The CyberWire Daily Podcast 2.6.19
Ep 775 | 2.6.19

APT10 stays busy. More skepticism about Huawei (and ZTE, for that matter). No foreign “material effect” on US midterms. Reverse RDP risk. IIoT bug found. RSA Innovation Sandbox finalists.

Transcript

Dave Bittner: [00:00:03] Chinese threat group APT 10 seems to have been busy lately and up to its familiar industrial espionage. More governments expressed skepticism about Chinese manufacturers. The U.S. report on election security is out. Influence ops were found to have had no material effect on the midterms. Lithuania worries about Russian election meddling. A reverse RDP attack risk is reported. There is an industrial IoT remote code flaw. And congratulations to the finalists in RSA's Innovation Sandbox.

Dave Bittner: [00:00:41] Now a moment to tell you about our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer network or system data. But to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free - no installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:01:43] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 6th, 2019.

Dave Bittner: [00:01:53] The cyber incident Airbus disclosed on January 30th is now believed to have been the work of Chinese operators, so says French publication Challenges, citing anonymous sources close to the investigation. Signs seem to point to APT 10, also known as Stone Panda or MenuPass. APT 10 is generally associated with the Tianjin Bureau of the Ministry of State Security. Airbus made its disclosure within GDPR's prescribed 72 hours, since the hackers accessed employee data, mostly professional contact and IT identification details.

Dave Bittner: [00:02:30] APT 10 has been busy elsewhere, too. A report by Recorded Future and Rapid7 concludes, in a cautionary account of third-party risk, that the espionage group has been active against managed service provider Visma, a U.S. law firm with a wide-ranging intellectual property practice, and other companies. Here there's less uncertainty about attribution, and there seems little doubt that the campaigns were the work of APT 10.

Dave Bittner: [00:02:58] The mode of approach is interesting. The attackers gained access to their targets using valid but stolen user credentials for Citrix remote access tools. From there, they conducted privilege escalation and used DLL side-loading to install a malicious DLL that decrypted and injected Trochilus malware as its payload. The attackers also, in at least two of the cases, introduced an UPPERCUT backdoor into its targets by using the Notepad++ updater, and again, side-loading a malicious DLL.

Dave Bittner: [00:03:31] These are all techniques APT 10 has used before. Its malware also used Dropbox to exfiltrate stolen data. APT 10 began deploying its current version of Trochilus at the end of last August. Rapid7, which participated in the investigation with Recorded Future, followed the Dropbox trail to operations against the targeted law firm back in 2017. Where is the third-party risk? It's in the data APT 10 exfiltrated, which in principle, makes it possible for them to gain access to many companies and organizations the initial targets dealt with.

Dave Bittner: [00:04:07] Supply chains and business relationships generally are sufficiently complex and intertwined to make this sort of threat commonplace. MSPs and cloud providers will continue to be particularly attractive targets, especially for nation-state espionage services. Recorded Future and Rapid7 see their investigation as corroborating the widespread suspicion among Five Eyes intelligence and law enforcement services that Chinese industrial espionage remains very much an ongoing and growing threat. Chinese industrial policy and espionage were the cyber-related matters that figured in U.S. President Trump's recent State of the Union address.

Dave Bittner: [00:04:46] Apart from that address, the U.S. continues to warn its allies, particularly its European allies, about the risks of giving Chinese firms a prominent role in their communications and IT infrastructure. Most of these strictures have fallen on Huawei, but the smaller ZTE is also coming in for scrutiny. A number of countries seem to need little, if any, U.S. tutorials to be wary of Chinese firms. Norway has expressed official reservations about Huawei this week, and the Czech Republic cybersecurity officials have said they doubt that either Huawei or ZTE will be permitted a foothold in that country's infrastructure.

Dave Bittner: [00:05:24] Here's a trivia question for you. What was the first organization to register a domain name as a dot org? It was in 1985, and it was not-for-profit MITRE Corporation. These days, MITRE continues their online trailblazing, not the least of which is the MITRE ATT&CK knowledge base of adversary tactics and techniques based on real world observations. Katie Nickels is ATT&CK threat intelligence lead at MITRE Corporation.

Katie Nickels: [00:05:52] It came out of a project called the Fort Meade eXperiment at MITRE where there was a series of red team, blue team exercises. So the red team would come in, compromise the network, do their thing. And they found, in trying to communicate back to the blue team, that something like Lockheed Martin Kill Chain wasn't quite granular enough for them to communicate exactly what they did. So ATT&CK was born out of that.

Katie Nickels: [00:06:14] And in 2015, MITRE publicly released ATT&CK. And since then, kind of the growth has been sort of explosive, especially in the past year or so. We've heard from so many people who said that ATT&CK's really useful for them to do everything from write better detections, to track threat intelligence about adversaries, to doing red teaming, like the MITRE team used to do. So sort of what it is - a knowledge base of what adversaries can do and their tactics, techniques and procedures.

Katie Nickels: [00:06:42] One of the cool things is because it's open to anyone, we see vendors map their products to it. We also see people learn from it. Like, a student could go in and learn the different things adversaries are doing. Or security operations centers can go in and map to it as well. So because it's open, you know, we want everyone in the community to use it. And so the benefit to us is really the benefit back to the community.

Dave Bittner: [00:07:04] Yeah. It seems as though there's really something for everyone here, even from - as you said, you know, folks who are just starting out, this is a great place to kind of get the lay of the land. But also for those people who are more advanced, there's plenty of information that they could benefit from as well.

Katie Nickels: [00:07:20] Yeah, absolutely. We've heard that time and time again. You know, people who are just starting out are really overwhelmed because it's hundreds of techniques to look into. But we've heard from companies who've done things like every week choose a single technique - right? - and have a deep dive on that. How do we detect against it? How do we understand it?

Katie Nickels: [00:07:36] To more sophisticated organizations who are looking across, you know, Enterprise ATT&CK, which is 224 techniques - looking at each of those and how they detect those and doing kind of an overall assessment of their coverage and their defenses - so lots of different levels. But we hope that it's, you know, a pretty low barrier just to get started with ATT&CK.

Dave Bittner: [00:07:56] And what are your recommendations for people to get started? How - if someone isn't familiar with it or wants to find out more, figure out how they can integrate it into their own workflow, what's the best way to go at that?

Katie Nickels: [00:08:08] Sure. So there are a lot of different approaches. My background is in threat intelligence, so of course, I'm going to say, well, look at your adversaries, right? On our website, we have a bunch of different threat groups. And we've mapped those behaviors from open-source public reporting to ATT&CK. So you can go in there and say, OK, if I care about APT 10 or APT29 or some other threat group, what are the techniques that those adversaries are using?

Katie Nickels: [00:08:32] And from there, you know, narrow it down from hundreds of techniques to just that handful of - what do I know that these adversaries that I care about are doing? And then kind of looking at how you can detect and mitigate against those - and we have some ideas - we're getting started with detection mitigation on our website. So pick a group we have or map your own group based on your own threat intel and start from there. I love that threat-informed defense approach.

Katie Nickels: [00:08:58] One question we get asked a lot is sort of what's next for the team. And based on feedback, one area that we're looking to create is a new tactic for impacts. So we think of things like data manipulation or destruction because that's been a gap in the framework - also looking at structuring our mitigations. We have, you know, ideas for mitigation. But trying to structure those in a way to help people figure out - if I use this one mitigation, what techniques can I wipe out? And looking at also subtechniques - for some people, level of granularity isn't quite deep enough in the existing ATT&CK techniques we have. And we've heard that. So we're trying to figure out how do we go to that next level of detail.

Dave Bittner: [00:09:36] That's Katie Nickels from MITRE. You can check out MITRE ATT&CK at attack.mitre.org.

Dave Bittner: [00:09:44] The U.S. Departments of Homeland Security and Justice have issued their congressionally mandated report on whether there was foreign meddling in the 2018 midterm elections. The departments found no evidence of any foreign activity that had any material impact on the elections or the infrastructure surrounding them. The report isn't naive about the extent of influence operations, which the U.S. intelligence community as a whole has been pretty clear about. They're an ongoing threat. The conclusion is that the operations had no material effect on the elections or the campaigns surrounding those elections.

Dave Bittner: [00:10:21] Turning to the Baltic states, Vilnius thinks, according to Reuters, that Russia is preparing information operations to interfere with Lithuanian elections. Russia says the fears are nonsense because they'd never do something like that, holding as Moscow always has that the internal affairs of other countries are sacred - we're kidding about the second part. Nobody, least of all Moscow, has ever really thought it a duty to mind their own business with respect to other countries' family affairs. About calling the fears ridiculous and saying they'd never do that, oh, the Russian government spokesman did say all that.

Dave Bittner: [00:10:59] The U.S. House Committee on Energy and Commerce wants Apple to explain why it took so long to patch FaceTime, which suggests that this story at least will have longer legs than Apple would no doubt have preferred.

Dave Bittner: [00:11:12] Researchers at security firm Check Point Research have discovered more reasons for concern about the remote desktop protocol - or RDP. In this case, the newish wrinkle is the possibility of a reverse RDP attack in which an attacker could, as Check Point expresses it, reverse the usual direction of communication and infect the IT professional or security researcher's computer. Doing this would enable compromise of a network as a whole. One of the more interesting things they found was that a clipboard-sharing channel between client and server could be abused by attackers.

Dave Bittner: [00:11:46] Check Point has told Microsoft about the issue. But Redmond, Check Point says, acknowledged the validity of their findings but said they weren't serious enough to service. So Check Point recommends patch your RDP clients and disable the clipboard-sharing channel. That channel, they note, is on by default. So if you've never realized it's there, well, apparently it not only is but it's on too.

Dave Bittner: [00:12:11] With respect to the industrial internet of things, security firm Tenable disclosed today that it had found a remote code execution vulnerability in the widely used InduSoft Web Studio product. Tenable describes Web Studio as an automation tool for human-machine interface and supervisory control and data acquisition - that is SCADA systems. So if you're a Web Studio user and if you run a manufacturing plant, an oil and gas production or distribution facility, a city's water supply, a jail, a prison or even a drag racer, then Tenable recommends you update your software and make sure it's not accessible from the internet.

Dave Bittner: [00:12:51] And finally RSA has announced the finalists for the Innovation Sandbox at next month's RSA Conference. It's a highly coveted honor to be selected as a finalist, so congratulations to them all. They include Arkose Labs and its frictionless fraud detection, cybersecurity asset management platform provider Axonius, Capsule8 with its real-time zero-day exploit detection offering, identity and privileged access management provider CloudKnox Security, cloud infrastructure control shop DisruptOps Inc., Duality Technologies and its advanced data privacy solution, Eclypsium Inc., which offers firmware and hardware defense, API defender Salt Security, ShiftLeft Inc., which offers a fresh approach to application security and privacy management firm WireWheel. Congratulations to all, and we look forward to seeing them in San Francisco on March 4.

Dave Bittner: [00:13:52] And now a word from our sponsor KnowBe4. Many of the world's most reputable organizations rely on Kevin Mitnick, the world's most famous hacker and KnowBe4's chief hacking officer, to uncover their most dangerous security flaws. Wouldn't it be great if you had insight into the latest threats and could find out what would Kevin do? Well, now you can. Kevin and Perry Carpenter, KnowBe4's chief evangelist and strategy officer, will give you an inside look into Kevin's mind. You'll learn more about the world of penetration testing and social engineering with firsthand experiences and some disconcerting discoveries. In this webinar, you'll see exclusive demos of the latest bad guy attack strategies to find out how these vulnerabilities may affect your organization. And you'll learn what you can do to stop the bad guys. In other words, what would Kevin do? Go to knowbe4.com/cyberwire to register for the webinar. That's knowbe4.com/cyberwire, and we thank KnowBe4 for sponsoring our show.

Dave Bittner: [00:15:03] And joining me once again is Emily Wilson. She's the VP of research at Terbium Labs. Emily, it's great to have you back. I wanted to touch today about biometrics and what you were seeing in terms of this information showing up on the dark web. Why don't we start off - what are we talking about when we're saying biometrics?

Emily Wilson: [00:15:21] When we think about biometrics, we can think about a few different things. It could be things like facial recognition technology, the things that Apple would use for face ID or the technology that's being used in China, you know, to track individuals. We could be thinking about fingerprints. What we use to unlock our iPhones, for example. We could be thinking about voice recognition or, more and more now, genetic data. We think about these companies like ancestry.com or 23andMe who are offering genetic testing services. That information's now in the system, and that would definitely qualify.

Dave Bittner: [00:15:55] And so are these things showing up for trade in dark web markets?

Emily Wilson: [00:15:59] It's kind of a two-part answer. No, not really; not yet. So the, no, not really - no, we're not seeing this show up right now. But the not yet bit is the more interesting side of this. I think we will see it, and here's why. It is a new type of data that we're seeing collected more broadly. Apple's been using it for ages. Again, you know, some state systems use this. We're going to see it used more and more for identification and authentication because it's sort of a two-factor that we think other people couldn't forge right now. It's something that you are.

Emily Wilson: [00:16:35] You know, no one else right now is in a position to forge your fingerprint at scale. And so it's a safe way to unlock your phone. As more and more technologies start to use this kind of data, it's going to be more appealing to cybercriminals. We're not there yet, though. And that's the piece of this - you know, I've been getting a lot of questions about this lately. People are genuinely concerned about whether or not this is being traded.

Emily Wilson: [00:16:58] But if we stop for a minute and think about how cybercriminals would use this - if you had fingerprint data for five random people - not five high-profile individuals, not five people with clearance, just five random people - what would you do with it? How would you monetize it? Right now, it's not the most effective way. Right now, it's not a blocker for any cybercriminal who's looking to profit. And so it's not being traded yet.

Dave Bittner: [00:17:24] And of course, I suppose, one of the risks we hear about with biometrics is that it's not like a password where you can just change it.

Emily Wilson: [00:17:31] It's definitely - it falls in the category of lifetime data. You know, the same way that we think about socials as being effectively immutable or names, right? A lot of people - no one's going to change their name because of a data breach. You know, we're not kind of going into a full witness protection mode for everyone who's had data compromised.

Emily Wilson: [00:17:48] But when it comes to biometrics, then it becomes a lot more difficult and a lot more sensitive. You know, one of the things people worry about with health records could be family history or, you know, questions about lineage or questions about disease or mental health. Once we start getting into genuine biometric data, then that kind of blows that even more out of proportion.

Dave Bittner: [00:18:11] Yeah, that's interesting. It's interesting to ponder even the possibility of ransomware situations of someone saying, hey, I have your biometric data here; it'd be a shame if anyone were to find out about your family history of mental illness or something like that.

Emily Wilson: [00:18:25] Which is unfortunate for any number of reasons - right? - that there's a stigma around that. Or it would be, unfortunately, an effective - ineffective thing to do, especially if you start thinking about high-profile individuals, if you think about an extension of doxxing or if you think about state officials, for example. The other thing we have to worry about - and this is kind of a slight side note on it, but not just data compromise but data integrity. When we talk about going in and changing hospital records, you know, this kind of information also has the potential to be useful there.

Emily Wilson: [00:18:58] There are also the questions of if for some reason all of the fingerprint data that Apple currently has is theoretically, hypothetically available - what if, all of a sudden, that was available to law enforcement? You know, we're looking at a lot of questions now about the legality of unlocking phones or, you know, preserving or destroying data. In a hypothetical world where this information is all being stored or facial recognition technology is being stored, and you didn't have to circumvent it by forcing someone to unlock a phone or using a mask to beat the face technology - if that data was just available, you know, then we start getting into sci-fi movies of the future.

Emily Wilson: [00:19:35] And we're certainly not there yet, but it is something to be concerned about going forward because the data is being collected. And at some point, it will become appealing and potentially necessary for cybercriminals. But I think we're still a good 10 years out from that being a real issue.

Dave Bittner: [00:19:53] All right. Emily Wilson, thanks for joining us.

Dave Bittner: [00:20:00] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:20:12] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.