Sri Lanka bombing investigation updates. Cryptojacking targets enterprises in East Asia. Oracle web server zero-day. The criminal-to-criminal credential-stuffing market. Who talked about Huawei in UK?
Dave Bittner: [00:00:03] Investigation of the Easter massacres in Sri Lanka continues. For all the concern about online inspiration, some of the coordination seems to have been face-to-face. Symantec describes a cryptojacking campaign, Beapy, that propagates using EternalBlue. An Oracle web server zero-day is reported. Recorded Future describes the commodified black market for credential-stuffing. And there's a cabinet dust-up in the U.K. over a leak about the government's plans for Huawei.
Dave Bittner: [00:00:37] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want - actionable intelligence. Sign up for the Cyber Daily email, and every day you'll receive the top trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:47] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 26, 2019.
Dave Bittner: [00:01:56] Investigation into the Easter massacres in Sri Lanka has identified at least eight of the nine suicide bombers. Three were members of one of the country's wealthiest families; the family patriarch is among those who've been arrested. The family's fortune is said to have been made trading spices. One of those believed to have been a leader of the closely coordinated attacks was among the bombers. Zahran Hashim, the imam notorious for online sermons urging the extermination of unbelievers, died when he detonated his bomb at the Shangri-La Hotel in Colombo. Some are now retrospectively connecting Hashim to the defacement last year of Buddhist shrines in Mawanella, an earlier jihadist action that some now - again, retrospectively - see as a forerunner of the Easter massacres. He apparently rented a house in Mawanella for a few months - he had made himself unwelcome at the local mosque - from where he concentrated on face-to-face indoctrination of local youth. So not all of his business was conducted online.
Dave Bittner: [00:02:57] Controversy persists over how clear warnings of an imminent attack could have gone so generally overlooked. This isn't a matter of missing subtle clues but of police on the ground apparently not paying attention to an alert passed through official channels. Foreign intelligence services - notably India's - are also said to have warned Sri Lanka that jihadist violence was in the works. And there's more intelligence chatter sufficient to warn tourists that further attacks may be in the offing, even with the extensive police sweeps being conducted throughout the country.
Dave Bittner: [00:03:31] The death toll in the attacks is proving, as is often the case, to be difficult to arrive at. The authorities are now suggesting that the final count of losses may be closer to the earlier figure of 250 than the more recently cited 300. Whatever the final toll, it's tragic by any estimation. President Sirisena has vowed to search every house, if necessary, to bring an end to the violence. Protection is being extended to mosques, lest there be a backlash to the bombings.
Dave Bittner: [00:04:02] Researchers at security firm Symantec are tracking a cryptojacking campaign that, for now at least, is concentrating on businesses in China, although a minority of the infections - about 20% - have hit South Korea, Japan and Vietnam. They're calling the campaign Beapy, and the worm involved appears to be using the EternalBlue exploit to spread. So far, Beapy has left individual users largely alone. It shows a distinct preference for enterprises. The initial infection vector has generally been a phishing email carrying its payload in an attached Excel file. It uses unpatched machines to establish a beachhead in a targeted network and then spreads from there. EternalBlue is the most common means of propagation, but Beapy has also been observed using the credential-theft tool Hacktool.Mimikatz.
Dave Bittner: [00:04:51] Beapy is a file-based, as opposed to a browser-based, coin miner, and so it works faster than competitors that operate from the browser; this can translate to much greater gains for the cryptojackers. As Symantec points out, a 100,000-strong, browser-based botnet could pull in about $30,000 in 30 days. A file-based competitor of the same size would net $750,000. So do the math. Symantec offers some advice on protecting yourself from cryptojacking. As always, be aware of phishing and on your guard when opening emails, and especially when following links or opening attachments. And watch for spikes in battery usage. If you see your battery draining faster than it ought, scan the device for the presence of coin-mining malware.
Dave Bittner: [00:05:38] KnownSec 404 has discovered a zero-day in Oracle web servers. Two WebLogic components - wls9-async and wls-wsat - are susceptible to remote code execution. There's no patch yet, and KnownSec 404 recommends either removing the two problematic components and restarting the servers or firewalling the paths an attack might exploit.
Dave Bittner: [00:06:03] A Recorded Future study indicates the degree to which credential-stuffing tools have become widely available criminal commodities. It's possible to mount a credential-stuffing campaign for as little as $550; that investment is often repaid twentyfold. It's a criminal-to-criminal market - the money's made in reselling stolen credentials. Recorded Future says there are six major toolkits available, with dozens of also-rans being hawked in dark web markets. As always, multifactor authentication and, especially, getting into the habit of not reusing passwords are good ideas.
Dave Bittner: [00:06:40] A cabinet dust-up over who talked out of school about a pending decision by Her Majesty's Government to allow Huawei participation in the U.K.'s 5G build-out - at least in non-core technologies like antennas - may give rise to a criminal investigation, the Telegraph reports. But senior cabinet members are all saying the same thing - I don't know nothing; I didn't do nothing. Well, leave those capers to the wide boys, Sunshine.
Dave Bittner: [00:07:10] I'd like to take a moment to thank our sponsor, Georgetown University. Georgetown offers a part-time master's in cybersecurity risk management that prepares you to navigate today's complex cyberthreats. Ideal for working professionals, the program features flexible options to earn your degree without interrupting your career. Take classes online, on campus or through a combination of both - you decide. Not ready to commit to a full master's program? Explore accelerated options through Georgetown's cybersecurity certificates, which you can complete in as little as six months. To learn more about these programs, visit scs.georgetown.edu/cyberwire. That's scs.georgetown.edu/cyberwire. And we thank Georgetown University for sponsoring our show.
Dave Bittner: [00:08:09] And joining me once again is Johannes Ullrich. He is dean of research for the SANS Institute, and he's also host of the ISC's "StormCast" podcast. Johannes, it's great to have you back. You have been tracking some increases in DHCP client vulnerabilities. What do you see in here?
Johannes Ullrich: [00:08:25] Yes, there has been really sort of a rash of these vulnerabilities, in particular in Windows at the beginning of the year. I think there are a total of five different vulnerabilities that were sort of spread through the January and the March patchset. And the problem with these vulnerabilities is there hasn't really been a public exploit for it yet, but they're really very dangerous, in particular for users that have to connect sort of to these open wireless access points.
Dave Bittner: [00:08:56] So give us an example where it would be the problem here.
Johannes Ullrich: [00:08:59] So you're at a hotel, and we all know hotel networks are often compromised, in particular to target visitors to the hotel. And you're getting an IP address from the hotel's wireless network. DHCP has to be working; there's really no other good way of doing this. If the DHCP server of the hotel is now compromised, is sending you a crafted response, the hacker could actually be executing arbitrary code on your system.
Dave Bittner: [00:09:31] Now, what about - are you going to get any help with firewalls or if you're using a VPN?
Johannes Ullrich: [00:09:36] Not really because all of this really happens before, in particular VPN matters. And even the firewall - the firewall has to allow these DHCP responses back in. There's really no good way sort of to whitelist anything. There may be a chance there is sort of some intrusion protection system or so closer inspects the payload of these DHCP responses. But haven't really seen anything good in particular when it comes to these DHCP exploits.
Dave Bittner: [00:10:07] So what do you recommend here? How can folks protect themselves?
Johannes Ullrich: [00:10:11] Well, the bad thing is there isn't really much you can do, other than being careful, watching for odd behavior, trying to avoid these wireless networks, of course. But realistically, if you're traveling a lot, there isn't much you can do to avoid them. You could use your cellphone, for example; that's, of course, always a better option. Use some kind of LTE connectivity or so versus the hotel network, but then again, you may find yourself in a hotel with bad reception; that has happened to me. You really have to rely on the hotel network or whatever the open wireless access point or network is that you're using.
Dave Bittner: [00:10:50] Should we be waiting for some patches here? What's the ultimate resolution going to be?
Johannes Ullrich: [00:10:54] Yeah. Actually, the best thing you can do is apply patches. And you know, Microsoft came out with patches. Like I said, right now there is at least no public exploit available for this particular vulnerability. The last one that we have seen sort of widely exploited like this was back - the Shellshock vulnerability; that one was exploitable against Linux DHCP clients. But here, of course, with Windows being affected, you have a much larger population that's potentially vulnerable.
Dave Bittner: [00:11:25] All right. Johannes Ullrich, thanks for joining us.
Dave Bittner: [00:11:32] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Most security teams today rely on rule- and signature-based tools, which can leave you blind to unknown threats. At the same time, cloud and rising encryption standards cause more visibility gaps that attackers can use to infiltrate your network and move without detection. Analysts, including Gartner, EMA and others, recommend complementing signature-based tools with network traffic analysis that deliver east-west visibility and behavioral analytics to help you quickly detect, investigate and respond to known and unknown threats. Visit extrahop.com/cyber to learn more. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:12:30] My guest today is Anura Fernando. He's chief innovation architect for medical systems interoperability and security at UL, Underwriters Laboratories. UL has been a key player in the development of standards covering the testing and certification for the cybersecurity of connected medical devices. In fact, the FDA recently recognized UL's standard 2900-2-1, which addresses those concerns.
Anura Fernando: [00:12:56] Medical device cybersecurity is a growing area that's being addressed in terms of critical infrastructure protection. It was really one of three domains that was initially identified by the federal government here in the U.S. when breaches really started to peak a few years ago. The other two are industrial control and consumer security products and building products and so forth. What UL tried to do is to develop some standards to try to address some of the core outstanding issues around cybersecurity.
Anura Fernando: [00:13:38] There are currently a number of different standards that are out there to address product-level cybersecurity, and there are even some that deal with secure development processes and so forth for health care technologies, medical devices and other types of technologies used to provide health care. What we found to be lacking at the time - and this was in the 2015 timeframe - was repeatable and reproducible testing that provides objective evidence of a particular product's cybersecurity posture. And so these standards that provide that type of testing were established for the health care vertical, the industrial control vertical and the building security vertical.
Dave Bittner: [00:14:27] So within the world of medical systems, what are some of the specific challenges that UL faced?
Anura Fernando: [00:14:34] Some of the unique issues in the medical device industry really have to do with the fact that the medical industry is somewhat unique in how it develops products. In most other product areas, you don't want to develop products that could harm somebody. In the medical industry, you sometimes do have to create products that will allow for harm. However, the end goal is to save the person's life. A good example of this is radiation therapy. Now, if you look at a therapeutic linear accelerator, for example, the purpose of that is to apply radiation in a way that destroys human tissue - in this case, pathological tissue. But it also can cause other bodily injury that has to be sustained and recovered from, with the end goal being to preserve the person's life.
Anura Fernando: [00:15:37] And so when you connect devices like that to a network, and if that network is not protected, now there are unknown individuals - some call them bad actors or threat actors - out there who may access that network or find that device, you know, just through internet searches and so forth and be able to access that device and cause harm, when the purpose of that device is to cause healing instead.
Dave Bittner: [00:16:05] And I suppose - I mean, there's a natural tension there, where doctors don't want to have any security protocols that would get in the way of them being able to provide the medical care that they need to provide.
Anura Fernando: [00:16:18] Absolutely. You know, as device manufacturers struggled with how to improve security of products, we found things like, you know, ideas to have fingerprint readers on medical devices, for instance. And that's all well and good, unless that medical device happens to be in an operating room, in a sterile environment, where the clinicians have to have gloves on, and the device, you know, drops its network connection and they need to reauthenticate, then they have to break the sterile field in order to reauthenticate, and that's not acceptable. So you know, clinicians certainly have very valid concerns in terms of cybersecurity.
Anura Fernando: [00:16:58] And in health care in particular, you really have to balance the need for security as opposed to the accessibility of the device for clinical care, especially if you're talking about something like a defibrillator or a ventilator or something that may be needed urgently in an acute care setting, like an emergency room or something like that. Saving the patient's life typically trumps the need for security. And so security overrides are an important facet of what health care industry has been looking for and something that's been accounted for in the UL 2900 standards that I mentioned before. And what this allows for is carefully managed security override of products when it comes to the issue of things like saving patients' lives.
Dave Bittner: [00:17:48] But what about - I've heard folks say - coming at this from the other side; that, you know, when you have a standard like this established, well, that just gives the bad guys a road map.
Anura Fernando: [00:18:00] Certainly, that's one way to look at it. And so it's well-recognized that standards are always lagging technology, by and large; that's one of the reasons that the medical device industry had to really move from prescriptive standards to risk-based standards. And what that allows for in the world of cybersecurity now, as opposed to, you know, basic safety and essential performance, is that we have tools in the standards world that allow for manufacturers to establish a baseline of cybersecurity hygiene using the requirements of the standard, but then go well beyond that baseline as appropriate for managing the risks of their product.
Anura Fernando: [00:18:42] And so while the basics are in the standard, the provisions to go beyond that are also in the standard, but the details of how you achieve all of the necessary protections aren't outlined in the standard. And so that's one of the mechanisms to prevent standards from serving as sort of a road map. There's a lot of intellectual property regarding the assets of a product and the security controls that protect that product that are a part of the certification process. They're not exposed in publicly available certificates and things like that. They are managed under NDA and contracts between the certifier and the manufacturer, and so they prevent the bad guys from having access to the kinds of details that might allow for them to successfully exploit a product.
Dave Bittner: [00:19:35] Now, how do you see things playing out as we go forward? Where do you see the evolution of this space, as medical devices continue to evolve and also the need to secure them grows, as well?
Anura Fernando: [00:19:49] I see this much like how UL has historically seen the adoption of electricity, you know, across society. Back in the late 1890s, when UL started up, electricity was first being used by consumers, and you know, people wanted light bulbs and washing machines and, you know, cooking equipment and all the things that make our lives easier and our tasks more convenient than they used to be, prior to the introduction of electricity. We're seeing that same kind of paradigm now, where data is important to everybody; our memories are all in social media, our interactions are very frequently electronic and not direct and personal, to a large extent anymore.
Anura Fernando: [00:20:40] And so we are, as human beings, very, very dependent on data and the exchange of data for how we exist and survive in the world. And so as we developed mechanisms to allow for society to trust in the use of electricity, without worrying about buildings burning down and people getting electrocuted as they did in the early days of electricity, now as we look at electricity in the form of data and data that's being exchanged on networks, much like electricity is transmitted and propagated for power, using those same kinds of trust-building techniques through standards, through certifications, through trust models that involve compliance and so forth, it seems that there should come a day that, much like when we plug an appliance into the wall, we don't get overly concerned or observe it for a while to see if the wall catches on fire or the appliance catches on fire or we don't worry about touching it because we're concerned about getting an electric shock.
Anura Fernando: [00:21:45] I'm really hoping that as we continue to evolve this baseline of cybersecurity hygiene and raise the bar and raise the bar, working with stakeholders all across the industry, like security researchers, like manufacturers, like regulators, that the continual evolution of that bar of cybersecurity hygiene will allow us to eventually trust our connections of devices and our exchange of data the same way that we do on the use of electricity for power. It's important to understand that in health care - and maybe more so in health care than in some other sectors - cybersecurity is a shared responsibility. And so there are a lot of stakeholders that have a role in this, ranging from manufacturers of products to the vendors of components that go into those products to the system integrators who put those products together in health care environments to the people who provide health care in hospitals and other settings.
Anura Fernando: [00:22:47] And so sharing information in a very, very proactive way and engaging across that whole value chain is really an important aspect of being able to continuously evolve that baseline of cybersecurity hygiene, as we talked about. And so raising awareness, using tools coming out of efforts of various groups - for example, I'm involved in the Healthcare Sector Coordinating Council; they're putting out some great documents, like The Joint Security Plan, that helps even manufacturers, for example, who aren't very familiar with cybersecurity yet, to understand how to adopt practices into their organization and build and scale those practices over time. These are all important tools that are integral and necessary to the growth of that whole value chain in achieving and then evolving a baseline of cybersecurity hygiene.
Dave Bittner: [00:23:44] That's Anura Fernando. He's chief innovation architect for medical systems interoperability and security at UL, Underwriters Laboratories.
Dave Bittner: [00:23:57] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIt, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:24:09] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.