China says it had nothing to do with the Parliament hack in Australia. Notes on Patch Tuesday. Shlayer and GreyEnergy malware analyzed. Tomorrow is Valentine’s Day—act accordingly.
Dave Bittner: [0:00:03] China denies involvement in the Australian Parliament hack. We've got some Patch Tuesday notes. A new strain of Shlayer malware is out. We've got a look at GreyEnergy. Reactions are in to the destructive VFEmail attack, and thoughts on St. Valentine's Day with advice, admonition and an excursus on credential-stuffing and holiday doughnuts.
Dave Bittner: [0:00:31] It's time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show. The CyberWire podcast is made possible, in part, by RSA Conference, taking place March 4 through the 8 at the Moscone Center in San Francisco. The CyberWire is a proud media sponsor of RSA Conference, where the world talks security. Learn more and register today at rsaconference.com/cyberwire19.
Dave Bittner: [0:02:01] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 13, 2019. China has got around to officially denying it had anything to do with an attempted hack of parliament in Canberra. Beijing's foreign ministry says it's another move in a smear campaign. There's been no official attribution of the attack. And Australian investigators haven't been going out of their way to finger China. But China is now the usual suspect in such capers, and that's where industry and media have focused their speculation.
Dave Bittner: [0:02:36] Yesterday was Patch Tuesday. Microsoft released fixes for 76 vulnerabilities, 20 of which Redmond classified as critical. Adobe also patched, as is its custom, offering security updates for Flash Player, Acrobat/Reader, the ColdFusion programming language and the Creative Cloud desktop app. Microsoft's patches addressed Windows, Office, IE, Edge, the .NET Framework, Exchange Server, Visual Studio and Team Foundation Server. They also offered fixes for Azure IoT SDK, Dynamics and Flash Player. One of the fixes takes care of an Internet Explorer zero-day that's been actively exploited in the wild. CVE-2019-0676 can, when exploited, allow an attacker to read files on a disk. The usual mode of infection is via a malicious website. Remember, too, that Microsoft would like you to understand that IE is not actually a browser, and you shouldn't be using it as one.
Dave Bittner: [0:03:38] We received some advice from Ivanti's director of product management, Chris Goettl, on what the sensible priorities should be for applying yesterday's patches. He says that the OS, browser and Office updates should be high on the list. The Windows and IE patches are particularly important since the vulnerabilities they address are being actively exploited. He also recommends attending to Microsoft Exchange Server. The fixes address privilege escalation vulnerabilities that could give attackers admin rights. And Goettl recommends fixing the Adobe products Flash, Acrobat and Reader. These are, as usual, being heavily targeted. And they amount to low-hanging fruit for crooks, skids and others who dine out on such things.
Dave Bittner: [0:04:22] Security firm Carbon Black has found a new strain of Shlayer, macOS malware first observed last year by Intego. This version of Shlayer, notable for both its obfuscation and its privilege escalation capabilities, has been downloaded from multiple sites. Its most common guise is that of a bogus Adobe Flash software update. Researchers at security firm ExtraHop recently had a run-in with a malicious Chrome extension downloaded from Google. Matt Cauthorn is vice president of pre-sales security engineering at ExtraHop. And he joins us to share what they found.
Matt Cauthorn: [0:04:58] There's a very popular API testing tool out there called Postman. And on the Google web store for Chrome, you can download a Chrome extension named Postman, ostensibly, for helping test your APIs as you develop your code. And we had a few developers do that. Interestingly, we saw this sort of low and slow socket outbound. It was a web socket - plain text HTTP web traffic - outbound to a public IP address on a suspicious-looking port. And we - sort of monitoring our own activities at ExtraHop as a security company. And we started to investigate this. And it got more and more suspicious as we looked into it.
Matt Cauthorn: [0:05:41] And sure enough, this particular - we were actually able to trace it back to this particular Chrome extension that had been installed on three laptops. We took them offline. We did the remediation. And we found that the thing was exfiltrating data - specifically, was exfiltrating URLs that the browser was traversing. For us, the impact - fortunately, it was contained and sort of responded to very, very quickly. But the impact is really self-evident because it's, effectively, a supply chain like a software supply chain attack, where the developers who are chartered to develop code and get stuff done, they want to test their APIs. Postman is very established. It's very, very popular, super useful. On here, this malicious developer, basically, squatted on the name in the extension store in Google, was able to slip in malicious code under the sort of guise of using this Postman service. So it's really - it was really interesting. It wasn't particularly sophisticated, but I got to say it was quite clever because they got the clicks, and - you know, 27,000 of them, actually. And they basically squatted on the name. And they were able to inspect the stuff that we were doing in our browsers, which is pretty scary.
Dave Bittner: [0:06:56] Yeah. Now, for the folks who went looking for the legit Postman extension in the store, what did they come across that fooled them?
Matt Cauthorn: [0:07:07] So they originally did have a Chrome extension, which was subsequently pulled off in favor of - they have their - Postman, as a service - now they have their own installables. They have their own platform specific. You install a standalone application for Windows, for Mac, for whatever. So they pulled it off of the web store. This guy comes in and takes the name. He squats on the name after they pulled theirs down. And so it's basically like, you know, domain squatting, basically, on a defunct domain name.
Matt Cauthorn: [0:07:37] Extensions for Chrome - they're exposed to - they have access to kind of everything that happens in your browser. Now, there are some controls that Google tries to invoke with the manifest file. There's a file that sort of defines what the thing is able to do - whatever. But most users are not incentivized, A, or motivated, B, to scrutinize the behaviors of a given extension. They sort of trust the name of Google, which is about as ubiquitous as it gets. And so they install - right from the official store, they install a plug-in that happens to be doing bad stuff. It's a real challenge.
Dave Bittner: [0:08:12] Now, obviously, you know, the folks you have there working at ExtraHop are not rookies when it comes to this sort of stuff. And if you all could fall victim to this, what are your recommendations for folks to prevent this from happening in their own organization?
Matt Cauthorn: [0:08:26] So we have a team of researchers - of threat researchers. And we do a lot of hunting internally for security reasons, obviously, as well as just research reasons. And these guys tracked it down very, very quickly, which was impressive. But the more I started looking into the big problem - think of this as like a software supply chain exploit, effectively. And so if you have a plug-in that needs to reach out to the external world and you're an adversary, you're probably going to target - it's a wise bet, at least - to get the clicks, to get the downloaders, to spoof yourself to pretend you are an API integration of some sort - right? - some sort of testing tool. It's expected to reach to the outside world. And absent of, like, close scrutiny, you expect the thing to be reaching out and talking to external things, potentially good or bad, and you might not think about the bad part.
Matt Cauthorn: [0:09:18] So what it - from a recommendation perspective, there's a lot that goes on here. And the deeper you go into the software supply chain attacks, the scarier it becomes, frankly, because recommendation-wise, you got to scrutinize it. And you have to be aware of the different tools, tactics and procedures that they can invoke to bypass detection and to convert the click event, if you will, to get themselves installed. And here, the main vehicle, as unsophisticated as it was - like I said, it was quite clever - is they just squatted on a name that they knew was very popular, that they knew was going to be downloaded, at least by some, to get effective work done for the company as they wrote code.
Dave Bittner: [0:10:00] That's Matt Cauthorn from ExtraHop.
Dave Bittner: [0:10:04] The ICS security specialists at Nozomi have published their research into GreyEnergy, a strain of malware security firm ESET discovered in 2018. A successor to BlackEnergy, GreyEnergy has been used against infrastructure targets in Ukraine and elsewhere. As its name suggests, although the malware has been deployed against several targets, GreyEnergy’s controllers have most famously used it against targets associated with power distribution. Nozomi points out a feature that tends to make the malware resistant to reverse engineering. It's surrounded by a lot of junk code. Obfuscation hinders observation. The malicious code has been examined, but analysis had to work through a lot of irrelevancy.
Dave Bittner: [0:10:49] The destructive attack VFEmail sustained Monday still looks like a motiveless hack. The email service is still trying to restore what it can, but most of its data appear to be gone for good. We heard from Vectra’s head of security analytics, Chris Morales, who noted in an email that, quote, "this kind of destructive attack with no stated motive or demands is quite rare," quote. Praveen Jain, CTO at Cavirin, said that apparently motiveless attacks like this one underscore the importance of not only air-gapped backups, but of better employee training.
Dave Bittner: [0:11:26] And finally, tomorrow is St. Valentine's Day. You'd forgotten, hadn’t you? You're welcome. Don't mention it. As you thrash around online in last-minute searches for gifts, tokens of esteem, or indeed for love itself, hoping to salvage the day, beware. The cybercriminals read the same calendar you do, and they're primed to take advantage of any eleventh-hour desperation. Be especially wary of online offers of chocolate, cards, flowers and so forth. Hackers speak the language of love, but they do so with a serpent's tongue.
Dave Bittner: [0:12:00] So by all means, express your love - you'd better express your love, or significant others will know the reason why - but express it with the seemly circumspection a civilized person uses online. For example, no below-the-belt selfies, if you please, Señor Danger. Those are, quite simply, uncalled for and, in any case, don’t argue for a mature understanding of matters of the heart. While we know the heart has its reasons, of which reason knows nothing, on selfies, the heart and the brain are of one mind. Inclinations to the contrary come from elsewhere, perhaps the spleen, or better yet, from one of those AIs we keep hearing about.
Dave Bittner: [0:12:40] And no buying off-brand candy or using floral gifts from dodgy sites. If the email invite says something along the lines of, "Greetings of the day, fellow youth. We are to be offering to you the most esteemed and bestest values of the Valentine," well, then tell the Shadow Brokers to call you back on some other holiday - we don’t know - maybe V-J Day. It’s a favorite up Rhode Island way. You’ve probably considered the doughnut as a love token. These, as you know, are widely exchanged and appreciated in the hacking and InfoSec communities. If so, then be advised that Dunkin' Donuts is offering a Valentine's special, a bouquet of doughnuts so arranged as to look a bit like a floral arrangement - just the thing to carry back to your inamorata's keyboard d'amour.
Dave Bittner: [0:13:26] And also, be advised that Dunkin' Donuts is looking out for you. Their DD Perks rewards program hasn't been hacked, but a lot of its members apparently reuse their passwords. If you're one of those, Dunkin' Donuts advises you to stop doing so and to change your password. They found that someone's targeting their customers in credential stuffing attacks. So stuff the doughnuts, not credentials.
Dave Bittner: [0:13:54] Now, a moment to tell you about our sponsor ObserveIT - the greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer network or system data. But to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free - no installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [0:15:02] And I'm pleased to be joined once again by Dr. Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, great to have you back again. We saw a story come by about some work that the Pentagon had been working on. This is using artificial intelligence to do a better job with an ever-tightening RF spectrum availability. And it was something called the Spectrum Collaboration Challenge. What was going on here?
Charles Clancy: [0:15:31] The Spectrum Collaboration Challenge is a program that was launched by the Defense Advanced Research Projects Agency, or DARPA. Typically, DARPA has programs where they will put $30 million to $50 million into developing a specific technology or to demonstrate a particular new capability. But in this case, instead of just giving all the money to a handful of companies or universities, they actually decided to have a competition where they offered prizes, similar to some of the other challenges they've done in the past around unmanned vehicles or around cyber. And this one was really focused on how AI-enabled wireless systems could really more effectively communicate in not only a crowded spectrum but also a contested spectrum, where you might have adversarial components seeking to disrupt your ability to communicate.
Dave Bittner: [0:16:21] Now, one of the things they noted in this article was that this was the first time they saw autonomous collaboration outperforming manual human-driven attempts to optimize spectrum.
Charles Clancy: [0:16:32] Exactly. So historically, spectrum planners have decided what channels should be used by different systems in order to minimize interference, and it's all been a very static plan. And that works well because you're divvying up the spectrum, but it leads to inefficiencies. In fact, many DOD bands are only about 30 percent occupied even at their peak times just because of all of the buffers and guards that are needed in order to make sure that signals don't bump into each other.
Charles Clancy: [0:17:03] If you want to get above 30 percent and be more efficient in the use of the spectrum, then you really need dynamic reactive systems that can identify where the holes are and coordinate among each other to identify who should communicate where and when. And this decentralized autonomy is particularly challenging because - if you can imagine military spectrum, you could have links from aircraft to ships; you could have radar systems; you could have all kinds of different things that use electromagnetic spectrum and do so in very incompatible ways. So the ability for all of them to really choreograph themselves to achieve higher efficiencies is really impressive.
Dave Bittner: [0:17:44] Another thing that struck me from this article was they mentioned that the military is in the process of turning over up to 500 megahertz of spectrum to the private sector in the next couple of years. And I suppose - I mean, that's an ongoing tension between the military's need for that spectrum but the real hunger for that spectrum on the commercial side.
Charles Clancy: [0:18:03] Exactly. The military has a lot of spectrum that they use. They don't use it very often. But when they do use it, it's really important. One example that's part of that 500 megahertz is 150 megahertz that sits at 3.5 gigahertz. And over the last two years, the Federal Communications Commission, or FCC, has gone through a rule-making process to establish what's called the Citizens Broadband Radio Service, or CBRS. And this is a band where commercial broadband service and enterprise broadband will actually co-exist in the same channels as Navy radar systems. And there's a whole sensor network that's being deployed along the U.S. coastline specifically designed to detect when those Navy ships are operating their radars. And when those radars are on, it actually sends signals to all of the broadband systems to reconfigure and move into different bands. But this whole concept of spectrum sharing is really key to opening up new bands really to enable advanced 4G service and allow for the new 5G, also targeting these new frequency bands.
Dave Bittner: [0:19:09] Dr. Charles Clancy, thanks for joining us.
Charles Clancy: [0:19:11] Thanks a lot.
Dave Bittner: [0:19:16] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire Podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.