The CyberWire Daily Podcast 5.24.17
Ep 356 | 5.24.17

Manchester bombing investigators look at bomber's network. EnSilo patches ESTEEMAUDIT. Cron cyber gangsters arrested. What we hear at the Cyber Investing Summit.

Transcript

Dave Bittner: [00:00:00:18] I got a message from a listener the other day that said the CyberWire is as much a part of his day as his morning cup of coffee. Well, for less than the cost of a cup of coffee, you can become a supporter of the CyberWire on Patreon. Visit patreon.com/thecyberwire and find out how. And thank you.

Dave Bittner: [00:00:20:00] The Manchester bombing investigation is looking closely at the bomber's networks, with international cooperation. NSA says it's waging cyber war against ISIS. FireEye gives us a rundown on some EPS zero days, and the Cyber Investing Summit opened with demonstrations of the use and abuse of misdirection in hacking.

Dave Bittner: [00:00:44:19] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company, whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily and, if it helps us, we're confident it can help you too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:41:17] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, May 24th, 2017.

Dave Bittner: [00:01:52:00] Investigation into the Manchester terror attack continues. ISIS has, of course, praised the attack as an inspiration, and claimed the bomber as a "soldier of the Caliphate." Authorities in the UK are increasingly approaching the conclusion that the attack wasn't the work of an isolated fanatic, but rather one carried out with some degree of encouragement, inspiration, and support from others. Police won't say yet whom they're looking for, but the investigation is reported to be concentrating on unraveling Abedi's network. One of the arrests made so far occurred in Libya. A counter-terrorism task force took Abedi's father into custody during a raid in Tripoli.

Dave Bittner: [00:02:31:03] France's Defense Minister has pledged closer intelligence cooperation with the UK, and such an arrangement was part of President Macron's projected policies during his campaign. US President Trump has also offered solidarity and collaboration. In testimony yesterday, before the US Senate, NSA Director Admiral Rogers said that the US was conducting extensive cyber operations against ISIS, doing everything possible within the scope of existing law. What those operations are, of course, remains unspecified.

Dave Bittner: [00:03:03:00] Remediations for the EternalBlue exploits used by WannaCry and other campaigns continue to appear. One notable one was announced earlier today. Security firm EnSilo released a patch it devised for one of the more significant EternalBlue vulnerabilities. Their work closes off ESTEEMAUDIT, which had been used to exploit Windows XP and Windows Server 2003. So bravo, EnSilo.

Dave Bittner: [00:03:28:18] Another noteworthy patch was issued yesterday by Trend Micro, who have fixed a serious vulnerability in their ServerProtect for Linux 3.0 product. Trend Micro offered a tip of the hat to Core Security, whose researchers found and reported the bug.

Dave Bittner: [00:03:44:14] Ben Reed is an analyst at FireEye iSIGHT Intelligence, working on their Espionage Research Team. They recently discovered some zero days taking advantage of a flaw in the way Microsoft software handled EPS files. He joins us to share their findings.

Ben Reed: [00:03:59:10] So we've got a total of three vulnerabilities being exploited in the wild, sort of before patch or as zero days. There were two EPS vulnerabilities that allowed remote code execution and there was one escalation of privilege vulnerability. So one of the EPS vulnerabilities, CVE-2017-0261, was actually being used by two different groups. One of the groups we track as Turla. They are a Russian cyber espionage group. They have been around for a long time. Probably up to 20 years. They're sort of one of the old ones on the block. So they were using the zero day to drop their signature Shirime malware, and they used it against a European diplomatic target. The second group using this vulnerability was an unidentified group we hadn't seen before, but they were targeting Middle Eastern banks. So they were hitting both regional banks, sort of based in the Middle East, and the Middle Eastern branches of global banks.

Ben Reed: [00:04:58:17] The second set was activity by APT28 which people are hopefully familiar with. If you're interested enough to be listening to this podcast, you probably have heard of APT28. So they actually associated with the hack of the DNC - a long time espionage activist, also acting in support of Russian goals. They were targeting again European military entities and diplomatic entities, things like Ministry of Foreign Affairs, Ministry of Defense, and the sample we recovered from them actually was exploiting two different zero days. This was CVE-2017-0262 and 0263; 0262 was also exploiting a vulnerability in how Microsoft Office handles EPS files. The same as 0261. Different ways they handle EPS files, so very different vulnerabilities. Not linked. And they also bundled that with an escalation of privilege vulnerability. So they were using two zero days in this one campaign. So that's a lot of firepower in one document, so likely these were targets that were of high value to them.

Dave Bittner: [00:05:59:05] These are out in the wild. What are the recommendations for making sure that people are protected against them?

Ben Reed: [00:06:06:05] If you apply Microsoft's latest patch, you will be protected. We worked with Microsoft on following responsible disclosure guidelines, so we let Microsoft know as soon as we found these. They were able to patch them quickly, and so this past Patch Tuesday, which I think was May 9th, there were patches released. So if you install those patches you will be protected. There are two interesting things that I think it's worth pointing out. The first is about 0261. It was used by both a nation state group and a likely financially motivated group, which tells us some interesting things about the gray market and vulnerabilities. Both vulnerabilities were implemented very similarly, where it looks like they sourced the vulnerability from the same place. So somebody out there is selling to both the Russian government and to criminals. So it's interesting to see that both criminals had access to some of the highest caliber stuff out there, but also that this vulnerability market is fluid. So that's one point.

Ben Reed: [00:07:03:16] There's been some discussion about APT28, and this is casting a little bit of a straw man, but there's been talk that, "Hey, if there is this big bad Russian group, why are they using things like credential stealing? I can stand up a website that looks like Google and tell somebody to go to it." But this shows this group following the same patterns that we track, following all the things that lined up with attributing to them, using two zero days in one thing. So they really can bring their fastball. However, they only use these valuable things and expose these vulnerabilities to being patched when they need to. If they can get in using just credential stealing or a document with a macro, they'll do that.

Dave Bittner: [00:07:44:01] That's Ben Reed from FireEye.

Dave Bittner: [00:07:48:11] Taking a quick look at our CyberWire events calendar. If you're going to be in Seattle on the 1st of June, consider looking into that city's Cyber Security Summit. You'll get the skinny on the latest threats and solutions from the US Department of Justice, CenturyLink, root9B, IBM and others. Register with promo code CyberWire50 for half off your admission. The regular price is $350, so it's a nice savings. Another conference you might be interested in meets June 19th in Fairfax, Virginia. CyberTech Fairfax will cover global cyber threats, solutions, innovations and technologies. And, if you're looking to continue your professional education in cybersecurity, did you know that the SANS Institute offers a Master's Degree? They do. Find out more in their free online session Tuesday, June 13th at noon Eastern Daylight Time, or visit sans.edu.

Dave Bittner: [00:08:39:05] We spoke a minute ago of the possibility that WannaCry was misdirection for some other, possibly more serious, campaign. In cyberspace, the possibility of misdirection should never be dismissed out of hand. We saw some of that yesterday in New York at the second annual Cyber Investing Summit. The once notorious hacker, Kevin Mitnick, now famous and much petted since turning in his black hat for a white hat and signing on with KnowBe4, gave an opening keynote in which he traced his own interest in hacking to a high-school period in which he was interested in magic. We mean, of course, conjuring, like the Amazing Randi, not real magic like you see in Harry Potter. He showed the uses of misdirection in several live demonstrations. We'll just say this. If Mitnick comes within three feet of you, he's probably remotely read the various cards you carry with you to open doors. We'll have more on the Cyber Investing Summit in tomorrow's CyberWire, but until then we've got our eye on you, Mitnick.

Dave Bittner: [00:09:37:05] Finally, Russian police are said to have rolled up members of the "Cron" gang on a beef involving the sale of the Tiny.z Android banking trojan and the PonyForx Windows spyware. The CyberWire heard from AlienVault's security advocate, Javvad Malik. He said the Android trojan in particular is a good reminder of the growing threat to mobile security, and there are things users do that render them more vulnerable than necessary, like jailbreaking their phone, downloading apps from unofficial third-party stores, or indiscriminately clicking links in unsolicited emails or SMS messages. He said, "Users should be wary of what permissions an app is asking for, and exercise caution where excessive permissions are being sought." Heard and noted. So don't try any of that stuff on us, Mitnick.

Dave Bittner: [00:10:29:24] A few words about our sponsors at e8 Security. If you've been to any security conference over the past year, you've surely heard a lot about artificial intelligence and machine learning. We know we have. But e8 would like you to know that these aren't just buzzwords. They're real technologies, and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data. Go to e8security.com/ai-ml and let their white paper guide you through the possibilities of these indispensable emerging technological tools. Remember, the buzz around artificial intelligence isn't about replacing humans. It's really about machine learning, a technology that's here today. So see what e8 has to say about it, and they promise you, you won't get a sales call from a robot. Learn more at e8security.com/ai-ml. And we thank e8 for sponsoring our show.

Dave Bittner: [00:11:27:13] And I'm pleased to be joined once again by Jonathan Katz. He's a Professor of Computer Science at the University of Maryland and also a Director of the Maryland Cybersecurity Center. I saw an article in Naked Security that was called 'Internet Routing Weaknesses Could Cost Bitcoin Users.' What's going on here?

Jonathan Katz: [00:11:42:18] Well, the bitcoin protocol fundamentally relies on the assumption that different users in the network are able to communicate with each other. So, in particular, it's very important for the consensus mechanism that bitcoin uses. It allows everyone to agree on a consistent view of transactions in the system and, if you can partition the network into two disconnected halves, or if you can partition a user from the network, it could have serious implications for the security of the bitcoin protocol.

Dave Bittner: [00:12:11:01] So walk me through. What exactly would that mean from a practical point of view?

Jonathan Katz: [00:12:15:04] Well, what they were showing here was that, under certain conditions, your ISP, if they were malicious, could actually induce this kind of a disconnection in the network. So, for example, they could look at things that you're trying to send if you're a bitcoin miner and they could refuse to forward those to the rest of the network, or they could choose to partition the network into two halves that couldn't communicate with each other. So, looking at the first case, for example, that would mean that a bitcoin miner that had been able to find one of these proofs of work that effectively allow them to mine fresh bitcoin would not be able to communicate that with the rest of the network and that would mean they would lose out on those bitcoin that they had mined. So, basically, an ISP that really disliked or wanted to get at one particular user could, in effect, make it impossible for that user to ever mine for a bitcoin.

Dave Bittner: [00:12:59:23] And so once a user got segregated, got forked from the main fork of bitcoin, I suppose, is there no way to join them back together again?

Jonathan Katz: [00:13:10:02] So they can. I think, actually, this attack is pretty theoretical and, for several reasons, I doubt it's very practical. I think the main point, something that you're hinting at, is that the user would certainly notice. So it might be possible for an ISP to carry out this attack, although I think it's unlikely because, if they were ever caught doing that, it would really risk a lot of business for them. But, anyway, it would certainly be possible but then the user would notice and they would then have to switch ISPs to get reconnected to the network. So it's not something that would be catastrophic for the user but, until they noticed, it would certainly be very damaging.

Dave Bittner: [00:13:44:16] The way bitcoin works is that it can resolve these forks automatically when people reconnect, correct?

Jonathan Katz: [00:13:49:15] That's true. But let me just say that it would be pretty bad if that disconnection went on for a long time. So let's just say that this was going on undetected for, I don't know, let's say a two-week period. Well, eventually the network would re-stabilize and everybody would be able to agree again on a common set of transactions. But any transactions that had occurred in that two-week period might get undone. So even though you could eventually recover, it would certainly be bad for the network as a whole.

Dave Bittner: [00:14:15:17] I see. All right. Interesting stuff. Jonathan Katz, thank you for joining us.

Dave Bittner: [00:14:25:01] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thank you for listening.