The CyberWire Daily Podcast 5.31.18
Ep 610 | 5.31.18

Kaspersky loses court challenge to US Government ban. Cryptomix ransomware. US Departments of Commerce, Homeland Security, and Energy plan resiliency. A packrat at CIA? Reboot your routers

Transcript

Dave Bittner: [00:00:04:07] Kaspersky loses its court challenge to the US Government ban on its products, but says it will appeal. CryptoMix ransomware is out in the wild. Vulnerabilities are found in Singtel routers. Chrome 67 update includes patches. The US Departments of Commerce and Homeland Security address botnets and ask for research. The US Department of Energy plans for resiliency. Twitter takes down tweens. Is there a packrat at CIA? And have we mentioned reboot your routers?

Dave Bittner: [00:00:38:10] And now some notes from our sponsor Cylance. You've heard a lot of warnings about Russian cyber operators and their threat to the power grid in the UK, North America and elsewhere. Ever wonder how they get in? Sure, there's phishing and spear phishing, those can never be discounted. But here's a twist. Cylance has determined that one of their ways into the grid is through routers. They've found that the bears are using compromised core routers to hit Government agencies and organizations in the energy, nuclear and commercial facilities, water, aviation and manufacturing sectors. That's a bigger haul than a fish net could catch, don't you think? Go to Threatmatrix.cylance.com and check out their report on energetic dragonfly and DYMalloy Bear 2.0, you'll find it interesting and edifying. That's threatmatrix.cylance.com and we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:43:07] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at Data Tribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 31st, 2018.

Dave Bittner: [00:01:54:15] Kaspersky's challenge to the US Government's ban on its software has failed, with its suits dismissed yesterday by the District Court for the District of Columbia. The company had filed two suits. One claimed, under the Administrative Procedure Act, harm to Kaspersky's reputation and sales without due process. The other asserted that the National Defense Authorization Act, making the ban a matter of law, amounted to an unconstitutional bill of attainder, inflicting punishment without a judicial trial.

Dave Bittner: [00:02:26:14] On Wednesday the District of Columbia district court tossed both suits. US Judge Colleen Kollar-Kotelly dismissed Kaspersky's case challenging the US Government's ban on the company's products. She found that the NDAA did not impose any recognizable punishment but rather established a reasonable, protective policy justified on national security grounds. While the policy undoubtedly has a negative impact on Kaspersky, it's not punitive and any such negative impact doesn't outweigh the security reasons that motivated the ban. Kaspersky has expressed both its disappointment and its intent to appeal. Kaspersky isn't the only company to endure difficult times over its perceived closeness to a nation's security and espionage services. Concerns about possible security threats Chinese device manufacturers present remain very much alive in the United States, Canada and Australia. Huawei and ZTE are most often mentioned in dispatches.

Dave Bittner: [00:03:29:21] MalwareHunterTeam reports that a new variant of CryptoMix ransomware is circulating in the wild. There is no free decryptor available for it yet, so unfortunately some victims will be tempted to pay the ransom. The best defense against this and other ransomware strains is secure, tested and used backup. Some organizations, latecomers to backup for the most part, continue to pay ransom to get out from under other strains of malware. One such victim is the public school district in Oregon, where the Roseburg schools say they've paid the attackers to regain access to their data. The school district was hit with the ransomware a month ago. What they paid they haven't said, but they do say they're now taking steps to protect themselves against future infestations.

Dave Bittner: [00:04:17:06] Researchers at NewSky Security have found a vulnerability that affects most routers used by Singtel, Singapore's main Internet Service Provider. Two more misconfigured AWS S3 buckets have been found by security firm Kromtech. They belong to Honda Car India, and are said to have exposed some 50,000 customers' data. The customers who were affected had downloaded Honda Connect, a remote car management app that lets drivers not only interact with their Honda smart car but also obtain and use online services Honda Car India provides.

Dave Bittner: [00:04:54:13] Threat intelligence continues to become an important part of many organizations' security operations, but there's still some confusion on how to get started and how to dial in the right amount and kind of intelligence. Adam Vincent is CEO of ThreatConnect and he offers his insights.

Adam Vincent: [00:05:12:15] I think that every company out there that has any kind of security wherewithal is starting to think about how to make better decisions across their business and data intelligence, is a great way to do that. Why not use intelligence to drive their security program as well?

Dave Bittner: [00:05:30:15] When you interact with folks who are considering threat intelligence, do you find that there are some common misperceptions that they might have?

Adam Vincent: [00:05:37:13] Absolutely, my biggest pet peeve is that many people think of intelligence as a bunch of data that comes in, in something called a feed from the Internet and that aggregating feeds from the Internet means that they can check the box and say we're now doing security on an intelligence driven line.

Dave Bittner: [00:05:58:14] In your mind what is that transition from data to actionable intelligence?

Adam Vincent: [00:06:02:17] We've always had the mentality here that intelligence is something that is created from managing a security program. We have feeds and other forms of extra intelligence or inputs into that process but overall the process of making a better decision started with what decisions you need to speed up or make in the first place. And so I think that most companies today that think that a feed is checking the box from an intelligence perspective, is on the journey to realizing that they're going to ultimately need to become intelligence driven. Because that's what the CEO and their boss the CISO and their peers across the industry are doing. And that type of transition, that there's an industry is really exciting and is being communicated as something that was drawing others in. And ultimately will be the reason why someone goes from thinking a feed is good enough to realizing that intelligence is more than just a feed. It doesn't need to be a very sophisticated Government-like capability where you go out and hire a bunch of people and those people come from organizations like NSA or the intelligence community.

Adam Vincent: [00:07:29:11] Instead intelligence is to fuel the decision making process and to speed up processes that the companies that are looking to employ intelligence are already doing. So, for example, you have a phishing email process that's riddled with human capabilities today. People doing analysis, people looking at who the emails were sent to, doing some spreadsheets. And ultimately creating a PowerPoint for their boss that helps inform the decision of how phishing emails are affecting the organization. That's a great example of a process that could be data driven and could be automated to the point where we're creating knowledge about phishing and how phishing is affecting the organization. We're disseminating that information and we're even starting to automate the defensive actions we can take that are driven by that new found intelligence.

Dave Bittner: [00:08:27:23] That's Adam Vincent from ThreatConnect.

Dave Bittner: [00:08:32:03] In patching news, Google's release of Chrome 67 to the stable channel includes fixes for 34 vulnerabilities. The Departments of Commerce and Homeland Security rendered a report required by the May 2017 Executive Order on cybersecurity yesterday. The report's title, "Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats," clearly expresses its contents. The recommendations include aspirations for the Government to lead by example and to seek public private partnerships that will build resistance to botnets, and to devices under development.

Dave Bittner: [00:09:13:02] Manufacturers are expected to play an important part in driving down device vulnerability to bot herding. Commerce and DHS call not only for Government direction of research into this kind of resilience, but also for funding that would support the R&D. Another department has also reported, in accordance with the executive order. The Department of Energy has released its multi-year plan for energy sector cybersecurity. The plan gives pride of place to the department's Office of Cybersecurity, Energy Security, and Emergency Response, established this February. It also outlines three overarching goals. They are: strengthen energy sector cybersecurity preparedness, coordinate incident response and recovery, and accelerate game changing research, development and demonstration of resilient delivery systems. Like everyone else, Energy is interested in greater resiliency.

Dave Bittner: [00:10:10:01] Content moderation continues to trouble social media platforms. Twitter is the latest with a policy designed to get a handle on such problems. In this case it's the problematic status of underage users. If your date of birth suggests you joined Twitter before you turned 13, kids, Twitter is shutting you down. It is a GDPR compliance issue and it doesn't matter how old you are now. Twitter doesn't want to be placed in a position of sorting out under 13 from over 13 tweets. If you are now of age, yet find yourself having been booted from Twitter, you can arrange for a new account for yourself.

Dave Bittner: [00:10:48:16] Is there something about working in intelligence that either attracts pack rats or disposes people in the business to act like pack rats? Another case would seem to suggest so. You'll remember former NSA contractor Hal Martin, whom the FBI said kept scads of highly classified stuff from work in his shed at home. This time it's a CIA contractor and another resident of the Old Line State. Reynaldo Regis has entered a plea of guilty to charges related to his having kept notebooks, things he saw whilst working at the agency between 2006 and 2016. In Regis' case he also seems to have been curious, accessing lots of material that had little or nothing to do with his job. He's out on bond, having surrendered his passport and promised to stay close to his Maryland home. He will be sentenced in September and could face up to five years in prison.

Dave Bittner: [00:11:44:00] So, another question, what's up with insider threat programs? What are they looking at? And does no one look at briefcases and other things people carry out of Langley?

Dave Bittner: [00:11:55:06] Finally, if you haven't rebooted your router against VPNFilter, well, why not? If you don't trust advice from the FBI, maybe you'll accept it from Vietnam's Ministry of Information and Telecommunications Authority of Information Security. Yes, Vietnamese authorities say that devices in that country have turned up with VPNFilter infections and they offer their users the same advice the Bureau gave everyone in the US: reboot your routers.

Dave Bittner: [00:12:29:13] Time to take a moment to tell you about our sponsor Comodo. Here's the bad news, there is no way you will ever be able to stop malware from entering your network. The good news is Comodo renders malware useless. That's why Comodo customers can click on anything. Over 120,000,000 new pieces of malware were created in 2017. So even at 99% you're still a target for 1.2 million pieces of malware. If you do the math, that's still over 3,000 problems per day that current solutions cannot solve. Comodo doesn't settle for 99% and neither should you. They put those 3,000 daily problems into a lightweight kernel-level container where the malware is rendered useless. With Comodo's patented auto containment technology, they bullet proof you down to hour zero every time. Solving the malware problem. So with Comodo you can say with confidence, "I got 99 problems but malware isn't one." Go to enterprise.comodo.com to learn more and get a free demo of the platform. That's enterprise.comodo.com. We thank Comodo for sponsoring our show.

Dave Bittner: [00:13:45:08] And joining me once again is Robert M. Lee he's the CEO at Dragos. Robert, welcome back, you all recently published some reports looking back on 2017. And I wanted to take the opportunity to look at those and talk about what you found.

Robert M. Lee: [00:13:59:18] Absolutely so we did a regular year in review of 2017 across three different sections and so really mapped to our intelligence team. And in our operation center we had a report on the vulnerabilities, a report on the threat activities group and a report on lessons learned across hunting and responding. The reports were a very strong approach to let's look at the actual numbers, let's look at the actual findings and have this approach around them. So some of the key things we found, that I thought was interesting, on vulnerabilities, as an example, one, there has always been a myth in the community that most of the vulnerabilities that we see are from free products and things that have trials and other things that you can just download. And that really there are so many of these hidden vulnerabilities because nobody can access the paid stuff. We found that a significant majority of all of the vulnerabilities released were actually from products and software that had no free version available, or no trial version available. So I completely destroyed that myth.

Robert M. Lee: [00:15:03:02] The second thing that I thought was really interesting from the vulnerabilities report is that 64% of all of the vulnerabilities were released, if you went and patched that vulnerability, it wouldn't have reduced any risk. But the vulnerability itself was only granting to an adversary functionality that was already available on the system. Like, hey, if you accessed this vulnerability you get root permissions, except you're already running the permissions on that device, because of the way that it runs. They are known as useless vulnerabilities, which means that about 64% of the patching done in the community is a complete waste of resources. I'm not saying don't patch, it's just we should be patching smartly. The third thing that I thought was really interesting is 75% of all the releases, 75% of all the public vulnerabilities for our industrial control systems were wrong. They were talking about the wrong product, talking around the wrong service. Talking around the wrong vulnerability, just absolutely wrong. And that means that we've got a lot of work to do.

Dave Bittner: [00:16:06:13] What do you mean wrong? Mistaken?

Robert M. Lee: [00:16:09:05] Just completely wrong like, hey, go and patch this vulnerability because this is the vulnerability that exists, the adversary can take advantage of on this product. And something about that statement would be wrong, like it's the wrong product in the advisory or it's the wrong vulnerability. Or that's not actually what you do with the vulnerability or it says, hey, this vulnerability can cause a denial of service, but it doesn't, it might give you escalated privileges. Just completely inaccurate reports. It's an astounding finding.

Robert M. Lee: [00:16:36:07] That's number one, we actually saw this happen, I don't want to get too much into details, we saw an adversary try to take advantage of a vulnerability. And they read the advisory, obviously, and did what the advisory said to take advantage of the vulnerability and it was wrong and they screwed up. It's kind of funny but that sucks for defenders as well.

Dave Bittner: [00:16:57:02] It's an inadvertent win.

Robert M. Lee: [00:16:58:07] It shouldn't be doing that and we don't want to run deception operations against our own community. That was the vulnerabilities, and the threat activity groups, it was about individual attacks. But there were groups specifically targeted towards industrial in a way that we've never seen before. It had always been like one or two a year but in 2017 there were five. And I'm not talking about the larger, there's dozens and I think there's something like 30-something that gets tracked in the community of teams that run campaigns against infrastructural companies, but not industrial control system specific. There were five teams that were specifically targeting industrial control systems. Which is a large escalation from what we've seen over the previous years.

Robert M. Lee: [00:17:38:23] And in the hunting and responding reports, there is a consistent myth that spear phishing is the number one way into industrial control system environments and in one position that's probably not accurate. It's just because all of our collection and tools and teams are in the IT environment, so that's where they see it and so we looked back at all of the cases of hunting and responding, and incident response work that our team did over the past year and found that actually that's not true. It is a big infection vector but the number one that we saw was actually VPN compromises directly into the ICS. So it's just interesting to see what's going on but I think another big key finding of that report was that companies we're engaging with are significantly maturing in their security practices, where we were very pleased and very optimistic in our view of the industry. And it's a little bit of a collection bias because obviously the people that are coming to talk to us anyway might already be a little bit more mature. But we were surprised even in that of the level of maturity of these companies in what they're doing for security.

Dave Bittner: [00:18:45:00] It's interesting stuff, check it out. It's on the Dragos website, a qualitative view of 2017. Robert M. Lee, thanks for joining us.

Robert M. Lee: [00:18:51:10] Thank you.

Dave Bittner: [00:18:58:03] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. Find out how Cylance can help protect you using artificial intelligence, visit Cylance.com. And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at VMware.com. The CyberWire podcast is proudly produced in Maryland out of the start up studios of Data Tribe where they are co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media with Editor John Petrik, Social Media Editor Jennifer Eiben, Technical Editor Chris Russell, Executive Editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.