Payment system hack investigated. Patch weaponization. Medical zero-days for sale. Responsible disclosure. Bad bots attack. Car hacking. Trends in phishbait.
Dave Bittner: [00:00:00:00] Payment system intrusions are investigated in Mexico. Medical zero-days are for sale, and not on the black market. SamSam continues to spread. What to look for in bad bots. Patched vulnerabilities are being weaponized at higher rates. Proof-of-concept car hacking demonstration shows in-vehicle infotainment system vulnerabilities. And when you see these phishbait phrases in an email subject line, be sure to spit the hook.
Dave Bittner: [00:00:36:19] And now a few words about our sponsor Dragos, the leaders in industrial control system and operational technology security. In their latest white paper Dragos and OSIsoft present a modern day challenge of defending industrial environments and share valuable insights on how the Dragos OSIsoft technology integration helps asset owners respond effectively and efficiently. They'll take you step by step through an investigation, solving the mystery of inside job using digital forensics with the Dragos platform and the OSIsoft pi system. Download your copy today at thecyberwire.com/dragos. That's thecyberwire.com/dragos D R A G O S. And we thank Dragos for sponsoring our show.
Dave Bittner: [00:01:35:14] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 1st, 2018.
Dave Bittner: [00:01:48:13] Mexico's central bank continues its investigation into a possible cyberattack against payment systems. Connections between the central bank and three financial institutions - two banks and a brokerage - appear to have been disrupted in a cyber incident. Again, the central bank itself believes it was unaffected and the three institutions are thought to have swiftly contained the attack.
Dave Bittner: [00:02:12:23] Here's a story that shows both the worrisome dual-use nature of testing tools and the very divergent perspectives on researchers' disclosure practices. Moscow-based security firm Gleg, which BoingBoing breathlessly calls a "cyber arms dealer," offers an annual subscription service with which customers receive zero-days for healthcare-related software. The annual subscription charge is four-thousand dollars.
Dave Bittner: [00:02:39:23] Gleg offers at least three different subscription packages. "Agora" consists of zero-days for general-use web software. "SCADA+ Pack" has exploits for industrial control systems. And "MedPack," of course, holds vulnerabilities in software used by hospitals. An annual subscription gets you twenty-five exploits, most of them zero-days.
Dave Bittner: [00:03:02:08] Motherboard points out that the zero-days are marketed for use in conjunction with penetration-testing, specifically with security Canvas tool. This isn't a black market operation, but it does highlight the very different perspectives circulating concerning disclosure of vulnerability research. Gleg's Yuriy Gurkin gave their perspective on proper practice in an email to Motherboard, as he put it, "To disclose is not an obligation."
Dave Bittner: [00:03:31:06] So, a question for the industry: would well-structured, well-compensated bug bounty programs effectively induce brokers like Gleg to participate in them, or would they simply fuel the digital equivalent of a bandit economy, maybe moderated with some inflationary pressure on the bandits?
Dave Bittner: [00:03:51:12] SamSam ransomware continues its malign spread, rapidly propagating copies of itself across targeted enterprises. The goal is to infect as many devices in an enterprise as possible, and then offer a volume discount on the decryptor, which they hope the victim will fork over. SamSam really did give the city of Atlanta fits, and those fits have proven both expensive and enduring.
Dave Bittner: [00:04:16:21] Distil Networks' 2018 Bad Bot Report is out. The company's research finds that account takeover attempts jump by roughly 300% in the wake of a major, publicly announced breach. So here's not only news you can use, but a way of using the news. Distil's Senior Director of Security Research, Anna Westelius, puts it this way in the company's announcement: "Every time a breach comes to light and consumer credentials are exposed, any business with a login page should prepare themselves for a swell of volumetric credential stuffing attacks."
Dave Bittner: [00:04:52:14] Some of their specific findings are interesting. About half of the account takeover attempts Distil saw were volumetric credential stuffing attacks. These bad-bot attempts look like a fast spike in requests. The other half are harder to recognize, what the researchers call "low and slow credential stuffing and credential cracking." About a fifth of the attacks Distil analyzed were preceded by a small test round a few days before the main event. Such a test should show up as a deviation from the customary baseline of failed logins. And when do the bad guys hit? On Fridays and Saturdays, probably because they expect security personnel to be likelier to be off on those days.
Dave Bittner: [00:05:35:19] Phishing emails often find success in imitating popular well known brands, fooling the email recipient into thinking they've received a notice or important message from a brand they trust. There's an organization working on making it harder for the bad guys and gals to do this with a system they call BIMI, Brand Indicators for Message identification. Patrick Peterson is Executive Chairman and founder of Agari and he helps us understand what BIMI is all about.
Patrick Paterson: [00:06:04:15] Over the last decade a band of kind of pioneers has come together and the first thing they did was they brought us DMARC - Domain-based Messaging Authentication and Conformance and that solved the first half of the problem which is how do I actually know that that email from Agari or Aetna or Groupon is really from them and this next step is now going to beyond getting rid of the phishing and the spoofing to actually put trust back into email, to actually allow you, when you wake up in the morning, to know, is that message really from my healthcare provider or my daily deals offer.
Dave Bittner: [00:06:38:18] And so take us through how it works. As an email user what would be different for me?
Patrick Paterson: [00:06:43:15] This assumes that DMARC is the base layer and we actually know that the message from Groupon is in fact authentic. Then BIMI comes in and what it changes for the end user is instead of looking at their email and seeing their offer from Groupon, they now see a trust indicator. They see the Groupon brand, both when they look at a list of message to click on and then when they click on the message they see in a reserved space that only the email client can put it there, so the bad guys can't place any kind of logos or trust marks there. They see the Groupon logo.
Patrick Paterson: [00:07:16:02] And so now they know they can engage safely, they know it comes from a trusted party and our research and experience says this is going to dramatically increase the level of engagement over email, the brand trust and revenue for people who are sending email. It's also going to make us safer as well.
Dave Bittner: [00:07:33:22] And in terms of the standard that you are all developing, this is an open standard?
Patrick Paterson: [00:07:38:07] Absolutely. DMARC and BIMI, the two of them together are both open standards, royalty free, anyone on the planet can implement them and folks like Agari, Oath, Aetna, and Groupon have made sure that all these contributions will be available for anyone as an open standard.
Dave Bittner: [00:07:56:02] And what's your progress so far? Do you have buy-in from both the folks who make the email clients and from brands?
Patrick Paterson: [00:08:04:02] We do very much so, and so the last two years has really seen us in the lab on those Internet mailing lists coming up with standard itself and the organizations who have been involved in that have been organizations like Microsoft, Google, Oath which represents Verizon, AOL, and Yahoo, as well as some of the big brands also. What's happened in the last couple of weeks is we've done the first pilot. You know, basically we've sat around and said we're designing the car, we've done the drawings, we've done the modelings, we've done the wind tunnel testing. You know, we're really not going to learn more about this car design until we take it out for a couple laps on the track. And so this BIMI pilot with Oath, Groupon and Aetna are really those pilot laps where we're actually testing for vibrations, you know, seeing if there's things that we couldn't think of in the lab and we think that will be a key point of proof for some of those larger players who have been very active in the standards development, to actually start their pilot activities as well.
Dave Bittner: [00:09:01:00] Yes, I can imagine with email having been problematic for so long that you're going to run into a lot of people who are skeptical. When people push back on you what kinds of things are they saying?
Patrick Paterson: [00:09:11:05] So, I think one of the most common misconceptions is if this has not been designed securely. Part of that is just a misconception, part of that is there were some earlier versions that were first sketchy prototypes that may not have had all the security considerations. The BIMI group has gone through with it and ensured that in order for you to display your logo you have to prove you are who you say you are, you have to prove the logo is yours and then there are various cryptographic and secure methods to ensure your logo can be fetched and applied to your brand.
Dave Bittner: [00:09:42:21] And in terms of vetting the process, the security behind the scenes, what's that process been like?
Patrick Paterson: [00:09:49:18] The first thing is we've actually introduced a new authority for the Internet, for the standard, it's called the Mark verifying authority, quite analogous. You know, if want to see a web certificate for Agari, we have to go get our HUTVS certificate by proving we own agari.com and we are actually legally the Agari entity. Similarly, Groupon reaches out to a mark verifying authority and says we are Groupon, we do own these logos and we do own these domains. And then the mark verifying authority verifies that in a secure but lightweight process and they bind those three things together, Groupon, Groupon domains, like groupon.co.uk and their logos.
Patrick Paterson: [00:10:31:13] Then when they publish those with cryptographic security and the ISP is verified using DMARC, this is truly from groupon.co.uk they can fetch the logo and display it securely. And there's more on the BIMI website, but that's really the overview of how it works and why we think it's going to be quite secure.
Dave Bittner: [00:10:50:18] That's Patrick Peterson from Agari. You can learn more and sign up for their data at brandindicators.org.
Dave Bittner: [00:11:00:11] Hackers are actively scanning for vulnerable Oracle WebLogic Servers, patched earlier this month. The patch proved incomplete and the vulnerability was weaponized with unusual speed.
Dave Bittner: [00:11:12:21] The recently patched Drupal vulnerability CVE-2018-7602 was also swiftly weaponized, and is being actively exploited in the wild.
Dave Bittner: [00:11:23:13] It remains to be seen whether these two cases represent a new normal in weaponization rates, or if this is just an unfortunate anomaly. We hope it's the second.
Dave Bittner: [00:11:34:17] Researchers at Computest report proof-of-concept hacking of in-vehicle infotainment systems in the Volkswagen Golf GTE and the Audi A3 Sportback. There's no suggestion that attackers could pivot to vehicle controls, but they could gain information about the vehicle's movements.
Dave Bittner: [00:11:53:17] And finally, what's the best fishing bait? Here around the Chesapeake, it's usually clams, sandworms, eels or menhaden but the phishing experts from Tampa, KnowBe4, yesterday published their quarterly top ten phishbait email subject lines: "Staff Review 2017," was popular, as was "UPS Label Delivery," with the very specific label identifier "1ZBE3112TNY00015011." Don't worry, you don't have to remember those numbers, but it's interesting that they came up ten percent of the time. Here's another ten-percenter, the saucy "Company Policy Update for Fraternization," and if that don't fetch 'em, I don't know Arkansas, or any other workplace, right? Some of the significant also rans were "Revised Vacation and Time Policy" "Urgent Press Release to All Staff," "Deactivation of email in Process, "Please Read: Important from HR," and the more hopeful, "W-2," which popped up thirteen percent of the time.
Dave Bittner: [00:12:58:02] And the number one phishbait edging out "Change of Password Required Immediately" which came in at a distressingly high 20%, was "Delivery Attempt Was Made". So read 'em and weep friends, but don't open 'em.
Dave Bittner: [00:13:17:10] I'd like to give a shout out to our sponsor BluVector. Visit them at bluvector.io. Have you noticed the use of fileless malware is on the rise, the reason for this is simple. Most organizations aren't prepared to detect it. Last year BluVector introduced the security markets first analytics specifically designed for fileless malware detection on the network. Selected as a finalist for RSA's 2018 innovation sandbox contest, BluVector Cortex is an AI driven sense and response network security platform that makes it possible to accurately and efficiently detect, analyze and contain sophisticated threats. If you're concerned about advanced threats like fileless or just want to learn more visit bluvector.io. That's bluvector.io. And we thank BluVector for sponsoring our show.
Dave Bittner: [00:14:20:09] And I'm pleased to welcome back Emily Wilson. She is the Director of Analysis at Terbium Labs. We had some news come in back in March about some takedowns on Reddit. It had relations to the dark web. Can you take us through what's going on here?
Emily Wilson: [00:14:36:14] At the end of March Reddit decided to enforce some of its existing policies and make it clear where it stands on some of the elicit communities that had been operating on these subreddits, these communities on Reddit for years now frankly. Everyone who is even tangentially involved in the dark web knows that a lot of these discussions take place in the open and were taking place on Reddit, and frankly it's a little surprising it took them this long to shut it down. But Reddit was a big source of information for not only security researchers, but also law enforcement professional, academic researchers.
Emily Wilson: [00:15:13:06] What Reddit did is they went in and shut down, and by shut down I don't just mean blocked new posts but actually closed out and locked communities related to not only to the dark web but also sex work and other activities they deemed inappropriate for their users. And so these communities where people were sourcing information, people were discussing scams and fraud and forgery schemes, people were buying and selling and reviewing drug purchases, these are all gone now. They're no longer on Reddit.
Dave Bittner: [00:15:46:11] And so when you say gone, does that mean the archives are gone as well?
Emily Wilson: [00:15:50:03] The archives are technically gone, yes. There have been a couple of sources circulating of people who had copies or access to copies, different archiving functions that had been used previously, but yes there was a big loss there, not only for some of the more ridiculous things we've seen over the years, but also a lot of the institutional knowledge building that was taking place there on Reddit.
Dave Bittner: [00:16:14:06] And I suppose, I mean, this is the old supply and demand thing. If Reddit shuts these down, would we expect they're just going to pop up somewhere else? Have they already popped up somewhere else?
Emily Wilson: [00:16:23:21] They have already popped up somewhere else. In fact, this will be of no surprise to anyone. The dark web really is like a hydra in that sense. You cut off a head and another one, sometimes two pops up. There was a smaller on-line community that was set up before the Reddit takedowns that has seen a huge influx in users. It went from, you know, a few hundred to a few thousand to now over 10,000 just in the past few weeks and that's registered users. You can view the site openly without registering. So I'm sure the actual traffic is significantly higher.
Dave Bittner: [00:16:57:04] It's interesting to me that from a law enforcement point of view, does this move these folks farther underground? Does it make it harder to, to keep tabs on what they're up to?
Emily Wilson: [00:17:08:11] It's an interesting question. I would say that I'm sure there are new struggles, but I'm guessing there are also benefits and opportunities here as people scrambled to re-establish themselves as they try to figure out what's going on, as they contact each other figuring out where things have moved. I think if you're in the right place at the right time this could be good for you.
Dave Bittner: [00:17:28:07] All right. Emily Wilson, thanks for the information. As always, good to see you.
Dave Bittner: [00:17:37:08] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence visit cylance.com. And thanks to our supporting sponsor VMware creators of Workspace One intelligence. Learn more at vmware.com.
Dave Bittner: [00:17:59:06] Don't forget to check out the Grumpy Old Geeks pod-cast where I contribute to a regular segment called Security Huh! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the podcasts are listed and check out the Recorded Future pod-cast which I also host. The subject there is threat intelligence and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:18:27:19] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.