TSMC recovers from WannaCry infection. OpenEMR fixes 30 bugs. UK will ask Russia to extradite two GRU operators for Novichok attacks. Twitterbots flourish.
Dave Bittner: [00:00:03]: A chipmaker says the virus that shut it down in Taiwan was WannaCry. OpenEMR fixes bugs that could have exposed millions of patient records. British authorities are said to be readying an extradition request for GRU operators they hold responsible for the Novichok attack in Salisbury. The incident has prompted Russian hacking and disinformation.
Dave Bittner: [00:00:31] Time for a moment to tell you about our sponsor ThreatConnect. With ThreatConnect's in-platform analytics and automation, you will save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. The pioneer in threat intelligence platforms, ThreatConnect provides organizations a powerful cyberthreat defense and the confidence to make strategic business decisions. And if you're in Vegas for Black Hat this week, stop by ThreatConnect's booth, No. 1414, to get a demo and see the platform in action. And you can always learn more and get a free ThreatConnect account at threatconnect.com. And we thank ThreatConnect for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:44] From the Black Hat conference in Las Vegas, this is your CyberWire summary for Tuesday, August 7, 2018. There's now some clarity about the cyber incident that struck Taiwan-based chipmaker and Apple supplier TSMC. The company has brought its plants back online after a cyber incident that caused them to shutter operations over the weekend. The malware in question is said to have been WannaCry, which is familiar from last year's widespread infestation.
Dave Bittner: [00:02:14] The company said the outbreak happened during software installation of a new tool, which then evidently carried the infection into other parts of the company's network. TSMC added that neither data integrity nor confidential information were compromised. The incident appears to have been due to operator carelessness, a secondary infection and not a direct attack, as had been widely feared in Taiwan when the malware infection was first reported. TSMC's CEO bluntly told the press, quote, "this is purely our negligence, so I don't think there is any hacking behavior." TSMC attributes the infection to failure to scan software for known threats before installation, and they say their staff won't make the same mistake again.
Dave Bittner: [00:03:00] To review its history, WannaCry is a ransomware strain that propagates itself as a worm. It was discovered on May 12 of 2017, and it's been associated with North Korea's Lazarus Group. As TSMC implied, it's a known threat with readily available detection and mitigation - still, a nasty piece of work the world has probably not seen the last of.
Dave Bittner: [00:03:25] The BBC reports that Project Insecurity has found vulnerabilities in the widely used medical malpractice management system OpenEMR. The researchers disclosed the bugs to OpenEMR, which worked with them to fix the system. Some 100 million patients' records worldwide are thought to touch OpenEMR.
Dave Bittner: [00:03:46] Many organizations have put bug bounties in place to incentivize outsiders to report vulnerabilities in their code and to keep them from going to the highest bidder on the black market. Bugcrowd is a company that looks to crowdsource that effort. Casey Ellis is CEO at Bugcrowd, and he notes that more and more organizations are getting on board and putting old preconceived notions aside.
Casey Ellis: [00:04:09] There is this general perception that's been carried over the past, you know, 20 years that if you can do bad things to a computer, you're inherently a bad person. So that's been the biggest thing I think. You know, they look at the model - like, when you think about the crowdsource model, the economics are actually a perfect match to what they're trying to face on the bad guy's side. Like, they've got a crowd of people that have lots of different reasons to attack and have an incentive based on results. Bug bounties actually replicate that same resourcing and economics and make it available to defense. So it's perfectly logical. You just have to get over that kind of initial gut fear of the - you know, the person in the balaclava, so to speak.
Dave Bittner: [00:04:48] Yeah. And do you find that organizations are I guess - I don't know - emotionally defensive to people coming and pointing out the flaws in their products?
Casey Ellis: [00:04:59] Sometimes. You know, what we're seeing as a sort of adjacent trend is this idea that, you know, vulnerabilities are inherent to software development. Like, people aren't perfect. People are creatively powerful, and that's what allows us to build all these great things. But in the process of doing that, mistakes are made because people aren't perfect. So, you know, a vulnerability existing in software isn't necessarily a point of shame. It's something that's just a function of development itself. That thinking is starting to grow and starting to catch on. I still think there is, you know, a lot of instances where people don't like their baby being called ugly (laughter), so to speak.
Dave Bittner: [00:05:38] (Laughter).
Casey Ellis: [00:05:39] But that is the shift that we're starting to see. So, yeah, there is reservation sometimes. But that's changing, too, which is a good thing.
Dave Bittner: [00:05:45] Well, take us through this - the notion of crowdsourcing this.
Casey Ellis: [00:05:50] Yeah.
Dave Bittner: [00:05:50] You know, rather than having individuals, what are the advantages there?
Casey Ellis: [00:05:54] Yeah. So the basic model is that, you know, all or part of a community is invited to come in and find vulnerabilities in a system or a set of systems or even right across a company. And the first to find each unique issue that's within the scope of the program gets paid for that finding. And, you know, the incentive is the more severe or the more critical the issue you find, the more you get paid.
Casey Ellis: [00:06:16] So what it does is it encourages breadth. There's people - you know, the whole idea of being paid first encourages people to go very wide and try to find as many things as possible. But it also encourages depth in testing by, you know, incentivizing more highly those more critical results, which are often more difficult to find.
Dave Bittner: [00:06:36] And does it instill a certain level of discipline, sort of put - I don't know - for lack of a better word, you know, guardrails on the communications channels between the developers and the folks out there finding the bugs?
Casey Ellis: [00:06:49] Yeah. I mean, you know, what we do and what we've seen done in other places as well is to basically, you know, start with this assumption that hackers and companies don't really have a rich history of understanding each other very well. So, you know, a lot of what Bugcrowd's actually done is through the platform put those guardrails in that you talk about within the platform itself.
Casey Ellis: [00:07:10] But then we've also got a fairly large team that essentially acts as translators between these two communities. And I think that's really important because, you know, there is - you know, this is a new thing. I think this conversation between people with a breaker mindset and people with a builder mindset - you know, the idea of that happening at scale is something that's new to the businesses. And they actually need help making that successful.
Dave Bittner: [00:07:34] Now, one of the things that you pointed out is that this approach can improve code velocity. What do you mean by that?
Casey Ellis: [00:07:40] What we're seeing happen is, you know, pretty much everyone is working out how to move towards a more agile approach to development. And that's a fairly recent thing. Like, that's obviously been a thing that's common with companies that are, you know, 10 years old or less. But what we're seeing now is the more traditional organizations have at least some parts of their organization that are adopting, like, agile or fast, you know, release methodologies 'cause they see the value of it, right?
Casey Ellis: [00:08:08] What you need when you do that is this continuous feedback loop between people that are operating with a builder mindset and folks with a breaker mindset that can catch those vulnerabilities that I mentioned before. And really what happens is if you can, you know, incentivize the continuous coverage from that breaker community of the code that's being released, what it does is it allows code to be pushed faster 'cause they're less concerned - I mean, for starters, they're learning how to code more securely from the feedback that they're getting, which is the primary goal. But also, if they do release a vulnerability into their code, they know it's going to be caught quickly.
Dave Bittner: [00:08:43] That's Casey Ellis from Bugcrowd.
Dave Bittner: [00:08:47] British authorities are reported to be preparing extradition requests for Russian operators their investigation has concluded are responsible for the Novichok nerve agent attacks in Salisbury. The operation claimed one life, apparently incidentally to attack on the intended targets, and injured four more. The targets were Sergei Skripal and possibly his daughter Yulia Skripal.
Dave Bittner: [00:09:11] Sergei Skripal had been a GRU double agent working against Russia for the British MI6 intelligence service. He was handed over to the U.K. in a spy swap with Russia. He's lived in England for several years. Both he and his daughter were injured and hospitalized in the attack. Wiltshire Detective Sergeant Nick Bailey, exposed to Novichok during the response to the Skripals' poisoning, was also hospitalized. Some months later, Charlie Rowley and Dawn Sturgess were exposed through a vial of Novichok apparently left behind in England. Rawley was injured but survived. Sturgess died in the hospital.
Dave Bittner: [00:09:54] British authorities hold Russia's GRU military intelligence service responsible for the chemical attack. The Crown Prosecution Service is readying a request for extradition of two Russians who are suspected of committing the attacks, a request Russia is sure to deny. The case has figured prominently in Russian information operations and will no doubt continue to do so. The Russian line has been that the attack is either a hoax or a provocation, the provocation by some Russian accounts a put-up job by MI6 and the U.S. CIA with an assist from Czech intelligence whom the Russians have said could well have provided the Soviet-era chemical agent to its co-conspirators. They also claim the British are illegally detaining the Skripals and have rather brassily demanded that Russia consular officers be permitted to meet the father and daughter to ensure that they're OK, not in any distress and so on.
Dave Bittner: [00:10:52] Various international investigations are in progress, and at least one laboratory consulted about the attack, the Spiez Laboratory in Switzerland, came under a phishing attack during the last week in July. Investigation resulted in quick attribution of the phishing campaign to Sandworm, a lesser but still well-known relative of Fancy Bear, both of which of course are GRU hacking operations.
Dave Bittner: [00:11:17] Russia's foreign ministry claimed back in April that Spiez confirmed the Novichok samples as being of non-Russian, Western origin. Spiez, of course, said nothing of the kind. The Novichok agent is Russian. The entire incident shows the full convergence of the elements of hybrid warfare on the low but still very dangerous side of the spectrum of conflict. It includes denial, lethal kinetic operations, an extensive information operations campaign and cyberattacks directed against targets involved in the response to the campaign.
Dave Bittner: [00:11:51] Twitter botnets are said to be growing in reach and sophistication. Experts warn of their potential for exploitation in information operations. Duo Security is presenting research at Black Hat on the increasing effectiveness of spoof accounts, often difficult to distinguish from genuine accounts. Their impersonation of celebrities serves to draw followers and amplify the noise the networks emit. There's a great deal of Russian activity in evidence, Duo notes.
Dave Bittner: [00:12:20] We are represented this week at Black Hat in Las Vegas and look forward to learning more about these varieties of disinformation. Things are still getting set up for the main events that begin tomorrow, but a couple of our stringers did notice none other than Pete Rose signing autographs between the Luxor and the Mandalay Bay. They're sure it was Charlie Hustle himself because they were right there in the physical space, not even looking at their phones.
Dave Bittner: [00:12:47] And now an open letter from your dedicated SOC analyst. Our team works around the clock, yet we're being flanked on all sides and can't get in front of threats fast enough. If we had a theme song, it would be "The Roof is on Fire." Speaking of fire, each attack is more sophisticated than the last, and our current operations aren't advanced enough to keep up. Our team is already stretched thin, and companies keep poaching our talent pool, affecting our level of tradecraft. We need help and fast. On the metro, I heard an ad from a company called LookingGlass Cyber Solutions. They have, as a service, security solutions built upon 20 years of experience, proper security chops and the infrastructure to support security teams like ours. It's time the good guys scored a point. Learn more at lookingglasscyber.com.
Dave Bittner: [00:13:48] And I'm pleased to be joined once again by Mike Benjamin. He's a senior director of threat research at CenturyLink. Mike, welcome back. We wanted to check in today on DDoS attacks and what you all are seeing there at CenturyLink and how this is evolving. What do we - what can we expect in terms of the next generation of DDoS attacks?
Mike Benjamin: [00:14:07] DDoS attacks are something that have been really front of mind for us for the last couple of years. Obviously, as a large-scale network provider, our customer's very interested in being protected from it. And so a lot of the work we've been doing and done is on the IoT DDoS botnet space. It's been a relatively low-hanging fruit for actors, and they've been able to create some relatively powerful instances over the last couple years with some well-publicized events.
Mike Benjamin: [00:14:35] And what we've seen evolve over that time is very interesting, is we see the lower-sophistication actors move away from the more difficult malware families. And so Mirai is a very popular DDoS malware that - utilized in order to launch attacks. We've seen the actors use it less. The reason for that is that ourselves and a number of other groups that focus on DDoS attacks have been successful in breaking their botnets.
Mike Benjamin: [00:15:03] And if you're going to use something that requires standing up a few different processes, potentially even infecting multiple computers in order to launch the botnet, that's harder than doing a single computer and a single process and a less sophisticated codebase. So they've gone back to malware that they utilized in the past, namely the Gafgyt malware family, in order to launch their attacks.
Mike Benjamin: [00:15:24] The other, however, is that we've seen the higher-sophistication actors branch the Mirai codebase and continue to monitor - whether you want to call it one days or whatever you want to describe - but they're looking for other published bugs to inject into their malware. And they've been relatively successful in integrating newly released exploits against more IoT home router-type embedded Linux devices in order to grow their potential pool of infected devices.
Mike Benjamin: [00:15:52] And so from our perspective, the work is really focused on looking for the infection pool, isolating what's common about it and then ensure that we inform the operators of that infrastructure that they need to be cleaning it up. And so we're constantly working to minimize the available pool for their infections as well as of course, you know, break their infrastructure when it becomes a point at which it's a risk to the internet.
Dave Bittner: [00:16:16] So you all can actually see when these potential DDoS botnets are staging themselves. The warning can go out that we're not sure this is going to happen, but there's some potential here.
Mike Benjamin: [00:16:30] Yeah, absolutely. So think about the fact that in order to build a large-scale botnet of infected devices, you have to scan a large chunk of the internet in order to find that. And so by watching network traffic, we're able to isolate either large associated pools of devices scanning for common things or for new things. And so in the example of where they found a new exploit or new bugs integrated into their code, we'll see an anomaly in a group of devices scanning for a new port or maybe a new URL in terms of what's going on. And so the ports are obviously able to be gleaned from network communication data.
Mike Benjamin: [00:17:10] However, URLs - we need to be more sophisticated in how we glean that. And so the operation of honeypots is really effective in order to collect that type of data. And so anybody with a virtual machine running in a VPS provider or even their home connection - if you were to simply packet capture things connecting and scanning the external IP space that you have at your house or that one VM you have, you'll actually see a lot of this traffic on a pretty constant basis. And so what we've been able to do is actually group it together and associate it and find the commonality in order to understand, how big has the botnet gotten? How impactful could it be to the internet from a volume perspective?
Dave Bittner: [00:17:47] I see. No, it's interesting. All right. Well, as always, thanks for bringing us up to date. Mike Benjamin, thanks for joining us.
Dave Bittner: [00:17:58] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:18:06] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:18:33] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.