The CyberWire Daily Podcast 7.7.17
Ep 386 | 7.7.17

NotPetya still looks like an act of state; intended result or not, companies warn of possible material effect from the attack. Another S3 database found exposed.

Transcript

Dave Bittner: [0:00:01] The CyberWire podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at patreon.com/thecyberwire.

Dave Bittner: [0:00:13] NotPetya still looks like a Russian campaign to Ukrainian authorities. And experts remain skeptical that affected data can be recovered. Companies warn that NotPetya may have a material effect on earnings. WikiLeaks dumps Gyrfalcon and BothanSpy documents from Vault 7, and pro wrestling fans now have something in common with registered voters, data.gov.uk and the National Geospatial Agency.

Dave Bittner: [0:00:44] Time to take a moment to tell you about our sponsor, Recorded Future, the real-time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cybersecurity analysts unmatched insight into emerging threats. We read their dailies here at The CyberWire, and you can, too. Sign up for Recorded Future's cyber daily email to get the top-trending technical indicators crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and more. Subscribe today and stay ahead of the cyberattacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid, and it's on the money. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [0:01:45] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, July 7, 2017.

Dave Bittner: [0:01:56] Ukraine hasn't backed off from attributing the NotPetya campaign to Russia. We'll speak a bit later with WIRED senior writer Andy Greenberg, who's taken a long look at Russia's hybrid war against Ukraine and learn why he thinks this conflict has been a testing ground for the Russian way of war in cyberspace and elsewhere. The relatively small amount of ransom paid in the course of this global attack - a bit more than $10,000 since the beginning of the attack according to reports - was moved on Tuesday from the Bitcoin Wallet nominally established to collect payment. People who claimed responsibility for the malware surfaced in dark web chat rooms to offer decryption for 100 bitcoin - slightly more than $260,000 - but their offer has been met with general skepticism. Petya's author released decryption keys for the ransomware's original form. That won't help victims of NotPetya, which is now understood to be a distinct bit of malware masquerading as Petya.

Dave Bittner: [0:02:56] It's generally agreed that NotPetya spread initially from a compromised software update for MEDoc tax accounting software, widely used in Ukraine. BleepingComputer reports, sourcing Cisco and others, that MEDoc's vendor, Intellect Service, had been backdoored three times and that it hadn't updated its servers since 2013. The other damage the malware did around the world may have been simply collateral damage or perhaps welcome gravy from the attacker's point of view. Recovery proceeds and affected companies are still seeking to get a handle on the extent of their financial hit. In some cases, losses may prove material. That is, investors take note. This may involve a hit to revenue and share price. The companies who sustained NotPetya infections found their IT far more affected than their OT. That, of course, could change with subsequent evolution of such threats.

Dave Bittner: [0:03:51] Maersk, the shipping industry leader that was particularly troubled by NotPetya, is not among those companies who found deficiencies in their security practices. Robbert van Trooijen, Maersk's Asia Pacific chief executive, said in a call to reporters on Friday, quote, "there was nothing in terms of patches that we missed. There was no cybersecurity measures that we didn't take. So we were already in quite a strong position" - end quote. Van Trooijen also said that Maersk did not believe it was specifically targeted. So in the company's view, the incident was the adventitious result of global infestation.

Dave Bittner: [0:04:29] Maersk says it's too soon to quantify the malware's effect on quarterly revenue. The company said the disruptions it experienced had little effect on the physical handling of cargo. Instead, NotPetya's effect on the 76 ports that Maersk operates was to disrupt documentation and data flow, including customs and cargo release processes, which led to congestion and caused some customers to cancel orders. How many cancellations isn't clear yet. Maersk continues to assess the damage.

Dave Bittner: [0:05:00] On Thursday, WikiLeaks continued its weekly dump of alleged CIA tools with documents purporting to describe two implants, Gyrfalcon for Linux and BothanSpy for Windows. The alleged Linux implants still are regarded by many observers as a novelty, but their utility in compromising servers also makes them an obvious sort of move. As has been the case with The Shadow Brokers' release, there is no plausible public explanation yet of how WikiLeaks is getting its material.

Dave Bittner: [0:05:33] The professional wrestling impresarios at the WWE this week disclosed a breach on customer data. Researchers at security firm Kromtech found an unprotected database on - you guessed it - Amazon Web Services that contained personal data for about 3 million wrestling fans. The database didn't include, according to the WWE, passwords or credit card data. But Forbes reports that it sure contained a lot of other stuff. Among that stuff would be home and email addresses, earnings, birth dates, ethnicity, children's age ranges and gender. WWE said the exposed database has now been secured and that the WWE is working with Amazon Web Services and cybersecurity companies Smartronix and Praetorian to manage data infrastructure and cybersecurity and to conduct regular security audits.

Dave Bittner: [0:06:26] We've heard, of course, from industry experts on the matter. Ryan Wilk of NuData Security notes that this is the third exposure - what he calls a non-breach breach - of sensitive data in less than a month. He lumps it in with the experience of Deep Root Analytics and data.gov.uk. We might add, the contractor exposed data belonging to the National Geospatial Agency. Wilk says, "the incident continues to show that sophisticated hacking is not required to obtain troves of identity data that can be used to create fraudulent identities or access online personas. We have hit a turning point where financial and identity cybercrime has become something that a person with the most basic computer skills can dabble in" - end quote. The kind of data collected in this incident are, of course, the sorts of things marketers want to know, but they need to take better care of it.

Dave Bittner: [0:07:16] Another way of summarizing the issue is this, courtesy of our wrestling desk.

(SOUNDBITE OF BELL)

Unidentified Person: [0:07:22] (Impersonating WWE wrestler) Brother, if you fail to secure your data on S3, whether you think you're a face or a heel, exposing your data on AWS makes you what the late "Classy" Freddie Blassie would have called a pencil-neck geek.

Dave Bittner: [0:07:36] So don't be one.

Dave Bittner: [0:07:42] Now I'd like to tell you about some research from our sponsor, Delta Risk. We all depend on the power grid. You've heard a lot over the last few months about the grid's vulnerability. CrashOverride, in particular, threw a scare into the energy distribution sector. It's a real threat, and its masters demonstrated what they can do last December in Ukraine. Even a minor disruption to the power grid could be devastating to all of us. Download Delta Risk's new white paper, "Cyber Security and the Grid: The Definitive Guide," for insight into how the North American power grid works, an overview of current regulations and a look at potential cyberthreats. You'll find the guide at deltarisk.com/grid-whitepaper. Delta Risk LLC, a Chertoff Group company, is a global provider of strategic advice, cybersecurity and risk management services to commercial and government clients. Learn more about Delta Risk by visiting deltarisk.com. And while you're there, get that guide to cybersecurity for the grid. It's deltarisk.com/grid-whitepaper. And we thank Delta Risk for sponsoring our show.

Dave Bittner: [0:08:54] Joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute, and he also hosts the Internet Storm Center's "StormCast" podcast. Johannes, welcome back. We wanted to touch base today about NoSQL database security. What do we need to know about that?

Johannes Ullrich: [0:09:10] Well, NoSQL databases are a new generation of databases that distinguish themselves by being cheaper, simpler and most of all faster than traditional databases. They don't have a lot of these features that the traditional databases pride themselves on, like consistency or being able to relate large data sets. Instead, they're very simple and fast lookup databases. That makes them very popular, for example, for web applications.

Johannes Ullrich: [0:09:42] Now, from a security point of view, the problem is that when they started removing features from these databases, they also removed a lot of the security features that you're accustomed to from databases. For example, some of these databases may not have the authentication or encryption options that you're used to from these more traditional, larger databases. And that led to some large breaches recently, for example, Cloudpets, a company that does offer little stuffed animals that your kids can talk to. Now, in that case, the database that hosted all the voice snippets from these kids talking to these pets was exposed and was available for everybody to download.

Dave Bittner: [0:10:28] So what are some of the options for securing a NoSQL database?

Johannes Ullrich: [0:10:32] The problem with NoSQL databases is that there are so many of them. There are literally dozens of different databases. You certainly should not allow any network access to these databases aside from very restricted internal systems. The tricky part here is that, of course, often these databases are hosted in the cloud. And that may put some requirements forth where you do need to connect to a database across the network.

Johannes Ullrich: [0:10:59] So you have to be really careful how you configure this. And then educate yourself. Before you implement a database like this, make sure you read the actual manufacturer's - the vendor's security guidelines and implement whatever security features there are, even if they may be a little bit less than what you're used to.

Dave Bittner: [0:11:18] So even with these limitations, there are some benefits for using a NoSQL database.

Johannes Ullrich: [0:11:24] Yes, there are benefits. You know, there's, for example, speed. For example, on web applications, one problem is where do you store all this vital (ph) user information that you need to store as the user browses your site - like, for example, the shopping cart and the like? Some of these databases allow you to store all of this in memory, which of course is very fast and makes the application work a lot better.

Dave Bittner: [0:11:50] All right, interesting information. Johannes Ullrich, thanks for joining us.

Dave Bittner: [0:11:58] And now a few words about our sponsor UMBC, the University of Maryland Baltimore County. That world-class university just to our south has a question for you. In a world where over a quarter million cybersecurity jobs are unfilled, what are you waiting for, especially if you're living in this part of the world because a lot of those million-plus jobs are right here. UMBC grads are well-prepared and in demand. Apply now for Fall 2017 cybersecurity degree and certificate programs. Get all the application details at umbc.edu/cybersg, and start down the path to becoming the qualified and experienced cybersecurity professionals the industry needs right now. That's umbc.edu/cybersg. What are you waiting for? Check it out. And we thank UMBC for sponsoring our show.

Dave Bittner: [0:12:57] My guest today is Andy Greenberg. He's a senior writer at WIRED. And his cover story, "Lights Out," appears in the July issue on newsstands and available online now. The story describes the recent cyberattacks against Ukraine, specifically the attacks against their electrical grid and the implications those attacks could have on critical infrastructure around the world. Andy Greenberg joined us from New York. And I began our talk by asking about his trip to Ukraine.

Andy Greenberg: [0:13:25] You know, I write a lot about theoretical cybersecurity research - also real attacks but usually from a sort of analyst's perspective. And so I went in part just to try to tell this from the victim's perspective. I wanted to find Ukrainians who could tell me about the experience of cyberwar - like, what it felt like to have the power turned out in your home or to be in an institution, like an electric utility or a government agency, when it came under this sort of long series of cyberattacks.

Andy Greenberg: [0:13:53] And it turned out that I was very lucky to find that one of the main Ukrainian researchers who has been following this whole sort of epic hacking spree had had the power turned out in his home. So that tied things together really nicely. And Oleksii Yasinsky at this company ISSP became one of the main characters in this story.

Dave Bittner: [0:14:12] I'm curious. From your perspective, how much do you think this is the Russians sort of trying to get inside the heads of the people in Ukraine, and how much of this is a message to the rest of the world?

Andy Greenberg: [0:14:25] I think it's really tough to say which it is of those two things. I think it's both. They are trying to wage a hybrid war on Ukraine. I mean, the war in the east of Ukraine is certainly not signaling to the rest of the world. That's a real war that Russia is waging to weaken, I think, what it sees as a potential threat to its sphere of influence. It doesn't want to have a kind of Western-style, NATO-friendly democracy right on its border. So it's trying to weaken Ukraine with those kinds of kinetic attacks. But then, I think that the hacking is part of that, too. And it wants Ukraine to look like a failed state. And I heard that from Ukrainian officials that I spoke to. That's how they see a lot of this.

Andy Greenberg: [0:15:03] It was really only Oleksii Yasinsky, among all the Ukrainians, who focused the most on the idea that this was actually just training, that Russian hackers were using Ukraine as a training ground, which I think is probably the bigger picture. If you look at some of these attacks, like the use of this CrashOverride malware to take down a fifth of the electric capacity of Kiev for just one hour, you have to imagine that they wouldn't have put so much time, so many man hours and resources into building this really impressive piece of code just to take down the power for one hour. That seemed like a test run of something they're going to want to use again. It does seem like part of what Russia must be doing is trying to rattle a sabre as well and show the West what it's capable of.

Andy Greenberg: [0:15:47] I think, in fact, that there are probably three things that Russia is trying to do, which is to weaken Ukraine, to test its capabilities and hone them and then probably to show the United States - or anybody else who has these same kind of capabilities - that it can do the same and that it wants that to serve as a sort of digital deterrence if that's possible.

Dave Bittner: [0:16:06] Do you think Ukraine is simply outgunned? And what is the sense of the defensive capabilities of, say, the United States versus what Ukraine is capable of?

Andy Greenberg: [0:16:15] It definitely seems like Ukraine is outgunned. You know, I didn't hear much about Ukraine firing back in any kind of concrete way - or even being able to defend themselves. It seems like they're just constantly remediating the last attack. And of course, as soon as my piece came out, there was this whole Petya/NotPetya ransomware that just completely flipped the country upside down again. It does seem like Russian hackers - if these are in fact Russian hackers, and every piece of evidence suggests that they are - are just running circles around the Ukrainian defenders.

Dave Bittner: [0:16:47] In the article, you mentioned how it seems as though perhaps they're testing not only the Ukrainians but the rest of the world to see how far they can go before there's pushback and what kind of pushback there will be.

Andy Greenberg: [0:17:00] Definitely. I mean, I think you can kind of see that when - well, now that we know that it was supposedly a grassroots hacker group called CyberBerkut that, in 2014, hacked the Central Election Commission in Ukraine and tried to spoof the election results. And they almost got away with it. So they did that in 2014.

Andy Greenberg: [0:17:17] Then, they eventually, in 2016, tried to hack the organizations involved in the U.S. election. You can kind of see that because they weren't censured in any way after that 2014 Ukraine election attack, they sort of escalated it and tried it on the West. And that's a sign that maybe they're doing the same thing now, that they're trying something out in Ukraine to see what the diplomatic response of the world is going to be before they risk it somewhere where there may be retaliation. Or you know, if they do the kind of power grid attack that they did in Ukraine on the United States, there would certainly be retaliation.

Andy Greenberg: [0:17:50] But you know, they, I think, did learn something by the fact that they were able to do that twice in Ukraine with no diplomatic repercussions. They're facing sanctions for their invasion of Crimea and eastern Ukraine. There's been no hacking-specific sanctions at all. It does seem like they're testing what they can get away with, and they're getting away with a lot.

Dave Bittner: [0:18:09] What are the take-homes for you? In the process of writing this article, what are the things that surprised you? What are the things that, looking forward, do you think need to be addressed?

Andy Greenberg: [0:18:18] I approached this story, to begin with, as a sort of foreign case study. What can Russian hackers do when they show no restraint? - is what I thought the Ukraine piece was going to be about. When I started to see that there were signs that this group first had planted BlackEnergy on American utilities in 2014 and that they were - you know, the theory was that they were testing this stuff to try it against the West in the future, the scope of it did expand. I was ready for this to be a story about Ukraine, and it very quickly became one, I think, about Russia and the world.

Andy Greenberg: [0:18:48] But then the big surprise, of course, is that the week after we published this piece, the whole Petya/NotPetya ransomware outbreak happened. I mean, I wrote in the story that there's a sort of cycle to these things that, in the first half of the year, this hacker group plants its seeds. And then they sort of bring them to fruition with big attacks at the end of the year. And that had happened definitely in 2015 and in 2016. And ISSP, the Ukrainian firm, was telling me that they expected that in 2017 as well.

Andy Greenberg: [0:19:16] Some of the Ukrainians I've spoken to think that this is because of our story, although I don't know if that's true. These hackers, if they are the same group - and the Ukrainian government now says they are - they sort of expedited the whole process and blew up their targets in the middle of the year, even did this to Ukrenergo and Kyivenergo, these two power utilities, which seems to be kind of burning their access to cause immediate damage. And so that's a surprise.

Andy Greenberg: [0:19:41] And, I mean, of course we're still figuring out what happened with this whole ransomware epidemic. But it's hard to understand the motivations of this group if they could have laid low until the end of the year or whenever they wanted to and caused another blackout or a series of blackouts or other attacks. So I don't know. I'm still trying to figure out how this latest set of attacks plays into the larger Sandworm playbook. I think we'll just have to stay tuned as that unfolds.

Dave Bittner: [0:20:05] That's Andy Greenberg, senior writer at WIRED. His cover story, "Lights Out," is in the July issue, which is on newsstands and available online now.

Dave Bittner: [0:20:18] And that's The CyberWire. Thanks to all of our sponsors who make The CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com.

Dave Bittner: [0:20:30] Don't forget to check out the "Grumpy Old Geeks" podcast, where I'm a regular contributor to a security segment. We call it Security, Ha. You can find the "Grumpy Old Geeks" wherever all the best podcasts are listed. And also, don't forget to check out the "Recorded Future" podcast. I'm the host of that one as well. That's at recordedfuture.com/podcast. The focus there is threat intelligence. We think it's worth your time, so check it out.

Dave Bittner: [0:20:52] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. The executive editor is Peter Kilpe. And I'm Dave Bittner. Have a great weekend, everybody. Thanks for listening.