Leafminer wants to learn from the best, and that's not good. Shipper hacked. Old malware resurfaces in improved form. Russian grid and election threats. What insurance covers.

Dave Bittner: [00:00:03] Leafminer infests networks in the Middle East. Red Alert, Kronos, Mirai and Gafgyt make their reappearance in new forms. Shipping firm COSCO is dealing with a cyberattack. U.S. officials raise warnings about Russian threats to the power grid and elections. And a dispute over cyber insurance coverage lands the insured and the insurer in court.

Dave Bittner: [00:00:31] And now some words from our sponsor Cylance. The cloud is great, and it's opened up major efficiencies for enterprises of all missions and sizes, but the cloud's not the whole of IT. In fact, about two-thirds of all computing still occurs in on-premise data centers. And reality for the foreseeable future, Cylance tells us, will be the sort of hybrid environment that 90 percent of organizations will have adopted by 2020. As users of their endpoint security products, we at The CyberWire were interested to learn that they've now made available two new options of their flagship CylancePROTECT - CylanceHYBRID and CylanceON-PREM. They're now ready for use, and they serve whatever environment you operate in - a public cloud, a private cloud or an air-gapped network. It doesn't matter. Cylance protects you in all of them. Go to threatvector.cylance.com and check out their announcement of CylanceHYBRID and CylanceON-PREM. That's threatvector.cylance.com. And we thank Cylance for sponsoring our show. Major funding for The CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:43] From The CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 25, 2018. Symantec researchers are reporting a new cybercampaign active in the Middle East. Earlier today, the security company released its report on Leafminer, which is what they're calling the threat actor. They say it's been active against governments and business verticals in the region since 2017. The affected countries include Saudi Arabia, which leads in the number of infections, Lebanon, which clocks in second, and Israel and Kuwait rounding out the field. Leafminer's target list, obtained due to the attacker's missteps, is written in Farsi, and it calls out enterprises in Saudi Arabia, United Arab Emirates, Qatar, Kuwait, Bahrain, Egypt, Israel and Afghanistan.

Dave Bittner: [00:02:34] Leafminer makes good use of known exploits and commodity attack tools. Symantec also points out that the threat actor, quote, "seems to be actively following developments and publications of the offensive security community when selecting their toolkit," end quote. They're active, committed to learning from the best but also a bit sloppy with their own operational security. This suggests, the researchers say, a degree of inexperience, but Leafminer will bear watching.

Dave Bittner: [00:03:02] Several familiar criminal tools are resurfacing in updated form. Security firm Sophos is seeing a new version of the Red Alert banking Trojan, Red Alert 2.0. Cybersecurity company Proofpoint reports that Kronos is back. Kronos is also a banking Trojan, this one first observed in 2014, and it made its reappearance recently with attacks in Germany and Poland. It's being spread largely by phishing, with the phish bait taking the familiar form of a malicious Word document attached to an email. Proofpoint notes that its masters are using Tor for command and control traffic. Kronos is also available on a criminal-to-criminal basis. And Proofpoint thinks they've observed circumstantial evidence that Kronos has been rebranded as Osiris and that it's available under that name on the black market. And Palo Alto Networks and others note a resurgence of the Mirai and Gafgyt botnets which are run and rerun as commodity attacks against vulnerable internet of things devices.

Dave Bittner: [00:04:06] Wiretap is a company that helps provide organizations with insights on how their employees are using social collaboration and messaging tools to make sure they're in compliance and that employees aren't misbehaving. They recently published the results from their "Human Behavior Risk Analysis" report. Jason Morgan is vice president of behavioral intelligence at Wiretap.

Jason Morgan: [00:04:27] With our Aware platform, we help companies monitor their enterprise social networks, like Yammer or Workplace by Facebook or Microsoft Teams. And so in building the behavioral intelligence models - the artificial intelligence for this platform - we've gathered a great deal of data from several hundred data-sharing customers. So this is what came out of it - the human behavioral risk analysis. In the report, we highlight some of the risky behaviors that people actually participate in in these enterprise social networks - things like toxic behavior. Maybe people are sharing crude jokes or photos they shouldn't be. Maybe they are participating in harassing behavior, and maybe they're actually sharing intellectual property when they shouldn't be or customer data. That said - now, that's kind of where we went with this report, highlighting some of these risky behaviors.

Jason Morgan: [00:05:22] What we really want to convey in the report is also that these risky behaviors - while they exist, they're not that common. And, in fact, it's just usually a few employees - a few messages in a network per day, per month that really cause any kind of problem. And so we really want to highlight the fact that these enterprise social networks can help companies be more productive. Maybe that is reducing some communication complexity, you know, getting away from email, making communication more rapid. It may help companies also just get ahead of problems. Maybe this is - problem's morale. So - and it will also help companies, we hope, understand that they can get at the root of complexity and toxicity in the networks.

Jason Morgan: [00:06:12] We want the companies to understand that they can use these enterprise social networks to get insight into the patterns of communication on their networks, that they can possibly - in the future - use them to identify stellar employees or employees that are being excluded from conversations and excluded in a way that may be a drain on the overall culture of a company.

Dave Bittner: [00:06:36] Now, in terms of managing risk - I mean, what are your recommendations for organizations as they deploy these tools, which clearly are useful and can help workers be more efficient and, I suppose, as you lay out, also can help with employee morale? You know, you sort of have this virtual water cooler where people can get questions answered quickly or check in with their co-workers. What's the balance there? How - what are your recommendations based on the data that you got from this report?

Jason Morgan: [00:07:03] The first thing that I would tell companies that are looking to roll out something like Workplace by Facebook or Yammer or Teams is that on these platforms - because they are a centralized place of communication - it's probably easier to manage risk on these platforms than it is, for example, face-to-face conversations around a water cooler. Companies have always dealt with issues, whether or not it's crude jokes that are - you know, crude, racist or other jokes around the water cooler that are extremely hard to monitor and to control, whereas on these collaboration networks, they have an opportunity to, first off, monitor and make sure those type of toxic behaviors are not occurring and, at the same time, to extend their knowledge about how work within their company gets done.

Jason Morgan: [00:07:58] So this is something I noticed coming from Enterprise, and I've spoken to other people here at Wiretap and then their customers - is that they don't know, a lot of times, how work actually gets done. You don't know who the important people are at a company. They aren't always the people sitting in the seats that you would think they are. These social networks - while they do raise another vector of potential risk, they actually, if you ask me, decrease the ultimate risk to the company because it can be monitored. At the same time, they're opening up opportunities to identify productive employees, identify where problems might be arising that wouldn't even ever be talked about otherwise.

Dave Bittner: [00:08:43] That's Jason Morgan from Wiretap. You can check out their "Human Behavior Risk Analysis" report on their website.

Dave Bittner: [00:08:52] The maritime shipping firm COSCO reports that a malware infection is impeding but not stopping its operations. The infestation apparently began at the COSCO terminal in the U.S. port of Long Beach, Calif. It said, by industry publication Loadstar, to have spread last night to the line's U.K. operations. The incident has reminded observers of the effect NotPetya had on the Maersk line last year. That particular attack is reckoned to have cost Maersk some $300 million, and NotPetya was, in all probability, directed principally at Ukrainian targets. The disruption and economic losses elsewhere were just so much gravy. The COSCO incident seems not to be as serious as the one that affected Maersk and other logistics companies. COSCO says that ship operations are unaffected, and the company stresses that safety of navigation is not impeded at all. But business communications are being hit. How the company handles the attack will provide a good indication of how the shipping sector has improved its resilience since last year's Russian wake-up call.

Dave Bittner: [00:10:00] And speaking of the Russians, they're much in the mind of the U.S. Congress and media this week. Warning has come from several official quarters that Russian hacking of American infrastructure, especially the power grid, is a looming threat. Several reports rendered both to Congress and the media describe the extensive battle space preparation and successful compromise of electrical power infrastructure control centers that Russian operators - call them Energetic Bear for short - have achieved.

Dave Bittner: [00:10:29] Obviously, the North American power grid hasn't been taken down. Canadian and U.S. electrical power distribution is so closely coupled that disruptions cross the 49th parallel north easily and freely, so this is a Canadian issue, as well. But while it could happen, industry sources vigorously second the official warnings. Security industry comments run from, well, this is the new normal, to, well, we've known this for years; what took you so long? - to - and why all of a sudden are you shouting the obvious from the rooftops? - to - keep calm and take a deep breath. In truth, as many point out, such alerts have been sounded for some years, but they're being delivered with unusual urgency this time around. It's not just the power grid either.

Dave Bittner: [00:11:16] Christopher Krebs, the U.S. Department of Homeland Security undersecretary for National Protection and Programs Directorate, yesterday testified about election security to the House Committee on Oversight and Government Reform. His statement for the record offered a comprehensive overview of the measures the National Protection and Programs Directorate has taken to help state and local election authorities protect themselves against vote hacking narrowly conceived. Much of this takes the form of intelligence sharing, technical assistance and mutual cooperation.

Dave Bittner: [00:11:49] Undersecretary Krebs did say - with respect to the, in many ways, more interesting issue of Russian information operations - that Moscow had, as he put it, quote, "continued malign influence operations," end quote, into this year, although not apparently on the same scale that was observed in 2016. This seems only right since, after all, this is an off-year election. And it's reasonable to think the bears have a civics class understanding of the relative importance of presidential and midterm voting.

Dave Bittner: [00:12:19] DHS isn't writing off the prospect of direct hacking either, especially given reports that some 21 states have seen scans of electoral systems attempted over the past two years. Whether the executive branch is crying wolf or not, Congress is certainly howling. The warnings come as the U.S. Congress shapes the defense authorization bill in which cyber provisions figure prominently. Congress is in a mood to take a hard line with calls for retaliation in kind, or worse, to cyberattacks. There's also a move afoot in the Senate to form a commission to study and develop advice on cybersecurity policy.

Dave Bittner: [00:12:58] Finally, a Virginia bank, the National Bank Of Blacksburg, is reported to be suing its insurer, Everest National Insurance, over coverage of two cyber bank heists that netted thieves about $2.4 million. The crooks were probably a Russian gang, from evidence the bank's security consultants found when they were called in to help with the mop-up. The policy Blacksburg had with Everett had two riders - a computer and electronic crime rider with a single-loss-limit liability of $8 million and a $125,000 deductible and a debit card rider, which limited single-loss liability to $50,000 with a $25,000 deductible and an aggregate limit of $250,000. The bank complains that the insurance company regarded the crimes as covered by the debit card rider, presumably since they involved ATM exploits. Whatever the case's outcome, the National Bank of Blacksburg was certainly pwned - twice. So beware of phishing, and remember; when it comes to transferring risk, the large print giveth, but the small print taketh away.

Dave Bittner: [00:14:14] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single-open-platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's White Paper on a comprehensive approach to security across the digital workspace will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. And we thank VMware for sponsoring our show.

Dave Bittner: [00:15:15] And I'm pleased to be joined once again by professor Awais Rashid. He's a professor of cybersecurity at the University of Bristol. Awais, welcome back. We wanted to touch today on this notion of IoT and operational technology and how they're converging. What do you have to share with us?

Awais Rashid: [00:15:31] So operational technology, which is a casual term, is the kind of systems that you use in industrial infrastructure. So these are the kind of systems that are used to control water treatment, power grid, manufacturing facilities and increasingly widely used in high-level manufacturing and those kind of settings. With the emergence of IoT, we are seeing such devices being incorporated into these kind of operational environments. And there are plenty of good reasons for that. This provides enhanced visibility and integration, which means that you can have more effective business processes. You can glean more real-time intelligence from your operational technology. You can reduce costs. You can fine-tune physical processes.

Awais Rashid: [00:16:14] However, this convergence also means that the boundary between what are your traditional legacy operational technology environments, which were not originally supposed to be connected to other networks, and - at least the internet - is now interacting with more contemporary IoT sensors and actuators that are connected and are supposed to have remote connectivity and control. And that poses a number of interesting challenges for security.

Dave Bittner: [00:16:40] So take us through. What are some of the challenges there?

Awais Rashid: [00:16:43] You can imagine a scenario where you have a number of, say, older devices like programmable logic controllers or remote telemetry units (ph), you know, sometimes running on protocols which do not have authentication and encrypted communication built into that now interfacing with an IoT gateway which is gleaning intelligence and pushing that data into the cloud. And so - and that in itself provides interesting challenges and new problems in terms of the attacks they face of this kind of a convergent environment. We need to understand what the attacks look like in this kind of convergent environment.

Awais Rashid: [00:17:22] The cyber kill chain is very well-known as a model in industry showing how the attacker may be disrupted at different stages of an attack. In a simplistic way, maybe we need some kind of a cyber kill chain that represents this kind of convergent IoT and operational technology environment.

Dave Bittner: [00:17:39] And where do you suppose things stand right now? Are we where we need to be? Or what do you see as we look forward?

Awais Rashid: [00:17:47] I think one of - there are a number of things that we can look at. One of the things is to understand as to how the convergence leads to potential vulnerabilities being exposed to attackers. We need to understand what the attack models in this kind of convergent setting might look like. So, for example, attackers pivoting from the operational technology onto the IoT or vice-versa - what are the possibilities of lateral movement or, you know, privilege escalation in these kind of settings?

Awais Rashid: [00:18:17] So there are a number of unknowns at this point in time simply because, traditionally, these kind of environments haven't had this level of connectivity. And I think we do need to have better ways of analyzing attacks in this kind of convergent environment. We also need more specific and perhaps specialized intrusion detection systems that are attuned to the - what you would think of as the melting pot of legacy and nonlegacy technologies and protocols coming together.

Dave Bittner: [00:18:48] Professor Awais Rashid, thanks for joining us.

Dave Bittner: [00:18:55] And that's The CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.

Dave Bittner: [00:19:03] Thanks to all of our sponsors for making The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at The CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:19:30] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.