Dave Bittner: [00:00:01:09] Remember, you can become more than just a listener of the CyberWire podcast, you can become a supporter. Visit patreon.com/thecyberwire and find out how.
Dave Bittner: [00:00:12:20] The Lazarus group is back at it with SWIFT. Maniber ransomware hit South Korea. Researchers cast the first KRACK-related stone at IEEE. Oracle, Blackberry and Lenovo patch. A study finds criminals turning to cryptominers. And one cryptominer seems to be tugging on Superman's cape. OPSEC isn't their strong suit, to say the least.
Dave Bittner: [00:00:38:24] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire Web, to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:33:23] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, October 18th, 2017.
Dave Bittner: [00:01:45:20] North Korea, its economy hard hit by international sanctions, continues to find income through cybercrime. BAE researchers attribute a recent theft of $60 million from Taiwan's Far Eastern International Bank to the DPRK's Lazarus Group, the same outfit thought responsible for 2016's illicit funds transfer from the Bangladesh Bank. As they did in the 2016 robbery, the thieves exploited the SWIFT international money transfer system. How they did so isn't yet fully understood, but it appears that a ransomware attack may have functioned as misdirection.
Dave Bittner: [00:02:22:13] The Magnitude exploit kit is currently active, distributing Maniber ransomware to South Korean targets. The vector is malvertising. Maniber had until last month afflicted mostly Taiwanese targets. Trend Micro thinks Maniber is one of the few language and country-specific ransomware strains out there.
Dave Bittner: [00:02:42:16] Some security researchers argue it's IEEE's fault that the WPA2 wi-fi protocol proved vulnerable to KRACK attacks. IEEE standards, they say, aren't generally open to inspection and vetting by security researchers who might be able to discern flaws earlier. "IEEE working groups are a closed industry process," Johns Hopkins cryptographer, Matthew Green, told WIRED. Vetting standards is difficult enough, even for an organization who's technical standards and capabilities are as high as the IEEE's typically are, and the more eyes and testers the better. That's the wisdom-of-crowds critique the outside researchers are offering.
Dave Bittner: [00:03:22:08] Phishing remains an effective way for bad guys and gals to get their malware on a targeted system or network, taking advantage of the human factor to by-pass technical defense measures. One of the most effective phishing techniques? Aaron Higbee is co-founder and Chief Technology Officer at PhishMe, a security company that specializes in these sorts of things.
Aaron Higbee: [00:03:41:10] We have a lot of data on this, especially in the context of an enterprise worker or someone that works for an organization. The attackers will swap out specific techniques, and either tricky URLs or tricky attachments. But when it comes to stories, there hasn't been a lot of innovation. Many of the themes that they pick - and we can--we know why, because they're more successful - have to do with office communications. So, it could be things like, you've received a file off of a scanner. You've received an electronic fax. Someone has left you an urgent voicemail, click here to listen to. It could be something like, there's an invoice that I need you to pay that you're overdue on. You are being subpoenaed or asked to be deposed in some sort of litigation. Those are some themes that aren't new; they have been re-used for the past few years. The malware, or the thing that actually infects someone, gets swapped out, but those stories seem to be used over and over again.
Dave Bittner: [00:04:47:15] And is it, I mean, despite the training that we try to, to give people, they still seem to fall for these things?
Aaron Higbee: [00:04:54:19] They do. And we have a lot of data about that and, and why. We've also studied the different emotional triggers inside of email, and we have some great telemetry on what seems to work and what doesn't. For instance, phishing emails that try to give you that there's a sense of a word, maybe you've won a trip or you've won a free iPad, things like that, they are not as successful for the attackers. Another category that's not very successful for the attackers, which might surprise some cyber security professionals, are phishing emails about your virus scanner is out of date, click here to update it. Or your computer is missing critical patches, click here to update it. Those are not very effective for attackers. Another thing that we've observed in the wild, is that attackers are trying to make sure that their phishing emails are hitting the employees' inbox sometime during the work day, preferably during the morning.
Dave Bittner: [00:05:52:12] That's interesting. So it's a matter of that's when they're going to get the most attention?
Aaron Higbee: [00:05:58:04] There's, there's a couple of different reasons why. Many of the payloads are tailored to infect the Windows computer, your, your common enterprise desktop build, and so those attackers, they do have to worry about that because they don't necessarily want an employee opening it at night on an iPad, or in the morning on their way to work from an Android phone, when they've gone to the work to tailor a Window's exploit. The other thing that they're taking advantage of is, in your morning, it's just part of normal human behavior to do a quick read-through of your inbox, to figure out what is spam, who do I need to reply with to organize your day. And so when we get into that mode of operation, we're more likely to make mistakes.
Dave Bittner: [00:06:40:18] I see. We're just sort of breezing through our emails, deciding what needs our attention and what doesn't, so maybe not giving any particular email that much specific attention.
Aaron Higbee: [00:06:51:18] That's right.
Dave Bittner: [00:06:52:04] Yeah. So what are your recommendations? What are the best ways for people to protect themselves? Are there technical solutions, or is it a matter of training?
Aaron Higbee: [00:07:01:12] It's really a combination of the two. The technology can only do so much, and we're always improving it. But all the technology is on a traditional product release life-cycle, so it's got to be tested, and it's got--before it can be put into these products. So there's always this gap, this last mile, that we have to rely on training, and one of the things that we've observed over the years is, if you think of training in a very traditional way which is, this is how to dissect a URL, this is how to read it from right to left, we haven't seen that to be very effective. What we recommend is trying to get people to recognize the patterns and emotional triggers that an attacker are going to use in order to get you at that moment of susceptibility, when you are overworked in the morning, when you are going through those emails. So if we can get you to recognize these triggers - like fear, reward, curiosity, urgency - then we can get you better equipped to deal with that when you get a real phishing email.
Dave Bittner: [00:08:05:19] That's Aaron Higbee from PhishMe.
Dave Bittner: [00:08:10:04] A number of patches that didn't make it out last week have now been issued. Oracle's quarterly patch addresses 250 bugs, and PeopleSoft closed a remote code execution vulnerability - this patch was one of those included in Oracle's update.
Dave Bittner: [00:08:25:03] BlackBerry has updated it's Workspaces server to close two vulnerabilities. One of those - CVE-2017-9368 - fixes a file-server API that could respond to a specially crafted GET request by allowing an attacker to view file server source code. The other BlackBerry issue - CVE-2017-9367 - is rated crucial. It's a directory transversal that permits a web shell to be uploaded to the server's webroot, where it could be used for code execution.
Dave Bittner: [00:08:57:11] Lenovo's four patches - ThreatPost says were quietly rolled out - address Android flaws in the company's mobile devices, both phones and tablets, that could permit remote code execution.
Dave Bittner: [00:09:10:07] Cyber criminals usually follow a Willy Suttonesque path of least resistance to where the money is. That path right now seems to lead to cryptocurrency mining. Recorded Future sees this as a trend. Researchers at their Insikt Group see a turn to miners as a current criminal trend. One commodity mining crimeware kit, 1ms0rry MINERPANEL - obfuscated with the customary substitution of numeral one for letter 'i' and numeral zero for letter 'o' - can be bought for between $35 and $850, depending on the model.
Dave Bittner: [00:09:44:00] Some of the criminals installing the miners seem garrulous and careless, especially if they're using roll-your-own code. Thus they seem likely candidates for a sabbatical at some correctional institution. Bleeping Computer describes one such, a Russian-speaking hood whose nom de hack is 0pc0d3r - spelled zero-P-C-zero-D-3-R - the better to fool nosy people wondering who he might be. 0pc0d3r is installing Monero miners via Grand Theft Auto, and other gaming mods, and he can't seem to shut up about what he's up to. This seems curiously, if characteristically, self-defeating.
Dave Bittner: [00:10:21:20] But then the idea of the criminal genius is something of a myth. Lex Luthor is confined to the comic books. The reality is usually closer to Pacino's character in Donnie Brasco, sawing the tops off parking meters to get the change out. Our editorial desk once knew a fugitive from US justice who was caught because he took an animal act onto the Tonight Show. It still took the FBI a few weeks before they were able to present him with an invitation to the Allentown, Pennsylvania Federal joint.
Dave Bittner: [00:10:51:06] And then there's that other Russian cyber crime lord on the lam in the Black Sea region. The Bureau fingered him because said crime lord couldn't stop himself from complaining that he didn't get the rewards his hotel chain platinum rewards card entitled him to. That's Mr. Evgeniy Bogachev, AKA Slavic, recognized for his shaved head and pet ocelot. Better, he should have invested in Voppercoin, where at least you cash out in flame-broiled goodness and not some tiny little mint on your pillow.
Dave Bittner: [00:11:20:10] So keep it up 0pc0d3r, and continue counting coup so the other hackers will appreciate your mad skillz. For sure that substitution of numerals for letters will make you untrackable. If you're looking for a password, try p@ssw0rd - the at-sign and the zero really sell it. Or that's what we hear, anyway.
Dave Bittner: [00:11:47:07] A few words about our sponsors at E8 Security. If you've been to any security conference over the past year, you've surely heard a lot about Artificial Intelligence and machine-learning - we know we have. But E8 would like you to know that these aren't just buzzwords. They're real technologies, and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data. So go to e8security.com/cyberwire, and let their white paper guide you through the possibilities of these indispensable, emerging technological tools. Remember, the buzz about Artificial Intelligence isn't about replacing humans, it's really about machine-learning - a technology that's here today. So see what E8 has to say about it; and they promise you won't get a sales call from a robot. Learn more at e8security.com/cyberwire. And we thank E8 for sponsoring our show.
Dave Bittner: [00:12:42:11] And joining me once again is Professor Awais Rashid. He heads up the Academic Center of Excellence in cyber security research at Lancaster University. Professor, welcome back. You know, you all do a lot of research there at Lancaster University, and you wanted to address some of the challenges that folks face when doing research when it comes to critical infrastructure.
Professor Awais Rashid: [00:13:02:20] Indeed. We, we run a number of projects on security of industrial control system environments, which are widely used in critical infrastructure. And this is really just, just our experience of some of the complexity of doing research in this kind of setting. And I think one of the big challenges comes from the fact that these environments are, as you note, critical infrastructure. So there is a, a tendency of those involved in, in these kind of organizations to not release information, which is, which is very, very good. And even if as researchers we have all the agreements in place, it's actually understanding what goes on in detail in terms of security, can often be very, very challenging.
Dave Bittner: [00:13:39:24] Is it also a matter that, you know, with these systems it's because they need to be running in real time that it can be challenging to do tests that perhaps you would prefer to do in an off-line situation?
Professor Awais Rashid: [00:13:53:23] Yes. You, you've absolutely hit the nail on the head. So I think there, there are two issues. One is, how do you actually understand the security practices in these kind of organizations when they do all sorts of concerns about security and safety? You can't actually go and observe people engaging in their day-to-day work, and how do they do security. And secondly, of course you can't go and run a penetration tester at a nuclear power station because it can have very serious consequences if you end up disrupting anything. And the way we, we solve both challenges are, are in really interesting ways. In the case of the latter, which is the, which is a penetration test, we actually run a test bed in our lab, and there are, there are others around the world who run these test beds which pretty much replicate on a smaller scale what goes on in these environments in a real setting. And that way, you are actually still working with realistic settings without safety consequences that might arise from actually working on an operational system.
Professor Awais Rashid: [00:14:51:05] The insights that come from such test beds can then be transferred in terms of knowledge and understanding to the security of the real infrastructure. And how do we deal with understanding how people do security? Certainly in our work we, we, for instance, designed a game. It's like, it's like a board and, and people play the game which, represents a critical infrastructure setting. And then by observing and hearing their discussion in the context of that scenario, we can understand as to what are the issues that they face on a regular basis with regards to security. How doe they overcome them, where the gaps are, and so on. So, I think one has to be very creative in terms of creating alternate situations where you can get good and valuable insights in terms of research that can then be translated onto the real infrastructure in terms of its protection.
Dave Bittner: [00:15:43:08] Professor Awais Rashid, thanks for joining us.
Dave Bittner: [00:15:47:10] And that's they CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help you using Artificial Intelligence, visit cylance.com.
Dave Bittner: [00:15:58:17] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.