The CyberWire Daily Podcast 9.22.17
Ep 440 | 9.22.17

Hacks shake confidence in financial system. FinFisher using MitM. CCleaner backdoor had specific targets in mind? US Forces Korea debunks bogus NEO warning. Locky masters like Game of Thrones. nRansomware asks for a different kind of payout.


Dave Bittner: [00:00:01:08] The CyberWire podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at Patreon dot com slash the CyberWire.

Dave Bittner: [00:00:13:19] The EDGAR breach is seen as a blow to confidence in financial systems. Credit bureaus receive heightened scrutiny after the Equifax breach. FinFisher campaign suggests ISPs may have been compromised. The backdoor in CCleaner seems to have targeted specific companies. US Forces Korea personnel receive a bogus noncombatant evacuation order. Someone behind Locky watches a lot of Game of Thrones. And poor Thomas the Tank Engine would never do what some skids show him doing.

Dave Bittner: [00:00:48:10] It's time to take a moment to tell you about our sponsor Recorded Future. RFUN 2017 is back and Washington DC's got it. Join Recorded Future and other leaders in the threat intelligence space this October fourth and fifth. Get industry insight, hear from top cybersecurity and corporate strategy experts as they share their ideas and experiences. Teresa Shea, now of In-Q-Tel, formerly NSA's Director of SIGINT; the Grugq, expert in most things Infosec, and a connoisseur of intelligence and info operations; Mike Cole, author and cyberthreat intelligence analyst with a major Metropolitan Police Department; Priscilla Moriuchi, former enduring threat manager for East Asian and Pacific at NSA; and finally Robert M. Lee, founder and CEO at Dragos Security and National Cybersecurity fellow at the New America think tank. And say hello to us, the CyberWire. We'll be there and podcasting from the floor on the fifth. If you're a threat intelligence enthusiast, register now at Recorded Future dot com slash RFUN. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:59:22] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner, in Baltimore with your CyberWire summary for Friday, September 22nd, 2017.

Dave Bittner: [00:02:10:24] The breach of the US Securities and Exchange Commission's EDGAR system has spooked investors and legislators alike. It's being called a blow to confidence in the US financial system; how serious a blow remains to be seen. The financial sector has long been a leader in adopting such security measures as threat information sharing, encryption, and fraud detection, and the SEC as one of that sector's principal regulatory bodies has pushed for more attention to cybersecurity and risk management in the entities it oversees. It is the SEC, for example, that has moved publicly traded companies to explicitly address cyber risk in their regular 10-K filings. As is so often the case when a high-profile breach is disclosed, closer scrutiny reveals that the Department of Homeland Security had warned the SEC of unaddressed vulnerabilities back in January, and a Congressional study released this July in which the Government Accountability Office found the SEC had failed to fully implement eleven security recommendations made two years ago.

Dave Bittner: [00:03:13:20] These are embarrassing, but not directly related to the breach, which seems to have taken place and been detected last year. It was only last month, however, August 2017, when the SEC realized that whoever hacked EDGAR probably was able to execute illicit insider trades based on early knowledge of the still non-public material information they found there. The hackers did obtain data that would have given them an illegal advantage in trading stocks. How much they may have made on such speculation remains unknown, as does the identity of the "threat actor" that found its way into EDGAR. Nation-states, terrorists, and ordinary criminals are all possibilities, and little that's been made public would incline one to choose one category over another.

Dave Bittner: [00:03:59:19] The SEC breach announcement feels like the second haymaker in a one-two punch whose first blow came two weeks ago when the credit bureau Equifax got around to disclosing that its own systems had been penetrated. But the risks the two cases involve are quite distinct. The SEC says that no personally identifying information was compromised, but with Equifax personal data was stolen with a vengeance. Here too, there's no clear indication of who might have been responsible. It now seems that whoever hit Equifax spent several months carefully establishing their presence in its systems. They started working their way into its networks at least as early as March 10th of this year. According to Ars Technica, Mandiant, the FireEye unit Equifax has brought in to clean up, says it's detected roughly 35 IP addresses the attackers used to access the company's network. The attackers' identity is still unknown, and Mandiant has so far not found any signs that point to known threat actors.

Dave Bittner: [00:05:00:19] FinFisher spyware, the controversial lawful intercept product, has been romping lately in the wild. Security firm ESET warns that ongoing campaigns distributing the FinSpy surveillance tool have features that suggest some Internet service providers may have been compromised to distribute the lawful intercept product to its targets by man-in-the-middle attacks. In the past FinFisher spyware has typically been spread by spearphishing, watering-hole attacks, physical access, or zero-days, so compromised ISPs represent a departure.

Dave Bittner: [00:05:34:20] Investigation into the supply chain's insinuation of a backdoor into Avast's CCleaner security product moves toward the conclusion that the effort was more closely targeted than initially believed. Cisco thinks the hackers were after a relatively small number of large companies: Intel, Microsoft, Linksys, D-Link, Google, Samsung, Cisco, O2, Vodafone, and Gauselmann.

Dave Bittner: [00:05:59:06] Things are tense in the Korean peninsula, but not yet so tense that US civilians are being evacuated. US Forces Korea says the text and social media messages that yesterday appeared to be a Noncombatant Evacuation Order telling US civilians to leave South Korea at once was a hoax. Responsibility has not been determined. It could be a state actor (with Pyongyang the obvious suspect) but a freelancing skid doing it for the sick lulz is just as likely, maybe even more likely. In any case, US Forces Korea was quick to squash the rumor.

Dave Bittner: [00:06:35:15] Finally, we all know that ransomware is a problem. We heard late this morning from Phishme, the security company who's been tracking the latest rounds of Locky phishing infestations. Phishme's noticing that those responsible for the ransomware attacks seem to watch an awful lot of Game of Thrones. Any suggestion, however, that the extortionists are white walkers is probably unfounded. Still, today is the autumnal equinox, which does mean that winter is coming.

Dave Bittner: [00:07:03:10] And, in what could be categorised as "simply inevitable," MalwareHunterTeam researchers have found a strain of ransomware that demands nude pictures of the victim, not Bitcoin, as its ransom. The newly classified malware, called "nRansomware," is actually a screenlocker that doesn't encrypt files, which leads some to classify it as more prank than criminal enterprise. Still, it's deplorable. The extortion message reads in part, "Your computer has been locked." It then tells the victim to email the hackers, and it goes on to explain, "After we reply, you must send at least 10 nude pictures of you. After that we will have to verify that the nudes belong to you." This message is displayed over a picture of Thomas the Tank Engine uttering a demotic oath enjoining parthenogenesis in the coarsest terms possible, and that seems just wrong, since no very useful engine would say any such thing. Sir Topham Hatt, call your office and get your barristers working on a copyright injunction. By the way, we think the extortionists may be less than pleased should they get what they're asking for. I mean, suppose they hit up some lame security guy, the kind of Captain Obvious who tells people that "password" is a bad password? You're setting yourself up for maximal aesthetic insult, skids, you may get more than you bargained for but exactly what you deserve.

Dave Bittner: [00:08:29:20] A brief note about our sponsor E8 Security. We've all heard a lot about artificial intelligence and machine learning. Hey, who of a certain age doesn't know that Skynet achieved self-awareness and sent the Terminator back to take care of business? But that's science fiction, and not even very plausible science fiction. But the artificial intelligence and machine learning E8 is talking about aren't science fiction at all, and they're here today. E8's white paper, available at E8 Security dot com slash CyberWire, can guide you through the big picture of these still emerging, but already proven technologies. We all need to turn data into understanding and information into meaning. AI and machine learning can help you do that. See what they can do for you at E8 Security dot com slash CyberWire and we thank E8 for sponsoring our show.

Dave Bittner: [00:09:22:23] Joining me once again is Malek Ben Salem. She's the senior manager for Security Research and Development at Accenture Labs. Malek, welcome back. You have a new attack vector that you wanted to describe for us today. What do we need to know?

Malek Ben Salem: [00:09:36:05] Yes, thanks, David. Yes, this is a new attack vector that leverages the energy management model that's running on any device to conduct a cyberattack. So we know that devices have a dynamic voltage and frequency scaling model that basically regulates the energy consumption on the device. The operating frequency and the voltage can be configured via memory mapped registers from software, as well as with some hardware. It turns out that these software registers can be leveraged to launch an attack against the TPM or the trusted zone on the device. An attacker can stretch the operational limits of the energy components, meaning changing the frequencies or the voltage of the device and that can introduce, or induce the system to fault. And those faults can be used to break the security properties of the system, including confidentiality and the integrity of the code running within the TPM environment.

Malek Ben Salem: [00:10:49:14] Now what's unique about this attack is that unlike the traditional attacks, which require an attacker to be in physical proximity of the victim's system, or they may need special equipment to conduct the attack, here, the attacker does not need any of that. They don't need to be close to the device. They don't need to have special equipment. They can launch the attack just through software, and this attack has been demonstrated on devices, on ARM devices, so the attack can impact hundreds of millions of devices.

Dave Bittner: [00:11:26:21] So has this attack been seen in the wild, or is it merely at a stage of a proof of concept?

Malek Ben Salem: [00:11:32:07] No, this is in the stage of a proof of concept. It has been demonstrated at the USENIX Security conference in August this year, for the first time. So this is really a totally new, completely new attack vector that was demonstrated by researchers from Columbia University.

Dave Bittner: [00:11:53:21] Interesting stuff, as always. Malek Ben Salem, thanks for joining us.

Dave Bittner: [00:12:01:24] Now I'd like to take a moment to tell you about our sponsor Domain Tools. If you're a listener to this podcast, you already know that over the past year, ransomware has wreaked havoc on hospitals, transportation, nuclear plants and more. This flavor of malware is particularly vicious and shows no signs of slowing. But on the positive side, much has been and can be learned from these attacks and profiling ransomware actors is a smart way to create an informed cybersecurity strategy. Join Domain Tools for an insightful webinar with info security leader Kyle Wilhoit, who will help you understand ransomware trends, motivations, business workings and, of course, how to combat ransomware attacks. Visit Domain Tools dot com slash CyberWire to see the webinar today. That's Domain Tools dot com slash CyberWire, and we thank Domain Tools for sponsoring our show.

Dave Bittner: [00:13:02:01] My guest today is Robert Sell. He's a senior IT manager for a major aerospace company and this past year, he competed in the social engineering competition at the DEFCON conference in Las Vegas, where he discovered it's remarkably easy to gather information on a targeted organization and to use it to get their employees to tell you even more.

Robert Sell: [00:13:22:14] Every year, the social engineering village, what they will do is they will target a certain industry and this year, it was the gaming industry. And so what they will do is they will give all the candidates, this year there were 16 competitors, and we all got a company from that particular industry. And sometimes they will warn each other and they'll say hey, this is going on, be careful when you answer the phone, and it's really interesting to see how it evolves over those couple of days, because a lot of the security people from those companies are actually at DEFCON, sometimes even in the room, and they react differently depending on how they view the whole exercise. There's two stages to the competition. The first stage is really the OSINT stage, that's open source intelligence. And so what they want you to do, they give you certain flags. There's about 29 flags with different amounts of points, depending on the difficulty of the flag. They want you to then collect that information into a report. So, for example, one of the flags would be: "who does your garbage disposal?" And that would be worth so many points. Another one might be: "what's your SSID for your WiFi?" And that would be a little more difficult to get, so that would be worth more points. And so just using open source intelligence, not engaging with the company at all, basically what you find on the internet, you want to collect all those points and put it into the report.

Dave Bittner: [00:14:51:03] And so what was your strategy for gathering up that sort of information?

Robert Sell: [00:14:55:10] Well, because it's a corporate organization, one of the best sources, I found, was to start with anyway, was LinkedIn. It's amazing how much information you can pull off of that, just to get started. And I started building an Excel spreadsheet based off of that, and very quickly I had hundreds of data points. Everything from executive personal cellphone numbers, home addresses, you name it, gym memberships, what they eat for lunch, their pet names, and that really helps you to develop really solid pretexts. So yes, there is a ton of information out there.

Dave Bittner: [00:15:31:19] And so you arrive at DEFCON and the moment of truth is there. It's time for your 20 minutes in front of an audience. Take us through that.

Robert Sell: [00:15:40:07] Yes, when they called my name, or you know, ushered me into the booth, I was so excited because this is something I'd been thinking about for over a year, and I just remember trying to, I wasn't nervous at all. There's a few hundred people in the room and they're all watching you, so you'd expect some level of nervousness, but I was just so excited to go in there and do my part and be part of this, this whole village experience and so it was, I was just trying to calm down and get my heart rate to go down a little bit. This was the first probably 30 seconds, and then making those first few calls. And the first few calls I did, I just got voicemail. And they start the clock. You've got 20 minutes and that 20 minutes goes by incredibly fast, probably because it's so fun, but the first minutes, I had a real problem getting anybody. The phone would just ring. It would go to voicemail. I think most people perhaps were at lunch, because I was calling around that time. So it was a bit disheartening at first. And then I had to fall back on my backup plan, and I started calling reception because they were always there, and that's when I finally got somebody and finally started scoring points. So the first ten minutes was really uneventful and I could feel everybody's sympathy in the room, and the last ten minutes is really where I really started to get points, and the last three minutes was where I really started to get points very quickly. I had a very rapid fire pretext, which was actually an engagement survey and as soon as they agreed to do it, I just started firing off the questions and they couldn't write down the points fast enough for those last two minutes, which was exciting.

Dave Bittner: [00:17:17:03] What was the information that you were assigned to collect? And what was your successful strategy to do so?

Robert Sell: [00:17:23:19] Yes, so for the OSINT report, you basically collect all the flags that you can, and I'm just going through the list, for the live 20 minutes at DEFCON. For each person, you can get the same points. So for example, if I get the SSID from person A, I can then go get it from person B, as well. For me, basically what I wanted to do was run through as many flags as possible with anybody that I got. So one of my favorite pretexts is the engagement survey. So it would be hello, I'm so and so, calling from this company. I'm working with your VP of HR who is this person and she gave me your name as a person that could help me to really build this engagement survey. I just want to ask you a few questions really quickly. It'll only take two minutes, and then boom, boom, boom, boom, boom, boom, boom. And that usually works very effectively.

Dave Bittner: [00:18:20:11] So what were some of the takeaways for you? What are some of the lessons you took home after experiencing this?

Robert Sell: [00:18:27:07] It was interesting to see how susceptible to this sort of attack companies are, and there is a ton of information out there. I don't think many people are looking at how protected their organizations are from this, or how they're going to mitigate that risk. And so for me, coming back to the company where I work, I immediately wanted to look at how I could defend against that. So user awareness training, especially at the executive level, doing OSINT on yourself and your company, to see what's out there, I think is really important, and then looking at who's responsible should you get a breach of this kind. If your executive comes to the IT security group and says hey, I just gave all my information to so and so, because I thought it was real. What does that mean to you? Right, odds are that we are responsible for that, but we often don't think about that very much.

Dave Bittner: [00:19:23:22] Our thanks to Robert Sell for joining us. We've got an extended version of this interview for our Patreon subscribers at Patreon dot com slash the CyberWire. There's lots more in that interview, including Robert's advice for first timers at DEFCON. So check that out at Patreon dot com slash the CyberWire.

Dave Bittner: [00:19:44:09] And that's the CyberWire. Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit Cylance dot com. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Have a great weekend. Thanks for listening.