The CyberWire Daily Podcast 4.30.18
Ep 588 | 4.30.18

Bank hack in Mexico. FacexWorm goes cryptomining. SamSam's volume discount. Influence ops. Researchers confirm that teams use teamwork.

Transcript

Dave Bittner: [00:00:03:22] An attempted banking hack in Mexico. Hidden Cobra gets busy around diplomacy. The FacexWorm adds cryptomining functionality. SamSam ransomware looks to capture entire enterprises. A Sunday Times investigation finds that Russian Twitterbots tried to swing British voters toward Labour. The US House Intelligence Committee has released its report on influence operations during the last US Presidential election and researchers find that teams and committees are different things.

Dave Bittner: [00:00:38:15] And now a few words about our sponsor, Dragos. The leaders in industrial control system and operational technology security. In their latest white paper, Dragos and OSIsoft present a modern day challenge of defending industrial environments and share valuable insights on how the Dragos OSIsoft technology integration helps asset owners respond effectively and efficiently. They'll take you step by step through an investigation, solving the mystery of an inside job using digital forensics with the Dragos platform and the OSIsoft pi system. Download your copy today at thecyberwire.com/dragos. That's thecyberwire.com/dragos D R A G O S. And we thank Dragos for sponsoring our show.

Dave Bittner: [00:01:37:12] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 30th, 2018.

Dave Bittner: [00:01:49:03] At the end of last week, hackers made a raid on Mexico's banking transfer system. Three banks are said to have been affected: Banco del Bajio SA, Bancomext, and Grupo Financiero Banorte. They experienced unspecified difficulties in connecting to Mexico's central bank through SPIE, the country's interbank electronic transfer system. The attack seems to have been contained. The banks quickly shifted their connections to an alternative contingency system, but details still remain sparse.

Dave Bittner: [00:02:21:09] Hidden Cobra, the North Korean cyberespionage unit, has recently exhibited a higher level of activity. Observers expect this. Increased espionage often accompanies periods of high-stakes diplomatic interaction, like the recent North and South Korean summit, and projected meetings between DPRK leader Kim and US President Trump. While the US Department of Homeland Security has also recently warned of the reappearance of destructive wiper malware wielded by North Korean actors, the spike in cyber operations seems largely motivated by wide-ranging espionage interests. That, and, of course, the prospect of theft, never to be overlooked when considering Pyongyang's straitened finances and the means it uses to redress its shortfalls.

Dave Bittner: [00:03:08:09] Trend Micro offers an update on the FacexWorm, which researchers have been tracking since last year. The malware has picked up new, cryptomining functionality. It circulates as a malicious Chrome extension and now both installs a cryptominer in victim devices and redirects users to sites hosting various cryptocurrency scams.

Dave Bittner: [00:03:32:03] Estimates of the cost of the Atlanta ransomware attack have now risen above $5 million, which should be more than enough to scare any municipal government straight. SamSam, the ransomware that so badly infested Atlanta's networks back in March, appears to be moving toward a fresh target set, with signs that it may now be going after corporations. In doing so, the SamSam masters are exploiting known vulnerabilities in addition to the more common phishing and social engineering approaches. They seek to infect machines across an entire enterprise, and then offer a "volume discount." You can get your data back for the low, low price of $45,000 in Bitcoin. Why the discount is pegged at $45,000 no one seems to know. Researchers at security firm Sophos guess that the figure might fall below some reporting threshold, but they freely admit they're in the dark themselves.

Dave Bittner: [00:04:28:00] The range of devices being wired up to the Internet continues to grow quickly, to the point where it can be challenging to wrap your head around the scope of the issue. It's a big attack surface made up of lots of devices of all sizes, from industrial control systems to consumer electronics and toys. Dan Lyon is a Principal Consultant at security firm Synopsys and he joins us to share his view on IoT security.

Dan Lyon: [00:04:54:00] I don't know that anybody fully grasps the full scale of connecting all of these systems to the Internet and just all of the different threats and risks that that exposes across the Internet. So I would say we're still learning about that. People are still coming to terms with it. It's immature from the perspective of other systems that have gone through this, such as financial systems, web systems. We went through this ten years ago or more. We went through it with mobile apps and now we're starting to go through it with IoT devices.

Dave Bittner: [00:05:28:19] And so where do you think successful pressure is likely to come from? Is this a situation where we need regulation or are people going to gravitate towards the safer devices just through market forces?

Dan Lyon: [00:05:41:23] I think that regulation is the only thing that has shown itself to be truly effective. Self-regulation is really slow and I don't believe that self-regulation drives the same types of behaviors, because of all of the trade offs that need to happen, you know, time, cost, schedule. In an ideal world, the market forces would drive this, but it's too complicated, I think, for market forces to truly drive.

Dave Bittner: [00:06:13:15] And I remember when I was a kid, my grandfather pulling me aside and showing me on a box for a portable radio, he said, "Look, this box has this UL listing sticker on here and that means that it's been tested. The electrical systems in here are safe." Do you think that push to have something similar to UL, perhaps even UL themselves, is something that could be effective?

Dan Lyon: [00:06:39:17] So, I think that's a great analogy. I think it has some promise in terms of pushing some change in the industry, which I would argue some change is better than perfect change. But I think what's different with security, when you're talking about electrical safety, you're coming down to ultimately the laws of physics. How do electrical signals work? What are the laws of physics that govern those? You can do more analysis that holds up longer on that type of system than you can on security, where security is definitely not governed by the laws of physics and is changing at a very rapid rate. We don't learn about new laws of physics that need to be incorporated into the UL electrical safety standards, but we learn about new security things every day that need to be reviewed and understood and possibly introduce a new design consideration that has to be accounted for.

Dan Lyon: [00:07:42:05] One of the problems with IoT, I think, is that the use is so pervasive across multiple organizations. You've got the large global organizations that have resources that they can bring to bear to help this problem for them. They can bring staff on, they can hire staff, they can pay for third-party testing. But if you start to look at smaller organizations, they don't have those same resources. They don't have the staff, they don't have the skills, they don't have the budgets to hire those people. They can hire third-parties to help them assess things that they may want to bring into their networks, so that's one view of the risk. They can start to look at maybe the provenance of how these devices are created. That's going to vary depending upon the maturity of the manufacturer that they're building these from.

Dan Lyon: [00:08:36:09] So I think it's kind of a combined approach, looking for those things they can do such as third-party assessments on off the shelf things and then they can work to identify and develop compensating controls. They can work together to try to drive change into the manufacturers and make sure that the manufacturers are building secure devices by design, so that the risks are reduced when they purchase them. And that's going to require working together as groups, working across industry, to drive that type of change, to make sure that it's a viable purchasing consideration.

Dave Bittner: [00:09:14:16] That's Dan Lyon from Synopsys.

Dave Bittner: [00:09:18:23] There are some senior leadership changes among the Five Eyes. In the UK, Home Secretary Amber Rudd has resigned over the Windrush immigration scandal. Sajid Javid will succeed her as Home Secretary. And in the US, former Director of Central Intelligence Mike Pompeo has been confirmed as Secretary of State.

Dave Bittner: [00:09:40:11] Investigations into Russian influence operations targeting British elections show some notable Twitterbot activity mounted in the interests of Labour leader Jeremy Corbyn. An inquiry by the Sunday Times finds that a significant number of bogus accounts run, apparently from Russia, sought to amplify Labour talking points and, in the Times' view, swing the election toward Corbyn's party. Labour has retorted that remarks by Russia's embassy in London show that, in fact, Moscow preferred a Tory victory. Thus influence operations continue to lend themselves to divergent partisan interpretation. That remains true in the US as well, where the House Intelligence Committee's report on the 2016 election elicits reactions that break down along party lines.

Dave Bittner: [00:10:26:15] Essentially, the conclusions hold that the Russian government did indeed seek to interfere with the election, but that there's no serious evidence of collusion with those efforts on the part of the Trump presidential campaign. Democrats say it's not over and that there's more to be looked at. Republicans are raising eyebrows over possible improprieties on the part of former Director of National Intelligence Clapper, which Democrats maintain were nothing more than legitimate engagement with a news organization, in Clapper's case CNN, which has lent the matter its name: Clapper to Tapper.

Dave Bittner: [00:11:00:13] Let us move to academic cyber competitions and consider a result researchers obtained by watching the National Cyberwatch Center's Mid-Atlantic Collegiate Cyber Defense Competition in the spring of 2017.

Dave Bittner: [00:11:12:24] The researchers, which included experts from the Army Research Laboratory's Cyber and Networked Systems Branch at Aberdeen Proving Grounds, and National Cyberwatch Center, and Carnegie Mellon University, found that teams worked better when they functioned as teams. That is, teams as opposed to committees or communities. As they put it, "Functional specialization within a team and well-guided leadership could be important predictors of timely detection and mitigation of ongoing cyber attacks."

Dave Bittner: [00:11:43:21] Anyone disposed to take the "team" metaphor seriously will be unsurprised. Teams, whether athletic or military, are characterized by clear, distinctive roles among their members. Think of the different functions in a football or baseball team. A football down begins, for example, when the center snaps the ball, and there's no need to discuss, in the huddle or on the line, whether a tackle, guard, or tight end should really be doing that, nor what's actually involved in the snap. That's what we've heard from our Sports Desk, at any rate.

Dave Bittner: [00:12:14:01] Similar observations could be made about any athletic team. They could also be made about small military units. An artillery section, for example, has clear responsibilities assigned to each cannoneer when it occupies a firing position. The gunner, the assistant gunner, the number one and number two cannoneers and so on, all have very specific roles and their section chief is in charge. Or so we've heard from our Gunnery Desk.

Dave Bittner: [00:12:41:18] All of these cases are noteworthy for their susceptibility to improvement through drill, and they're also noteworthy for the team's ability to work without discussion or constant direction. Observing the collegiate competition came to the same conclusion: the winning teams were the ones in which the members knew and did their jobs, usually without needing to turn away from their keyboard. In fact, the researchers said, "Face-to-face interactions emerged as a strong negative predictor of success." That is, chit-chat, waffling, and negotiation, or waiting to be told to do something—these things are bad.

Dave Bittner: [00:13:17:04] It's sometimes said by unreflective coaches, sportscasters, and company grade officers, that good teams don’t think. That's not true. They think a lot. But they do it in advance and they reduce their thinking to practice.

Dave Bittner: [00:13:32:22] Congratulations, by the way, to the University of Maryland's CyberDawgs, which were what the researchers called a "purposive social system." They won because, as Ars Technica's headline writers put it, "They shut up and work."

Dave Bittner: [00:13:51:02] I'd like to give a shout out to our sponsor BluVector. Visit them at bluvector.io. Have you noticed the use of fileless malware is on the rise? The reason for this is simple. Most organizations aren't prepared to detect it. Last year, BluVector introduced the security market's first analytic specifically designed for fileless malware detection on the network. Selected as a finalist for RSA's 2018 Innovation Sandbox Contest, BluVector Cortex is an AI driven sense and response network security platform that makes it possible to accurately and efficiently detect, analyze and contain sophisticated threats. If you're concerned about advanced threats like fileless malware, or just want to learn more, visit bluvector.io. That's bluvector.io. And we thank BluVector for sponsoring our show.

Dave Bittner: [00:14:54:17] Joining me once again is Robert M. Lee. He's the CEO at Dragos. Rob, welcome back. I saw recently on Twitter you made some comments about regulation in the electrical sector. Specifically about the difference between regulation and incentives. Take us through what you're getting at here?

Robert M. Lee: [00:15:11:00] Regulations can set a good base for what we expect to be done, either programmatically or performance based, on what actions and minimum standards we want companies to comply with. And across the years, electric grid, they've been doing that for over a decade now, with the NERC-CIP regulations and they do set a strong base standard of what we want to see. Like, two form authentication for communications into a control center. The problem though is that regulations only can apply to a past state that we're interested in. In other words, it's not good at predicting where we need to be. It's not good about allowing innovation. It's saying hey, here's what we have perceived to be a good base previously. Let's work towards that.

Robert M. Lee: [00:15:53:22] This is ultimately a good thing, but we must understand that regulations can't regulate out the human adversary. Regulations themselves can't protect us. They can just apply sort of a base level of defensibility and opportunities for defenders. And in that way I think that some industries could still do with some regulation, like who regulates for them? But there are decentralized industries where that might make sense. But in certain industries where it's much more centralized and are community driven and maybe even that we've already had regulations, we need to open up for incentives instead. In the case of the US electric sector, I testified in front of the Senate that we needed to take a pause for a while. New regulations in the power sector come out every three or four years and that creates an extreme pressure of the companies to keep up with regulations instead of focusing on new innovative ways to do security, and it would beneficial to take a three to four year period where we stop coming out with new regulations, allow the companies to do anything for security that they deem appropriate for their companies, and then have those lessons learned and extract out best practices from that, instead of just trying to focus on regulation.

Dave Bittner: [00:17:04:19] Thinking of the political incentives here that if I'm a politician, it's easier for me to get hit by saying why didn't you regulate these people? Why did you just let them run free and do whatever they wanted to do?

Robert M. Lee: [00:17:15:16] That's actually exactly why this all happens. I've talked to just about everybody in this discussion in terms of like, sides of the conversation from the government to regulators to asset owners and that is entirely what it comes down to usually. Like, we know that the regulations have been good, but nobody wants to be the person that suggests less regulations. The power company doesn't want to say hey, you know what? We've kind of exhausted this, because then they don't look willing to move the needle. And the government want to say yes, let's take a break on this because if a cyberattack happens they look like a weak administration, a weaker party on taking action for security. The regulator doesn't want to not do regulations, because those regulators are generally political appointees and they're only there for three to four years. The idea of not doing anything for three to four years looks very bad on them and their party, and this was their opportunity to get involved and try to influence change.

Robert M. Lee: [00:18:11:05] So, it's a tricky subject because, quite frankly, everybody is incentivized to do regulations whether or not they do anything for anybody. I think they have been beneficial, to be honest. Our power grid is much better off than what it was a decade ago, but there is a time to say, okay folks, let's work towards programmatic regulation or let's work towards incentivizing through tax credits or programs from the government to find new best practices and innovation and security that's going to be cool and exciting and helpful, instead of check boxes.

Dave Bittner: [00:18:53:24] Alright. Interesting stuff. Robert M. Lee, thanks for joining us.

Dave Bittner: [00:19:00:14] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor VMware, creators of workspace ONE intelligence. Learn more at vmware.com.

Dave Bittner: [00:19:22:24] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:19:32:09] Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.