The CyberWire Daily Podcast 5.24.18
Ep 606 | 5.24.18

VPNFilter and battlespace preparation. XENOTIME may be back, and after industrial systems. GDPR updates. Following Presidential Tweets.

Dave Bittner: [00:00:03:20] VPNFilter, described by Cisco's Talos research unit, looks like battlespace preparation for Fancy Bear. The FBI may have succeeded in impeding its operation. Dragos describes XENOTIME, the threat actor behind the TRISIS industrial safety system attacks, and they say we can expect them back. GDPR is coming tomorrow, and a company has found a way of letting worried CISOs sleep at night. And your right to follow theRealDonaldTrump on Twitter has now been secured by the US Federal Court for the Southern District of New York.

Dave Bittner: [00:00:45:18] Now a moment to tell you about our sponsor ThreatConnect. ThreatConnect will be an exhibitor at the upcoming Gartner Security and Risk Management Conference, being held at National Harbor, beginning June 4th. Adam Vincent, ThreatConnect CEO will lead a discussion focusing on cyber service-oriented architecture, a modern service-enabled security stack, communications plan and an analysis layer, positioned to support critical security decisions at speed.

Dave Bittner: [00:01:19:06] Vincent will be joined by members of the JP Morgan Chase Security Team. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. The pioneer in threat intelligence platforms, ThreatConnect provides organizations a powerful cyber threat defense and the confidence to make strategic business decisions. With ThreatConnect your team works as a single cohesive unit, reinforced by a global community of peers. Visit ThreatConnect at booth number 227 at Gartner Security and Risk Management. We thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:02:11:00] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 24th, 2018.

Dave Bittner: [00:02:23:21] Cisco's Talos research unit yesterday reported its discovery of VPNFilter, a modular and stealthy attack that's assembled a botnet of some 500,000 devices, mostly routers located in Ukraine. There's considerable code overlap with the BlackEnergy malware previously deployed in attacks against Ukrainian targets, and the US Government has attributed the VPNFilter campaign to the Sofacy threat group, a.k.a. Fancy Bear, or Russia's GRU military intelligence service.

Dave Bittner: [00:02:56:19] It's believed that VPNFilter has been quietly out there for nearly two years. Its precise infection mechanisms aren't entirely clear, but consensus holds that it established itself by exploiting known vulnerabilities left unpatched, and by gaining its entry into devices by taking advantage of weak or default passwords.

Dave Bittner: [00:03:17:24] The malware is regarded as sophisticated. It can use any one of three redundant means of communicating with its command-and-control servers: through the Photobucket photo-sharing site, through a hardcoded domain, ToKnowAll[.]com, and finally, if all else fails, a fallback direct connection from the attackers to the compromised device itself.

Dave Bittner: [00:03:40:03] Cisco notes that the malware moves through a three-stage process. In stage one VPNFilter installs itself in such a fashion as to survive device reboots and to discover the IP address of the stage two deployment server. In stage two it downloads malware to the affected device. That malware can collect and exfiltrate files and data as well as manage the device and execute code on it. Stage three involves installation of plug-ins. Researchers have analyzed two of them: one sniffs and collects traffic passing through the device, and the other enables communication via the Tor network. Researchers believe it likely that VPNFilter has more stage three plug-ins that have yet to be isolated and analyzed. Thus the malware has complex functionality, and the ability to carry any number of malicious payloads.

Dave Bittner: [00:04:31:16] One interesting capability is destruction of infected devices, although researchers believe this is probably intended for use once VPNFilter's cover is blown. The devices affected include routers from Linksys, MikroTik, Netgear and TP-Link. It also affects QNAP network storage devices, and researchers are looking for infestations in other devices.

Dave Bittner: [00:04:55:23] Ukrainian cybersecurity authorities think, and a lot of others agree with them, that Russia was gearing up a major cyber attack to coincide with a soccer League Championship match scheduled this Saturday in Kiev as part of the run-up to the World Cup. They also think it possible an attack could be timed for Ukraine's Constitution Day, June 28th. The botnet is adaptable enough to serve a variety of disruptive purposes. Its BlackEnergy cousin, for example, appeared in conjunction with earlier attacks on Ukraine's power grid.

Dave Bittner: [00:05:28:11] Talos' Craig Williams told WIRED that, "This actor has half a million nodes spread out over the world and each one can be used to control completely different networks if they want. It's basically an espionage machine that can be retooled for anything they want."

Dave Bittner: [00:05:45:07] VPNFilter has been under investigation by US authorities since August, when a Pittsburgh resident agreed to let the local FBI Field Office inspect her router - infected with what at the time was characterized simply as "Russian malware" - and to put a network tap on her router to monitor traffic passing through it.

Dave Bittner: [00:06:03:22] On Tuesday the FBI obtained a warrant from a US Federal Magistrate that enabled it to seize control of ToKnowAll[.]com. Thus the Bureau has taken over the key node that enables VPNFilter to reestablish itself after the infected device was rebooted. US authorities hope this will cripple the campaign. The Justice Department says that VPNFilter could be used for "intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities."

Dave Bittner: [00:06:37:08] So, while it's early to cry victory, bravo Cisco and bravo to the FBI, especially its Pittsburgh office. Cozy and Fancy, don't even think about snuffling through the Steel City.

Dave Bittner: [00:06:50:06] Since this obviously involves at least the potential for cyberwar, it's worth noting that Britain's Attorney General has this week said that a massive cyber attack could constitute an act of war, and that a nation so attacked had the right to self-defense. This is either, as the peace-loving Putinists at Sputnik suggest, a bloodthirsty provocation just shy of dropping the SAS into Red Square, or, as the lads and lasses at the Register think, a threat to give you another good talking to, only louder. We hope things quiet down in cyberspace.

Dave Bittner: [00:07:25:22] As we install more smart devices with cameras and microphones in our homes, offices and vehicles, there are understandable concerns about the ability to leverage those devices for eavesdropping. Researchers at security firm Checkmarx took a closer look at Amazon's Alexa smart assistant and came up with a clever way of listening in. Erez Yalon is an Application Security Research Manager at Checkmarx.

Erez Yalon: [00:07:50:12] The only way to do it was actually to create an eavesdropping malicious Amazon application known as an Alexa Skill. This is something that can be either built into the Alexa device, or you can find other skills in the Amazon Skills Store. It was decided to use a malicious skill. So, without you knowing, the code hears everything you say in the room. What the researchers in Checkmarx did was to create what looks like a calculator skill, and the benign skill actually works. The calculator actually gave us the answer for whatever calculation we gave it to run, but unlike other built-in or benign skills it didn't stop listening when the response was given. It will keep on listening to what you are saying, transcribing it, and sending it to the attackers, which were us.

Dave Bittner: [00:08:51:10] Take us through how you got this skill to perform this task.

Erez Yalon: [00:08:56:02] The first thing we needed to address was that after Alexa gives a response, the session ends. We wanted to make sure that it kept listening. There is a flag in Alexa, it's called shouldEndSession, which you flag when you want the session to stay alive for another cycle. We figured that if we can make Alexa still be live and listening for endless cycles, we could eavesdrop for as much time as we want.

Dave Bittner: [00:09:24:01] When you invoke Alexa there's a time limit on the amount of time that the device will listen before it prompts you to speak some more. Is that how it works?

Erez Yalon: [00:09:34:04] Exactly. It's the time limit, and also it makes sure you said the correct thing. We found out that we could actually create an interim prompt, which means that the re-prompt would be silent. This brought us to the point that we have endless cycles, between which the re-prompt is silent and the user cannot know that another cycle of listening just started.

Dave Bittner: [00:09:59:11] Is there a limit to the length of a transcription that you will get? Is it a situation where as long as someone keeps talking, you'll keep getting that transcription?

Erez Yalon: [00:10:10:24] No, there is absolutely no limit. We tested it - it just keeps on recording, keeps on transcribing. We didn't hit any limit in our tests.

Dave Bittner: [00:10:19:13] You have worked with Amazon to close up this vulnerability. What was their response to your research?

Erez Yalon: [00:10:26:11] Their response was amazing, and I'm saying that with my experience of disclosure with many other vendors and developers. We disclosed it to Amazon Lab126. We worked closely with them. They were extremely proactive. They mitigated the risk, and actually went the extra mile. What they did was very interesting. They first of all added some criteria to identify what we call eavesdropping skills during certification. Every skill that goes up to the Amazon store goes through some sort of process of certification. We don't really know what that is, but as far as we know from Amazon it didn't check the specific eavesdropping features. So now it should check them.

Erez Yalon: [00:11:16:02] The second thing they did was they're going to try and detect empty re-prompts and take appropriate actions when they find them. This would actually be enough to mitigate what we found. But Amazon decided to go the extra mile, very proactive, and they decided to detect longer than usual sessions in future skills, and take the appropriate actions. This means that if a future researcher, hacker or attacker will find another way to eavesdrop, even if it doesn't use the exact mechanism we did, probably the detection of longer than usual sessions will raise a flag.

Dave Bittner: [00:11:59:12] That's Erez Yalon from Checkmarx. You can learn more about their research into the Amazon Alexa on their website.

Dave Bittner: [00:12:07:13] Dragos has an update on XENOTIME, the threat actor behind the TRISIS malware used to disable Schneider Electric Triconex instrumented industrial safety systems. The TRISIS attack last December disrupted operations at a Middle Eastern petrochemical facility. Targeting safety systems represents a dangerous escalation in attack patterns. Dragos is moderately confident that XENOTIME means we should be prepared for further campaigns. Although its initial targets were located in the Middle East, there's little reason to think that the threat actor will confine its operations to that region. Dragos believes XENOTIME operates worldwide and has no known connections to other threat groups. They also probably have capabilities that enable them to work against systems other than the already targeted Schneider Triconex.

Dave Bittner: [00:12:57:13] XENOTIME's objectives are clearly disruption, not espionage. The threat actor establishes itself in systems where it can cause future disruption or destruction. Their earlier attempt back in December wasn't fully successful. As Dragos explains, "The group created a custom malware framework and tailor made credential gathering tools, but an apparent misconfiguration prevented the attack from executing properly. As XENOTIME matures, it's less likely that the group will make this mistake in the future."

Dave Bittner: [00:13:30:11] GDPR comes into full effect tomorrow, attended by much advice for enterprises. A lot of people have said they're losing sleep over the data protection regulation and its hefty fines. One enterprising company in the UK has a cure for that. Calm, a firm that specializes in providing a range of soothing noises for relaxation, meditation, and sleep, has realized that the text of the General Data Protection Regulation is so stupefying that it can do you more good than counting sheep, listening to white noise, or reciting a nice Zen koan. They've added "Once Upon a GDPR" to their soothing repertoire, and engaged Peter Jefferson to read it. Mr. Jefferson is famous in the UK as the BBC's "voice of the Shipping Forecast," a maritime weather report that became known as Britain's unofficial national lullaby.

Dave Bittner: [00:14:20:20] Finally, the US Federal Court for the Southern District of New York says President Trump can't block you from his Twitter feed. It's a First Amendment issue. So your right to see and comment on @theRealDonaldTrump is secure. The President, of course, is under no legal compulsion to pay attention to your comments, so don't get cocky, kids.

Dave Bittner: [00:14:46:09] Now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption, and they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on A Comprehensive Approach to Security Across the Digital Workspace will take you through the details and much more. See what Workspace ONE can do for your enterprise security. We thank VMware for sponsoring our show.

Dave Bittner: [00:15:47:06] Joining me once again is Dr. Charles Clancy. He's the Director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, welcome back. We've seen stories coming by recently about the ability to locate mobile devices, and specifically some of the cellular providers selling off that data. I'd never really thought through the notion that, even if I have my GPS turned off, by design these systems need to know my location.

Dr. Charles Clancy: [00:16:18:05] Of course, in order for you to receive an incoming phone call the network needs to know which tower to route that call to in order to reach your phone. The networks typically don't know where you are 100% of the time, they only know where you are when they need to complete a call or you need to complete a call or complete some sort of data transaction. Whenever you initiate any sort of data service or phone call the towers obviously have to know where you are, and they record that information in their records. Similarly, if you have an inbound call or inbound data, then they will use the system called the Paging Channel to try and find you, and then would record your location in their logs as part of that.

Dave Bittner: [00:16:59:12] Now is there any sort of triangulation going on here? Are multiple towers comparing notes to decide who will best serve you?

Dr. Charles Clancy: [00:17:08:15] No. In fact the networks do not do that. Currently the networks only record the ID of the cell sector that you're communicating with, which particularly in rural areas, could be a very large area, but in urban areas could be a very small area. The triangulation feature only kicks in if you were to, for example, dial 911 and the E-911 system was to kick in and perform a more precise location of you. But right now, the carriers are only allowed to do that if you dial 911.

Dave Bittner: [00:17:36:01] That's interesting. So in terms of the accuracy of being able to pinpoint where someone is, what's a reasonable expectation of what these systems are capable of?

Dr. Charles Clancy: [00:17:47:01] So again, in an urban environment, where you have maybe a cell tower every 500 meters, you could imagine an accuracy to within a few hundred yards perhaps. Again, in a rural area though you may have a cell site that's on the top of a mountain that's providing coverage to a valley below and there it could be tens of kilometers of location uncertainty associated with those measurements.

Dave Bittner: [00:18:13:12] And in terms of just a policy situation here, is this another example where perhaps the policy needs to catch up with the technology?

Dr. Charles Clancy: [00:18:21:16] That's a great question. Certainly law enforcement uses this feature now. So if they have an ongoing case they can serve a warrant on a cell phone company and retrieve those records and use that as part of their case. It's important to have that information, it's also important generally for counting purposes for the cell phone carriers. I think the real policy question is under what circumstances can they sell that information and should the consumer have the ability to opt out of that kind of sale or not.

Dave Bittner: [00:18:49:16] Well we'll certainly keep an eye on it as it develops. Dr. Charles Clancy, thanks for joining us.

Dave Bittner: [00:18:59:10] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using Artificial Intelligence, visit Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE intelligence. Learn more at

Dave Bittner: [00:19:27:11] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology.

Dave Bittner: [00:19:37:06] Our show is produced by Pratt Street Media, with editor John Petrik, social media editor, Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.