Twitter bots in Swedish politics. A different approach to influence operations. Hotel guest PII for sale. Medical device vulnerabilities. Charges in the case of the Satori botnet.

Dave Bittner: [00:00:00] Hello, everybody. Just a quick reminder that if you enjoy our show and you find it to be a valuable part of your day, we hope you'll take the time to head on over to iTunes and leave us a review. It really is one of the best ways to help spread the word about our show. Thanks.

Dave Bittner: [00:00:17] Twitter bots show up in Sweden's political discourse. Not so much Chinese hacking for influence - Beijing seems to prefer funding sympathetic cultural and research centers. One hundred thirty million hotel guests have their PII offered for sale on the dark web. Medical device vulnerabilities are disclosed, and hospitals are urged to patch. Nexus Zeta faces charges in a U.S. federal court, apparently in connection with the Satori botnet.

Dave Bittner: [00:00:51] Now a few words about our sponsor, Invictus. We've all heard that cyberspace is the new battle space. Invictus International Consulting was founded by people who know a battle space when they see it. This leading cybersecurity company headquartered in Northern Virginia boasts an expert staff with decades of cybersecurity, technology solutioning and intelligence analysis experience. Its customers in the intelligence, defense and homeland security communities highly value these Invictus cyber warriors and their professional ethos. Invictus is a Service-Disabled Veteran-Owned Small Business - that's SDVOSB - with over 60 percent of the Invictus workforce comprised of veterans. The company excels in achieving mission success not only within the government space, but it has been a game-changer within its commercial clientele as well. An award-winning company recently named to 2018's Cybersecurity 500 list as one of the world's hottest and most innovative cybersecurity companies, Invictus recently won the most valuable industry partner award at (ISC)² 15th annual Information Security Leadership Awards, as well as several others. Check them out at invictusic.com to learn more and to see if you have what it takes to become a cyber warrior. That's invictusic.com. And we thank them for sponsoring the CyberWire. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:24] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 30, 2018.

Dave Bittner: [00:02:33] Automated Twitter accounts have turned up in Sweden, according to a study by that country's defense research establishment. The bots of unknown provenance appear to be interested in the election, where they seem likelier to favor the country's third-largest party, the Sweden Democrats, whose nationalist and anti-immigrant line appears positioned to make a run at overtaking the opposition moderate party for second place behind the governing Social Democrats. The Sweden Democrats have been working to expunge racist elements from their ranks without departing from their nationalist platform, and they may be seeing some success. The bots, wherever they come from, seem to like what's on offer.

Dave Bittner: [00:03:16] The U.S. FBI says that it doesn't have much evidence supporting recent reports - and presidential tweets - that Chinese intelligence compromised former Secretary of State Clinton's insecure private server. Observers say that doing so would represent a departure for Chinese espionage, which has specialized in intellectual property theft. Chinese information operations have tended to focus on sponsoring think tanks and cultural centers, a kind of malign version of Germany's benign Goethe-Institut, to take one example. A few universities have cut ties with Chinese government-funded cultural centers over suspicion that they're being played in an influence operation. But a considerable number of them remain. Australian and U.S. universities have been of particular interest to the Chinese services.

Dave Bittner: [00:04:06] In this world of network-connected refrigerators, thermostats and toasters, it can be an ongoing challenge for organizations to keep up with the proliferation of IoT and BYOD devices they see on their networks. Gilad Peleg is CEO at SecBI. And he offers his perspective.

Gilad Peleg: [00:04:25] We as security professionals are used to dealing with quite - let's say a rigid environment, at least rigid compared to IoT. So you know, there's PCs. There's Macs. There's servers. And, you know, here and there - or not here and there - everybody has their own iPhone or Android. And kind of that's more or less it. Let's add some cloud infrastructure and cloud services to the mix. That's where we are on the customer's side, serving their users.

Gilad Peleg: [00:05:05] And now comes this - I don't know - tidal wave of new devices with tremendous new capabilities but also a whole lot of vulnerabilities that a lot of them just don't have an answer at this point. And we even don't understand all the vulnerabilities yet. BYOD - Bring Your Own Device - is a problem. There's now a lot of discussions about zero trust or sanctioned services or not. The industry is - you know, is working its way to solving or containing those challenges.

Gilad Peleg: [00:05:43] But IoT is a whole new category and a - you know, a whole new battlefield. I think the fact is that we can't trust the device. And if we can't trust the device, the next area or the next place to look for protection is the network. If I'm an organization, or if I have to consult an organization, I will tell them, look, if you can, buy, you know, IoT from a brand name. Try to understand the vulnerabilities. But you know what? One thing is for sure. You have to protect your network. You have to make sure that if something gets through, it will block it, or you will detect that malicious activity on the network. That's a stronghold. That's presence.

Gilad Peleg: [00:06:40] And when you - when a hacker gains presence in your network, it doesn't matter if he's infected your machine, or he's infected the smart TV, or he's infected that AC controller. He has presence. He is literally inside your network. And now it's up to him to decide what he does. He - we like to say he owns your network. And the only thing you need to do right now very quickly or as quick as possible is to detect that. That's critical. If you analyze network traffic, and you do that well - and today, companies like us employ machine learning, artificial intelligence to really be able to pick up the lowest signals to understand and detect very low and slow attacks, taking them into context and allowing the security team to detect and respond as quick as possible to any of those threats.

Dave Bittner: [00:07:51] That's Gilad Peleg from SecBI.

Dave Bittner: [00:07:56] A criminal is selling data belonging to 130 million guests who've stayed at hotels belonging to China's Huazhu group. Several security companies report finding the offering in a dark web market. The hacker wants 8 bitcoin - about $56,000 - for the whole shebang.

Dave Bittner: [00:08:15] Manufacturers of two medical devices - Qualcomm's Life Capsule DataCaptor Terminal Server and Becton Dickinson's Alaris TIVE Syringe Pump - disclosed through ICS-CERT that their devices allow remote unauthenticated access. Patches and upgrades are available. Hospitals are urged to apply them. The issues were discovered and disclosed to the manufacturer by the security company CyberMDX.

Dave Bittner: [00:08:42] The DataCaptor Terminal Server is susceptible to an old exploit, the Misfortune Cookie, which was described by the security firm Check Point back in 2014 when it noticed it in home routers. It's since cropped up in other IoT devices. This issue arises in the RomPager software from Allegro Soft that's used in DataCaptor. The Misfortune Cookie allows an attacker to use an HTTP cookie to write to arbitrary addresses in device memory and to do so without authentication. The DataCaptor Terminal Server is a medical device gateway that connects monitors, respirator, anesthesia delivery systems and infusion pumps to a hospital network.

Dave Bittner: [00:09:25] There are several disturbing possibilities in the Misfortune Cookie - denial of service, unauthenticated login, privilege escalation, arbitrary code execution, eavesdropping, compromise of patient information and so on. The most disturbing possibilities are that device functioning might be altered, thereby threatening patient safety.

Dave Bittner: [00:09:47] The Becton Dickinson Alaris Syringe Pump issue, also noted by CyberMDX, also could enable an attacker to alter device performance. In this case, a hacker would abuse a proprietary protocol to gain unauthenticated access to the device, at which point they could start or stop the pump, alter the rate at which it delivered drugs or even silence alarms going to nursing stations. Again, it's worth noting that the latest versions of these systems don't suffer these vulnerabilities. But it's an old story in IoT security. People often bucket along with older, vulnerable versions, and the devices themselves are easily overlooked and may be difficult to upgrade in any case.

Dave Bittner: [00:10:31] A young man has been charged in connection with the creation of the Satori botnet. But observers wonder if he really had the technical chops to do the crime. Here's the case. Toronto resident Kevin Currin Schuchman has been hauled before the U.S. Federal District Court in Anchorage, Alaska, by teleconference and charged with two counts of violating the Computer Fraud and Abuse Act by installing malware into non-cooperating systems between August and November of last year.

Dave Bittner: [00:11:00] The charging document doesn't name the malware it alleges he installed, but the Daily Beast thinks signs point to the Satori botnet. Mr. Schuchman had been active in various online hacking communities under the nom de hack Nexus Zeta. Check Point researchers noticed Nexus Zeta's chat requests for help in setting up a botnet, and eventually the pseudonym was traced to him. Some doubt that he had the technical chops to pull off something like Satori. He's set to fly into Anchorage to face the court in person tomorrow.

Dave Bittner: [00:11:37] Now a few words about our sponsor, the Incident Response Consortium, a leading non-profit organization working to advance the cybersecurity industry through community building and the sharing of best practices. They're returning to the D.C. metro area this year with their popular free security conference IR18. That's right - it's free. And it's being held September 5 and 6 at the Renaissance Arlington Capitol View Hotel. IR18 welcomes experts, those new to the industry and anyone looking to learn more about the critical issues of cybersecurity. There will be valuable cybersecurity best practices training, hands-on vendor product training, cyber range wargaming, social networking, career opportunities, mentorship opportunities, chances for educational scholarships and much more. Of course, there'll be free breakfast and lunch too. Don't miss this great learning opportunity. And it's a chance to make new friends and build professional relationships. Space is limited. And with over 600 registered attendees already, be sure to head on over to incidentresponse.com to register today. That's incidentresponse.com. We thank the Incident Response Consortium for sponsoring our show.

Dave Bittner: [00:13:02] And joining me once again is Mike Benjamin. He's the senior director of threat research at CenturyLink. Mike, welcome back. We wanted to touch today on the Necurs botnet. What can you update us with here?

Mike Benjamin: [00:13:13] Well, for those that are familiar with Necurs, it's not a new malware family. But it produces a substantive chunk of all of the spam that we see in the internet. And while spam may not be a security issue for many listeners, it also sends a lot of malspam. So we've seen this particular malware send ransomware over the last couple years at a pretty large volume. More recently, we've also seen the actor deploy modules within the malware family that can do crypto-mining, as is popular with a lot of threat actors these days.

Mike Benjamin: [00:13:45] And so Necurs is particularly interesting because it's seen a lot of evolution over the spam botnets that have existed in the last - call it 15 years, to the point that it is very difficult to take down. And so Necurs, however, through the resiliency that they've built, also makes it noticeable within a network monitoring perspective. And so we've seen the actor in recent months shutting down the malware for periods of time. In fact, it most recently just went offline on August 27.

Mike Benjamin: [00:14:16] And what's great about the time periods when they knock their command and control structure down is, well, of course they can't send spam. That's good for everybody. However, what we see is them calling back to the DGA domains that they've registered for the malware. And so monitoring in an environment for callbacks to those DGA domains can be a great way to find infected machines that folks may not be aware of.

Dave Bittner: [00:14:38] So explain to me the contrast there, between the resiliency of Necurs but also that it seems to be noisy when it's running.

Mike Benjamin: [00:14:48] Yeah. So Necurs has a few different mechanisms in which it communicates with its sort of infrastructure. The first is an infected endpoint joins a peer-to-peer network. And so while peer-to-peer protocols are more common these days, the behavior of a host joining a peer-to-peer network can be an anomaly within an environment. And so that's the first thing it does.

Mike Benjamin: [00:15:08] The second is it reaches out over TCP to a command-and-control server. Very much like a lot of malware does, it reaches out and maintains a persistent connection looking for the next command on what it should do.

Mike Benjamin: [00:15:21] However, the last thing it does is when it can't reach its command and control, it also calls back to DGA, just like quite a few malware families we've seen over the years. But it's really the culmination of all of that together that ends up being a little louder than you might see from a traditional piece of malware. In many cases, we see an actor choose one, not all three, of these mechanisms in order to do its callbacks. And so the fact that a host shows all three of those behaviors can be a great signature for actually finding hosts that are affected with the malware.

Dave Bittner: [00:15:50] So when we're talking about its resiliency then, is it a matter of the number of bots that are on the network that makes it hard to tamp down?

Mike Benjamin: [00:15:59] Well, in order to fully remove the malware from the internet is the resiliency that I'm describing.

Dave Bittner: [00:16:06] I see.

Mike Benjamin: [00:16:07] And so the fact that it's - you would have to remove all of its peer-to-peer network, all of its command and control, and pre-reserve all of its DGA domains for an extended time period in order to have the malware family start to shrink. That's a pretty big ask. And so while we do work to notify infected users of their infected machines, removing the - sort of the brain and heart of that malware family is something the industry has not done to date.

Dave Bittner: [00:16:31] I see. All right. Well, thanks for explaining it for us, as always. Mike Benjamin, thanks for joining us.

Dave Bittner: [00:16:39] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:17:15] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.