The CyberWire Daily Podcast 3.19.19
Ep 803 | 3.19.19

LockerGoga hits Norse Hydro. Mirai botnet malware gets an update. The DHS is concerned about cybersecurity.


Dave Bittner: [00:00:04:08] An aluminum manufacturing giant in Norway has suffered a major ransom ware attack. A new version of the Mirai botnet malware is targeting enterprise systems. The US Homeland Security Secretary says the private sector and the US government need to work together against cyber threats. Europol has a new cyber incident response strategy and cyber security executives say some vendors' marketing tactics are having a detrimental affect on the security industry.

Dave Bittner: [00:00:38:17] It's time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so take a look at Recorded Future's cyber daily. We look at it, the CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber daily email to get the top trending technical indicators crossing the web. Cyber News, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. That's and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:45:17] From the CyberWire studios at DataTribe I'm Dave Bittner with your CyberWire summary for Tuesday March 19th, 2019.

Dave Bittner: [00:01:54:13] Norway's Norsk Hydro, one of the world's larges aluminum producers suffered an extensive ransomware attack last night against its facilities in Europe and the United States. The company said in a message to investors that "IT- systems in most business areas are impacted and Hydro is switching to manual operations as far as possible". The Norwegian National Security Authority, or NNSA, said the attack is suspected to have used a fairly new strain of ransomware called LockerGoga. A spokesman for Hydro told the BBC that company was able to continue production by reverting to manual methods and that it has data backups to restore from as soon as the attack in neutralized. Currently, however, Hydro is still working with the NNSA to contain the attack and identify the extent of the damage. Employees have been told not to turn on their computers or connect any devices to the network and all communication it taking place via telephone, mobile devices and text messages. There have been no safety related incidents as a result of the attack.

Dave Bittner: [00:03:01:24] In a press conference this afternoon Hydro's Chief Financial Officer said "the situation for Hydro is quite severe" adding that "the entire worldwide network is down" affecting production as well as office operations. He said the attack began in the United States and escalated overnight but he didn't specify which facilities was first affected or how it was compromised. According to CyberScoop the company has remelting facilities in Kentucky and Texas and has offices in Baltimore. The company's website is still down and there's no time frame for how long the recovery may take. The LockerGoga ransomware was first spotted in January when it was allegedly used in an attack against a French engineering consultancy called "Altran Technologies". Earlier today researchers identified a new strain of LockerGoga uploaded to a public malware repository from a Norwegian IP address.

Dave Bittner: [00:04:01:18] Palo Alto Networks' Unit 42 published a report yesterday on a new variant of the Mirai botnet malware. This version is using a total of 27 exploits, 11 of which are new. It's also targeting a wider range of devices, including WePresent Wireless Presentation systems and LG Supersign TVs. Since these devices are meant for use in business environments the researchers believe this new strain indicates a potential shift to using Mirai to to target enterprises. Enterprises provide a larger attack surface and access to greater amounts of band width allowing for more powerful DDoS attacks. The researchers advise organizations to keep their devices up to date with patches, if a device can't be patched, remove it from your network.

Dave Bittner: [00:04:50:08] Mirai botnets have been used to carry out some of the largest DDoS attacks in recent years. These botnets are particularly powerful because they utilize embedded devices such as routers, modems, security cameras and DVRs, which can generate massive amounts of data to be launched at a target.

Dave Bittner: [00:05:09:06] It's been a couple of weeks now since the team at Axonius took home the most innovative start up award at the 2019 RSA Conference Innovation Sandbox Competition. They describe their asset management solution as the Toyota Camry of cybersecurity challenges, not particularly sexy, but ubiquitous. Nathan Burke is Chief Marketing Officer at Axonius, and he tells us that before they could compete for the big prize, first they had to deal with getting the boss to San Francisco.

Nathan Burke: [00:05:39:17] It happened during the middle of two snow storms on the east coast and so I got there early on Sunday, but Dean Sisman, who is our CEO and Co-founder who was supposed to be presenting did not have as much luck as I did and ended up sitting on the runway for four hours before his flight got canceled then re-booked. And so he was going to miss the rehearsal, the judge's demos and then maybe be there in time for the final presentation. So we just called an audible and said alright I've got to do this and so I changed up the presentation a little bit at the beginning to make it about my personal experience and then practiced a few hundred times and said lets do this.

Dave Bittner: [00:06:20:08] And I guess it went pretty well for you. You guys came away as the winners of the Innovation Sandbox.

Nathan Burke: [00:06:25:11] Yeah I guess the judges saw something in a company doing something that we're all calling the most unsexy part of cyber security and asset management.

Dave Bittner: [00:06:36:08] Well take us through what exactly does your tool do?

Nathan Burke: [00:06:39:02] Yeah, so really we wanna do exactly three things, right. So we wanna be able to give customers a credible and comprehensive asset inventory. Everything they've got from laptops, desktops, servers, VMs, mobile devices, anything. If we can do that then we can show them where they have gaps in their security coverage and then we can automatically validate and enforce their security policies, and what's different about the way that Axonius has approached this is we just connect to all of the different security and management solutions that customers are already using. So we connect to these solutions, gather and collect all the information we can about assets and users, we correlate that together and then we can show you how each of these assets fits against their security policies.

Dave Bittner: [00:07:21:05] And this has been a persistent challenge for organizations to get a handle on this. Why has asset management been so challenging?

Nathan Burke: [00:07:26:22] Yeah, I think it's been so challenging because if you look at it over time the more devices and device types that we have, the more solutions we have to manage them, and the more solutions that we have, the harder it is to ask basic questions around assets and how they adhere to the policy. And so just over time when you think, you start off with a PC on a network that is in a physical location, asset management is as simple as a guy with clipboard, right. But then we move into the world of mobile devices, IOT devices, the cloud, and then it becomes really fractured and fragmented and it just becomes very difficult to understand what you have. And so it's been a challenge and I think that's what one of the judges said during the presentation and the judging which is, you know, that he's lived this before, not being able to get a straight answer about assets. And I think one of the things that's nice is that now everything has an API and so we're kind of here at the right time where we can interface with all these solutions that know about assets, gather that information, correlate it together and present it back in a way that customers can query and find answers to the questions about assets very very simply.

Dave Bittner: [00:08:38:20] Can you walk me through an example. I mean what's a typical type of asset that usually gets overlooked or is hard to track that you guys are able to get a handle on?

Nathan Burke: [00:08:47:22] Sure. A couple of good examples, I mean I think there is an inevitable march to the cloud and so we see more and more of our customers are using cloud instances like Amazon, yet the security tools that they have to secure their on-premise instances and devices just don't necessarily work the same. And so a good example of that is, I'm using Amazon but my vulnerability assessment tool doesn't necessarily know about a new Amazon instance that's been spun up, and, you know, we've said this several times to customers. I don't think there's ever been a time in history where Devout said "hey security is it OK for me to spin up a new instance?" It just doesn't happen right. And so what we're able to do is say, we've found these new Amazon instances, we can look at the VA scanner and say, alright do you know about these? And if the VA scanner just isn't aware of the new instances we can just kind of bridge that gap. And that's just one of the simple ones. And then another one that we see all the time is a company will say "I'm using an EDR or EPP solution and I've got it deployed everywhere," and then we find out that around 18% of their devices are missing that end point agent. So that's something we're always able to find, and I think the idea is, by being able to connect to all of the different solutions we have we're able to uncover things that they wouldn't be able to just looking at that single management consul.

Dave Bittner: [00:10:12:04] That's Nathan Burke from Axonius. Our congratulations to him and the whole team there for winning the 2019 RSA Innovation Sandbox.

Dave Bittner: [00:10:23:02] Homeland Security Secretary Kirstjen Neilsen said yesterday that emerging cyber threats are among her top concerns in the coming year. Neilsen believes that America is not prepared for these threats saying that she's "more worried about the ability of bad guys to hijack our networks than their ability to hijack our flights". She said that the private sector needs to work with the government to defend against these threats. "It's not just US troops and government agents on the front lines anymore, it's ordinary Americans. Threat actors are mercilessly targeting everyone's devices and networks and they are weaponizing our own innovation against us". She added that "our adversaries are using state owned companies as a "forward deployed" force to attack us from within our supply chain".

Dave Bittner: [00:11:13:15] The European Union has adopted an incident response protocol for major cross-border cyber attacks. A press release from Europol said the the WannaCry and NotPetya attacks showed that previous incident response protocols were “insufficient to address rapidly evolving cybercriminal modus operandi effectively.” The new protocol gives a central role to Europol’s European Cybercrime Center, and it aims “to complement existing EU crisis management mechanisms.”

Dave Bittner: [00:11:44:20] Four top cybersecurity executives at Fortune 500 companies told CNBC that some cybersecurity vendors resort to unsavory business practices in order to gain an advantage in the market. All four of the executives said they had encountered sales pitches in which vendors took advantage of the fact that small security flaws at a well-known company can generate major headlines. The vendors in these cases threatened to tell media outlets if the executives didn’t listen to their entire pitch. Two of the executives also described vendors who have called to report emergency security incidents, only to give routine sales pitches once they got on the phone with an executive. Even when the issues they point to are real, some vendors don’t differentiate between an imminent threat and a minor vulnerability. These marketing tactics have resulted in mistrust between cybersecurity executives and vendors, and they make it harder for both to identify and address the real threats.

Dave Bittner: [00:12:49:20] And now a word from our sponsor Looking Glass Cyber Solutions. When it comes to digital business risk you don't want a general admission perspective. Get a backstage pass for the Looking Glass Digital Business Risk Roadshow this spring to learn the industry latest on effective third party risk management tactics to protect your employees, customers and brand, taking a pro-active security posture to combat today's sophisticated threat actors and a cyber criminal master-mind's insights on manipulating your organizations cyber strengths and weaknesses. Come see Looking Glass in a city near you. The tour includes Atlanta, Charlotte, Chicago, San Francisco, New York City, DC and Houston. They hope to see you at the show. To learn more about the roadshow and register visit their website That's and we thank Looking Glass for sponsoring our show.

Dave Bittner: [00:13:53:17] And I'm pleased to be joined once again by Johannes Ullrich, he's the Deane of Research for the SANS Institute and he's also the host of the ISC Stormcast Podcast. Johannes it's great to have you back. You know, back in 2018 certainly the CPU flaws, things like Spector and Meltdown caught our attention but you wanted to point some other flaws, what you're describing as perimeter hardware flaws. What's going on here?

Johannes Ullrich: [00:14:17:20] Yes what this is about is if you're looking at your standard computer mobile device the CPU is only one of many chips that you find in these devices and all these other chips, like columns of parameter chips,that stuff sitting around the CPU feeding it with data, well, they're vulnerable too and in someways sometimes actually more exposed than the CPU. And as one recent example, our WiFi chip sets and in particular the Marvel Avastar. There was an interesting paper that looked at that particular chipset. Now these are names that usually don't ring a bell with anybody. I personally hadn't heard about this chipset yet but, well, it's in many Microsoft surface laptops. It's in many Samsung laptops and such. So it's a widely used chipset and it has some flaws that as was demonstrated here by Dennis Sonanin can be exploited without the user doing anything and get full access of the system.

Dave Bittner: [00:15:19:07] Is this a situation where-- because these chips are on the motherboard the rest of the system has a default situation of trusting these chips and maybe that's going a little too far?

Johannes Ullrich: [00:15:31:23] Correct that's part of the problem. The other side of it is that these chips, well, you know, there is no real hardware anymore, everything has software in it. These are actually little systems on a chip. They have their own operating system, they have their own software running in it, and all of these of course vulnerable, and what makes it sort of worse is because these are fairly minimum systems. A lot of these standard protections that we have that prevent exploitation in normal operating systems, they don't apply to these chips and in some ways they're actually easier to exploit once you have a vulnerability like a simple buffer overflow.

Dave Bittner: [00:16:10:10] Now in a situation like this with these auxiliary chips, would they be updated with an OS update or a firmware update or are they sort of baked in with what they have when they're manufactured?

Johannes Ullrich: [00:16:24:09] That's actually the good part of it that most of them come as a blank slate, and the operating system loads the firmware into that chip as it's being booted. So yes, an operating system update usually can take care of these flaws if it is released.

Dave Bittner: [00:16:41:05] Interesting. So what are people to do here? Is this a matter of keeping up on the latest updates?

Johannes Ullrich: [00:16:48:17] That's pretty much the only thing you can do here. Of course turn off your wifi card if you can turn it off in public environments, but that's, I think, always difficult advice to follow. It's really difficult to do anything but just staying up to date and staying up to date with your operating system patches.

Dave Bittner: [00:17:09:16] Now I guess keeping an eye out to see if your particular device is one that might be vulnerable?

Johannes Ullrich: [00:17:14:06] Yes, but it may actually be difficult to figure out what device is in your system and then also there is no real standard feet for these vulnerabilities. They're often not disclosed very widely like for operating system vulnerabilities.

Dave Bittner: [00:17:29:21] I see. Now is this also a situation where, you know, as a motherboard is manufactured that, you know, a certain percentage of the run might have one brand's chip in it and another percentage of the run might have another's?

Johannes Ullrich: [00:17:42:16] That's certainly possible, in particular different sub-versions of the chip and some maybe vulnerable, others maybe not. Or another case that can also happen is that the particular version of the chip that you have in your system is no longer being supported and there are no more updates for it, while the same laptop bought a couple of months later has a new version that's still receiving updates.

Dave Bittner: [00:18:07:08] That's interesting stuff. Johannes Ullrich, thanks for joining us.

Dave Bittner: [00:18:14:18] And that's the CyberWire. Thanks to all of our sponsors for making this CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe where they're co-building the next generation of cyber security teams and technology. Our CyberWire Editor is John Petrik, Social Media Editor Jennifer Eiben, Technical Editor Chris Russell, Executive Editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.