The CyberWire Daily Podcast 5.24.19
Ep 851 | 5.24.19

Stone Panda update. A new strain of Mirai. Bogus cryptocurrency apps are trending in Google Play. Mr. Assange is charged under the Espionage Act. Info ops. Law firms as phishbait.

Transcript

Dave Bittner: [00:00:03] Stone Panda is distributing the Quasar RAT. A new strain of Mirai is out. Bitcoin prices are up, and so is the incidence of malicious cryptocurrency apps in Google Play. The U.S. charges WikiLeaks' Julian Assange with 17 new counts under the Espionage Act. U.K. political parties are said to have poor security. Huawei's on a charm offensive. Russia points with sad alarm to NATO cyber deterrence policy. And bogus law firm emails prove effective phishbait.

Dave Bittner: [00:00:39] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Have login credentials been compromised? Are attackers hiding in encrypted traffic? Enterprise security teams face questions like these every day. But without complete visibility inside your network, your investigation could take hours or even weeks, and that's assuming you are able to detect potential threats in the first place. ExtraHop helps you rise above the noise of your complex attack surface with complete visibility, real-time threat detection powered by machine learning and guided investigations the SANS Institute calls fast and amazingly thorough. Learn more at extrahop.com/cyber, or be the blue team in the interactive demo. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.

Dave Bittner: [00:01:35] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 24, 2019.

Dave Bittner: [00:01:43] There was more news late this week on APT10, also known as Stone Panda. enSilo found the group to be unusually active in April. The samples the company inspected came from the Philippines, which is in keeping with the APT's long-standing interest in Southeast Asia. APT10 was distributing a version of the Quasar remote access Trojan modified to incorporate the SharpSploit password stealer. The recent campaign also made use of the PlugX machine scouting tool.

Dave Bittner: [00:02:14] Trend Micro has discovered a new variant of Mirai, Backdoor.Linux.MIRAI.VWIPT, circulating in the wild. The IoT botnet's new variant repurposes 13 exploits, involving everything from remote code execution to authentication bypass. The assemblage seems opportunistic, but it's no less risky for all that. Trend Micro's advice is both familiar and sound - patch and update vulnerable systems.

Dave Bittner: [00:02:45] There's a rise in malicious crypto apps, wallets and other items cropping up in Google Play. ESET notices that this increase is significantly correlated with bitcoin price spikes, so criminals continue to do what they always do - follow the money.

Dave Bittner: [00:03:00] The U.S. yesterday charged WikiLeaks founder Julian Assange with Espionage Act violations related to activities in 2009 and 2010. The indictment supersedes the one filed last month. Mr. Assange is currently serving a 50-week sentence in a British prison. Both the U.S. and Sweden are seeking his extradition. The latest charges arouse concerns about press freedom - in WIRED, for example. But the Justice Department counters that what WikiLeaks was up to had nothing to do with journalism. For what it's worth, Amnesty International has said that it does not regard Mr. Assange as a prisoner of conscience.

Dave Bittner: [00:03:40] The case will be interesting on many levels, but, of course, Mr. Assange will need to be extradited before any precedent-setting proceedings can begin. His tenure in Her Majesty's Prison Belmarsh won't be up until late this coming summer. And there's considerable sentiment in Parliament for sending him back to face justice in Sweden. Each of the U.S. charges under the Espionage Act carries a possible sentence of 10 years. If he were convicted on all the charges listed in the superseding indictment, and if they were imposed consecutively, he would face a sentence of 175 years.

Dave Bittner: [00:04:16] We heard about SecurityScorecard's study of political parties' cybersecurity earlier this week. Another study is out, and this one focused on the United Kingdom. A study from security firm Red Sift finds all 22 major British political parties have deplorable cybersecurity. The Liberal Democrats, Labour, the Scottish National Party, the Socialists and the Animal Welfare Party have all at least implemented DMARC, which puts them ahead of the Tories, UKIP and Brexiteers. But on the whole, it's not a pretty sight.

Dave Bittner: [00:04:48] Under increasing pressure as the U.S. blacklist extends its reach to international customers, Huawei takes its charm counteroffensive to Vice. Vice did a nice job with the underattended press junket - polite but palpably skeptical. The presentation is interesting if only because it illustrates the ways in which China continues to fumble with information operations. Imagine the slicker packaging a Russian operation would've wrapped around the messaging and you'll see the contrast.

Dave Bittner: [00:05:18] China has done much better with more traditional service tradecraft, like funding think tanks and sending students to universities in target countries, although the gaff has been blown on most of those approaches as well. But here again we see the paradox of information operations. Both China and the U.S. excel at selling things to mass markets, but they have trouble selling narratives more complicated and insinuating than the parable of the ring around the collar. China's marketing successes, you may object, are based on the fact that they sell affordable but reasonably reliable commodities, and that's true. But again, contrast Russia, whose only successful foray into consumer markets has been the Kalashnikov battle rifle. They don't make noodles or soft drinks for export, but Moscow can get people to lap up the bogus news stories.

Dave Bittner: [00:06:09] Speaking of Russian narratives, Moscow has taken note of NATO Secretary General Stoltenberg's London remarks, pointing out with somber alarm in Sputnik to the secretary general's obvious point that a response to a cyberattack need not itself be just another cyber counterattack. Anyone who's paid attention to NATO's strategic thinking for the past seven decades isn't surprised by the secretary general's remarks. Most retaliation, even proportionate retaliation, isn't retaliation in kind. There's no law of armed conflict that says you have to respond to an attack by an armored division with a counterattack by your own armored division. But Sputnik manages to insinuate that NATO would be inclined to shoot down an airliner, or even use a small nuclear weapon in response to a phishing incident.

Dave Bittner: [00:06:57] The use of language in the Sputnik article is worth remarking. The publication alludes to the incident, as they put it, in which two former Russian nationals, the Skripals, were poisoned in the U.K. Britain says the GRU did it, but Sputnik points out that Russia has refuted such accusations. Refuted isn't synonymous with denied, which, of course, is what Moscow actually did.

Dave Bittner: [00:07:22] And finally, emails that appear to carry threats of litigation are proving effective phishbait, KrebsOnSecurity reports. A phishing template that misrepresents its emails as coming from a law firm is being sold in dark web markets. You can pick your firm from among Pullman & Associates, Wiseman & Associates, Steinburg & Associates, Swartz & Associates or Quartermain & Associates. The text of the email template warns the recipient that they are being charged by the city and that if they don't reply in seven days, we will be forced to step forward with this action. The usage is predictably wayward. No law firm is likely to use the salutation, hi, for example. But it might be scary enough to spook the unwary and the naive to click. So just say, hi, right back at ya, and delete the message unclicked.

Dave Bittner: [00:08:16] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. According to a recent CA Technologies research report, 53% of organizations confirmed insider attacks within the last 12 months. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to track a combination of user and data activity. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT free - no installation required - at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:09:28] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. Joe, it's great to have you back.

Joe Carrigan: [00:09:37] It's good to be back, Dave.

Dave Bittner: [00:09:38] We are going to cover a recent posting from the Google security blog. This is new research - how effective is basic account hygiene at preventing hijacking?

Joe Carrigan: [00:09:48] Right.

Dave Bittner: [00:09:48] This is right up our alley.

Joe Carrigan: [00:09:49] It is.

Dave Bittner: [00:09:49] The kind of thing we would talk about over on "Hacking Humans."

Joe Carrigan: [00:09:52] It's one of my favorite things to talk about, too.

Dave Bittner: [00:09:53] Yeah (laughter). There's a lot of interesting data in this report.

Joe Carrigan: [00:09:57] There is. And it's a very...

Dave Bittner: [00:09:58] Take us through it.

Joe Carrigan: [00:09:59] ...Concise report as well. So it's a quick read, and it's very good. But they talk about different kinds of protective processes you can do for multifactor authentication and for secondary knowledge-based challenges.

Dave Bittner: [00:10:11] OK.

Joe Carrigan: [00:10:12] They talk about six specifics here. One is an on-device prompt, right? This is where you have a phone, and it says, did you just log in to your Google account? And you say, yes, it was me - no, it wasn't.

Dave Bittner: [00:10:23] Right, OK.

Joe Carrigan: [00:10:24] Another one is an SMS code.

Dave Bittner: [00:10:25] Text message.

Joe Carrigan: [00:10:26] A text message code.

Dave Bittner: [00:10:27] Yup, yup.

Joe Carrigan: [00:10:28] A security key, like a YubiKey or the Google Titan.

Dave Bittner: [00:10:31] Right.

Joe Carrigan: [00:10:31] Using a secondary email address and a phone number.

Dave Bittner: [00:10:35] Yeah.

Joe Carrigan: [00:10:35] That's another one, like having access to a phone number. And finally, the last sign-in location - knowing your last - the location of your last sign-in.

Dave Bittner: [00:10:42] Oh, OK. Yup, yup.

Joe Carrigan: [00:10:44] What's remarkable is that all of these, with the exception of your secondary email address, are 100% effective in this study at stopping automated attacks. But what I also think is interesting is that SMS codes, which I frequently describe as the least secure form of two-factor authentication - because it can be socially engineered, right? You can be talked into giving up the code. And it can also be hacked by somebody cloning your SIM card.

Dave Bittner: [00:11:10] Right.

Joe Carrigan: [00:11:11] That will stop 100% of the automated attacks as well.

Dave Bittner: [00:11:15] Right, OK.

Joe Carrigan: [00:11:15] So a bot is running through these username and password pairs. It sees, enter the code we just sent you by the SMS. It is just going to skip to the next - stop the attack and go on to the next one in the list.

Dave Bittner: [00:11:25] Yeah.

Joe Carrigan: [00:11:25] It's not going to make an effort because that actually requires some human effort to get in there.

Dave Bittner: [00:11:29] Right.

Joe Carrigan: [00:11:30] It is 96% effective in bulk phishing attacks, right? So 96% of the time, it stops a bulk phishing attack. But a targeted attack, where somebody is trying to actively work with you, it still has a remarkably high success rate of 76% of the time it prevents you from having your account taken over.

Dave Bittner: [00:11:50] So how do these numbers compare to the percentages if someone doesn't have these sorts of things enabled?

Joe Carrigan: [00:11:57] Right. So if you don't have, like, a phone configured...

Dave Bittner: [00:12:00] Yeah.

Joe Carrigan: [00:12:00] ...With either the on-device prompt or an SMS code or a security key, then they fall back to other knowledge-based systems. We've already talked about how the secondary email address is the one - the only one that falls victim to the automated attacks.

Dave Bittner: [00:12:11] Right.

Joe Carrigan: [00:12:12] But a - just a simple phone number can be as effective as 25%, right? So 25% of the time, you're protected by it. So 75% of the time, somebody gets in. And with your last sign-in location, that knowledge base falls down to a 10% protection level. So 90% of the time, the attackers are successful.

Dave Bittner: [00:12:31] Yeah.

Joe Carrigan: [00:12:32] Probably because they know where you signed in last from just by guessing - by knowing where you're located.

Dave Bittner: [00:12:36] So there really is - I'm surprised at the gap here that...

Joe Carrigan: [00:12:40] Right.

Dave Bittner: [00:12:42] ...Maybe I shouldn't be, but the gap here that if you have these things enabled, it's a big difference between having them and not...

Joe Carrigan: [00:12:49] Right.

Dave Bittner: [00:12:49] ...According to what Google's tracked here. Now, what about having a physical security key?

Joe Carrigan: [00:12:53] Now, that stops 100% of all these attacks. In their study, nobody with a physical security key lost control of their account.

Dave Bittner: [00:12:59] Not even people targeted with, like, spear-phishing?

Joe Carrigan: [00:13:02] Right.

Dave Bittner: [00:13:02] But I guess the point here is that if you're someone who feels as though you could be targeted - or for the things that you care most about...

Joe Carrigan: [00:13:12] Right.

Dave Bittner: [00:13:12] ...Your financial things, you know, stuff like that...

Joe Carrigan: [00:13:14] Yep.

Dave Bittner: [00:13:15] Boy, a security key is the way to go.

Joe Carrigan: [00:13:16] A security key is the way to go. I use one. It's called a YubiKey. And Google supports it, so I have it as the sign-in on my accounts. And it will ask me for the key, and I have to have the physical key. You know, that's a minor inconvenience, but it keeps my account secure.

Dave Bittner: [00:13:30] Yeah. All right. Well, it's an interesting report. I highly recommend it. Again, it's called "How Effective Is Basic Account Hygiene At Preventing Hijacking?" And that's over on the Google security blog. Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:13:42] My pleasure, Dave.

Dave Bittner: [00:13:48] Now it's time for a few words from our sponsor, BlackBerry Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what BlackBerry Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes, but you know what? The bad guys know all about it too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show.

Dave Bittner: [00:14:54] My guest today is Nate Lesser. He's CEO at Cypient Black, a company that's looking to improve the protection of high-value targets, their families and their personal digital lives. The challenge begins, according to Nate Lesser, with the fact that convenience often trumps security when it comes to segregating our personal and professional digital ecosystems - something he refers to as entangled enterprise risk.

Nate Lesser: [00:15:20] We think of entanglement as this notion that comes really from the concept of quantum entanglement, this idea of spooky action at a distance - the idea that an attacker's action on one domain in one place can have an impact somewhere else, in some cases even without the direct technical connection between those two spaces. So the example that we focus on is an attacker's compromise of the digital personal life of a high-value target can have an impact on the company that target works for, whether or not that attack then pivots to try and technically compromise the company or even just through the notion of - we think of entanglement as the idea that the compromise of that individual might affect the risk posture or the business operations of a company because of a reputational risk or the loss of sales or impact to other employees.

Dave Bittner: [00:16:23] So what are some of the specific risks here in terms of having separate parts of your business life entangled this way?

Nate Lesser: [00:16:31] I think it's important to recognize that this entanglement exists whether or not we kind of recognize it. And it's often not a technical entanglement. So as I mentioned before, we think of this risk and we kind of classify the entanglement risk in two ways. We refer to them as pivot attacks, which is what you would naturally expect, right? Somebody compromises my personal cellphone. Perhaps I also do - it's owned by me and managed by me, but maybe I also have my work email on it, and that's not well-segregated, so they're able to compromise something about my professional environment. And we think of that as a pivot attack.

Nate Lesser: [00:17:10] Or maybe they compromise my Apple Watch or, you know, any kind of smartwatch. And when I go into the office, I've hooked that smartwatch up to our corporate Wi-Fi, which maybe my company allows. And then they can use it to pivot as, you know, an IoT device that's now on the corporate network. They can use that device to try and pivot into the enterprise network. So we think of that type of entanglement as pivot attacks, and when we refer to that, we're often thinking of things that the enterprise security team has some awareness of or the ability to understand and know, the ability to enumerate those attack vectors and points of ingress and, really, the ability to do something about.

Nate Lesser: [00:17:57] The other type of entanglement, which we talk about as endgame attacks - when an attacker exploits the second type of entanglement, it's usually the compromise of the personal digital life of the executive or high-value target or even just an employee at a company is the endgame in and of itself, and there is no pivot into the enterprise. And when we think of those types of attacks, unfortunately, the thing that characterizes them the most is that the enterprise security team has no awareness, no purview, no mandate to do anything about those types of attacks. And that's where we've really left our executives, high-value targets and all of our employees out in the cold.

Dave Bittner: [00:18:42] Can you walk me through a specific example of that second possibility?

Nate Lesser: [00:18:48] Sure. So an endgame attack might look like - and this is a real-world example from a forensic investigation - a CEO of a major auto manufacturer was in the midst of a really nasty labor dispute and in the midst of sensitive negotiations to resolve that labor dispute when his daughter went out on a lunch date. And protesters showed up at that lunch date. Somebody decided to check her phone for malicious tracking software and discovered some.

Nate Lesser: [00:19:21] So this is now - and unsurprisingly, because the protesters were protesting, her activity at this lunch was really about the labor dispute. Unsurprisingly, the CEO of this company was dismayed, and it derailed their negotiations, costing the company quite a lot of money. So we're now looking at, from a technical perspective, three steps removed. It wasn't the company that was compromised. It wasn't the CEO. It was his daughter's phone. And yet, it cost the company - I think the number was millions of dollars.

Dave Bittner: [00:19:57] Well, how do you come at that? When you have something that far removed - and I think it's reasonable to expect people would be sharing things like home Wi-Fis and so forth - where do you begin?

Nate Lesser: [00:20:10] Well, I think that's exactly the right question, and I like that you caveated it in that way, right? So when we think about it, you already started to put in place the notion that it's not like we can just take the set of security capabilities we have in the enterprise and apply them to our personal lives. They would break everything.

Nate Lesser: [00:20:27] So how do we start to put in place security protections that really provide holistic coverage for individuals' digital personal life while simultaneously allowing our - we think of them as our protectees, the constituents that we're trying to serve - to interact with their digital lives in the ways that they want to? We have some answers to that question, but I don't think we have the only answers. But we do think it begins with enterprises recognizing this risk and then being willing to pay for protection for their - at least their executives and other high-value targets.

Nate Lesser: [00:21:09] So for big companies - those that are spending hundreds of millions of dollars a year on their cybersecurity team - they've got all the expertise and all the capability in place that you could possibly want and imagine, and yet, they're not providing these kind of protections to their C-suite, to their board of directors. And usually, it's because their chief counsel will tell you, I don't want someone's home network logs to be inside the enterprise and be discoverable. We can't possibly have those show up in some SEC filing because we accidentally or intentionally released them because we had to. We need to have a bright line between people's personal lives and the company.

Nate Lesser: [00:21:52] And so we believe that the answer to this - the long-term answer, the real solution - is to have companies provide cybersecurity for their executives and other high-value targets as a benefit and to pay for it but to have it provided - just like your health care - by a third party. And the same way your doctor doesn't call up the company to tell them you're sick, your cybersecurity provider for your personal life wouldn't have any technical connection back into the enterprise - would not provide logs or incident information back to the company and therefore preserve the privacy of the individuals that that company protects.

Dave Bittner: [00:22:33] When that bridge has to be crossed, if something happens in the executive's personal life - you know, a family member clicks on something they shouldn't - what's the chain to alert the business that we may have an issue here?

Nate Lesser: [00:22:48] Right. So it's a great question. You know, the answer - and we've struggled with this quite a bit, and I wouldn't - I don't think we have the only answer.

Dave Bittner: [00:22:56] Yeah.

Nate Lesser: [00:22:56] The answer we give is that there is no connection there. If the executive wants to report back to their company, that's their business. But the same way that your doctor is not going to call you - your CEO might have a terminal illness. Nobody's calling the company to tell them.

Dave Bittner: [00:23:15] Yeah. I mean, it's interesting. Again, to sort of strain the metaphor - but I'm imagining, you know, the CEO at the end of the day, you know, walking into the boardroom and taking the "Mona Lisa" off the wall, putting it in the front seat of his car, driving home and then hanging it on the wall above his fireplace and doing that every single day, you know, back and forth between home and the office. Right? He's got this incredibly valuable thing, but like you say, at the museum, it's properly protected, but at home, not necessarily so much.

Nate Lesser: [00:23:49] That's exactly right. And so let's talk about what that - going back to the notion of entanglement, what is the "Mona Lisa?" Well, it's not just a device that the enterprise has already locked down and protected. The enterprise is doing a pretty good job of that. It's the information in the CEO's head. It's the CEO's reputation itself. It's the safety of your CEO's children. It's your CEO's travel patterns - things that don't just exist within the confines of enterprise assets.

Dave Bittner: [00:24:24] That's Nate Lesser. He is CEO at Cypient Black.

Dave Bittner: [00:24:33] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:24:45] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.