The CyberWire Daily Podcast 8.29.18
Ep 673 | 8.29.18

Unpatched Apache Struts installations being exploited in the wild. Windows local privilege escalation flaw. Similarities among spyware. Stalkerware hack. Criminal threats to the grid. Breaches.

Transcript

Dave Bittner: [00:00:03] An Apache Struts vulnerability patched last week is being actively exploited by cryptojackers. Microsoft works on a fix for local privilege escalation flaws in Windows. Trend Micro sees similarities among Urpage, Confucius, Patchwork and Bahamut campaigns. Air Canada suffers a breach, criminal threats to power grids and searching for search engine optimization in all the wrong places.

Dave Bittner: [00:00:35] Now a few words about our sponsor, Invictus. We've all heard that cyberspace is the new battle space. Invictus International Consulting was founded by people who know a battle space when they see it. This leading cybersecurity company headquartered in northern Virginia boasts an expert staff with decades of cybersecurity, technology solutioning and intelligence analysis experience. Its customers in the intelligence, defense and homeland security communities highly value these Invictus cyberwarriors and their professional ethos. Invictus is a service-disabled veteran-owned small business - that's SDVOSB - with over 60 percent of the Invictus workforce comprised of veterans. The company excels in achieving mission success not only within the government space, but it has been a game changer within its commercial clientele as well. An award-winning company recently named a 2018 cybersecurity 500 list as one of the world's hottest and most innovative cybersecurity companies, Invictus recently won the Most Valuable Industry Partner award at (ISC2)2 15th annual Information Security Leadership Awards as well as several others. Check them out at invictusic.com to learn more and to see if you have what it takes to become a cyberwarrior. That's invictusic.com And we thank them for sponsoring the CyberWire. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:09] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 29, 2018. The Apache Struts vulnerability discovered by Semmle and patched last week by Apache is now undergoing active exploitation in the wild. The security firm Volexity reports that it's being used to run a cryptojacking campaign against unpatched systems. The researchers have detected extensive automated scans looking for vulnerable installations, and they found that subsequent attacks can install versions of CNRig miner, a cryptojacker that runs on Linux distributions. Attacks can also plant script that downloads other malicious code. Thus, while the current threat is cryptojacking, other forms of exploitation are entirely possible. In the current cases, the scans seem to be originating from Russian and French IP addresses. The actors appear to be criminal. As we've mentioned, this is a known and patched vulnerability. Many will recall that last year's notorious and damaging Equifax data breach was enabled by an unpatched vulnerability in Apache Struts. To avoid a repetition, by all means patch. The Apache Software Foundation has got the fix out. It's time to apply it.

Dave Bittner: [00:03:28] A previously unknown Microsoft Windows local privilege escalation zero-day was announced on Twitter late Monday by Sandbox Escaper, whose Twitter account displayed some misgivings about the disclosure shortly thereafter. Cert/CC quickly verified that the zero-day was real and that it worked against a fully patched 64-bit Windows 10 system. The vulnerability exists in Windows task scheduler and has been given a CVSS score of 6.4 to 6.8. There are no known workarounds, but Microsoft has also confirmed the issue and is believed to be working on a patch.

Dave Bittner: [00:04:08] The complexity of attribution and the correspondingly complicated connections among threat groups are on display in a Trend Micro account of Urpage, whose activities are interestingly similar to those of Confucius, Patchwork and Bahamut. Urpage targets InPage, a word processor designed for Urdu and Arabic. Trend Micro notes that Urpage uses a Delphi backdoor like Confucius and Patchwork, and its malware payload resembles the espionage tools found in Bahamut.

Dave Bittner: [00:04:41] TheTruthSpy, which Motherboard and others call a stalkerware vendor, was hacked, losing logins, audio, images, text messages and other data. The hacker, whose work the magazine has verified, told Motherboard that, quote, "I control victims all over the world. I have admin access to the servers," end quote. It's consumer spyware designed for keeping tabs on a spouse or a significant other the customer thinks maybe stepping out - cheaper than a private eye but not nearly as engaging as Philip Marlowe would have been. Oh, wait; Marlowe always said he didn't do divorce work.

Dave Bittner: [00:05:19] There's a concerted effort among many organizations to try to get a better handle on their third-party risk, the vulnerabilities of your suppliers and contractors that may have an effect on your business should they be exploited. It's complicated. CyberGRX is a company that's trying to streamline the process with a third-party cyberrisk information exchange. Fred Kneip is CEO at CyberGRX.

Fred Kneip: [00:05:44] I think as people started to focus on cybersecurity, the first area people focused on were securing their own environments. And so the last decade or so you've really seen an increase in focus on cybersecurity, but it's very much around, how do I ensure my environment, my controls, my processes, procedures in place? What is happening in parallel is companies are becoming more and more reliant upon an ecosystem of third parties to deliver their business. People no longer have, you know, all in-house counsel or in-house payroll and that sort - it's - you know, you use ADP. You use outside counsel. You use Salesforce, et cetera. And it's kind of an interconnected web.

Fred Kneip: [00:06:23] What's happened is as people have built security for their own environment, hackers have said, OK, let's move a different direction, follow the path of least resistance, and let's go through third parties as a channel in. I think Target was probably the biggest wake-up call for everyone, that an HVAC provider was the original point of access to get the credit card information. People have not been focusing on that space. And the effort and attention on third parties to date has really been below what is necessary. And thus you see - I think it's anywhere between 50 to 60 percent of breaches today originate from a third party.

Dave Bittner: [00:06:55] Yeah. And it seems to me like it's a hard problem to even wrap your head around. When I think about the number of organizations that any business would interact with and the potential - it's sort of an exponential web of risk there.

Fred Kneip: [00:07:09] You're absolutely right. I think one measure or one important approach to manage that is recognize that while a typical Fortune 500 company has between 5,000 and 10,000 third parties that they work with that only a fraction of those are the ones that are really the ones that create that highest exposure to risk. Do they have network access? Do they have login credentials? Do they come on-site, et cetera?

Fred Kneip: [00:07:31] So one of the first things that we help companies do is work through what we call an inherent risk mapping to understand, who should I even be focused on? Instead of trying to go out and determine the risk around a thousand companies, they can first focus in on that top 10, top 100 or whatever it might be as the first step in the process.

Dave Bittner: [00:07:50] Now, how do you manage some sort of I guess for lack of a better word standardization for how you deal with your third-party providers? I would think it would be impractical to deal with each one as a one-off situation.

Fred Kneip: [00:08:05] Well, that's exactly right. And it's remarkable what happens today. So in some of the regulated industries such as financial services, health care or even retail because of the PCI, personal confidential information, you have seen some level of third-party management. But what that typically is is a very paper-based - sending an Excel file saying, tell me about your password policy, tell me about your phishing program, et cetera. And if you repeat over a thousand or so companies, it's almost impossible to manage through that. People have teams dedicated to just processing that data.

Fred Kneip: [00:08:41] And on the other side of it, there are companies who are being assessed. One of my favorite examples is the payroll company ADP. They've been assessed in excess of 4,000 times per year. And so that's a team dedicated just responding to questionnaires. You're all asking roughly the same questions. Of those 4,000 for ADP, the vast majority are basically the same. Some will ask for a different format - they'll be in Word files, they'll be in Excel files, whatever it is - but the same type of information.

Fred Kneip: [00:09:07] And so let's standardize that in a comprehensive set of information, allow it to be assessed once and used multiple times. The analogy that I use for that is, you know, if you rewind call it a hundred years or so, you're trying to raise money in the financial markets, you'd have to go to each bank, and they do their own due diligence. And now if you're trying to raise capital, you know, you get an S&P or a Moody's credit rating, and that gives you all that depth of information that you would need to kind of make that risk-based decision. We're trying to do the same thing for cybersecurity.

Dave Bittner: [00:09:39] That's Fred Kneip from CyberGRX.

Dave Bittner: [00:09:45] Air Canada has disclosed that its mobile app sustained a data breach last week. It's thought to affect some 20,000 people whose basic profile data were exposed. That information includes names, email addresses and phone numbers. It may also include more sensitive optional information users might have added to their profiles.

Dave Bittner: [00:10:06] As operational technology experts at Applied Control Solutions continue to warn of potential security issues with power plants' process sensors, researchers at security firm Cybereason point out that criminals also pose a threat to the grid. Unlike nation-states, cybercriminals may not mean to turn the power off, but they might do so inadvertently. Cybereason concluded an experiment last week in which they set up a dummy utility network and observed what happened as cybercriminals attempted to hack into it. Attempt they did, and not just a few of them succeeded. In Cybereason's assessment, the attackers exhibited some advanced skills, but they were also sloppy in many respects. Cybereason told The Washington Post, quote, "they're not looking to throw the switch, but they might throw the switch by accident," end quote.

Dave Bittner: [00:10:58] Most concerns about power grid attacks have focused on the threat of state espionage services, especially those of Russia, deliberately seeking to get into an adversary's electrical distribution system and gain the ability to shut it down. This is a form of warfare or at the very least a form of very aggressive statecraft. But Cybereason argues the criminal threat can't be overlooked either. Their motives are doubtless different. They might, for example, seek to hold utilities up for ransom, or they might be interested in simply penetrating business networks for the usual reasons of credential theft, financial fraud and so on.

Dave Bittner: [00:11:36] But it's worth noting that at least two incidents that disrupted industrial control systems appear to have been inadvertent, incidental to the attackers' presumed primary purposes. These are the 2014 attack on a German steel mill that damaged a blast furnace - the attack prevented the furnace from being properly shut down - and last year's incident in Saudi Arabia where Trisis malware caused, again, probably unintentionally, systems at an oil and gas production facility to enter their fail-safe shutdown mode. So Cybereason points out hackers make mistakes, too. And when those mistakes touch operational control systems, the results could be very damaging indeed.

Dave Bittner: [00:12:18] Reuters reports that an Iranian influence campaign major social media platforms have struggled with is bigger than initially believed. One indication of its size is the effort's linguistic reach. Reuters counts Iranian information operations in 11 languages.

Dave Bittner: [00:12:37] Finally, you've heard of search engine optimization of course. There's a newish form of unwelcome SEO out there - the promise of bot-driven negative reviews coming to dominate the online image of a company or organization. There's currently an active gang of extortionists out there seeking to do exactly that. They call themselves either ironically or truthfully or cluelessly the STD Corporation. And they're trying to shake down airfare comparison site CheapAir for over $10,000 in cryptocurrency - of course - to make sure CheapAir's reputation doesn't get blasted by a wave of bad reviews, all amplified by botnets. CheapAir says it's not paying, to which we say bravo. And use reviews with caution. Bots wouldn't recognize good customer service if it bit them in the bytes.

Dave Bittner: [00:13:36] Now a few words about our sponsor, the Incident Response Consortium, a leading nonprofit organization working to advance the cybersecurity industry through community building and the sharing of best practices. They're returning to the D.C. metro area this year with their popular, free security conference IR18. That's right. It's free, and it's being held September 5 and 6 at the Renaissance Arlington Capital View Hotel. IR18 welcomes experts, those new to the industry and anyone looking to learn more about the critical issues of cybersecurity. There'll be valuable cybersecurity best practices training, hands-on vendor product training, cyber range wargaming, social networking, career opportunities, mentorship opportunities, chances for educational scholarships and much more. Of course, there'll be free breakfast and lunch, too. Don't miss this great learning opportunity. And it's a chance to make new friends and build professional relationships. Space is limited. And with over 600 registered attendees already, be sure to head on over to incidentresponse.com com to register today. That's incidentresponse.com. We thank the Incident Response Consortium for sponsoring our show.

Dave Bittner: [00:15:00] And I'm pleased to be joined once again by Jonathan Katz. He's a professor of computer science at the University of Maryland. He's also director of the Maryland Cybersecurity Center. Jonathan, welcome back. We had a story come by. This was in WIRED. And this was about some flaws in some Intel processors, particularly dealing with the secure enclave. What do we have going on here?

Jonathan Katz: [00:15:22] Well, I'm sure a lot of your listeners remember the attacks from early on this year, Spectre and Meltdown, that were used by some attackers - some researchers, sorry - to basically expose secret information from code execution. And what those same researchers then did, actually, was they applied the techniques to the Intel SGX, which is supposed to be a secure enclave that Intel produces. And they showed that, using extensions of those attacks, they were able to, number one, get secret information from within the enclave, which is something that you're not supposed to be able to do.

Dave Bittner: [00:15:56] Right.

Jonathan Katz: [00:15:56] And even worse, they were able to actually extract the secret keys put in there by Intel from those secure enclaves.

Dave Bittner: [00:16:05] Now, is this secret key - does every instance of the processor get its own secret key, or is this some sort of a master key?

Jonathan Katz: [00:16:13] So it's a little bit of both, actually. So every instance of the enclave does get its own secret key. But because of the way the protocol is designed, it's using what's called a group signature scheme, which essentially means that every enclave has the ability to sign, but a verifier can't tell, actually, which enclave generated the signature. They can only tell that it was a legitimate Intel SGX platform generating that signature. So once you're able to get one key out, it means you can impersonate legitimate Intel SGX enclaves and then, you know, fraudulently sign whatever you like. So just getting a single key is already bad enough to basically impact security of the entire system.

Dave Bittner: [00:16:52] And is this patchable? Is this something Intel is on top of? Or is this a deeper flaw than that?

Jonathan Katz: [00:16:58] Well, it's patchable in the sense that Intel, as far as I know, is currently working on the designs of next-generation enclaves that would be resistant to these attacks. But it's not patchable in the sense that the ones that are already deployed - the hardware that you already might have running on your machine is not going to be fixed and is not going to be able to be resilient to these attacks, unfortunately.

Dave Bittner: [00:17:22] What about the bigger picture with this? I've heard some folks being critical of Intel and other processor designers, saying that, you know, this is a result of their inability to keep making processors that are faster. So in exchange for that, they've come up with these - you know, these speculative processing techniques. And then that's what led to these vulnerabilities.

Jonathan Katz: [00:17:47] Well, there is some truth to that. It certainly was the case that by trying to improve efficiency, they left themselves open to these attacks. On the other hand, I don't think it's really fair to blame Intel because the idea of speculative execution goes back decades. And it wasn't until recently that people were able to exploit it. So, you know, it's not like Intel understood that these were going to be vulnerable or that they were going to cause vulnerability. They were doing the best they could to make the most efficient processors. And it's only the researchers who have been able to get better and better at exploiting what Intel has done.

Dave Bittner: [00:18:17] Yeah. So it's not like folks haven't had time to look at these sorts of things and see if it was potentially going to be a problem.

Jonathan Katz: [00:18:24] Yeah, exactly. And I think the research was actually quite clever. You know, I want to say that nobody really saw this coming - being able to exploit. Like I said, speculative execution has been around for decades. And nobody had noticed that it was a problem before. And so the work that was done to leverage that and then extract secret information was, you know, technically quite advanced and really, like I said, quite clever.

Dave Bittner: [00:18:47] All right. Well, as always, Jonathan Katz, thanks for joining us.

Jonathan Katz: [00:18:51] Thank you.

Dave Bittner: [00:18:54] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.

Dave Bittner: [00:19:03] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:19:29] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.