan: [00:11:03:12] So in the case of what just happened with the, with the change of, of the rules, now my ISP is Verizon. Now, when Verizon watches my traffic, they don't see anything other than encrypted traffic from my computer to the VPN site. That's all they ever see coming out of my computer.

Dave Bittner: [00:11:21:13] So they can't tell where you're going, what you're visiting?

Joe Carrigan: [00:11:23:19] No. They don't know anything about that.

Dave Bittner: [00:11:25:12] They just don't know what you're up to?

Joe Carrigan: [00:11:25:20] They don't know what I'm up to and that means they can't gather, you know, marketing information on me and other things. I'm not saying that Verizon is going to do this, or any other ISP, although now that they can do it, you know, I would not be the least bit surprised if they monetized that.

Dave Bittner: [00:11:41:11] Sure. And if you're someone who's interested in privacy, you know, a few bucks a month seems like a decent investment to make.

Joe Carrigan: [00:11:47:09] Sure. Yeah, my, my-- the one I pay for costs me less than $40 a year and just to have the level of security that I think it provides, I enjoy it. I think it's a good value.

Dave Bittner: [00:11:58:20] All right. Interesting stuff, as always. Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:12:01:22] My pleasure, Dave.

Dave Bittner: [00:12:04:10] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. Thanks once again to all of our supporters on Patreon and to find out how you can contribute to the CyberWire go to patreon.com/thecyberwire. I want to remind you all to check out the Grumpy Old Geeks podcast where I join Jason and Brian for what is quite often a colorful and sometimes salty review of the week's cybersecurity news. We do have a lot of fun and you can find Grumpy Old Geeks wherever the fine podcasts are available. So, check it out. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.