The CyberWire Daily Podcast 6.7.18
Ep 615 | 6.7.18

New criminal campaigns out and about. Fancy Bear changes style, but not management. VPNFilter hits more devices. CloudPets overshare, but maybe more benignly than Google and Facebook.

Transcript

Dave Bittner: [00:00:00] Hey, everybody. You might have noticed that the second episode of our Hacking Humans podcast has been released. And you get a copy of it in this feed. We're only going to put the first few episodes here. And then if you want to hear more, you'll have to subscribe on the standard Hacking Humans podcast feed. You can find that on our website, thecyberwire.com. It's also available in iTunes and all the normal places that you get podcasts. We hope you'll subscribe. Check it out. Spread the word. And help support the show. Thanks so much.

Dave Bittner: [00:00:31] Iron Group is set to use Hacking Team source code to build a backdoor. Operation Prowli both cryptojacks and sells traffic. Fancy Bear may be getting noisier. VPNFilter has a more extensive set of victim devices than previously believed. ZTE pays a billion dollar fine. CloudPets are oversharing via an unsecured server. And the U.S. Senate wants answers from both Facebook and Google about their user data sharing with Chinese companies.

Dave Bittner: [00:01:05] Time to take a moment to tell you about our sponsor Comodo. Here's the bad news. There is no way you will ever be able to stop malware from entering your network. The good news is Comodo renders malware useless. That's why Comodo customers can click on anything. Over 120 million new pieces of malware were created in 2017. So even at 99 percent, you're still a target for 1.2 million pieces of malware. If you do the math, that's still over 3,000 problems per day that current solutions cannot solve. Comodo doesn't settle for 99 percent, and neither should you. They put those 3,000 daily problems into a lightweight, kernel-level container where the malware is rendered useless. With Comodo's patented auto-containment technology, they bulletproof you down to hour zero every time, solving the malware problem. So with Comodo, you can say with confidence, I got 99 problems, but malware ain't one. Go to enterprise.comodo.com to learn more and get a free demo of their platform. That's enterprise.comodo.com. And we thank Comodo for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:26] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday June 7, 2018. InTeRCeR researchers say they've found a backdoor in the wild that's based on Hacking Team tools. The security firm says that the Iron Group, which they suspect of being a Chinese criminal gang, is behind the backdoor. Iron Group's code is based on Hacking Team's leaked RCS source code. Most of the victims, as well as the perpetrators, appear to be in China.

Dave Bittner: [00:02:57] Guardicore Labs describes Operation Prowli, a campaign that manipulates traffic and mines cryptocurrencies, there are roughly 40,000 infected machines in a wide range of organizations and sectors. Guardicore regards Prowli as a straight-up criminal caper, not something mounted by a nation-state. They get paid in two ways - first, through cryptojacking, installing a cryptocurrency miner in victim machines, and, second, they also earn some change through traffic monetization fraud in which the Prowli operators sell traffic for routing to various dodgy domains, many of which hock hemi-semi-demi-bogus goods or services or simply distribute malware.

Dave Bittner: [00:03:39] Guardicore has seen two principal attack vectors - a worm that propagates through machines running SSH and Joomla! servers, whose K2 extension renders them vulnerable to a file download bug. To defend yourself, Guardicore recommends patching, hardening and, if you are hit, changing credentials as part of the mop-up.

Dave Bittner: [00:04:00] Palo Alto's Unit 42 thinks the Sofacy Group is quietly changing its tactics. Sofacy, generally regarded as belonging to Russias GRU, also known as Fancy Bear, Pawn Storm, Sednit and Tsar Team, had tended to prospect a small number of selected individuals within a targeted organization. They also tended to use the same exploits and malware against those individuals. For all of Fancy Bear's reputation for being noisy, this is a relatively unobtrusive approach. But now Unit 42 sees the group adopting parallel attacks - a shotgun approach to many more individuals.

Dave Bittner: [00:04:37] They're also using a more diversified set of exploits and malware, presumably to achieve higher infection rates. All in all, the new approach reminds observers more of a criminal gang's work than a nation-state's intelligence service. But don't be deceived. This is a change in style not management.

Dave Bittner: [00:04:56] Duo Security recently published the results from their third annual Trusted Access Report, comprising data from nearly half a billion authentications per month and almost 11 million devices. Kyle Lady and Olabode Anise both worked on the report, and they join us to share the results. We hear first from Olabode.

Olabode Anise: [00:05:15] One of the major themes of this report - or major points of research was trying to to look into like, what are some of the behaviors of users? Like, can we - we have a hypothesis of people are working more remotely, people are more mobile. We want to see that would bear out in our data. We did find that our hypothesis was validated and that people are often communicating from more unique external networks.

Olabode Anise: [00:05:38] So we saw a big increase, especially in the enterprise space - about 24 percent of people, in terms of looking at the ratio of unique external networks that were accessed to users for each one of our customers in each of the market segments.

Olabode Anise: [00:05:53] So that was particularly interesting because it kind of goes the point of, like, let's allow people to work where they work best whether that's a coffee shop, whether that's their home or some other area. Of course, that does present some different challenges for that IT admin. But that was one of our bigger points. The other thing was - the next point was at the Windows 10 adoption.

Olabode Anise: [00:06:13] We saw a huge increase in Windows 10 adoption going from 2017 to 2018, almost hitting that 50 percent mark but not quite yet. And lastly we saw that phishing was still as effective from the data that we gathered from our - and the Duo Insight phishing simulation tool.

Dave Bittner: [00:06:28] Now, do you find that folks out there have common misconceptions when it comes to authentication?

Kyle Lady: [00:06:34] A lot of times, people don't see the value in additional security measures. And a lot of that is a communication question. A lot of users don't understand the threats that are out there. That said, they shouldn't have to have a comprehensive understanding.

Dave Bittner: [00:06:54] Yeah. One of the things that your research pointed out was - as you touched on, was the prevalence of phishing and how successful it is. One of the things that caught my eye was how quickly people who are phishing are successful.

Olabode Anise: [00:07:06] Yeah, that's one of those interesting things, especially when you have maybe a well-crafted phishing email that's not just like a spear phishing template. I don't think it's a matter of someone being really negligent in a way but more so just trying to get their work done. They see - hey, maybe this is an email from my boss or a superior or something that I need to get done.

Olabode Anise: [00:07:26] And so let me try to access that email and do it as quickly as possible. So I think it's one of those things where, of course, you have to increase user education in terms of phishing and trying to - have to identify some of the signals of, OK, maybe this is not the website I'm supposed to be on. But that can be a little bit more difficult depending on the environment or the particular device that you're using. Of course, like, when you're on a desktop, you can hover over link and say, OK, that is not the internal page that I'm expecting from this link versus when you're on mobile, it's a little bit more difficult.

Kyle Lady: [00:07:56] We see with all of these password leaks - while passwords are certainly important as a first factor, if you've ever reused a password, there's an increasingly good chance that it's out there somewhere. And so having the second factor at least stops an attacker and, depending on the system, hopefully alerts your administrator that somebody was trying to get into your account and that they already have your password.

Dave Bittner: [00:08:24] Now, was there anything - based on your report, the research that you did, was there anything that was particularly surprising? Were there any unexpected results that came back?

Olabode Anise: [00:08:33] I guess one of the things that we were kind of surprised at was kind of, like, the big kind of jumps that we saw in terms of remote access. We expected increases obviously. In our report, we see that, like, very small businesses had the smallest increase. But they were already the most mobile of the terms of market segments. I mean, it almost kind of makes sense in terms of when you look at - these are very small businesses, so you maybe expect a remote team that's distributed.

Olabode Anise: [00:08:56] So they may be accessing from their home or a coffee shop and things like that. But it seemed like the really big gauge in enterprise shows that people are moving to the cloud. There are a lot of people that are working where they want to - or they're moving applications - excuse me - for the cloud. Even though it was something that we thought, we didn't know that they - those increases would be as big as they were.

Kyle Lady: [00:09:15] Another surprising result was actually seeing this increase in Windows 10, which is really encouraging. It almost doubled over the past year. This is, in particular, encouraging because Windows 10 has a lot of security improvements, just simply as a baseline as well as then you're setting yourself up for that many more years of updates before it's obsoleted. And so seeing that more businesses are using Windows 10 than other versions of Windows is definitely a positive result that we saw.

Dave Bittner: [00:09:50] That was Kyle Lady. We also heard from Olabode Anise. They're both from Duo. You can check out their authentication report on the Duo website.

Dave Bittner: [00:10:00] VPNFilter is not only attempting to reconstitute its botnet of routers, but it's now been found to infect more models than it had formerly captured. Cisco's Talos unit has found infestations in Asus, D-Link, Huawei, Ubiquiti, UPVEL and ZTE devices.

Dave Bittner: [00:10:19] Seeking to return to American good graces, ZTE pays a $1 billion fine and replaces its leadership. So China's No. 2 device maker seems to have gotten a reprieve, but suspicion continues to surround it.

Dave Bittner: [00:10:35] Several retailers have pulled CloudPets from their physical and virtual shelves. The plush toys share audio messages in a cloud, which is fine. But those messages transit an unsecured MongoDB server - a known issue, as the kids in IT say, for some time. This reminds us somehow of the earlier-problem with Furbies, bestsellers in the 1998 Christmas season. By the middle of January 1999, the Scrooges and Grinches who then ran Fort Meade made everyone in NSA leave their Furby friends under the trees. Furbies, it seems, tended to repeat the things they heard.

Dave Bittner: [00:11:13] As the Washington correspondent of The Independent put it at the time, having endearingly asked for a cookie, the Furby might then suggest bugging the Russian embassy and intercepting wireless traffic from the Iraqi military. No mistletoe for you, Mr. and Mrs. Cratchit - not if you want to keep that clearance. Oh, wait. That's right. The Cratchits work on the other side of the pond, not in Laurel.

Dave Bittner: [00:11:35] Sometimes you can't tell your five eyes without a scorecard. Anyway, this time, it's Amazon and Walmart and the likes playing the killjoy. But they're probably right to do so. Little kids should leave their unsecured interactions with strangers on their smartphones, just the way Silicon Valley intended.

Dave Bittner: [00:11:55] Speaking of Silicon Valley, the U.S. Senate wants answers from both Facebook and Google about data sharing with Huawei and other Chinese manufacturers. Salons on both sides of the Atlantic just won't let it go. Over in Westminster, Parliament is still chewing on the former head of Cambridge Analytica. What's a little bit of data sharing among colleagues anyway? Besides, people probably must have consented to it somewhere. We're pretty sure there was something in the EULA and terms of service about it. And besides, as everyone knows, the large print giveth, and the small print taketh away.

Dave Bittner: [00:12:35] Now, a moment to tell you about our sponsor ObserveIt. It's 2018. Traditional data-loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time-consuming to maintain and too heavy on the endpoint. They are high-maintenance and require endless fine-tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With it's lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behaviour. It's built to detect and respond to insider threats. And it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:13:44] And I'm pleased to be joined once again by Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, welcome back. You wanted to take us through some information about industrial control systems today. What do you have to share?

Daniel Prince: [00:13:59] So in Lancaster, we do quite a lot of work on what we call cyber-physical systems. That includes industrial control systems, the internet of things - anything that's really a smart piece of technology that can affect or sense the environment in which it operates. Industrial control systems are our particular concern because they control some of the most important parts of our lives - from water treatment, power generation, power distribution.

Daniel Prince: [00:14:25] And so there's - they form naturally a part of the critical national infrastructure. And there's considerable concern about how open and vulnerable they are. But we've been doing some work here, looking at industrial control systems and how complex they actually are and how you would actually formulate a way to get into them - at a sophisticated level.

Daniel Prince: [00:14:46] So one of the key things is that, in some levels, industrial control systems are quite easy to stop working - so to shut them down. And in and of itself, that is a particular problem. But to be able to produce the more sophisticated effects, the type of effects that we might see within standard computing systems - the subtle manipulations, the theft of data, that type of thing - is actually quite complicated.

Daniel Prince: [00:15:14] And the reason for that is within the industrial control system, there's a device - typically called a PLC - that controls the process. And all that does is run a specific program. Now, that program doesn't have any other additional details on it about what it does. So if you took that program, all you're doing is you're getting a binary effectively of how the device works. And there's no other information about what about device is connected to - the sensors and actuators. So being able to reverse-engineer from that is incredibly difficult.

Daniel Prince: [00:15:47] So when attackers are trying to look at more complex and sophisticated attacks, they're having to go for other devices within the whole control system itself - so looking at things like historians that record data and looking at the devices which provide the graphical representation of the control system. And from that, they can - you have to then start piecing together how the whole plant infrastructure works.

Daniel Prince: [00:16:14] So that's unlike a standard operating system and computer network, in which a compromise of, say, a server or something like that can lead to a quite sophisticated understanding of the rest of the infrastructure. With a sophisticated attack against industrial control systems, you have to start doing a much broader attack against multiple systems. And that makes it much harder for the attacker. But as defenders, we must be aware that actually to be able to do this - that sophisticated attack, we need to defend across a much larger part of our operation environment.

Dave Bittner: [00:16:49] Now, it's true as well - isn't it? - that part of the complexity of these systems is that very often these are one-off systems. It's not like every power plant or every water treatment plant across a nation are identical to each other. These are custom-built.

Daniel Prince: [00:17:07] Yeah, that is true. So even the same supplier to, say, a large electrical distributor will have a series of engineers, which may implement phase-control systems completely differently because of their background, because of their programming environments, because of the specific environment that that part of the, say, electricity grid is operating in. And so even if you compromise one particular environment or small section, you can learn some lessons about the overall structure.

Daniel Prince: [00:17:39] But it's very difficult to then extrapolate to other parts of the operation environment. And so the data-gathering part - if you're going through sort of the kill-chain approach to thinking about how an attacker gets into the operation environment, the information-gathering phase is much larger - has to be much larger and much more comprehensive for the really sophisticated software attacks against control systems.

Dave Bittner: [00:18:04] All right. Well, as always, it's interesting stuff. Daniel Prince, thanks for joining us. And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at VMware.com.

Dave Bittner: [00:18:13] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.