The CyberWire Daily Podcast 10.20.17
Ep 459 | 10.20.17

IoT DDoS hurricane forming? Sofacy exploits patched Flash bug. NotPetya continues to impose costs. Snooping with mobile app ads.

Transcript

Dave Bittner: [00:00:01:07] The CyberWire Podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at patreon.com/thecyberwire.

Dave Bittner: [00:00:13:20] An IoT botnet hurricane may be forming among IP cameras. IP cameras are to DDoS what the West African coast is to Atlantic tropical depressions. Sofacy rushes to exploit a patched Flash bug in a use it or lose it espionage race. Want to spy on someone? Go buy an ad. Cisco patches the wi-fi KRACK. NotPetya's still costing manufacturers and their insurers a lot of money. MalwareTech, a.k.a. Marcus Hutchins, gets to take off that GPS and stay out late, since the judge decided his pretrial behavior has been pretty good.

Dave Bittner: [00:00:53:07] Time to take a moment to tell you about our sponsor, Recorded Future, the real time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cybersecurity analysts unmatched insight into emerging threats. We read their dailies here at the CyberWire and you can too. Sign up for Recorded Future's cyber daily email to get the top trending technical indicators crossing the web; cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and more. Subscribe today and stay ahead of the cyber attacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and it's on the money, that's recordedfuture.com/intel and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:55:03] Major funding for the CyberWire Podcast is provided by Cylance, I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, October 20th, 2017.

Dave Bittner: [00:02:05:23] Reports warn breathlessly that a new Internet of things botnet is shaping up into a kind of cyber hurricane, and indeed the reports do look, metaphorically, like Atlantic tropical storm season warnings of a depression forming off the West African coast. In this case the early storm warnings are being sounded by researchers at security firm Check Point, who say the coming distributed denial of service wave could be worse than the earlier big IoT botnet Mirai. They say they see some possible connections with, and similarities to, Mirai but, on the whole, they regard this new, so far unnamed threat as an entirely new and far more sophisticated campaign. The botmasters have concentrated on herding IP cameras, which of course also figured prominently in the original Mirai. Check Point says that, "More than a million organizations," have been affected. They noted the problem shaping up late last month, and they advise everyone to get out the virtual equivalents of plywood, bottled water, and other storm necessities.

Dave Bittner: [00:03:08:09] We hear a lot about zero days, of course, but not all exploitation is of hitherto unknown vulnerabilities. Security company Proofpoint reports a campaign that's pursuing a bug that was swatted this Monday. In this case it's the Adobe Flash vulnerability, CVE 2017 11292. Researchers at Proofpoint say they're seeing a great deal of activity on the part of APT28, the Russian threat actor also known as Sofacy, targeting the flaw for exploitation before enterprises get around to applying the patch. The vector is a familiar one, a maliciously crafted Word document corrupted with DealersChoice.B, Sofacy's attack framework, that enables them to load exploit code on demand from one of their command and control servers. The phishbait dangling the malware is a document describing how North Korea says it was pushed into pursuing its nuclear weapons program by a terrorist United States. The bait could appeal to gullible phish of various sympathies, on the one hand it unmasks the US as terroristic, but on the other it calls Pyongyang tyrannical and makes liberal use of scare quotes around the more outrageous claims. So whether you're a follower of Mr Kim's or President Trump, don't bite.

Dave Bittner: [00:04:25:06] So it seems this is a case of a Russian intelligence service threat actor working to get as much as it can in the wild before the world gets around to applying the patch. It's interesting to note that on Monday, Kaspersky connected exploitation of the flaw to Black Oasis, an advanced persistent threat distinct from Sofacy. Proofpoint thinks Sofacy also has the exploit and is trying to use it before patching renders it worthless.

Dave Bittner: [00:04:51:17] University of Washington researchers demonstrate how third party attackers can exploit smartphone apps targeted advertising systems to conduct surveillance of users. How can they do it? Easy, they buy an ad that contains within it, code that lets them, say, use geolocation to know where their target is, or what they're browsing for on the device. It costs about $1000. Sure, there may be other ways of doing it, and black market malware is commoditized enough that you might get more bang for your thousand bucks elsewhere, but it's still a possibility worth considering.

Dave Bittner: [00:05:26:16] Cisco joins the ranks of vendors who have patched against the KRACK WPA2 vulnerability. Others will follow, it will take some time to mop this vulnerability up.

Dave Bittner: [00:05:37:14] Facebook draws adverse attention from those concerned with information operations and security. The social media giant says it's working to secure itself a painful process, they say, and promises to help secure upcoming Canadian elections.

Dave Bittner: [00:05:54:05] Fairly or unfairly, suspicion of Kaspersky products as being the Russian FSB's royal road into the enterprise, has taken a firm root in the commercial sector. Data centers are being advised to get rid of the company's security software, and editorialists in the US are telling consumers that they should do likewise.

Dave Bittner: [00:06:14:00] NATO leaders feel unsure of their ability to counter Russian hybrid warfare, and fear losing the battlefield advantage they've tended to assume as their right since the end of the Cold War.

Dave Bittner: [00:06:25:23] The cost of NotPetya pseudoransomware continues to be counted. Verisk estimates that Merck's insurers will pay out some $275 million, with the big pharma company itself on the hook for more.

Dave Bittner: [00:06:40:12] And finally, Marcus Hutchins, the hacker known as, Malwaretech, credited as a kind of inadvertent hero for flipping the kill switch on WannaCry ransomware, is out on bail and unencumbered, awaiting trial. He's living and working in Los Angeles, part of that city's large British expatriate community, where a US judge thinks he's behaved well enough, showing up in court as required, and so on, to deserve having his curfew lifted. He can also take off that GPS tracker he was wearing. Mr. Hutchins was arrested in August on US Federal charges alleging that he created and sold Kronos malware.

Dave Bittner: [00:07:21:24] Here's a quick note about our sponsor, E8 Security. We've all heard a lot about artificial intelligence and machine learning, hey who of a certain age doesn't know that Skynet achieved self awareness and sent the Terminator back to take care of business? But that's science fiction and not even very plausible science fiction, but the artificial intelligence and machine learning that E8 is talking about isn't science fiction at all, they're here today. And, E8's white paper, available at e8security.com/cyberwire can guide you through the big picture of these still emerging, but already proven, technologies. We all need to turn data into understanding and information into meaning. AI and machine learning can help you do that. See what they can do for you at e8security.com/cyberwire and we thank E8 for sponsoring our show.

Dave Bittner: [00:08:14:09] And joining me once again is Emily Wilson, she's the director of analysis at Terbium Labs. Emily, welcome back, you know, after all of this Equifax mess one of the other credit companies has been, sort of, tooting their own horn and saying that they will search the dark web to find out anything about you and there's been a lot of pushback on that. People have been saying, well you can't search the dark web, that's why it's called the dark web. This is a specialty of yours and your colleagues at Terbium, so I thought who better to ask than you. What-- if I want to go out and engage with a company and say I want to find out everything there is to know about me on the dark web, how possible is that really?

Emily Wilson: [00:08:52:22] It's certainly possible in that, as you said, we do this for a living at Terbium. Depending on which company you're talking to, whether, as an individual, you know, you mentioned, you know, one of these credit organizations as offering a dark web scam or, if as a company you're, kind of, looking at different providers, it's absolutely possible, depending on who you're talking to, you're going to get different kinds of information. Whether you're looking for financial information, whether you're looking for more threat intel, whether you're looking for personal information, in the case of the individuals who are, kind of, turning to this, this credit organizations, it's certainly possible. It's definitely difficult, I mean, that's one of the engineering challenges we all face, right? In this space is the dark web is a difficult thing to navigate, sites go up and down, many of these sites don't particularly want to be found and so doing reliable data collection at scale on this part of the Internet, it's, it's definitely difficult but it is certainly possible.

Dave Bittner: [00:09:51:16] And so this is, sort of, the secret source that various companies have if they, if they when they're telling you that they can do dark web scans?

Emily Wilson: [00:10:00:10] Absolutely and it really does depend on who you're turning to and what problem you're trying to solve because companies are trying to solve this problem differently and companies are looking for different kinds of information. So, you could be looking for more threat intel information about threat actors, you could be looking for information about vulnerabilities that may impact your company. In the situations like you're discussing, you're typically looking for more personal information or financial information and that, kind of, information is out there. Whether it's something that's been discussed or that's been leaked or that's available for sale and it's also important to note that not all of this is on the dark web. Plenty of this information shows up on, you know, really sketchy clear websites too. The fraud trade isn't exclusively on, what we think of as, traditionally, the dark web.

Dave Bittner: [00:10:45:10] So this notion that we can't scan the dark web because it's the dark web and that's why they call it the dark web, that's sort of a myth?

Emily Wilson: [00:10:52:14] It is, sort of, a myth and that's, you know, one of my favorite things to talk about with people in and out of the industry is the fact that the dark web is complex and it changes constantly and it's messy just like the rest of the Internet. But it is a problem that you can approach and that you can figure out how to solve. It's a difficult problem, that's why many of us are working very hard to figure out how to solve it, but it's definitely something that is measurable and tractable and accessible and you can track data there.

Dave Bittner: [00:11:18:18] Alright, Emily Wilson, thanks for joining us.

Dave Bittner: [00:11:25:13] I'd like to take a moment to share our thanks to our sponsors, partners and attendees of our fourth annual Women in Cybersecurity reception, that was held here in Baltimore on Tuesday October 17th. We had a great time meeting with everyone and we hope that you enjoyed yourselves and were able to create some valuable connections. We couldn't have pulled off the event without the support of our sponsors, presenting sponsors CenturyLink and Cylance, our platinum sponsors, Exelon and Northrop Grumman, our gold sponsors E8 Security, IBM and LookingGlass Cyber, our silver sponsors, Booz Allen Hamilton, Brown Universities Executive Master in Cybersecurity, ClearedJobs.net, Cyberpoint International, CyberSec Jobs, Delta Risk and Defense Point Security and our women owned spotlight sponsor, Creatrix. We're fortunate to have some great partners that help us as we plan and execute the event, including the Cybersecurity Association of Maryland and Maryland Arts Place. We're already starting to plan for the fifth annual event, next fall which, thanks to our 2018 hosting sponsor, Northrop Grumman, will be held at the National Cryptologic Museum.

Dave Bittner: [00:12:29:18] Stay tuned for photos from this year's event and details about 2018 as they become available. If your company is passionate about empowering women to succeed in the cybersecurity industry we invite you to sponsor our fifth annual Women in Cybersecurity event. Again, thanks to all of our sponsors, thanks to everyone who came out and we look forward to seeing you next year.

Dave Bittner: [00:12:57:20] My guest today is, Michael Sutton, he's the chief information security officer at, Zscaler. Prior to Zscaler he helped build some other security startups including SPI Dynamics, who were later acquired by Hewlett Packard and iDefense which was later acquired by Verisign. Michael Sutton is also the co-author of the book, Fuzzing: Brute Force Vulnerability Discovery. Our conversation centers on zero days, bug bounties and whether the US government is following their own guidelines when it comes to zero day hoarding.

Michael Sutton: [00:13:29:21] In the early days, let's say 20 years ago, it was really underground or government entities that would be willing to pay for vulnerabilities. So, there was no, sort of, open marketplace. That started to change in about 2002, I actually at the time, was part of the first, sort of, commercial organization to start up bug bounty vulnerability program which, at the time, was super controversial but, since then, it's evolved and it's become a very normal, commercial process. There are lots of companies that will pay for vulnerabilities and it's now very normal that most vendors will pay for vulnerability information, so that's really evolved but, there has always been an element of hoarding in that, whether it's governments, whether it's criminals, anybody that wants to use a vulnerability for an offensive purpose.

Dave Bittner: [00:14:18:20] And I suppose these days, the notion of having a bug bounty isn't really controversial any more.

Michael Sutton: [00:14:23:23] No, I, I remember so-- I had mentioned that we had launched the first commercial one, that was with a start up called, iDefense at the time, we did it in 2002, we called it the vulnerability contributor program and I remember, at the time, there were people who were just vehemently opposed to it. You know, we believed very strongly in it, we had insight into the fact that hey, this is happening in the underground, wouldn't you rather have this out in the open and we felt that hey, it was much better for us to do this very publicly, out in the open, we gave everything to the vendors to get it fixed. Over the past 15 years, I think attitudes have changed dramatically. You know, now it is a very regular business, there are companies that specialize in bug bounties. Pretty much every major software vendor or Internet provider, has a bug bounty program, they pay for it, so, it's actually quite satisfying to see, you know, all of these people who had their pitchforks out against us have really changed their mind on this topic.

Dave Bittner: [00:15:25:00] It seems as though the controversy has stirred up again with organizations like, the Shadow Brokers, releasing vulnerabilities that allegedly had been hoarded by government agencies.

Michael Sutton: [00:15:35:21] Yes, so throughout this entire time there has always been hoarding, certainly not just by the US government, I mean, most governments have some, sort of, offensive cyber capability and yes, they want to use vulnerabilities for their offensive purposes. Now, that's where I think the controversy comes into play because, of course, there is always a delicate balance to strike there that you may be hoarding it for the benefit of your country but, if your citizens, companies in your nation are also impacted by somebody else using that same vulnerability, are you doing more harm than good by hoarding?

Dave Bittner: [00:16:18:15] So, where do you think it's going to go?

Michael Sutton: [00:16:21:09] The US does actually have a, a policy in place to make that decision. They, they call it the Vulnerability Equities Process, so, we're not in a situation where, if the United States government comes into the possession of a vulnerability, either through their own research or because they purchase it from another party and both of those things occur, that they simply hoard it outright or even have the ability. There are different players, different agencies get, get invited to the table, that process has evolved over time and, supposedly, the process is designed to lean in the direction of, hey, we're going to disclose this to the vendor, unless we can prove certain things, and that we don't feel there's a large risk to the public. Unfortunately, as with most government policies, especially those that involve sensitive information, there's very little transparency. So, we in the general public, are left to make evaluations based on leaks that have occurred or, snippets of, you know, statements that are made off the record, to decide if this process actually works. And, and I'd say, at best we're left to question whether the, the VEP, the Vulnerability Equities Process, meets its true intent.

Dave Bittner: [00:17:39:14] So, I think it leaves the general public with, perhaps, a sense of uncertainty?

Michael Sutton: [00:17:43:18] Indeed. There isn't much out there. There have been some reports, Jay Healey, had done an excellent one with some grad students out of, I believe, Columbia University where he, sort of, compiled what information was available and so, you know, we're left in a position where, where the government has told us that, hey, this process is in place. We know the broad strokes of how it works, we know that the intent is to disclose vulnerabilities, zero day vulnerabilities, especially in situations where they pose a risk to the public; meaning, that they are either high risk vulnerabilities or they're broadly used within the infrastructure of the United States. The problem is that some of the anecdotal evidence that we have, Shadow Brokers being a really important one, that you know, here was leak of a treasure trove of NSA tools and we're left to say, wait a minute, it was very clear that-- the, the fact that these were hoarded did not tie to the intent of the VEP. You know, these were vulnerabilities that impacted a huge portion of, of the computers and the infrastructure in the United States. EternalBlue, being a big part of that which was the vulnerability that was used with WannaCry and NotPetya. If the intent of the VEP was to make sure that we don't hoard vulnerabilities that could have a very negative impact because they're high risk and widely used, well clearly the NSA should have disclosed these to the vendors.

Michael Sutton: [00:19:13:10] So, that leaves us with big question marks, you know, we don't have the transparency to truly know how the VEP works. We don't-- we certainly don't know the vulnerabilities that have gone through the VEP vetting process so, we are left to question how effective this process truly is.

Dave Bittner: [00:19:31:01] Do you think there needs to be an evolution of the way that these vulnerabilities are disclosed?

Michael Sutton: [00:19:37:01] Well, I think we have seen an evolution and, and I think that this is continually revisited, you know, there's been an evolution just, overall, like, as I mentioned back in the-- 15 years ago, people just couldn't wrap their head around paying somebody for a vulnerability and vendors were vehemently opposed. I, I remember when Microsoft finally launched it's bug bounty program a few years ago, I, I was shocked and, and very pleased because they were a strong hold out. Like, when we launched that vulnerability contributor program, they were one that begrudgingly worked with us and they were actually good, they really did do a 180 but, you know, they did-- they wanted people to just give vulnerabilities to vendors, that was their view, they said, we're never launching a bug bounty program, and so they did. So, I think, I think the general public has really evolved and, and now this is a very accepted piece of it, but, even at the government level, we've certainly seen evolution.

Michael Sutton: [00:20:29:23] Like the whole concept of the VEP actually started, within the Bush administration, George W. Bush. Back then, it was solely run by the NSA, chaired by the NSA and they seemed to have, kind of, full say over it and, and it has been reinvigorated, or was reinvigorated, under the Obama administration to, to change the process. It's not longer directly chaired by the NSA, it seems to have broader participation so, I think the government has also evolved as they have seen things occur, some of the major events where hoarded vulnerabilities cause damage. Whether it was Shadow Brokers or even things like, Heartbleed, which, was an open SSL vulnerability that was arguably the most damaging or the highest risk vulnerability that we've ever seen, that had the greatest impact. And there were rumors that the NSA had known about that for a couple of years before, never verified. But I think it was moments like that that caused the government to say, hmm, maybe by hoarding vulnerabilities we're doing more damage than good. I think this will be an ongoing debate, both publicly and within the government, I, I think it will have to evolve. I don't think there is ever going to be one right answer.

Dave Bittner: [00:21:48:03] That's Michael Sutton from Zscaler.

Dave Bittner: [00:21:54:22] And that's the CyberWire, thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, check out cylance.com.

Dave Bittner: [00:22:07:19] The CyberWire podcast is produced by Pratt Street Media, our editor is John Petrik. Social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Have a great weekend. Thanks for listening.