Supply chain hacking campaign looks like espionage. Airstrikes versus hackers. FTC versus Facebook. Notes from the Global Cyber Innovation Summit. What’s up with MegaCortex.
Dave Bittner: [00:00:04] Tracking a group that's after the software supply chain. Israel adds airstrikes to the array of responses it's prepared to make to hackers. The U.S. Federal Trade Commission still doesn't know how you solve a problem like Mark. Some more notes from last week's Global Cyber Innovation Summit. Sophos has more details on MegaCortex, a new strain of ransomware. And criminal organizations organize and operate a lot like legitimate businesses.
Dave Bittner: [00:00:37] It's time to take a moment to tell you about our sponsor, Recorded Future. You've probably heard of Recorded Future, the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day, you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today, and stay ahead of cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:38] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 6, 2019.
Dave Bittner: [00:01:46] Researchers at a number of firms - including Kaspersky, ESET, Avast, CrowdStrike, and Alphabet’s Chronicle security unit - are tracking an increasingly aggressive and capable Chinese gang that's been hitting software supply chains. It's a bit unclear whether it's actually a gang or a unit controlled by Chinese intelligence and security organs. Variously called Barium, ShadowHammer, ShadowPad or Wicked Panda, the group has over the last few months afflicted Piriform’s backup tool CCleaner - apparently en route to its ultimate target, computer manufacturer Asus, NetSarang’s enterprise remote management tool and various online games.
Dave Bittner: [00:02:27] The goal appears to be espionage, and so speculation about attribution is trending toward a state actor, especially as evidence of interest in credential theft seems a Johnny-come-lately, and perhaps a bit of 11th hour misdirection. But focusing on the software supply chain in this way is troubling. And security researchers are pointing out that NotPetya started as a supply chain attack, too.
Dave Bittner: [00:02:51] The Jerusalem Post says a joint Shin Bet-IDF operation prevented a Hamas cyberattack with an air attack on the Gaza headquarters of Hamas' cyber operations. Forbes calls it a significant first - kinetic retaliation for a cyberattack, or perhaps kinetic pre-emption of an imminent cyberattack. The nature of the prospective cyberattack isn't clear. In the past, Hamas has shown mid-grade capability - some defacement and denial of service - and somewhat more sophisticated social engineering aimed at gaining access to information that could be developed into intelligence.
Dave Bittner: [00:03:26] An IDF spokesman is quoted in The Times of Israel to the effect, that, quote, "Hamas no longer has cyber capabilities after our strike," end quote. Shin Bet is said to have in some fashion neutralized the Hamas cyber capability, after which IDF aircraft destroyed the building that housed the operations. But the operational reality is both more complex and more conventional.
Dave Bittner: [00:03:50] Israel and the Palestinian Sunni-Islamist militia have been engaged in active combat for the better part of a week, with Hamas firing an estimated 600 rockets into Israel, and Israel responding with hundreds of airstrikes. It would probably be more accurate to regard Hamas cyber headquarters as one target in a larger air campaign and the combat itself as another round in a war that's long had a cyber dimension. Cyber units will appear on target lists as other electronic warfare units have for decades.
Dave Bittner: [00:04:23] So to see the airstrike as exclusively a response to a cyber threat is a stretch. It was one strike in an extensive campaign. Nor is it the first, as ZDNet hints, at least not internationally. The U.S. killed ISIS hackers with a drone strike in 2015, as Defense Systems observed in contemporary accounts of American action against the caliphate.
Dave Bittner: [00:04:46] The U.S. Federal Trade Commission's enforcement action against Facebook remains up in the air. It's likely to be severe. But The New York Times reports that the form such severity will take, especially the nature of the penalties - if any - to be directed against CEO Zuckerberg himself, are believed to remain the subject of partisan disagreement within the commission. There is bipartisan skepticism of big tech, but disagreement over details.
Dave Bittner: [00:05:13] Late last week, an anonymous electric utility filed an electric disturbance report to the Department of Energy, indicating that some sort of cyber event had taken place. Blake Sobczak is a reporter at E&E news. And he's been leading the coverage of the story.
Blake Sobczak: [00:05:28] It's still a little bit hazy because we don't actually know the utility who initially filed this form. Obviously, that information is available to the Department of Energy and to other federal officials. But what DOE did share - what the Department of Energy did share - was that a denial of service condition was involved.
Blake Sobczak: [00:05:46] And in fact, they also mentioned that it was not only any denial of service, but a denial of service that exploited a particular vulnerability. And they said that there was a patch already available for this vulnerability, and so the utility in question was able to apply that patch and get back up on its feet fairly quickly. They also were very careful to say that no power outages were involved. No actual disruption to power generation happened as a result of this cyber incident.
Dave Bittner: [00:06:17] So things functioned the way that they were supposed to in case of an event like this, I suppose.
Blake Sobczak: [00:06:23] That's right. And the best that I was kind of able to glean in terms of details surrounding this was that a particular type of Cisco Adaptive Security Appliance product was involved. Now, Cisco declined comment on this. They said that they weren't aware of any reports. But of course, they're incredibly widely used, both network security devices and just routers.
Blake Sobczak: [00:06:46] So my understanding is that there was some sort of denial-of-service condition instigated in these devices, likely positioned at the edge of some transmission network based on the geographic footprint that we know. And this would have triggered the filing with DOE. It would have been enough, basically, to - for the utility to say, oh, we're having trouble accessing these devices or peering into our own networks. So we're going to have to, you know, tip off regulators that's something's wrong here.
Blake Sobczak: [00:07:15] And when they did actually dig in, they discovered that some remote hacker or hackers had, you know, again, exploited this vulnerability, triggered, essentially, an equipment outage. But again, no actual blackouts associated with that. It sounds like the transmission grid and the power grid in that entire region was up and running when this happened on March 5. And there were no service interruptions.
Dave Bittner: [00:07:40] Can you take us through how the Department of Energy categorizes things as a cyberattack, some of the nuances there? I understand there's a wide range of things that could fall into that category. Is that accurate?
Blake Sobczak: [00:07:52] That's correct. And this was - part of the tricky nature of this story was, at least at first, there was a lot of fog of war around, OK, was this really a malicious hacking episode, or was this something perhaps more benign or even a mistake in filing, which happens from time to time? And, you know, the utility says something and then later discovers, well, actually, maybe that wasn't a cyber event. And there's no requirement that a cyber event actually be malicious in nature or that it even has to come from remote hackers.
Blake Sobczak: [00:08:20] So for instance, the first time that I actually noticed a utility file one of these and classify it as an actual cyber event, what ended up happening - this was something that affected consumer's energy in Michigan in the beginning of 2018. And it was an employee who had been undergoing training and inadvertently got some escalated privileges on that particular training system and basically triggered a blackout for about 15,000 people. And that was classified as a cyber event because it had this element of unauthorized access. The employee wasn't supposed to get to that system. And it, you know, had a real actual grid disruption tied to it.
Dave Bittner: [00:08:58] Where do you expect this to go from here? How will - do you expect more information to trickle out? Will there be clarity over the next days, weeks, months?
Blake Sobczak: [00:09:07] I do expect more information to come forward at some point. I filed for a Freedom of Information Act request as soon as I saw the cyber event listed. And sometimes the Department of Energy does opt to redact some portions of these OE-417 filings because they consider it to be sensitive, critical electric infrastructure information that shouldn't get out to the public. And I understand that.
Blake Sobczak: [00:09:31] You know, the utility here is certainly concerned that maybe if the general public knew that this particular vulnerability was able to be exploited somewhat recently, that that could invite future hackers or future interest from hackers. And so, you know, I definitely sympathize with the position of the federal government and certainly the utility industry that maybe it's best to keep a tight lid on some of the information surrounding these events.
Blake Sobczak: [00:09:55] But on the other hand, I do think that with some of the lack of clarity surrounding, you know, precisely what happened and how such a wide geographic array of networks were apparently impacted, I do think that certainly the public deserves to know a little bit more about exactly what played out here. Certainly the North American Liability Corporation, as the main grid monitor and enforcer of cyber security rules, I have to imagine that they're going to be taking a very close look at this.
Blake Sobczak: [00:10:22] And in fact, the Department of Energy disclosure that this utility in question didn't patch this vulnerability that was available for apparently quite a long time, that's the sort of thing that could invite regulatory scrutiny from the North American Electric Reliability Corporation. So I expect perhaps we haven't heard the last from them. And, you know, it wouldn't be hard to imagine regulators there pursuing some sort of fine or enforcement action against this utility if they - if it did emerge that, you know, this vulnerability in some presumably pretty critical grid software just went unpatched for a long time.
Dave Bittner: [00:10:59] That's Blake Sobczak. He's a reporter at E&E News.
Dave Bittner: [00:11:04] We'll continue to share some notes and observations on the Global Cyber Innovation Summit held last Wednesday and Thursday in Baltimore. The symposium offered an overview of current and emerging threats, and of the technology trends that both expose enterprises to such threats and offer the prospect of enhanced defenses.
Dave Bittner: [00:11:23] Estonia's ambassador-at-large for cybersecurity, Heli Tiirmaa-Klaar, shared her country's experience as not only one of the most thoroughly digitized societies in the world, but as the victim of what's come to be generally regarded as the first cyber war, Russia's 2007 attacks against the networks of the Baltic republic. She characterized it as the, quote, "first politically motivated cyber campaign in history," end quote, and drew the lesson that good public-private partnership and solid expertise can work to build a society resilient enough to withstand even attacks by a highly capable cyber power.
Dave Bittner: [00:12:00] Not all threats are the proximate work of a nation-state. During a panel discussion on the conference's first day, Carbon Black's Mike Viscuso emphasized the sheer size of the criminal underground at work in cyberspace. The underground cyber economy is now larger, he emphasized, than the illicit drug trade. In fact, it's now a better-than-trillion-dollar industry. He thinks that as defenses get better - and they have been getting better - the criminals will cease playing the long game because the long game will no longer pay off. They'll increasingly turn to smash-and-grab attacks. He compared the criminals to a caged lion. They're confined and increasingly hungry, and they won't be patient. The CyberWire will have further coverage of the summit later this week.
Dave Bittner: [00:12:45] Security firm Sophos has released a report on MegaCortex, a new strain of ransomware it found last week. It doesn't appear to be spread by spam, but Sophos thinks it may well be spread by Trojans that themself arrive by email. So the usual caution about emails and backups are in order. So far, it's not known whether the hoods are honoring ransom payments. Sophos says customers in the United States, Italy, Canada, France, the Netherlands, and Ireland have reported incidents.
Dave Bittner: [00:13:15] The criminals have the brass to suggest that they'll throw in some security consultation if the victims pay the ransom. As they put it, quote, "the software's price will include a guarantee that your company will never be inconvenienced by us. You will also receive a consultation on how to improve your company's cybersecurity." This sweetening of the pot to deliver best-value to the victim is another sorry instance of criminal enterprise aping legitimate ones.
Dave Bittner: [00:13:42] As researchers at IBM point out, they compete for talent. They sometimes cooperate with one another, since almost any business will need a subcontractor at some point. They have CEOs. Those CEOs hire program managers. They have goals. And they work regular hours, taking weekends off. That last point makes them sound more like large stable firms than like scrappy startups.
Dave Bittner: [00:14:05] Any who, to return to MegaCortex, researchers seeking to explain the ransom note point out that it's likely an homage to the name of the corporation Neo worked for in the film "The Matrix." Sophos suggests the ransom note reads like something voiced by Morpheus, to which we say, what if I told you everything you've securely backed up can be restored?
Dave Bittner: [00:14:33] And now a few words from our sponsor KnowBe4. Everyone knows that multi-factor authentication, or MFA, is more secure than a simple log-in name and password. But too many people think that MFA is a perfect, un-hackable solution. It isn't. Learn from Roger Grimes, KnowBe4's data-driven defense evangelist in an on-demand webinar, where he'll explore 12 ways hackers can and do get around your favorite MFA solution. The webinar includes a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick and real-life successful examples of every attack type. It will end by telling you how to better defend your MFA solution so that you get maximum benefit and security. Go to knowbe4.com/mfa to watch the webinar. That's knowbe4.com/mfa. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:15:37] And joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, welcome back.
Joe Carrigan: [00:15:47] Hi, Dave.
Dave Bittner: [00:15:48] Interesting news came from Dell about some patches that they have sent out recently. Bring us up to date here. What's going on?
Joe Carrigan: [00:15:56] So Dell has a product that they install on almost all their machines called the SupportAssist client...
Dave Bittner: [00:16:01] OK.
Joe Carrigan: [00:16:02] ...Right? And you may see this frequently. It comes up and says, hi, I'm the SupportAssist client. Let me run a scan on your computer. Let me make it - and it is a legitimate product from Dell.
Dave Bittner: [00:16:10] Right.
Joe Carrigan: [00:16:11] But there is a young researcher - and by young, I mean this guy is 17-years-old. His name's Bill Demirkapi. And I hope I'm saying his last name correctly.
Dave Bittner: [00:16:21] Right.
Joe Carrigan: [00:16:21] I'm probably butchering it. But I'm just going to call him Bill from now on.
Dave Bittner: [00:16:24] OK.
Joe Carrigan: [00:16:25] But he found a remote code execution. Using social engineering, you can trick somebody into running code that they shouldn't run.
Dave Bittner: [00:16:32] Let's just back up. Just for a real basic explanation, what's remote code execution?
Joe Carrigan: [00:16:37] So basically, remote code execution means I can - as an attacker, can run whatever I want on your machine...
Dave Bittner: [00:16:42] From somewhere else.
Joe Carrigan: [00:16:43] ...From somewhere else. And it's a really bad vulnerability.
Dave Bittner: [00:16:46] Right.
Joe Carrigan: [00:16:47] Dell ships this product with the idea of helping their customers. And it probably does provide some real benefit to the customer. But we as customers of Dell, and even Dell themselves, have to realize that this increases your attack surface. All these pre-installed applications and bloatware that you get from these computer manufacturers increases the vulnerability surface of your computer when you get it out of the box.
Dave Bittner: [00:17:08] Yeah. This SupportAssist client, I mean, one of the things it was supposed to be keeping tabs on was security.
Joe Carrigan: [00:17:13] Correct. It was supposed to be keeping update on security, and it in itself is insecure. Well, it's software, right? So it can have vulnerabilities in it just as well. I want to talk about something with Bill. Bill is a sharp young man. He's going to Rochester Institute of Technology next year, which is a good school. And Bill has done a bang-up job here, all right? And he has done this exactly right. The first thing he did, he discovered this vulnerability back in October. He has a timeline on his web page, where he shares the write-up about the vulnerability.
Dave Bittner: [00:17:46] OK.
Joe Carrigan: [00:17:47] And it takes Dell about a month to confirm the vulnerability, right? Then it takes Dell about to the end of April to finally patch the vulnerability.
Dave Bittner: [00:17:57] OK.
Joe Carrigan: [00:17:58] And Bill did not discuss the vulnerability. He kept the vulnerability confidential until Dell had fixed it, which is great. So thank you, Bill, for your work. It's great.
Dave Bittner: [00:18:08] And we assume that he had had some back-and-forth with Dell...
Joe Carrigan: [00:18:11] Correct.
Dave Bittner: [00:18:12] ...About this.
Joe Carrigan: [00:18:13] I'm sure that that went on.
Dave Bittner: [00:18:14] Yeah.
Joe Carrigan: [00:18:15] I would like to say to Dell that five months is kind of a long time to let this vulnerability linger. The fact that Bill found it and notified you of it is great. And you guys were lucky that happened. But you don't know who else has found this vulnerability and not disclosed it to you. And that means that if - there's a good chance that somebody else out there had it. They had it for five months. They really didn't need to have it. I think this vulnerability should've been fixed a lot faster than five months.
Dave Bittner: [00:18:42] Yeah. Well, and I wonder, you know, what's going on behind the scenes. I wonder how - was there any way that Dell could establish how often this was being used, if at all, out in the wild, if there was any mechanism for that.
Joe Carrigan: [00:18:52] That's a good point.
Dave Bittner: [00:18:53] Yeah.
Joe Carrigan: [00:18:54] And another good point that counters my argument about this taking so long is that Dell has a pretty big configuration management issue with this product. They have to push it out and make sure it works on all the devices that they're going to deploy it to...
Dave Bittner: [00:19:09] Right.
Joe Carrigan: [00:19:10] ...Right? So there is a big issue. And all these devices are different. They have hundreds of model numbers. Some of these machines are years old. How do you know if your fix is going to, you know, make it so that these things don't work anymore? It's a difficult problem for Dell to have.
Dave Bittner: [00:19:22] Yeah.
Joe Carrigan: [00:19:23] So maybe I'm being harsh on Dell. I don't know. I still think five months is a long time, though.
Dave Bittner: [00:19:27] Yeah, yeah. Well, and so I guess the bottom line here is that if you are running a Dell system...
Joe Carrigan: [00:19:33] Right.
Dave Bittner: [00:19:34] ...Go in and check to see what version of this SupportAssist client you're running...
Joe Carrigan: [00:19:38] Right. Make sure you update that.
Dave Bittner: [00:19:39] Yeah, make sure you have the latest one.
Joe Carrigan: [00:19:41] Right.
Dave Bittner: [00:19:42] All right. Well, Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:19:44] My pleasure, Dave.
Dave Bittner: [00:19:49] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:01] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology and where you can always count on your friendly DataTribe neighbors, like BlueRidge AI, who are quick and skillful with a soldering iron when you're audio monitoring speakers go on the fritz and you've still got a show to get out. Thanks, guys.
Dave Bittner: [00:20:26] Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.