Shamoon 3 and Charming Kitten. Czech CERT issues warning concerning Huawei, ZTE. Influence ops and a Facebook boycott. PewDiePie’s followers versus the Wall Street Journal.
Dave Bittner: [00:00:03] Shamoon 3 and the renewed activity of Charming Kitten strike observers as the long-expected Iranian cyber retaliation for reimposition of sanctions. The Czech CERT says Huawei and ZTE both represent a threat. Huawei insists it didn't do nothing. Facebook faces a boycott in the wake of Senate-commissioned reports on Russian trolling. And PewDiePie's followers deface a Wall Street Journal page.
Dave Bittner: [00:00:35] Now a word from our sponsors Shape Security. Last year, 2.3 billion usernames and passwords were reported as compromised. It says everyone in America had passwords stolen for not just one but seven online accounts. And that's just the data reported last year. It can take years for a credential spill to be reported, if it's discovered at all. Why do these spills matter? Two words - credential stuffing. Attackers take those spilled usernames and passwords and try them on every login form imaginable. Because users recycle passwords, up to 3 percent of stolen credentials will be valid on a typical website or mobile app. Once they're in, attackers steal whatever they can get from gift cards to frequent flyer miles. And it adds up. This year, credential stuffing will pull nearly $9 billion from our banking, travel and e-commerce accounts. But there's hope as consumers use unique passwords, as organizations join Shape Security's collective defense platform because, together, we can defeat account takeovers. To learn more, visit shapesecurity.com. That's shapesecurity.com. And we thank Shape Security for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:56] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Tuesday, December 18, 2018. Shamoon 3 seems to have affected a wider range of targets than at first believed. McAfee says the attacks affected victims in the oil, gas, telecommunications, energy and government sectors in the Middle East and Southern Europe.
Dave Bittner: [00:02:18] Symantec reports more signs that this Shamoon infestation came from Iranian threat actors, including its association with attacks that used StoneDrill malware. Shamoon 3, as well as Charming Kitten's reappearance with two-factor-authentication-defeating attacks, have led some observers to conclude that the long-expected Iranian cyber retaliation for reimposed sanctions is underway.
Dave Bittner: [00:02:43] The Czech government's CERT has issued an unambiguous warning that Huawei and ZTE equipment represents a security threat. The report specifically cites Chinese laws requiring companies to cooperate with intelligence and security services as grounds for excluding devices produced by either company from government networks. Huawei, for its part, continues to regard itself publicly as a victim of geopolitical competition, singled out for special punishment by the U.S. for reasons having everything to do with trade and nothing to do with security.
Dave Bittner: [00:03:18] The U.S. Senate-commissioned reports on Russian influence operations point out extensive trolling via Instagram, much of it directed toward African-American voters, as the Russian government sought to exploit fissures in American civil society. The NAACP has responded to those portions of the reports that indicated voter suppression efforts by returning a donation the organization had received from Facebook, which owns Instagram, and called for a boycott of the social networking company.
Dave Bittner: [00:03:49] The boycott - #LogOutFacebook - began this morning and is scheduled to last for a week. The NAACP says the boycott is a response to what it calls the tech company's history of data hacks which unfairly target its users of color. Facebook has said it intends to beef up its content moderation efforts to police the sort of influence operations the two Senate-commissioned reports released yesterday outline.
Dave Bittner: [00:04:15] The reports - one by social media and brand protection shop New Knowledge, the other by the Computational Propaganda Research Project, a joint effort by Oxford researchers and Graphika, another social media analysis company - fleshed out much of what has been known concerning the operations of the St. Petersburg troll farm, the Russian government-directed Internet Research Agency.
Dave Bittner: [00:04:39] What's new in the report is the extent to which the Russian influence operation depended upon highly targeted, culturally literate marketing to U.S. political, ethnic and cultural subgroups over Instagram. This activity dwarfed, for example, the purchase of Facebook ads by Russian operators. The shift in the propaganda's center of gravity to Instagram occurred in 2017 when too much attention made Facebook a less attractive messaging platform. The New Knowledge study suggests the magnitude of the change. They found 187 million engagements with users on Instagram, as compared to 77 million on Facebook.
Dave Bittner: [00:05:20] The reports were also interesting in that they suggest the Russian activity is ongoing and complex. It involves an interesting mix of mass marketing, the electronic equivalent of direct mail and traditional HUMINT trade craft. There were infiltrations of online games, browser extensions and music apps. The St. Petersburg trolls took to social media to encourage "Pokemon Go" players at its peak popularity during the 2016 election season to adopt politically divisive usernames.
Dave Bittner: [00:05:50] Russian-controlled accounts connected with individuals through merchandise that carried messages by making follower requests, dangling job offers and establishing helplines that encourage people to divulge sensitive information that could be used in subsequent efforts. These last two in particular are updates of long-standing ways of recruiting agents. Begin small. Learn about the targets. And habituate them to doing you little, more or less innocent favors. But the rest is all marketing. And it seems the shame of the world that the country that, for good or ill, invented modern marketing should see its rival run circles around it.
Dave Bittner: [00:06:28] There is a new report recently published tracking cybersecurity in Fortune 500 companies. Our U.K. correspondent, Carole Theriault, has the story.
Carole Theriault: [00:06:38] Rapid7 have just put out a brand-new report. And I got a chance to chat with Tod Beardsley, Rapid7's director of research, about what they were up to. I've seen that you guys are issuing a new cyber investigative report called the "Industry Cyber-Exposure Report: Fortune 500." This is a fancy title. So what were you guys looking for?
Tod Beardsley: [00:07:03] It is very fancy (laughter).
Carole Theriault: [00:07:04] (Laughter).
Tod Beardsley: [00:07:04] So for the last, I'd say, three or four years, Rapid7 has produced something called the National Exposure Index, essentially a look at the whole Internet. And - but for this report, we narrow that down to just Fortune 500 companies. And we map out what IP space belongs to all of these companies. We bucket them into particular industries. So, like, it might be, like, retail or technology or wholesalers or something like that. And then we take a look at the exposure among just the Fortune 500.
Tod Beardsley: [00:07:36] But Fortune 500 is a pretty good stand-in, proxy, for, like, the U.S. economy. You know, they employ millions of people. They represent, like, almost a third of U.S. GDP. And so we can look at the Fortune 500 and figure out, like, what exposure looks like for them. And then we can kind of say some things about, like, how U.S. companies, like, treat the Internet and how they - what they expose to the Internet, how they're exposed and, you know, the kinds of things that those I2 organizations, which tend to be very well-resourced because they're Fortune 500 - you know, where they can, like, get the most bang for their buck when it comes to exposure.
Carole Theriault: [00:08:15] Fascinating. OK, I have my bucket of popcorn. Do you have a few tidbits from this report you can share with us?
Tod Beardsley: [00:08:22] The average company in the Fortune 500 exposes about 500 services to the Internet.
Carole Theriault: [00:08:26] What does that mean, though?
Tod Beardsley: [00:08:27] I will let you know (laughter).
Carole Theriault: [00:08:30] (Laughter) Sorry.
Tod Beardsley: [00:08:30] No, no problem. So, like, a service on the Internet - so that would be something like a website or a DNS service or an SMB service, which is how you do, like, Windows networking, or SSH, which is like a secure remote shell - you know, all of these services, like - which is why you have the internet. Like, you want to be able to do this. We figure, like, this is a pretty good baseline for us. Like, if you're a Fortune 500 company - you have a couple billion dollars flying around - like, you are likely to expose about 500 services.
Tod Beardsley: [00:08:58] Now, there are some companies that expose way more than that, like, that hit, like, 2,000 to 3,000 services. And we would consider those companies to be more exposed because they have more attack surface. They have more machines they have to keep updated. They have more services they have to patch. They have more, like...
Carole Theriault: [00:09:14] What kind of companies are way up there?
Tod Beardsley: [00:09:16] We saw things like - like, companies that are in, like, business services in technology unsurprisingly will expose a lot more. You know, but we have...
Carole Theriault: [00:09:26] Yeah.
Tod Beardsley: [00:09:26] ...Companies that are in the apparel bucket don't expose much. Like, they may have, you know, a website, a DNS server, and that's about it.
Carole Theriault: [00:09:32] OK. So what takeaways do you think people get from reading this report?
Tod Beardsley: [00:09:36] We look at not just volume, but we also look at a couple particular services. One of them is SMB, which stands for Server Message Block. And it is a protocol used almost always by Windows. That is pretty much an everything protocol. It does authentication, does file sharing, does printer management. And SMB for a long time has been a favorite target for attackers. And Microsoft knows this. And so we're at that point today where we say, like, do not ever expose SMB. There is no business reason. There's no technical reason. There's no practical reason to have SMB exposed to the Internet today.
Tod Beardsley: [00:10:18] Then we go count. You know, and we count among the Fortune 500. Like, who's actually still exposing SMB? And the number's not zero (laughter), and - which is a bummer. We also see, like, insecure old protocols like Telnet, which is a protocol from, like, 1978 that is used for - usually for, like, remote management. Like, you Telnet to a computer to do, like, operating system things, right? You reboot it or whatever. Telnet is very much deprecated by a newer protocol called SSH, which does almost the same thing, but it does it with cryptography.
Tod Beardsley: [00:10:52] And so Telnet has no business being on the modern internet today because it's old. It's impossible to secure in any reasonable way. And so we just - we're on a crusade to get rid of Telnet. I think you can take a look at the findings from the Fortune 500 and apply them, like, directly to your enterprise. We cover a couple of other things in the report, but I would just recommend people go download it.
Carole Theriault: [00:11:16] Indeed. Thanks to Tod Beardsley of Rapid7. This was Carole Theriault for the CyberWire.
Dave Bittner: [00:11:23] We've heard and passed on much sound advice against placing too much importance on attribution of attacks to specific actors. It's often said that unless you wear a badge and carry a gun, attribution really doesn't matter that much. That's certainly true in part. One of the first things one naturally wants to know when attacked is who did it. But all too often, knowing who did it means little in terms of defending yourself or recovering from an attack.
Dave Bittner: [00:11:50] Of course, attribution is interesting when it reveals an attacker's tactics, techniques and procedures. That can be useful, and that's some solid value anyone might take from threat intelligence. But here's another way attribution in the whodunit sense may matter terribly. Your cyber insurance policy might not cover an act of cyberwar.
Dave Bittner: [00:12:11] Mondelez International, a major food company that was hit hard by NotPetya, submitted a claim for more than $100 million in losses it incurred as a result of that attack. According to Reinsurance News, however, Zurich Insurance is disputing the claim on the grounds that the policy they wrote for Mondelez excluded coverage for a hostile or warlike act by any government or sovereign power. NotPetya has generally been attributed to Russia, and that attribution has been convincing enough for Zurich to hold its payout.
Dave Bittner: [00:12:44] There will be much more to be said on the matter. As Reinsurance News points out, the burden of proof here is on Zurich. But it's worth noting that there's a good chance any cyber insurance policy you may have could contain a war clause. The large print giveth, and the small print taketh away.
Dave Bittner: [00:13:03] Finally, we're still following the followers of PewDiePie, who continue to disport themselves as what Mr. Cluley has taught us in another context to call cockwombles (ph). Hacking printers to urge people to follow YouTube star and noted impresario of the Tide Pod challenge, PewDiePie? Check. Hacking printers to encourage such following and at the same time to assume the moral and technical superiority that comes with telling people they've been pwned, and aren't they glad someone told them so they can up their sorry game? Check and double check. Defacing a Wall Street Journal page to display a poorly written message saying the journal apologized for its animadversions about Mr. Pie? You betcha.
Dave Bittner: [00:13:46] And that last one achieved a kind of harmonic convergence of loserdom (ph) since it closed with the message, we also need your credit card number, expiry date and the lucky three digits on the back to win the chicken dinner in Fortnite. Dance on, all ye cockwombles (ph).
Dave Bittner: [00:14:07] It's time to tell you about our sponsor, privacy.com. If you're a longtime listener, you've probably heard me mention privacy.com on the CyberWire before. In fact, when I was a guest on another cybersecurity podcast, privacy.com was my pick of the week one week for something that everybody should check out. And here's why. Privacy lets you buy things online using virtual card numbers instead of using your real ones. Think about it. You don't use the same password everywhere. So why would you use the same card number everywhere when you shop online? What's great is that it's super-fast and easy to use. Privacy.com gives you a brand-new virtual card number for every purchase you make with just one click. And we've got a special offer for CyberWire listeners. New customers will get $5 for a limited time to spend on your first purchase - five bucks, free money. So go to privacy.com/cyberwire and sign up now. That's privacy.com/cyberwire. And we thank privacy.com for sponsoring our show.
Dave Bittner: [00:15:14] And I'm pleased to be joined once again by Craig Williams. He's the director of Talos Outreach at Cisco. Craig, it's great to have you back. You know, we're coming up quickly here on the end of the year. And thought it might be helpful to look back at the year in review and track some of the things that you all saw this year and how that informs what you're going to look for in the year to come.
Craig Williams: [00:15:36] Yeah, thanks for having me. So you know, the one I wanted to talk about was basically our vul dev team just knocking it out of the park this year. For those of you who don't know, our vulnerability discovery team basically looks for bugs in products that people use every day. And this can be anything from, you know, a library that's used in, say, an iPhone, a Mac computer to, you know, a specialized software that few people touch.
Craig Williams: [00:16:02] And the reason we look at it is because people need to make sure that devices are patched. And we found bugs in very old libraries that touch huge numbers of things just because no one's ever looked. And so part of what the vul team does is finding that, working with vendors to, you know, coordinate disclosure, get patches out there. And in doing so, we've patched a record number of things this year for our advisories.
Craig Williams: [00:16:29] We've gone from 201 advisories to 245 in this year. But from a CVE perspective, it's even higher because of the way that I had asked us to assign CVEs. We've gone from 202 to 394. So think about that - that's more than one CVE per day.
Dave Bittner: [00:16:45] Wow.
Craig Williams: [00:16:46] When you put it in terms like that, it's really amazing how many bugs these folks found.
Dave Bittner: [00:16:51] I mean, give me some insight. What is the - what's the return on this investment for the Talos Group and for Cisco to invest in this sort of thing? I mean, it's not that you're only going and poking around in your own devices to look for these things. This is a community project.
Craig Williams: [00:17:06] Right. Well, that's actually a common misconception. So at Cisco, we have our team looking at non-Cisco software. And then we have another team in our Advanced Security Initiatives Group that actually look at Cisco software. So we actually have a specific team for that who's super productive, and they do their own blog post. But when we look, we look for things that are not Cisco.
Craig Williams: [00:17:26] And to give you an idea of what we get out of this - so, you know, my favorite one of all time, I think, was the LibTIFF vulnerability. So if you're not familiar with LibTIFF, it's one of those ancient graphics libraries. Like, it, you know, probably dates back into the '80s, if not before.
Dave Bittner: [00:17:41] Oh, yeah.
Craig Williams: [00:17:41] And so what we found was basically a buffer overflow in LibTIFF. So you could effectively send someone a malformed iMessage and potentially get code execution on the device. So, you know, when you think of it in terms of that, getting that fixed is pretty important because the reality is we are not the only ones looking.
Craig Williams: [00:17:58] It is not unusual for us to have a vulnerability collision, which means when we discovered it and reported it, well, someone else discovered and reported it at the same time. And so if you think about the fact that that happens relatively regularly, you really start to get an idea of how many different teams around the world are looking for these. And that's not even counting criminal organizations. That's teams of good guys trying to do the same research.
Dave Bittner: [00:18:20] Now, looking ahead towards next year, do you anticipate continued acceleration?
Craig Williams: [00:18:27] Absolutely. You know, one of the things that's most important to vul dev is finding new and more efficient ways to find these types of bugs and to help vendors identify these security issues. So I think we're going to continue to see these numbers climb. I hope that we continue to knock out high-severity, you know, remotely exploitable bugs so that there are fewer out there for adversaries.
Dave Bittner: [00:18:46] Yeah. All right, well, Craig Williams, thanks for joining us.
Dave Bittner: [00:18:54] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:19:22] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.