VFEmail attacked, infrastructure wiped. EU considers a response to APT10. US Executive Order on AI is out. GPS jamming threat. Stryker hack. Shadow IT in the Corps.
Dave Bittner: [00:00:03] VFEmail sustains a devastating data-destroying attack. The EU considers whether it should, can or will make a coordinated response to China's APT10. A U.S. executive order outlines a strategy to maintain superiority in artificial intelligence. Norway warns, again, the risk of GPS jamming. U.S. Army Stryker vehicles were hacked during testing last year. And submarines are getting ahead of themselves, downloading close air support control apps to personal tablets.
Dave Bittner: [00:00:41] It's time to take a moment to tell you about our sponsor, Recorded Future. You've probably heard of Recorded Future, the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email. And every day, you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today, and stay ahead of cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid, and the price is right. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:42] The CyberWire podcast is made possible, in part, by RSA Conference, taking place March 4 through the 8 at the Moscone Center in San Francisco. The CyberWire is a proud media sponsor of RSA Conference, where the world talks security. Learn more and register today at rsaconference.com/cyberwire19.
Dave Bittner: [00:02:03] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 12, 2019. Secure email provider VFEmail sustained an attack yesterday afternoon that wiped its U.S. infrastructure. Someone attacked and reformatted its servers so as to make the data they held unrecoverable. It's potentially a business killer. There's a good chance the company will cease operations. The company tweeted, quote, "every VM is lost. Every file server is lost. Every backup is lost," end quote. They're working on the one file server they caught in mid-formatting, hoping to be able to recover something from that one. But this seems a best-case scenario. That server was in the Netherlands, and the company does appear to have been able to retrieve some backed-up data in that country. But as far as it can tell, its U.S. customers' data are gone for good.
Dave Bittner: [00:03:00] The company has been, as far as anyone can tell, commendably open, prompt and transparent with its disclosures. Others might learn something if they look at VFEmail's public response to the incident. They might also see the attack and its effects as a cautionary tale about the importance of secure offline backup routinely checked and regularly exercised. Milwaukee-based VFEmail has been around since 2001, offering a service that scans email for potentially malicious content. It has offered both a paid and a free service, and its free service has been used by a number of not-for-profits - smaller charities, local churches and the like. And these will be particularly affected. If you're acquainted with any of those users, this would be a good time to check in with them and offer whatever IT or security advice and help you might be able to give.
Dave Bittner: [00:03:50] The attackers' identity is so far unknown. VFEmail says a Bulgarian IP address turned up in the traffic it caught during the one server reformatting it caught in progress. But that in itself means little. The attackers' motive is as unknown as the attackers themselves. VFEmail, like other email services, has been hit by extortion attempts in the past, weathering DDoS extortion in 2015, 2017 and 2018. But this doesn't seem to be one of them. There was no ransom demand of the sort one would expect in a straightforward criminal attack, nor were there any of the statements, manifestos or communiques one would expect from hacktivists. It's difficult to imagine a plausible reason for a state espionage service to have conducted the attack. But based on what's known so far, the motive may be simple malice or just the LOLs, which usually amounts, effectively, to the same thing.
Dave Bittner: [00:04:48] We've been following the curious case of American security professional Paul Whelan who claims he was visiting Russia to attend a wedding and was handed a flash drive that the Russians say was full of classified information. After which, they promptly arrested him. Shane Harris covers intelligence and national security at The Washington Post.
Shane Harris: [00:05:08] He has been sitting in the jail ever since and trying to meet with officials from various embassies and getting ready to - it looks like, perhaps, actually plead his case when it goes to trial in Moscow. It's been kind of an uphill battle, really, for him to get access to any kind of consular officials. Normally, what happens is when you are a citizen - foreign citizen in a country and you're arrested, you're supposed to have access to officials from your home country's embassy or their consulate.
Shane Harris: [00:05:39] And in this case, Paul Whelan actually claims citizenship in four different countries, which is quite unusual. He has four different passports - Canada, the United States, Great Britain and Ireland. And he has been trying to see officials from those countries. But as you say, the Russians have been dragging their feet. They've been throwing up various administrative roadblocks.
Shane Harris: [00:06:00] For instance, the State Department wants to allow him to sign something called a privacy waiver, which would actually allow the U.S. government to talk publicly on his behalf. And they've been able to finally get the waiver to him. But now the Russians are saying he has to mail it to the United States. And so they keep - it's kind of one thing after another, according to his family.
Shane Harris: [00:06:20] And all this time, we should add, as he's going through these various diplomatic maneuvers to try and get someone to represent him, he has a Russian lawyer. But the government in Russia has not detailed any of the precise evidence of the case. So he hasn't seen anything like criminal information or an indictment, which you would see normally, for example, in a United States court.
Dave Bittner: [00:06:42] And so what's the speculation here? What do we suppose is actually going on?
Shane Harris: [00:06:46] Well, it's pretty much nothing but (laughter) speculation at this point. I think one thing that seems fairly sure is Paul Whelan is not a spy for the United States. His background is such - and we can talk more about this - that he would not at all be a likely candidate as being an intelligence operative, say, for the CIA or the FBI - somebody spying for the government in Russia.
Shane Harris: [00:07:09] In Russia, the legal definition of espionage is quite broad. So when they say he has committed espionage, it may not be in the way that we traditionally think about it. But some experts believe that this was, perhaps, some kind of a setup - that maybe he was tricked or lured into taking some information that he shouldn't have. And now that the Russians have him in custody, they might be using him as some kind of a bargaining chip possibly to get concessions from the United States or - some former U.S. officials have speculated - as a potential trade for a woman named Maria Bouthaina who is - right now has pleaded guilty to acting as an unregistered agent of Russia in the United States and is awaiting sentencing from an American court.
Shane Harris: [00:07:55] But really, we haven't even seen that much attention to this coming from the State Department. We've heard - Secretary of State Mike Pompeo has spoken briefly a couple of times about Whelan's case. You're not really seeing a concerted effort by the Trump administration, publicly anyway, to pressure Russia or to demand that it disclose more information about what they think Whelan actually did.
Dave Bittner: [00:08:18] Yeah. That was actually going to be my next question to you. I mean, with this, obviously, peculiar relationship that President Trump has with Putin and the Russians in general, you know, is that affecting the negotiations here and what the State Department wants to do or is able to do?
Shane Harris: [00:08:37] You know, I think, in some ways, it has to be affecting them. We know this is an administration that - on the one hand, it has undertaken some policies like sanctions and then the expulsion of Russian diplomats from the United States that are certainly tough on Russia and are pushing back at it for a number of its different transgressions as the U.S. sees them, including interference in the 2016 election and the attempted murder of a former Russian agent in Great Britain.
Shane Harris: [00:09:02] But as you said, the president himself has this very peculiar relationship - I think to put it mildly - with Vladimir Putin. And you don't see him, certainly, coming out and pleading on behalf of Paul Whelan, which is a bit strange, I think, because the president has actually made a big show in other cases where other countries have been holding Americans either, you know, against their will in some cases or under dubious circumstances. The president has come out and made a point of talking about their cases. And we haven't seen that with Whelan.
Shane Harris: [00:09:35] So I think it's left a lot of people, particularly members of his family, wondering why they're not making more of a public case about this. I mean, it could be that the U.S. government is just waiting to see if Paul Whelan was involved in something maybe that was nefarious or inappropriate. But even in cases like that, usually you see a bit more of a kind of sticking-up-for-the-American, frankly, and more of a willingness to - if not, necessarily, defend that person - to certainly demand that the government holding him show their cards and say, OK, what do you think it is that this person actually did? And the Russians haven't done that, and the Americans haven't publicly demanded that.
Dave Bittner: [00:10:15] That's Shane Harris. He covers intelligence and national security for The Washington Post.
Dave Bittner: [00:10:22] The EU deliberates a coordinated response to APT10's recent activity. The deliberations are believed, according to reports in Bloomberg, to have been prompted by British briefings to its counterparts on January 28. During which, the British presented evidence of APT10's infiltration of networks in Europe and elsewhere. The meetings were not public, but the British presentation is believed to have fairly closely tracked the recent U.S. indictments of certain members of APT10. Unanimity is required for the EU to take action, and that unanimity will be tough to achieve. Not every member sees the same things or at least wishes to see the same things. The EU is working on a policy for coordinated response to cyberattacks generally considered. The APT10 affair is expected to be raised during high-level Sino–European talks scheduled for April.
Dave Bittner: [00:11:16] President Trump yesterday signed an executive order designed to maintain American leadership in artificial intelligence against determined effective Chinese competition. It enunciates determination and some principles, and it directs agencies to make AI funding a priority when they plan their budgets. But actual resources for research and development will have to come from Congress.
Dave Bittner: [00:11:40] Three incidents of military concern have come up this week. Norwegian intelligence services are warning NATO partners, again, of the risk posed by GPS jamming. Such jamming occurred during exercises NATO conducted along its northern tier late last year. It was widely attributed to Russia at the time, and there's been no particular reason beyond rather routine Russian denials to doubt that attribution. The jamming is particularly worrisome not so much because it's a nuisance during military exercises but because of the threat it poses to civil aviation whose navigation systems were also affected.
Dave Bittner: [00:12:17] The other two reports come from the U.S. The Drive reports that U.S. Army Stryker combat vehicles, specifically the up-gunned Stryker infantry carrier vehicle Dragoon, have been hacked. The publication says it's unclear whether the hacking was a test or a live cyberattack by an actual adversary. But a look at the report from the U.S. Defense Department's Office of Test and Evaluation suggests that the hacking was conducted during early user testing the Army conducted last year in Germany. As the Pentagon report says, quote, "adversaries demonstrated the ability to degrade select capabilities of the ICV-D when operating in a contested cyber environment. In most cases, the exploited vulnerabilities pre-date the integration of the lethality upgrades," end quote.
Dave Bittner: [00:13:05] And a report by the Department of the Navy Inspector General finds that the Marine Corps appears to have a problem with shadow IT. It's the sort of issue that surfaces wherever clever and motivated people in an organization look for easier ways of doing their job. In this case, the job is coordination of close air support, something the Marines would like to push down to platoon level, moving away from the centralized system exemplified by, for example, ANGLICO teams.
Dave Bittner: [00:13:35] According to the IG, Marines have been downloading two apps - KILSWITCH and APASS - onto their personal devices. KILSWITCH and APASS were both designed by the Naval Air Warfare Center Weapons Division. There is authority to operate them, and the Marines have been using them for their intended purpose. The problem is the personal devices. They should only be used in the arguably more secure service-issued tablets, not the ones they might have bought for themselves at a Black Friday door busters sale from, say, Best Buy in Jacksonville or Oceanside. The concern is that the personal devices might be hackable, as the Russians are said to have hacked Ukrainian fire direction app (foreign language spoken) D-30 a couple years ago. So a friendly reminder - use the proper tool for the proper job, Terminal Lance.
Dave Bittner: [00:14:29] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in, it's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer network or system data. But to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free, no installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:15:37] And joining me once again is Johannes Ullrich. He's the dean of research for the SANS Institute, and he's also the host of the "ISC StormCast" podcast. Johannes, welcome back. We wanted to touch today on the ability for folks to sort get a foothold in a network via flaws with hardware. But what are we talking about here?
Johannes Ullrich: [00:15:57] Well, there are sort of really two issues here. One is sort of your good old internet of things and these devices being exploited and then being used. But then you also have systems that are part of larger systems, like, very famously these baseboard management controllers that you have in many systems, in particular in servers that almost act like their own little computer within that larger server. And they, if exploited, it can be used then to attack the network again. So there ends up a little beachhead that a hacker could build in order to attack the network and not necessarily attack more of the systems they're already on.
Dave Bittner: [00:16:39] And how does this play out in a real-world environment? Can you give us an example?
Johannes Ullrich: [00:16:44] So, for example, with these baseboard management controllers, now, they themselves are sometimes considered a vulnerability. But what happens here is that an attacker gets a foothold on a server, gets administrator access on that server, but then uses that administrator access to actually upload new firmware, for example, into this baseboard management controller or just gain access to the baseboard management controller using standard tools that are typically installed with the operating system.
Johannes Ullrich: [00:17:16] From this baseboard management controller, they're actually connected to an administrative network. And that standard best practice, you want to isolate the control of these devices from the rest of the network. But now the attacker can actually use the controller on the server that the attacker compromised to attack other servers using that administrative network which often is, well, more open in the sense that it has access to all of these administrative functionalities that the normal network wouldn't have access to.
Dave Bittner: [00:17:51] So what's to be done here? How can folks protect themselves against this sort of thing?
Johannes Ullrich: [00:17:55] Well, I would start by removing these tools if you can. That's not a perfect solution. An attacker can easily upload them. But then you may be able to detect uploading of these tools to the system. Secondly, of course, monitor your management networks. What I often see is that people have all kinds of logging set up for people logging into systems the normal way, either, you know, SSH or via various remote control methods. But they often overlook logging of access via these administrative networks, for example, to serial consoles and things like that. So that's something that you really have to worry about, something you have to be careful about that you have the visibility here that you need.
Dave Bittner: [00:18:42] All right. Well, it's an interesting one to look out for. As always, Johannes Ullrich, thanks for joining us.
Johannes Ullrich: [00:18:47] Thank you.
Dave Bittner: [00:18:52] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:05] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.