The CyberWire Daily Podcast 4.26.18
Ep 586 | 4.26.18

Some fix fast, others not at all. Ransomware campaign's demands are non-negotiable (for most victims—Russians get a hometown discount). Content filtering. Jamming in Syria.

Transcript

Jack Bittner: [00:00:00:19] Hello everyone, this is Jack Bittner, you may remember me from such Patreon pitches as Jack Needs New Braces, Jack Needs A Bicycle, Jack Needs A Winter Coat and my personal favorite, Jack Needs Christmas Presents. Well, it's take your kid to work day and my dad has stepped away from the computer and we've all gone totally mad. So I'm here to tell you to visit patreon.com/cyberwire, to become a CyberWire contributor and now, back to the scary cyber security news.

Dave Bittner: [00:00:29:18] Hey, what are you doing?

Jack Bittner: [00:00:31:13] Nothing.

Dave Bittner: [00:00:36:02] More exposed databases, trouble with routers, issues with storage cameras, and problems with storage devices. Some have been promptly fixed, but others are offering users Hobson's Choice: take it or leave it. An apparent ransomware campaign says payment demands are "non-negotiable," unless, of course, you happen to be Russian, in which case let's talk. Citizen Lab complains about certain kinds of content filtering in South Asia. And what's up with Compass Call in Syria?

Dave Bittner: [00:01:09:13] Time to tell you about our sponsor, Recorded Future, if you haven't already done so, take a look at Recorded Future's Cyber Daily, we look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff and we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web, to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to recorded future.com/intel to subscribe for free threat intelligence updates from Recorded Future, that's recorded future.com/intel and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:20:00] Major funding for the CyberWire podcast is provided by Cylance from the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 26th, 2018.

Dave Bittner: [00:02:32:14] Kromtech Security says an exposed MongoDB database has leaked information on roughly 25,000 individuals who had invested (or were considering investing) in the widely promoted Bezop cryptocurrency. The researchers, who said Bezop secured the database immediately upon notification of the exposure, report that the data included "full names, street addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver’s licenses and other IDs."

Dave Bittner: [00:03:06:21] Hyperoptic's H298N broadband home routers have a hardcoded root account and suffer from a DNS rebinding vulnerability. The problems affect personal data security; they also offer the prospect of widespread surveillance or distributed denial-of-service campaigns. Hyperoptic is a British ISP, but the vulnerable routers are made by ZTE, which will no doubt harden US Government resolve against lightening up on recent sanctions against the Chinese device manufacturer.

Dave Bittner: [00:03:40:13] HPE iLO-4 remote management interfaces are reported to have been hit with ransomware. Also known as HPE Integrated Lights-Out, iLO-4 is a management processor in some HP servers that enables administrators to remotely administer the servers. It's not yet clear if the threatened hard drives are actually being encrypted, but the ransom screens say the crooks want two Bitcoins to release affected files, adding reassuringly if implausibly, that the crooks need the money "for good cause." The ransom demand is composed in clumsy non-native English.

Dave Bittner: [00:04:18:09] The note says, firmly, that the two-Bitcoin price is non-negotiable. Non-negotiable, that is, unless you, the victim, are from Russia, in which case they're willing to talk. That reservation is a common one in the Russian underground, whose members have no wish to consign themselves to the ministrations of their country's police and security services. This story is still developing; we'll see how extensive the campaign is, and whether it's true ransomware, a wiper, or simply misdirection to cover some other caper.

Dave Bittner: [00:04:50:02] Trustwave says that Western Digital MyCloud EX2 devices are insecure, exposing users' data to anyone with an interest in obtaining it. The problem lies in the default settings that enable DLNA (that's Digital Living Network Alliance) streaming from a storage device. Instead of fixing the issue, Trustwave complains, Western Digital simply recommends turning off DLNA "if you don't want to use this feature."

Dave Bittner: [00:05:16:23] Hikvision has patched a vulnerability that exposes its cameras to remote control. It was an authentication problem that essentially made it possible to reach any camera through the hik-connect.com service. The researchers found it possible to see live video and playback from vulnerable devices, lock users out of their devices, take control of users' Hikvision accounts, or to add themselves as a shared user so the legitimate user would be unaware someone else was watching. Hikvision seems to have been commendably quick to respond to the bug disclosure. The vulnerability report was filed Saturday, and Hikvision had a fix out on Tuesday.

Dave Bittner: [00:05:57:12] We recently reported on compromised Magento content management systems, with at least 1,000 admin panels having been affected. Paul Burbage is a senior malware researcher at Flashpoint, where they have been researching the problem.

Paul Burbage: [00:06:12:17] Magento is a content management system built for e-commerce, and it powers several large to small mom-and-pop style stores on the Internet. You would want these websites to be secure, especially when people are conducting financial transactions as they are purchasing goods for sale on websites built with Magento. I was shocked to find out that these Magento website administrators are choosing poor passwords for security of these sensitive websites where financial transactions are occurring.

Dave Bittner: [00:06:41:08] And part of the issue here is that people are sticking with default passwords, is that the case?

Paul Burbage: [00:06:47:00] Yes, either that or really poor password setting. Not only, well, they're not unique through other compromised data sets, but the initial passwords that they're setting are also weak, not very complex passwords, or just utilizing the default password that comes with the initial installation.

Dave Bittner: [00:07:08:10] And so the adversaries were brute forcing these sites?

Paul Burbage: [00:07:13:16] Yes, that's correct.

Dave Bittner: [00:07:14:10] So, once they have control of the Magento admin panel, what happens next?

Paul Burbage: [00:07:20:11] You know, with any type of CMS website, be it WordPress, Joomla and Magento, Drupal even, once you have administrative access, you can upload files to that website, be it other PHP server-side code that runs back end on that web server. So it pretty much allows, once admin access is granted, full control over that website to execute arbitrary code. In this particular campaign we saw two attack vectors; the first one being a JavaScript redirect that not only sent victims to Coinhive to mine Monero cryptocurrency within the browser, but also another JavaScript redirect that presented users with a fake Adobe Flash Player upgrade notice.

Dave Bittner: [00:08:08:06] Tell me about this AZORult, is that how it's pronounced?

Paul Burbage: [00:08:12:20] I believe it's pronounced AZORult, but don't quote me. So AZORult Infostealer: the visitors are presented with an Adobe Flash Player upgrade notice, and once clicking on that "update now" button, the AZORult Infostealer malware was downloaded and executed on the victim's machine. Now AZORult Infostealer can harvest credentials on the system, everything from email clients to saved browser credentials, and it's also used as an initial loader itself, so one thing that the threat actors behind the AZORult Infostealer command and control can do is load additional malware on top of that. In this particular campaign they were loading Rarog cryptominer, which was another cryptominer hidden within Windows systems that also mined Monero.

Dave Bittner: [00:09:02:22] And in this case, the attackers were also taking some steps to avoid detection.

Paul Burbage: [00:09:06:15] As far as detection is concerned with most Monero miner crypto malware, you're going to have an element of being able to detect whether or not the system is churning out a great amount of resources. But with this particular attack, the Rarog cryptominer is meant to just kind of hide in the background and mine crypto coins, unbeknownst to the victim.

Dave Bittner: [00:09:31:19] And in terms of who they were targeting, did it seem like there were any particular groups that they went after?

Paul Burbage: [00:09:39:10] There have been some industry verticals as far as the initial Magento compromised websites are concerned, such as the healthcare and education sector. This was really just a luck of the draw as far as whomever was visiting those compromised websites, so it really wasn't any type of directly targeted water hole attack.

Dave Bittner: [00:10:00:07] That's Paul Burbage from Flashpoint. You can learn more about their research on compromised Magento sites on their website, it's in the blog section.

Dave Bittner: [00:10:10:22] CheckPoint and CyberInt say they've found new phishing tackle for sale on the dark web. The new kit, compiled and offered by a criminal whose nom-de-hack is "[A]pache," enables users to craft convincing emails and redirect sites that closely mimic branding elements of well-known firms. The kit seems to cater to Spanish-speaking criminal clients.

Dave Bittner: [00:10:33:22] The University of Toronto's Citizen Lab reports that Netsweeper technology is enjoying widespread use for online censorship in South and Southwest Asia. The governments of Afghanistan, Bahrain, India, Kuwait, Pakistan, Qatar, Somalia, Sudan, the United Arab Emirates, and Yemen are said to be using the technology to block content they find objectionable. According to Radio Canada International, Citizen Lab and Ontario-based Netsweeper have been at loggerheads before, with at least one lawsuit filed against Citizen Lab and subsequently withdrawn. Citizen Lab's objection to the filtering doesn't appear to be content-neutral, but is instead based upon its conclusion that the regimes it says are misusing the technology are doing so to block content that appears to be protected under various international agreements.

Dave Bittner: [00:11:25:00] A Chinese think tank mulls a Sino-Russian condominium in cyberspace and likes what it thinks it sees. The Director of the Center for Security and Development of Eurasia, China Institute for International Studies, said at a conference in Shanghai that it would be good if Russia and China got together to cooperate on "security" and "stability" in cyberspace, which could help avert cyber war. Moscow and Beijing probably do have similar views on what would constitute security and stability, but such a meeting of the minds might not commend itself to other parts of the world.

Dave Bittner: [00:12:01:19] Speaking of cyber warfare, US EC-130 Compass Call electronic warfare aircraft are said to be encountering "disabling" Russian electronic warfare, presumably jamming, as they operate over Syria. Breaking Defense quotes General Raymond Thomas, Head of US Special Operations Command, as having made remarks to this effect at the GEOINT conference.

Dave Bittner: [00:12:25:01] The US Air Force describes Compass Call as "an airborne tactical weapon system using a heavily modified version of the C-130 Hercules airframe. The system disrupts enemy command and control communications and limits adversary coordination essential for enemy force management. The Compass Call system employs offensive counter-information and electronic attack capabilities."

Dave Bittner: [00:12:48:22] Our military desk remembers Compass Call as a big, powerful flying jammer, a kind of electronic Bigfoot stumping around noisily over the battlespace, clobbering frequencies left, right, and center. When Compass Call was up and operating, Army units on the ground tended to shrug their shoulders and give up on tactical FM radio. Forget it, Jake. It's Compass Call. Our military desk trusts Compass Call has evolved into a more discriminating system.

Dave Bittner: [00:13:17:12] There's some dispute over whether the general said "EC-130" or "AC-130." The EC-130 is the dedicated electronic warfare ship. The AC-130 is a gunship, called variously Spectre, Spooky, Ghostrider and so on, depending on model and local custom. Armament on the later models includes a 30mm Gatling gun, a 105mm howitzer and various other launch systems and hardpoints. It's a night-flying truck-hunter that's seen a lot of use in the relatively benign airspace one usually encounters in counterinsurgency and counterterror operations. While it isn't an EW platform, the AC-130 does sometimes carry an electronic warfare operator as part of its crew, and it's possible the general may have meant Spooky and not Compass Call.

Dave Bittner: [00:14:06:08] Whatever's being jammed, the Russians have long had a reputation for capable electronic warfare, and it wouldn't be surprising if the ether over Syria is a tough place to work.

Dave Bittner: [00:14:21:24] I'd like to give a shout out to our sponsor, BluVector, visit them at bluvector.io. Have you noticed the use of fileless malware is on the rise? The reason for this is simple: most organizations aren't prepared to detect it. Last year, BluVector introduced the security market's first analytic specifically designed for fileless malware detection on the network. Selected as a finalist for RSA's 2018 Innovation Sandbox contest, BluVector Cortex is an AI-driven, sense-and-response network security platform that makes it possible to accurately and efficiently detect, analyze and contain sophisticated threats. If you're concerned about advanced threats like fileless malware, or just want to learn more, visit bluvector.io. That's B-L-U-V-E-C-T-O-R.IO. And we thank BluVector for sponsoring our show.

Dave Bittner: [00:15:25:04] And joining me once again is Jonathan Katz, he's a professor of computer science at the University of Maryland and also director of the Maryland Cyber Security Center. Jonathan, welcome back. We had a story come by from The Register, and they were talking about mathematical backdoors and encryption algorithms. This is a topic that comes up over and over again with privacy. What were they getting at here?

Jonathan Katz: [00:15:46:05] Well, in this talk, what they were basically showing was that these researchers were able to design an algorithm that, for all intents and purposes, looked secure but actually had a particular mathematical backdoor embedded in it that would then allow the researchers to break it. And this was meant to just be a demonstration about what could potentially go wrong with standardized cryptosystems, or any other cryptosystem that a researcher developed, that may look perfectly secure to an outsider but may have some secret backdoor embedded in it that would allow the researcher to then completely break security when it was actually used.

Dave Bittner: [00:16:21:05] To a researcher who was trying to determine whether or not there was a backdoor, it wouldn't have been readily obvious that there was one in there?

Jonathan Katz: [00:16:28:11] Exactly. So, number one, it wouldn't have been obvious that there was a backdoor at all, and so from the point of view of everybody else evaluating it, they would see nothing wrong with the proposal and they might even consider adopting it. And even if they suspected somehow that there was a backdoor, they wouldn't be able to figure out what that backdoor was, and so wouldn't be able to break it themselves.

Dave Bittner: [00:16:47:08] Is this the sort of thing that we've seen out in the real world where these sorts of things have been discovered?

Jonathan Katz: [00:16:52:16] So it's unclear. I mean, there were some suggestions by people a few years ago claiming that there was a backdoor in a pseudorandom number generator that had been standardized by the US Government. It definitely was the case that there could have been a backdoor there; whether there was or wasn't is kind of up for debate. But I think really, they're just demonstrating the potential for these backdoors to be present.

Jonathan Katz: [00:17:13:22] Now, one of the things I will say is that very often the US Government nowadays develops standards by public consensus or even by public competition. So, for example, the AES block cipher was designed by a public worldwide competition where anybody from all over the world could submit their algorithms, and these were studied and vetted by researchers, again, all over the world. And so while it's possible that one or more of the submitted algorithms had one of these backdoors present, it seems unlikely exactly because the submissions were coming from all over the world. Actually, the eventual winner was a European submission, not an American one.

Dave Bittner: [00:17:48:00] And one of the things the article points out, is that you can't prove a negative.

Jonathan Katz: [00:17:51:23] Yes, that's exactly right. It's very difficult, it's impossible really, without some kind of external evidence; if you had emails or you had some other evidence that this was going on, it would be very difficult to prove anything. On the other hand, I think the hope would be that somebody who studied an algorithm for long enough would be able to tell whether or not there was a backdoor, or there are other techniques that people can use to try to indicate that there's no backdoor present. So, for example, what some people do, if they're picking constants to feed their algorithm, they might choose them as the digits of pi, and the idea there is that, well, if you're choosing them as the digits of pi, then you clearly didn't have any influence into what those numbers were. So people are still thinking about ways to prove to others that they didn't do anything fishy in the design of an algorithm, but I guess there's always a back and forth there, and that always leaves open the possibility that something did actually go wrong.

Dave Bittner: [00:18:42:14] Yes, that's interesting. Alright, Jonathan Katz, thanks for joining us.

Dave Bittner: [00:18:49:12] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor, VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.

Jack Bittner: [00:19:11:07] The CyberWire podcast is proudly produced in Maryland, at the startup studio of DataTribe, where they are co-building the next generation of cyber security teams and technology. They also have yummy snacks. Our show is produced by Pratt Street Media with editor, John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe, and I'm Jack Bittner, thanks for listening.