The CyberWire Daily Podcast 5.2.18
Ep 590 | 5.2.18

New nation-state actors in cyberspace. SiliVaccine AV said to incorporate pirated code. Credential stuffing and password reuse. GravityRAT evades sandboxes. GDPR approaches.

Transcript

Dave Bittner: [00:00:00:18] If you visit our Patreon page at patreon.com/thecyberwire you'll see that at the $10 per month level you get access to an ad free version of our show. It's the same show just without the ads. Check it out. Patreon.com/thecyberwire.

Dave Bittner: [00:00:18:13] More nation-states acquire and use cyber capabilities. North Korea's SiliVaccine antivirus product appears to have pirated an old version of Trend Micro's scan engine. Despite warnings of credential stuffing, people still reuse passwords. GravityRAT now takes its victims' temperature. Many firms remain unprepared for GDPR. Questions arise about possible overpreparation by two of the biggest companies out there. And some dimwit has hacked a highway sign in Arizona. Congratulations, knucklehead!

Dave Bittner: [00:00:56:16] And now a few words about our sponsor Dragos, the leaders in industrial control system and operational technology security. In their latest white paper Dragos and OSIsoft present a modern day challenge of defending industrial environments and share valuable insights on how the Dragos OSIsoft technology integration helps asset owners respond effectively and efficiently. They'll take you step by step through an investigation, solving the mystery of an inside job using digital forensics with the Dragos platform and the OSIsoft PI System. Download your copy today at thecyberwire.com/dragos. That's thecyberwire.com/dragos D R A G O S. And we thank Dragos for sponsoring our show.

Dave Bittner: [00:01:55:09] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 2nd, 2018.

Dave Bittner: [00:02:07:14] It's unsurprising but worth noting: FireEye says more states are acquiring effective cyber capabilities and using them for espionage and other disruptive operations. Vietnam, in particular, is mentioned in dispatches.

Dave Bittner: [00:02:23:08] North Korea has had its own homegrown anti-virus product, SiliVaccine, for some time. Upon inspection it seems less homegrown than thought. Researchers at Check Point obtained a sample sent to a journalist as apparent phishbait. They concluded that SiliVaccine is built around a decade-old version of Trend Micro's scan engine, modified to ignore certain virus signatures, effectively whitelisting some DPRK attack tools. The sample was also bundled with malware from North Korean threat actor Jaku.

Dave Bittner: [00:02:57:24] The pirated AV product is associated with two concerns: Pyongyang Gwangmyong Information Technology and STS Tech-Service. Trend Micro points out, correctly, that the pirated code in no way affects their current products' security or reliability. The producers of SiliVaccine are thought to have obtained the old Trend Micro code from some third party.

Dave Bittner: [00:03:21:23] Why, one might ask, would one decide using a North Korean anti-virus product was a good bargain? For one thing, if one were among the relatively small number of North Korean Internet users, one might have little choice. It's unlikely that the Glorious Self-Reliant Software Kiosk at the Ever-Victorious Mall carries ESET, or Bitdefender, or Cylance, or Trend Micro, or Webroot, or Kaspersky. If you're not one of the DPRK's residents, you might not realize it was a DPRK-associated product. STS Tech-Service, for example, is an organization of unclear provenance. It's not to be confused, by the way, with STS Technical Services, an honest Wisconsin business that Glassdoor says is a pretty good place to work.

Dave Bittner: [00:04:07:14] Or you might be incautious enough to accept an emailed offer of "free antivirus." A lot of reputable companies offer free versions of their products to individuals as loss leaders. Who's to say this one isn't okay?

Dave Bittner: [00:04:21:19] And, finally, believe it or not, we've actually seen descriptions by apparently serious and not obviously insane people who've made the case on-line that North Korea might be a pretty good offshore option if you're looking for affordable coders. To which idea one can only say, Just Say No.

Dave Bittner: [00:04:39:04] Widespread concern about credential stuffing attacks has brought the problem of password reuse to the fore. But reuse continues unabated, according to a LastPass study: people reuse passwords because they're afraid they'll forget them. LastPass of course is in the business of selling password managers, so their results align with their business, but their point is a good one, and well-taken. The finding that personal passwords often get reused on business sites is particularly troubling. We're not sure this is much better than writing them down on a sticky note under your keyboard. In that case, at least, you know that your big threat is an evil maid attack. For the record, we don't recommend using sticky notes as password managers. But we do know it goes on.

Dave Bittner: [00:05:23:13] Piero DePaoli works with ServiceNow security group. They recently teamed up with the Ponemon Institute for a global cybersecurity study surveying over 3,000 people around the world. Piero DePaoli joins us to share the results.

Piero DePaoli: [00:05:38:15] Publicized data breaches are actually just a tip of the iceberg. You know, the beauty of getting to so many people in nine different countries around the world, you're able to really get a wide view of the market and what we found was that 48% of organizations who responded to our survey had had a data breach in the past two years. So just the things we're hearing about in the news is really just the tip of the iceberg.

Dave Bittner: [00:06:05:10] So one of the things that this report focuses on is patching and specifically the challenges when it comes to patching. Can you take us through some of the information you gathered there?

Piero DePaoli: [00:06:15:09] Yes, and really we came up with really three big themes around patching. The first is that the teams are overwhelmed. They're getting hit with so much data from so many different security tools and what we found is that 64% of the organizations who said that they were looking at hiring more people to go and solve the problem and on average those organizations are spending about 320 hours a week on vulnerability patching and they're looking to hire to get another 50% more capacity in that area. So if you have 320 hours a week is essentially eight full time people, you know, looking at adding another four.

Piero DePaoli: [00:07:00:07] The second was that a lot of the things they found around those processes were they were using a lot of manual process to do this work and so while they're looking at adding more people, they may be adding them to processes that are very manual in nature and so this may not actually help the problem. This is why we kind of call this patching paradox. Adding more people may not actually help.

Piero DePaoli: [00:07:22:03] And then the third is because of the big, you know, swath of people we're able to get to, we're able to cut that data by the organizations who were breached and organizations that were not. What we found is that of the organizations that were not breached, they rated themselves as being 41% better at patching vulnerabilities than the, the folks who were breached. And so we found that really being good at patching is one of the things that can really help reduce the organizations breach.

Dave Bittner: [00:07:52:22] And what did you discover in terms of feedback on, on why patching continues to be such a challenge for organizations?

Piero DePaoli: [00:07:59:19] A few different things. You know, if they're looking for more people they're struggling to hire. There's a great study from ISACA that shows that there will be a 2,000,000 people global shortage of cybersecurity professionals by 2019. When we got into the data and understand a little bit on why it's so hard, in many cases a security person is finding the vulnerabilities and it's somebody on the IT side in a parallel group that's actually doing the work for patching. And 73% of the respondents said that the security and IT teams don't have a common view of all allocations and systems and that 57% of them said that things were slipping through the cracks because they're using things like emails and spreadsheets to manage this whole process versus having a more robust system for doing so.

Dave Bittner: [00:08:45:07] So in terms of take homes and recommendations, what are you suggesting people do?

Piero DePaoli: [00:08:51:24] First is that you take a non-biased inventory of vulnerability response capabilities and look for some areas. We've got this great survey that kinda goes into a bunch of data. Look for places that are hitting home and from there you can move to number two, which starts to tackle some of the low hanging fruit like, you know, being a little bit better at vulnerability scanning and prioritization.

Piero DePaoli: [00:09:12:06] The third is, I mentioned that, you know, 73% of folks were not seeing a common view of applications on the systems between security and IT. We want to like, break down those silos. Make sure that those teams are able to actually access the same data and that will solve a lot of problems.

Piero DePaoli: [00:09:28:16] The fourth was, you know, optimize the overall response process. Document this thing end to end and then look for places within that process to potentially automate.

Piero DePaoli: [00:09:39:15] And then the fifth is that really by doing a lot of this stuff you can, if you're able to put things into a more easy to use process for employees, this can actually help retain the talent that organizations already have and if you create a bit of a high performance culture within a security team, and just given there's such a dearth of security talent, this will help not only maybe recruit new people to the organization, but maybe help retain folks because jobs elsewhere just won't look as exciting.

Dave Bittner: [00:10:08:20] That's Piero DePaoli. He's from ServiceNow. You can check out the results of their survey on their website.

Dave Bittner: [00:10:16:02] The GravityRAT Trojan, which has troubled India for months, has, according to Cisco's Talos research group, become more evasive, using CPU temperature changes to detect virtual machines used for sandboxing. Its origins are unknown, but some think signs point to Pakistan. CERT India says that GravityRAT has been used to stage targeted attacks.

Dave Bittner: [00:10:41:05] GDPR takes effect at the end of the month and a CompTIA survey suggests that more than half of US businesses are unprepared for the new European privacy and data protection law. Two companies that appear better prepared than most are Google and Facebook, but their preparations aren't much to the liking of either European regulators or the publishing industry. The regulators see the two big advertising and data collection giants as seeking ways of evading at least the spirit if not the letter of GDPR - especially with respect to Facebook's new approach to privacy. And publishing concerns like Conde Nast, Bloomberg, Hearst, and the Guardian complain that Google is effectively trying to offload its responsibility for obtaining consent to use personal data onto the publishers, while Google itself refuses transparency in its own use of data obtained through the publishers' use of Google services. This, the publishers complain, increases both their burden and their liability.

Dave Bittner: [00:11:41:17] And we'll finish with the pointless crime news of the day: Some loser in Arizona hacked a highway sign to display the words "Hail Hitler." We assume he meant heil. And we'll leave it as an exercise to speculate about why people do such things. Talk amongst yourselves, keep your eyes on the road, because distracted driving is always dangerous.

Dave Bittner: [00:12:09:05] I'd like to give a shout out to our sponsor BluVector. Visit them at bluvector.io. Have you noticed the use of fileless malware is on the rise? The reason for this is simple. Most organizations aren't prepared to detect it. Last year BluVector introduced the security market's first analytics specifically designed for fileless malware detection on the network. Selected as a finalist for RSA's 2018 Innovation Sandbox Contest, BluVector Cortex is an AI driven sense and response network security platform that makes it possible to accurately and efficiently detect, analyze and contain sophisticated threats. If you're concerned about advanced threats like fileless malware or just want to learn more visit bluvector.io. That's b l u v e c t o r.io. And we thank BluVector for sponsoring our show.

Dave Bittner: [00:13:12:17] And joining me once again is Justin Harvey. He's the Global Incident Response leader at Accenture. Justin, welcome back! You all have been seeing an uptake in credential harvesting activity, what can you share about that?

Justin Harvey: [00:13:24:16] Dave we work these complicated cases that involve thousands of machines. It's fascinating that some of the most simple attacks are still being perpetrated in the world and the one that we're seeing the most of is called Credential Harvesting. And the way it works is an adversary profiles an individual within a company and sometimes this individual is the CFO, it's someone that perhaps does accounts payable and, I might add, it's very easy to identify these people in organizations with tools like LinkedIn. You go in, you type in the company name, AP accounts payable, CFO, boom there they are and then there's a little bit of open source intelligence to find their email address.

Justin Harvey: [00:14:11:11] You find their email address and you send them a carefully crafted email that they're going to want to click on. Sometimes it is an association, sometimes it looks like it's from the personal email address of someone they know and it says click here or a document, or click here to find something else. So it tricks them into clicking that link, a link that looks very valid and it brings up a log in page. Now if you're doing it to a Gmail user you'll make it look like a Gmail log in. If you're doing it to a corporate user, you need to do a little bit of investigation, you can find out probably they have an Office 365 exchange, in which case you would make the, the log in page look like a Microsoft Office 365 login page, tailored right for that company.

Justin Harvey: [00:14:59:00] And many times the adversary will be able to figure out what that looks like because they'll type owa.companyname[.]com or they'll type email, that company name dot com and usually what will happen is, there's your Outlook web access page.

Dave Bittner: [00:15:12:11] Right.

Justin Harvey: [00:15:12:22] And it tricks people into going to this page and usually they change one or two letters. If it's an l they put a 1, if it's an I they'll put an l, things like that. When the user goes to there, they will type in their valid credentials because they think that there's been a problem with the system and they need to re-authenticate and then there's a blank page after that. By that time the cyber criminal has collected their username and password, maybe even takes that fake website down and then they could log in as that user.

Justin Harvey: [00:15:44:24] The next stage of the attack is usually a little bit more custom. We're seeing various abuses of their username and passwords. Sometimes it is stealing all of their email for blackmail, sometimes it is rerouting all of their emails to somewhere else. Sometimes it's even masquerading as that person and sending an instruction like the CFO instructing someone from accounts payable to pay a bill to this account member or even looking for new invoices that are coming in, getting the invoice, changing the account routing number to a foreign bank and submitting it via email to accounts payable.

Justin Harvey: [00:16:23:12] You might then think well doesn't the other person receiving that email know that the submitter's being impersonated and oftentimes they don't know. In these larger companies you might be in a completely different country than the submitter, but the request still looks legitimate. And to cover their tracks even further, an adversary will actually set up complicated or complex Outlook rules. If the accounts payable person does have a question, it gets routed to a hidden folder which then the adversary can say no this is real, please submit for sure ASAP and defraud these companies of funds.

Dave Bittner: [00:17:01:22] So it strikes me that the bad guys do this because it works. What are your recommendations for people to protect themselves from this?

Justin Harvey: [00:17:08:12] I believe most of the entrance of cyber crime and to threats it really revolves around the people. The stock answers I always give are better user awareness, better training of the users, better simulations. I just love those companies out there that are phishing simulations and they're almost gamifying it. How many months can you go without clicking on a phishing attack? So that's number one. It always starts with user education awareness.

Justin Harvey: [00:17:38:14] A second thing would be two-factor authentication Dave. I can't stress this enough. I am still encountering large scale institutions that do not have two-factor enabled and it is critical at least for your email, at least for your VPN, at least for your virtual desktop that you enable two-factor. Now I know that two-factor may not be the easiest thing to implement, meaning that there are dependencies and there's software you need to do and there's roll outs, but if I were a listener out there today and hearing this and I didn't have two-factor and I had responsibility for this, that would be the next thing I would do. Pick up the phone and get a two-factor solution for your critical services to begin with and then try to proliferate it as necessary.

Dave Bittner: [00:18:26:11] Good advice as always, Justin Harvey. Thanks for joining us.

Justin Harvey: [00:18:29:09] Thank you.

Dave Bittner: [00:18:34:10] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence visit cylance.com. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:18:56:12] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.