AMD investigates report of processor flaws. A look at OceanLotus. Patch Tuesday. Russo-British tensions high. MuddyWater threatens researchers.
Dave Bittner: [00:00:03:23] AMD investigates a report of exploitable flaws in its processors. Vietnamese threat actor OceanLotus gets a look from researchers. We've got some Patch Tuesday notes. Britain expels Russian diplomats in retaliation for a nerve agent attack. Russia demands to know what these cyberattacks are that the UK is said to be threatening. A brief history of Russo-British 21st Century espionage and cyber tensions. And Iranian threat actor MuddyWaters threatens researchers.
Dave Bittner: [00:00:37:12] Time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive, and your intelligence more comprehensive and timely. Because that's what you want, actionable intelligence.
Dave Bittner: [00:01:15:19] So sign up for the Cyber Daily email, where every day you'll receive the top trending indicators Recorded Future captures crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:55:12] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Wednesday, March 14th, 2018.
Dave Bittner: [00:02:04:20] Significant flaws in AMD processors have been reported by CTS Labs, a hitherto little-known Israeli firm. AMD says it's investigating, but also said it had never heard of CTS Labs, and that CTS gave AMD only a day's warning before going public.
Dave Bittner: [00:02:22:12] This is of course far shorter than the 60 to 90 days most companies tend to follow. Google's Project Zero, for example, uses 90 days. How quickly a flaw might be made public can depend upon other things, too. A present danger to public safety might well warrant swift public disclosure, but that doesn't seem to be the case here.
Dave Bittner: [00:02:43:04] The flaws, which affect EPYC, Ryzen, Ryzen Pro, and Ryzen mobile processors, require admin rights for exploitation. It is possible for attackers to gain admin rights in various ways, so that's not an insurmountable obstacle to exploitation. CTS Labs calls the vulnerabilities "Masterkey," "Ryzenfall," "Fallout," and "Chimera."
Dave Bittner: [00:03:06:23] Assessment of the details is difficult. CTS Labs redacted much technical information to prevent its use by bad actors. Security experts differ in their judgment of the problems severity, but few seem willing to defend the way the vulnerabilities were disclosed.
Dave Bittner: [00:03:24:09] ESET and others have been tracking OceanLotus, also known as APT 32 or Cobalt Kitty. The threat group operates for the most part against targets in Southeast Asia. Cambodia, Laos, and the Philippines are said to be particularly affected. It shows some sophistication in its approach and operations.
Dave Bittner: [00:03:44:23] Yesterday was March's Patch Tuesday. Adobe issued its regular, ritualistic patches of Flash Player, and if you use Flash Player, you should apply them.
Dave Bittner: [00:03:55:09] Microsoft came out with 14 updates that, by KrebsOnSecurity's estimation, covered more than 75 vulnerabilities. Ivanti puts the number at 78. Redmond's patches affect all the still-supported Windows versions, and also Explorer, Edge, Office, SharePoint, and Exchange Server. The critical vulnerabilities addressed are said to be in browsers and related software.
Dave Bittner: [00:04:20:10] Mozilla Firefox and Firefox ESR also issued patches. They rate their updates "Critical," and say they've fixed 21 vulnerabilities.
Dave Bittner: [00:04:31:10] Do you use a VPN to access your corporate network remotely? Plenty of people do, and it's widely considered a good practice for security and privacy reasons. Patrick Sullivan is Director of Security Tech and Strategy at Akamai. And he joins us to outline some of the challenges of VPN use and why the notion of verify and never trust is a core principle worth consideration.
Patrick Sullivan: [00:04:53:24] You know VPN is sort of a broad term. There are VPNs for point to point connectivity between offices. We won't talk about that today, I think we'll talk about the category of VPNs that are used to provide remote access. So I think really what we're seeing is at one time VPNs were, if not the exclusive, certainly the dominant technology used to provide remote access. And if we look at the assumptions that went into that, there was a network perimeter based model that almost everybody implemented.
Patrick Sullivan: [00:05:27:15] Really in that model you saw users and apps inside a trusted network segment, typically in a corporate data center. And then there was some form of network perimeter that would separate the trusted segment of the network, which was on private IPs, from the untrusted public internet. Some people call this a castle and moat architecture. VPN was the preferred technology that would be used to extend that interior of the castle and moat, if you will, to one of our trusted employees who happened to be outside of the four walls of that corporate office. So to extend that castle and moat to somebody's remote location and give them trusted network layer access that they could use to access corporate applications.
Dave Bittner: [00:06:12:06] So you all are advocating this principle of verify and never trust. Can you take us through what that means?
Patrick Sullivan: [00:06:19:05] We're certainly one voice of many there. So, I think when you look at the traditional VPNs that we're talking about today, somebody would connect in to that VPN for the duration of that session, maybe eight hours. And at that point we've decided that we trust them on that VPN session. If somebody walks into our office, they're an employee, they connect into an Ethernet or a corporate wi-fi, we're trusting them at the network layer.
Patrick Sullivan: [00:06:46:18] So really that level of trust at the network layer is dangerous, we've seen that. I think there are a number of voices out there, Forrester with Zero Trust, Gartner talks about CARTA. And really they speak about the risk of trying to make a perfect macro level security decision. Specifically, in this case, to give somebody network layer access on a VPN for the next eight hours, that's a macro level decision. And I think the opposite of that is to not trust the network layer, to proxy each and every request to inspect those and to consider identity. They consider lease privilege, which applications does somebody need to perform their job based on their role in the organization? Potentially, doing simple things like multi factor authentication, as well, as part of that configuration.
Dave Bittner: [00:07:40:10] So take us through, what you're advocating in terms of implementing this sort of thing? I have to say, it sounds more complicated than what we were dealing with earlier, but is it in fact?
Patrick Sullivan: [00:07:50:19] I don't think so. I think if you look at the way this would work, in many cases what you have is an access proxy. So rather than a network layer device that drops you into a trusted network segment, an end user would point their browser to a proxy, DNS will direct them there. And then that proxy will have information about their identity in that organization, and part of that identity would be their role, their job description. So, in many ways, it's simpler to set up and it's faster. I think when Akamai first embarked on this, we were up and running, and we first looked at third party retailers, and we had a system up in place in hours, because it is a SAS based model in the cloud, which takes away a lot of the challenges of a rack and stack.
Dave Bittner: [00:08:38:07] That's Patrick Sullivan from Akamai.
Dave Bittner: [00:08:44:09] Taking a quick look at our CyberWire event tracker coming up is the third annual Billington International Cybersecurity Summit. That's going to be on March 21st at the National Press Club in Washington DC. And if you're in the Denver area next week, on March 22nd, the Cybersecurity Summit is coming up. You can get 50% off your admission with the code CyberWire50, on their website, cybersummitusa.com. To find out more about these events, and to get your event listed, head on over to thecyberwire.com/events.
Dave Bittner: [00:09:17:18] The UK is expelling 23 Russian diplomats in retaliation for the attempted assassination of a former GRU officer. Russia offered no explanation, beyond denial, before last night's midnight deadline. Instead, demanding explanation of rumors that the UK is considering retaliatory cyberattacks against Russia.
Dave Bittner: [00:09:37:23] Prime Minister May has said she will consider the "full range of measures" available to retaliate against Russia. Business Insider has a useful quick summary of what that range looks like.
Dave Bittner: [00:09:49:05] First, expulsion of Russian diplomats. This has been done, with 23 of them declared persona non grata.
Dave Bittner: [00:09:56:03] Second, formal withdrawal of official UK presence at the upcoming World Cup, to be held in Russia. Foreign Secretary, Boris Johnson, has suggested this. It seems likely to happen.
Dave Bittner: [00:10:07:13] Third, withdrawal of credentials from RT, the Russia Today news service. Ofcom, the independent British communications regulator, is considering pulling RT's license, and many observers think it likely to do so. If it does, Russia is likely to kick British news services out of Russia.
Dave Bittner: [00:10:26:12] Fourth, cyberattacks against Russia assets. This one is risky, but it's also an option that Home Secretary, Amber Rudd, has hinted at in the past. It's also the option Russia has itself demanded an explanation of. Britain is a capable cyber power, and it's difficult to imagine London and Moscow actually wanting to swap punches in cyberspace. On the other hand, the Five Eyes have all recently attributed NotPetya to the Russian government, and British companies figured prominently among the victims of that campaign. So there may be some sense that the battle's already been drawn.
Dave Bittner: [00:11:01:19] Fifth, freezing the assets of Russian oligarchs. The Conservative Government has come under pressure from Labor, and also from others, to enact some version of the US Magnitsky Act, which would enable the freezing or forfeiture of Russian assets. The Government has been reluctant to do so, but this sort of retaliation would certainly hit what influence Russians value.
Dave Bittner: [00:11:24:09] Her Majesty's Government is asking for a UN Security Council meeting to address what it regards with reason as a Russian chemical attack on British soil. 22 people were treated for exposure to nerve agent. Three, the two targets, Sergei Skripal and his daughter, and a British first responder remain under treatment. A few hundred others in the vicinity of the attacks were offered decontamination.
Dave Bittner: [00:11:48:00] Another Russian, businessman Nikolai Glushkov, a fugitive from Russian justice in an Aeroflot embezzlement case, and a witness in the Litvinenko assassination (which also happened in the UK) died under "unexplained" circumstances Tuesday in his London home. Police report signs of strangulation. Of course, Russian wet operations are widely suspected, and authorities in the UK are investigating the death as a possible act of terrorism.
Dave Bittner: [00:12:16:16] Alexander Litvinenko was a former FSB officer and defector who became a naturalized British subject. On November 1st, 2006, Litvinenko was hospitalized for what was diagnosed as exposure to polonium-210. The dose proved lethal, Litvinenko died three weeks later. If Sergei Skripal and his daughter were hit with a chemical weapon, Litvinenko fell victim to a radiological one.
Dave Bittner: [00:12:43:23] The MuddyWater threat group, generally associated with Iran, also seems newly disposed to play rough. Trend Micro researchers probing a server connected to the group received a message in stereotypical terrorist lingo right out of the scriptwriter's world. "Stop! Kill You Researcher." Normally one would laugh this kind of thing off as skid nonsense, but anyone might be excused any additional wariness they might feel in the wake of what's been happening in the UK.
Dave Bittner: [00:13:16:24] And now a few words about our sponsors at E8 Security. If you've been to any security conference over the past year, you've surely heard a lot about artificial intelligence and machine learning, I know we have. But E8 would like you to know that these aren't just buzz words, they're real technologies and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data. Go to E8security.com/cyberwire and let their white paper guide you through the possibilities of these indispensable emerging technological tools. Remember the buzz around artificial intelligence isn't about replacing humans, it's really about machine learning, a technology that's here today. So see what E8 has to say about it, and they promise you won't get a sales call from a robot. Learn more at E8security.com/cyberwire. That's E8security.com/cyberwire. Follow the behavior, find the threat. That's E8. And we thank E8 Security for sponsoring our show.
Dave Bittner: [00:14:21:14] And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, welcome back. I have often heard that when you suffer a data breach, time is of the essence, and you wanted to make the point today that those first 48 hours are really critical.
Justin Harvey: [00:14:38:23] Yes. Many times you don't really know if you have an incident, and when you get that first alert, or when you get the first notification, the clock really starts ticking. So during that first 48 hours, you've got to do a few things. Number one is you've got to triage and see exactly what you have. Is it nation state? Is it cryptocurrency malware? Is it cyber criminal? Is it a ransomware? And once you establish what that type of malware is, or what that incident is, then you need to go into incident response mode, assuming that it is characterized as an incident.
Justin Harvey: [00:15:18:13] It's really critical that you follow your incident response procedures and actually that they are developed up front. What we're seeing many times is that during that first 48, there is a bit of a lip throw caution and the plan that we've worked on for the last few years or that we've always kept in this little box ready to go break in case of cyber emergency, and all that goes out the door. So it's critically important that you spend the time up front and drill around a strong incident response plan.
Justin Harvey: [00:15:55:15] It's also important to have a retainer. To be able to reach out to another firm or organization to get help. And a lot of times, what I have seen, is that there's a cyber crisis or cyber incident, and the company, or the enterprise, hasn't prepared in getting all of the necessary paperwork done for having that incident response retainer for outside help. And what ends up happening is, if it becomes public, there's a deluge of vendors trying to get their foot in the door and tell you about their solution, their service, their people that can help you. And assuming that you do pick an incident response vendor during this first 48, then you're going to go into legal hell.
Justin Harvey: [00:16:42:03] Your own legal team will be amped up, wanting to review everything, because there's an active incident. And can you imagine trying to get an incident response retainer or incident response contract done in that period of time? So you're going to go back and forth on red lines, around liability, around data protection classifications, how your data's handled and where it's stored. You don't want to do that up front. You want to be able to have that retainer in place beforehand so that it's as simple as picking up the phone and dialing an incident response company and saying, "I need your services right now."
Dave Bittner: [00:17:20:14] It strikes me that when something like this happens, there's a natural tendency for people to be emotional. Something bad has happened and the more you can plan ahead of time to help keep yourselves out of that emotional state, probably the better off you're going to be?
Justin Harvey: [00:17:37:04] Absolutely. When you're going off half cock, if you're going off and not properly framing the problem and thinking about it in a deliberate manner, you are at risk of making some poor decisions. For instance, one of the things that is very commonplace in the industry is don't destroy the evidence, meaning if you have an incident, don't turn the machine off. And don't ship it in its shut down state to somewhere else for examination. You want to put the system in hibernation mode. By putting it in hibernation mode, that gets it off the network, it is essentially sleeping, and you're able to preserve the memory for future analysis.
Dave Bittner: [00:18:23:16] Oh I see, so your volatile memory's an important part of assessing what's happened as well?
Justin Harvey: [00:18:28:24] Absolutely. We're seeing more and more fileless based attacks, meaning attacks that are only resident within memory. A lot of these are power shell based in nature, and it's very difficult to go back in time without that volatile memory.
Dave Bittner: [00:18:44:04] Yes. Good advice as always. Justin Harvey, thanks for joining us.
Justin Harvey: [00:18:47:18] Thank you.
Dave Bittner: [00:18:51:02] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit E8security.com to learn more.
Dave Bittner: [00:19:12:20] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology.
Dave Bittner: [00:19:22:17] Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.