The CyberWire Daily Podcast 7.24.18
Ep 647 | 7.24.18

Warnings of Russian cyber threat to power grids. Phishing rises. Patch gets patched. SingHealth breach. Satori botnet. Bluetooth MitM. Evil maids?

Transcript

Dave Bittner: [00:00:00] Hey, everybody, Dave here. If you're headed to Black Hat this year, just a heads-up that we are joining the folks from the "Beers with Talos" podcast at the Ri Ra Irish Pub on Wednesday the 8th for a live lunchtime podcast. And if you see me or any of our CyberWire team at Black Hat, please stop and say hello. We'll have laptop stickers and other goodies to give out. We hope to see you there - nothing like Las Vegas in August.

Dave Bittner: [00:00:27] Warnings of Russian prep for an attack on power grids become more pointed. Phishing and impersonation attacks continue to rise. Microsoft patches a patch. The SingHealth breach remains under investigation. The Satori botnet may be taking another run at Android devices. Bluetooth vulnerabilities render paired devices susceptible to man-in-the-middle attacks. And evil maid attacks may be less difficult than you thought.

Dave Bittner: [00:00:57] A few words from our sponsor, Cylance. They're the people who protect our own endpoints here at The CyberWire. And you might consider seeing what Cylance can do for you. You probably know all about legacy antivirus protection. It's very good, as far as it goes. But guess what? The bad guys know all about it too. It will stop the skids. But to keep the savvier hoods' hands off your endpoints, Cylance thinks you need something better. They've just introduced version 2.3 of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection, but security that's quick enough to keep up with a threat by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank Cylance for sponsoring our show. Major funding for The CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:04] From The CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 24, 2018. Security experts continue to expect renewed Russian attention to electrical power grids in the U.K. and the U.S., the period of relative restraint coinciding with the World Cup having ended when France edged Croatia. The World Cup hangover mood is more prevalent in the U.K., where tensions with Russia have been heightened by a death from Novichok poisoning. The U.K. and essentially everyone else thinks the Novichok attack is Russian wetwork. Russia says it was framed.

Dave Bittner: [00:02:44] In the U.S., the concerns have a different source - evidence that Russian operators have successfully phished various elements connected to the power grid. The U.S. Department of Homeland Security has been warning of this for some time. But yesterday, it issued an unusually stark and direct alert. Energetic Bear, the name this particular threat actor has come to be known by, succeeded in compromising hundreds of victims in a long-running campaign against electrical distribution control centers. Energetic Bear got in by targeting vendors in phishing campaigns. It's worth noting that phishing was the Russian entry point, many believe, in their demonstration attacks on segments of the Ukrainian power grid.

Dave Bittner: [00:03:25] We heard from Phil Neray, VP of industrial cybersecurity at CyberX. He pointed out, quote, "it's dangerous and reckless to assume that Russian cyber reconnaissance can be discounted because no one has actually turned off the power yet. It's clear that our adversaries now have direct access to hundreds or potentially thousands of systems that monitor or control our electrical grid. And they vacuumed up all kinds of sensitive information to help them plan their attacks. Now it's only a matter of political will and desire to test our red lines that's holding them back from throwing the switch. The potential consequences would be dramatic, ranging from human safety issues to a temporary shutdown of our entire economy," end quote.

Dave Bittner: [00:04:09] Phishing remains a problem, and not just for power grids. Mimecast's second annual report on the state of email security, released today, indicates that phishing and impersonation attacks continue to trend upward. Why pursue exotic zero-days when social engineering gets you what you're after?

Dave Bittner: [00:04:29] Singapore continues to take measure of the SingHealth breach. The attackers seemed principally interested in the prime minister's records, but they scooped up millions of others too. The story is developing, but investigators in Singapore continue to pursue the theory that the attacker was a nation state.

Dave Bittner: [00:04:49] Security firm Trend Micro reports a spike in what appear to be Satori infestations that are using open Android Debug Bridge - ADB - ports to install themselves. Satori is a variant of the Mirai botnet. And the code TrendLabs is observing looks like the work of the Satori botmasters. If you're an Android user, consider turning off ADB USB debugging and apps from unknown sources. And, of course, updating your system is also a good idea, as newer versions of the Android software tend to be more resistant to this kind of attack.

Dave Bittner: [00:05:24] Brian Martin is vice president of vulnerability intelligence at Risk Based Security. And his team recently tracked a vulnerability that seemed to be affecting governments and municipalities using a software package called Click2Gov. Brian Martin shares what they found.

Brian Martin: [00:05:41] They noticed that there was a pattern where Click2Gov kept coming up either in the description or the website URL or, you know, some aspect of the disclosure. They decided to investigate a little further and try to figure out if they're all related, if there was a single website like a hosting provider that had been compromised, or if these were multiple different organizations or, in this case, cities. And it turned out to be one piece of software they had in common, but they were different deployments across the U.S.

Dave Bittner: [00:06:17] So can you describe to us what exactly is Click2Gov?

Brian Martin: [00:06:20] It's basically a piece of software written by a company called Superion. And it basically handles a wide variety of government-related resources, everything from allowing citizens to pay bills online for, like, water or trash. And it can also be used to manage and allow people to look up property records, basically a wide variety of those government services.

Dave Bittner: [00:06:49] And one of the things it does is it enables credit card processing. And that seems to be where some of the problems occurred.

Brian Martin: [00:06:56] Well, the credit card processing is one of the aspects that basically brought this to light when those credit cards were compromised, and cities had to notify people. But the actual flaw is kind of underneath that. It wasn't a flaw in the credit card processing per se but the underlying software that Click2Gov runs on, actually.

Dave Bittner: [00:07:21] So let's dig in here. What did you all discover? Once you had established that there was a pattern here, how did you go about look - trying to discern what was going on? And what did you discover?

Brian Martin: [00:07:32] Right. So the first thing we did is basically click to and load a lot of these sites just to get a feel for what they were like. The first thing we had to identify is if this was a piece of software that a city would download and host on their own servers or if this was part of a managed service, or a combination. And after quite a few sites and going through this, we determined that it - the Click2Gov software is run on separate servers by the cities, but the payment processing goes through Superion. So it was kind of a blended solution.

Brian Martin: [00:08:13] And then once we determined that information and more, we wrote a pretty extensive blog piece covering all of it. After that, several journalists took interest. And they were able to get a comment from Superion, who did not reply to us when we asked for a comment.

Brian Martin: [00:08:31] And that's when it came to light that the vulnerability that was being exploited was actually in the underlying software called Oracle WebLogic, which Click2Gov runs on. So Superion was very quick to say that their security patches were widely deployed. Over 99 percent of the customers have applied them, et cetera, et cetera. What they didn't really cover is that while their software may have been patched, the vulnerable web server that it's running on wasn't being patched.

Dave Bittner: [00:09:02] So in your estimation, was Superion being coy about this because, you know, they didn't want to highlight the fact that there was - that they were running on this Oracle system?

Brian Martin: [00:09:12] It's hard to determine. I think, based on the wording that I've read personally, that, yes, they are trying to be a little coy, that this is a case where the vendor, even though it's not their software, since they require it to run their software should have been more proactive. They should have been telling customers, hey, there's a new set of security patches for WebLogic. You need to install these in addition to the patches that we send out - and basically help drive the - their customers to maintain a better security posture.

Dave Bittner: [00:09:44] That's Brian Martin from Risk Based Security. You can find a complete accounting of their research into Click2Gov along with Superion's response on the Risk Based Security website.

Dave Bittner: [00:09:58] Microsoft's July patches include a patch of a patch. A zero-day fix made in May to a VBScript engine bug open to exploitation by Internet Explorer turned out to not fix things at all - but fixed now, most people think.

Dave Bittner: [00:10:14] A vulnerability found in Bluetooth secure connections pairing and secure simple pairing can expose paired devices to man-in-the-middle attacks. As Carnegie Mellon's CERT puts it in their vulnerability note, quote, "Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic-curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device," end quote. The good news is that fixes are currently available from most vendors of Bluetooth products, and more are to come soon. You'll need to be within wireless range to exploit the vulnerability, but that's possible for a wardriver or even an evil maid. Apply the updates as they're available, and stop looking over your shoulder or in the rearview mirror, as the case may be.

Dave Bittner: [00:11:06] Speaking of evil maid attacks, how about those hostile housekeepers, eh? An evil maid attack is one in which someone with physical access to an unattended machine compromises that machine. This kind of attack has long been known, but there's been a tendency to treat it as a kind of interesting outlier - a real possibility, to be sure, but maybe too complicated and time-consuming to be something you'd worry about on a regular basis. But if you thought that, maybe you should think again.

Dave Bittner: [00:11:35] Security firm Eclypsium has posted a demonstration video that shows how a firmware backdoor could be installed in a laptop in under five minutes - four minutes and three seconds, to be precise.

Dave Bittner: [00:11:47] Eclypsium researcher Mickey Shkatov built a small device that he can slip on to a chip to flash a laptop's firmware, or BIOS, with a backdoor or rootkit. He built the little wonder for the low, low price of just $285. And he used a generic backdoor that anyone can find for free on GitHub. You can watch the video easily at Motherboard's article on the proof of concept. So four minutes and three seconds does it. And we can't help but notice that he fumbled with his screwdriver a bit, so a mechanical virtuoso could no doubt achieve an even quicker hack.

Dave Bittner: [00:12:21] And there are some physical attacks available that don't even require you to open up a computer's case. All of these attacks would leave the evil maids plenty of time to make the bed, empty the trash, leave a mint on your pillow and pocket the tip. You do tip housekeeping, don't you?

Dave Bittner: [00:12:38] As a public service, we'd like to remind all you planning to attend Black Hat and DEF CON at the beginning of August that, yes, it's the right thing to do. Remember housekeeping when you stay in a hotel. Travel and Leisure Magazine says that $2 to $5 per occupant per night is customary and just good manners. Just leave a few bucks to take care of the people who take care of you. Remember, most maids are good and not evil. If you find that housekeeping flashed your firmware, of course you can reflect your displeasure in the amount you leave. Installing a rootkit would be housekeeping's equivalent of the waitstaff sticking their thumbs in your soup - be worse, I guess. A side note on human intelligence tradecraft, when recruiting agents, the smart HUMINT officers don't necessarily want to recruit the head of the enemy's secret police. They'd be just as happy to obtain the services of the cleaning crew employed by the head of the enemy's secret police, especially if the head of the enemy's secret police leaves his Chromebook lying around. Think about it, chief. And take a look at what you're leaving behind in that hotel wastebasket before you head out to the arsenal or the business hall.

Dave Bittner: [00:13:50] And now, a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics.

Dave Bittner: [00:14:21] VMware's White Paper, on a comprehensive approach to security across the digital workspace, will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. We thank VMware for sponsoring our show.

Dave Bittner: [00:14:51] And I'm pleased to be joined once again by Emily Wilson. She's the director of analysis at Terbium Labs. Emily, welcome back. You recently attended a fraud conference, which - news to me that there is such a thing. But you had some interesting conversations there. Bring us up to date. What did you learn?

Emily Wilson: [00:15:08] Definitely. I am fresh back from Vegas. And not just a fraud conference, but the fraud conference, in fact...

Dave Bittner: [00:15:14] (Laughter).

Emily Wilson: [00:15:14] ...Hosted by the Association of Certified Fraud Examiners. And I spent a couple of days surrounded by all different kinds of fraud professionals, everything from investigators to law enforcement, auditors, people who are working on different kinds of internal controls, you know, risk and compliance. I have to tell you, it was a great experience. If you have any interest in getting a better grasp on what fraud professionals are dealing with, I would recommend this conference. It was really informative.

Dave Bittner: [00:15:42] Now, one of the things you discovered was that not - the fraud folks and the InfoSec folks may not be communicating effectively.

Emily Wilson: [00:15:50] I did. I used this chance to sort of - you know, I go to a lot of different kinds of security conferences and industry events. And so this was a chance for me to kind of be a minority practitioner and do a little kind of impromptu survey of the audience. And I was asking people, you know, hey, on the fraud side, are you guys discussing kind of your workflow? Are you working with your security teams? You know, are you guys sharing tools or resources?

Emily Wilson: [00:16:16] And I was surprised to get consistent answers. They were kind of uniform and uniformly optimistic, I'll say. I heard from people consistently that they are not working as fraud professionals with their security teams, but they're starting to. It's starting to get better, is how everyone phrased it.

Emily Wilson: [00:16:36] And everyone expressed a real desire to see more collaboration. They understand that security professionals have access to data and intelligence and resources that can impact the fraud departments, and they want to get their hands on that. They want to collaborate. They're just not quite sure how to get there.

Dave Bittner: [00:16:55] Now, one of the other things you shared with me is that you spoke to some folks from some large companies that had had breaches. And they found that to be a place to kind of pivot on their - on how they deal with these things.

Emily Wilson: [00:17:07] That's true. I spoke with a couple of different individuals from companies who have not had the best year or last 18 months.

Dave Bittner: [00:17:15] (Laughter).

Emily Wilson: [00:17:16] Sort of that reaction of, oh, how's - how are (laughter) things at your organization, once you see the name tag. And what they told me was that these crises, while unfortunate and really disruptive, have actually been the catalyst for allowing fraud teams to communicate with security teams.

Emily Wilson: [00:17:36] Now, whether because they're getting what they've always asked for, which is more conversation and more collaboration, or because of the changes in oversight - it's now required that the teams work together. And so they have shared budgets and shared resources. And they're moving people around in departments so that they're - you know, they're shifting perspective to try and figure out how to prevent these crises from happening again.

Emily Wilson: [00:17:59] And so what I'm trying to figure out - think we should all be trying to figure out - is, how can we get ahead of that? You know, we had - we shouldn't have earth-shattering crises to get to the point where departments are talking to one another.

Dave Bittner: [00:18:10] Right.

Emily Wilson: [00:18:11] What if we can get to it before that happens? And how do we get there?

Dave Bittner: [00:18:14] Yeah. Learn from the lessons that they've experienced and get ahead of the problem.

Emily Wilson: [00:18:19] Yes. If we can get ahead of the problem, if we can stop this constant struggle of each department reinventing a portion of the wheel only to find out that everyone else is working in parallel, if we could - God forbid - all work together on solving problems that impact multiple departments, maybe some of these crises wouldn't have happened.

Dave Bittner: [00:18:39] Interesting insights. Emily Wilson, thanks for joining us. And that's The CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.

Dave Bittner: [00:18:55] Thanks to all of our sponsors for making The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at The CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.

Dave Bittner: [00:19:22] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik. Social media editor, Jennifer Eiben. Technical editor, Chris Russell. Executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.