The CyberWire Daily Podcast 3.26.19
Ep 808 | 3.26.19

More on ASUS supply chain backdoor. FEMA data mishandling. LockerGoga ransomware. Mueller report responses.

Transcript

David Bittner: [00:00:04:02] Supply chain attacks and Operation ShadowHammer's ASUS backdoor. LockerGoga ransomware may be slow and sloppy but its masters are determined and willing to play for high stakes. What will happen with FEMA over its data mishandling incident? Responses to the Mueller Report's conclusions. Venezuela says it was hacked again, the rhetorical technique is implausible insistence. And what do PewDiePie fans call themselves? The Nine Year Olds? The Bro Army? Fans of Mr. Pie's girlfriend are the Marzipans. Thought you'd like to know.

David Bittner: [00:00:44:00] Now, a moment to tell you about our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations, to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, SOAR Platforms, everything you need to know about security, orchestration, automation and response. The book talks about intelligence driven orchestration, decreasing time to response and remediation with SOAR, and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.

David Bittner: [00:01:54:22] From the CyberWire studios at DataTribe I'm Dave Bittner with your CyberWire summary for Tuesday, March 26th, 2019.

David Bittner: [00:02:04:08] The ASUS backdoor security researchers at Kaspersky Lab disclosed recently has been independently confirmed by security firm, Symantec, which thinks the campaign ran from June through October of last year. Kaspersky calls the backdoor operation ShadowHammer. It spreads through the ASUS Live Update Utility and gave attackers access to, and control over, infected machines. The Trojanized utility was hosted on ASUS's site and signed with an ASUS certification, which, Kaspersky says, no doubt helped it evade detection. Motherboard broke the story yesterday and reporter, Kim Zetter, notes that it took ASUS some time to respond, and registers disapproval that their response didn't acknowledge Kaspersky's role in finding the compromised utility. But, give Kaspersky full credit for sounding the alarm on this, Symantec does. 57,000 has been widely quoted as the number of users hit, but that's a significant understatement, low by at least a couple of orders of magnitude. 57,000 represents the number of Kaspersky installations, the company says, detected ShadowHammer. Symantec thinks around 500,000 systems were affected. Kaspersky guesses that tally of infected machines is probably at least on the order of a million. That's give or take a couple of baker's dozen.

David Bittner: [00:03:26:19] There's no attribution yet beyond calling the attackers an APT, which usually means that it's a nation-state. Who that nation-state might be is unknown, as are the attackers' objectives. ShadowHammer's known geographical distribution offers no particular clues. The US leads in the number of infections but that's just with 13% of them, barely nosing out Australia's 12% and Italy's 11%.

David Bittner: [00:03:52:22] It's worth noting that this is a supply chain attack, the attack compromises a third party device or service as a means of hitting its ultimate target. Software updating utilities have been among the more attractive vehicles of such attacks. NotPetya, for example, transmitted itself via compromised updates to an otherwise innocent Ukrainian tax preparation software package. Problems with the ASUS supply chain have been suspected for some time. As ITWire points out, Duo Security flagged issues with the ASUS OEM updater utility back in 2016. They did so in the context of what they colorfully called shovelware, crapware, bloatware, and they did warn that such unnecessary and unwanted software posed a security threat. They ironically called it value added, although value subtracted might be better, if less ironic. But ShadowHammer is a different, more serious matter, evidently deliberately installed for attack purposes. The story is continuing to develop.

David Bittner: [00:04:55:05] Security firm, Alert Logic, has told ZDNet they found a bug in the LockerGoga ransomware that could enable potential victims to, as they put it, inoculate their systems against infection, crashing the malware as it attempts to execute and before it encrypts files.

David Bittner: [00:05:11:14] KnowBe4 has an interesting take on LockerGoga, the security firm says on its blog, quote, "Technically LockerGoga is just another ransomware strain and not even a very good one, it's got bugs and it's slow. However, the gang behind it represents a dangerous combination of aggressive disruption and high stakes targets." The attackers are thought likely to patch the bug soon, so enterprises would be well advised to follow sound practices with respect to regular, secure backup. Norsk Hydro appears to have done that and have been able to recover without paying the ransom demanded. The two US chemical companies affected over the past few days are continuing to work on their recovery, one of those, Momentive, is said by Motherboard to have ordered new computers to replace its infected inventory.

David Bittner: [00:06:01:02] The folks at Oracle and KPMG recently published their cloud threat report for 2019, Greg Jensen is senior principal and director of cloud security at Oracle.

Greg Jensen: [00:06:11:18] Organizations, by and large, they're simply just not prepared right now, and it points back to this challenge around shared responsibility, which is, what's my role as a customer, what's my role versus my cloud provider in securing that data that's now in the cloud? A lot of respondents really feel confused by that, they don't know where their role ends and the cloud provider picks up. We also see a lot of interesting anecdotes that come out tied to this ability, how organizations simply are just flying down the highway with their most precious cargo in tow, but they can't even see out the windshield right now, and this is really resulting in the fact that only one out of every ten organizations are able to analyze at least 75% of their security events that are transpiring within their environment. And so that means we're really working with blinders on right now, we can't see the attack coming.

David Bittner: [00:07:10:24] How much of this do you suppose is a matter of folks perhaps looking for the advantages of the cloud and all the things that it brings, but, you know, maybe turning a blind eye to some of the additional work that comes with it?

Greg Jensen: [00:07:25:22] Yes, you know, what happens in a lot of organizations is, because cloud has really become very-- it's very easy to deploy a cloud solution today, in many cases it's as simple as pulling up an instance, and that type of ability has given the line of business, if you take for example a legal department, if they know they can spool up some type of new service within an hour and start getting real value out of it, they potentially might, and in many cases they do. Now, what's the risk there? Well, quite often in that hour, or in those weeks they have not engaged or don't fully engage the security team, and what is the security team's role? Well, you need to have the security team involved, you need to have compliance involved, you need to have all these groups involved to look at these new applications and determine are there any risks? Is it an insecure platform? Will that new service meet our regulatory compliance, like GDPR or California Privacy Acts? So, all of these things sometimes get skipped, and it's not until the service is rolled out that someone finally will realize there's a new enterprise app that's being used by our employees and we didn't know about it, now we have to go and try to put controls around it, and that takes more time and leaves the organization and customers exposed.

David Bittner: [00:08:50:10] So, based on the information you collected here, what are your recommendations? What should organizations do to get a better handle on this?

Greg Jensen: [00:08:58:00] You know, really this is a people process technology type of thing, right? It's not go acquire a new service that's going to take care of all your problems, there is no silver bullet, but it's multiple things, it's starting with having all the advanced training for your people and do it on a reoccurring basis, and make sure your users and your cyber teams are fully trained and up to spec. The other part is processes, make sure all the processes that you're incorporating within the security or IT organization are completely in line with closing all these areas of risk. In other words, if you aren't sure if your cloud service provider is going to cover maybe cloud-based penetration testing, well don't go on the assumption that that's just going to happen, ask. Look into the contracts. Understand for every single service provider that you have, what are they doing? What do I need to do? And then make sure that you have a program wrapped around that. And then, of course, the technology is a very important step, because with the amount of events and alerts taking place today, advanced technologies that help create a means of automation to close the loop, that's so important now.

David Bittner: [00:10:16:16] That's Greg Jensen from Oracle. The report is the Oracle and KPMG Cloud Threat Report for 2019.

David Bittner: [00:10:24:23] FEMA's data mishandling incident seems likely, the Washington Post says, to serve as a test case for the US Administration's stated determination to hold agencies responsible for this sort of misstep. The Department of Homeland Security Inspector General called the episode a direct violation of applicable data handling rules and FEMA called it a major privacy incident. Both the Senate and House Homeland Security Committees are considering investigating. It's worth noting that the FEMA incident wasn't a hack and the data themselves don't appear to have gotten into anyone's hands other than those of the still-unnamed contractor who was hired to place disaster victims in hotels and other temporary quarters. So, in this respect, the FEMA incident is not like, for example, the famous OPM breach of 2014, when Chinese espionage services romped through the US Government security clearance files. But many are looking at the FEMA incident as something that ought to serve as a wakeup call, at least, and maybe an occasion for the sort of action against Federal managers that would encourage the others to do better in the future.

David Bittner: [00:11:31:06] President Trump has done a lot of probably understandable crowing over the announced results of Special Counsel Robert Mueller's investigation, as reported by Attorney General Barr, even as the President's detractors glom noisily onto the Special Counsel's non-call with respect to obstruction. The President woofed a bit about the treason involved in seeing collusion where the Special Counsel found no real evidence, but, it's best to read traitor in this context as meaning something more like jerk or even really bad jerk, who ought to get fired, and not the Constitution's more formal definition in Article III, which goes something like this, "Treason against the United States shall consist only in levying war against them or in adhering to their enemies giving them aid and comfort." In any case, the likeliest near term result of the report are further congressional hearings and expressions of determination to do something about security in future elections. Russian response to the Mueller report is generally being characterized as muted.

David Bittner: [00:12:35:14] Less muted is Russia's response to Venezuela's power outages. In a gesture of friendship and solidarity, Moscow has dispatched military aircraft and some military personnel to help Caracas recover from cyber attacks and sabotage the Chavista regime says it suffered over the past month. Electricity went out again yesterday, but Venezuela's current de facto leaders say they've mostly restored power. They blame a cyber attack, again, and few, but probably not even most of the Chavistas, believe this. Venezuela's power grid has been failing under neglect and mismanagement for some time.

David Bittner: [00:13:13:16] And finally, bravo Emsisoft, which has just released a decryptor for the recent round of the PewDiePie-boosting ransomware, "PewCrypt." The ransomware campaign was mounted by the YouTube star's fans in an attempt to boost their hero's profile over the rival stars of T-Series, best known as a producer of Bollywood music. Here's a sample of the PewDiePie adherents' persuasive prose, courtesy of SC Magazine. Quote, "the private key will be deleted and your files gone forever," unquote, should T-Series have more followers than Mr Pie, and should Mr Pie fail to reach 100 million followers. Emsisoft says there's not a pandemic of PewCrypt infections out there, but there's definitely a thin sprinkling of victims across cyberspace. So good work Emsisoft, and we hope the Nine Year Olds of the Bro Army and their Marzipan inamoratas can move on to other things. Travel, divert yourself, try a laxative, get a GED.

David Bittner: [00:14:22:16] And now a word from our sponsor, KnowBe4. E-mail is still the number one attack vector the bad guys use with a whopping 91% of cyberattacks beginning with phishing. But, e-mail hacking is much more than phishing and launching malware, find out how to protect your organization with an on demand webinar by Roger A. Grimes, KnowBe4's data driven defense evangelist. Roger walks you through ten incredible ways you can be hacked by e-mail and how to stop the bad guys, and he also shares a hacking demo by KnowBe4's chief hacking officer, Kevin Mitnick. So, check out the ten incredible ways, including how silent malware launch, remote password hash capture and rogue rules work. Why rogue documents establishing fake relationships and compromising a user's ethics are so effective. Details behind clickjacking and web beacons, and how to defend against all of these. Go to knowbe4.com/10waystowatchthewebinar. And we thank KnowBe4 for sponsoring our show.

David Bittner: [00:15:42:19] And joining me once again is Joe Carrigan, he's from the Johns Hopkins University Information Security Institute, he's also my co-host on the Hacking Humans podcast, which you should definitely check out. Joe, great to have you back.

Joe Carrigan: [00:15:53:02] Dave, I'm very pleased to be here.

David Bittner: [00:15:54:15] So, we are going to talk today about Facebook.

Joe Carrigan: [00:15:57:17] Yay.

David Bittner: [00:15:58:17] Facebook is in the news again.

Joe Carrigan: [00:16:01:11] Yes, again.

David Bittner: [00:16:02:03] They seem to have a hard time getting out of the news.

Joe Carrigan: [00:16:04:18] They cannot--

David Bittner: [00:16:07:00] Can't get out of their own way.

Joe Carrigan: [00:16:08:00] They can't get out of their own way. I mean, it's like they have so many holes in their feet from the bullets they keep putting through them, and they're going, "Why does this keep happening?"

David Bittner: [00:16:15:15] Yeah, yeah. So this time it is the storage of many, many passwords.

Joe Carrigan: [00:16:21:04] In plain text.

David Bittner: [00:16:22:05] In plain text, so, walk us through how does something like this happen?

Joe Carrigan: [00:16:26:21] So, Facebook released a statement that said that, when they store your password, they salt and hash the password, and then they go through an additional step where they use a cryptographic key to encrypt it, so that even if their password database was stolen, their user database was stolen or broken into, somebody would not be able to crack the hashes, because they don't have the cryptographic key.

David Bittner: [00:16:49:14] Okay, this all sounds good to me, so far.

Joe Carrigan: [00:16:51:11] That's great, that's great, but that's in their database for the users. This is something from their developers, that when they were developing applications, they would log user credentials in plain text. So, before they sent the data off to be processed in this secure process, while it was still in the plain text that the user entered it, they would store that data in a log file somewhere.

David Bittner: [00:17:17:05] This seems to me like a policy problem [LAUGHS].

Joe Carrigan: [00:17:20:03] It is a policy problem, this story is replete with policy problems. In the Krebs on Security article, Brian Krebs quotes a software developer, Scott Renfro, and he says, "In this situation, what we found is, these passwords were inadvertently logged and that there was no actual risk that's come from this. We want to make sure that we're reserving those steps and only force password changes in cases where there's definitely been signs of abuse." So, in other words, what this developer is saying is, after the horse has left the barn, then we're gonna close the door. Right?

David Bittner: [00:17:56:14] Yeah.

Joe Carrigan: [00:17:56:16] Just because you don't have evidence of abuse is not--

David Bittner: [00:17:59:08] Absence of evidence is not evidence of absence?

Joe Carrigan: [00:18:01:08] Correct, that's what I'm trying to stammer through here.

David Bittner: [00:18:03:19] Right, right.

Joe Carrigan: [00:18:06:03] This is not the right thing to do, you need to force users to change their passwords because their passwords have been compromised and stored in plain text somewhere. Don't just recommend they change their passwords, I think you should force a password change.

David Bittner: [00:18:18:01] Well, and I think that speaks to a fundamental issue here, right? Which is that these companies ask us to place our trust in them, that they're going to securely store our passwords, and here is a case where clearly they have not.

Joe Carrigan: [00:18:32:06] They've not done that.

David Bittner: [00:18:33:13] And so they say that these passwords were not compromised, I suppose I could make the argument, that the very fact that they mishandled them is a compromise.

Joe Carrigan: [00:18:42:15] I would agree, I would agree with that, that these passwords have been compromised because they've been exposed and available to 20,000 Facebook employees.

David Bittner: [00:18:51:03] Dating back to 2012.

Joe Carrigan: [00:18:53:01] Right. Now, they say that only 2,000 of those people have accessed the data.

David Bittner: [00:18:57:12] That's a lot of people.

Joe Carrigan: [00:18:57:18] Okay, what if one tenth of one percent of those people are bad actors?

David Bittner: [00:19:01:01] Right.

Joe Carrigan: [00:19:01:05] Right? Now you've got two people that have had access to those passwords in unencrypted form.

David Bittner: [00:19:06:09] Uh huh. Where do we go from here? I guess the recommendation is--

Joe Carrigan: [00:19:08:23] Well, first thing I tell everybody is change your passwords on Facebook.

David Bittner: [00:19:13:00] Yeah.

Joe Carrigan: [00:19:13:00] Change them now.

David Bittner: [00:19:13:23] And why not? Yes. Why not.

Joe Carrigan: [00:19:15:00] If you're using a password manager, it's no sweat, you just go in, change your password, you have a new complex 20 character password and you're done.

David Bittner: [00:19:21:19] Uh huh. Alright, well everybody beware, just, I mean, why not? Just go change that Facebook password.

Joe Carrigan: [00:19:27:00] Go and change your password.

David Bittner: [00:19:28:15] There's no reason not to.

Joe Carrigan: [00:19:29:14] Yep.

David Bittner: [00:19:29:21] Yeah. Alright. Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:19:32:04] My pleasure, David.

David Bittner: [00:19:37:13] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. This CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik. Social media editor, Jennifer Eiben. Technical editor, Chris Russell. Our staff writer is Tim Nodar. Executive Editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.