The CyberWire Daily Podcast 5.31.19
Ep 855 | 5.31.19

HiddenWasp swarms out from under the Winnti Umbrella. Sino-American wrangling over Huawei. Baltimore maybe should have known better. A coming IoT hacking campaign?

Transcript

Dave Bittner: [00:00:03] HiddenWasp backdoors Linux systems and aims at more than the usual coin mining or DDoS. Thousands of Huawei and ZTE devices remain in U.S. federal networks. It takes time to fully implement a ban. China considers retaliation for the U.S. Entity List as the U.S. works to bring its allies on board. Baltimore may have been warned about its vulnerable servers as long as five years ago. NSA celebrates 20 years of their Centers of Academic Excellence in Cybersecurity. And NetScout sees signs of a coming IoT hacking campaign.

Dave Bittner: [00:00:43] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Have login credentials been compromised? Are attackers hiding in encrypted traffic? Enterprise security teams face questions like these every day. But without complete visibility inside your network, your investigation could take hours or even weeks, and that's assuming you are able to detect potential threats in the first place. ExtraHop helps you rise above the noise of your complex attack surface with complete visibility, real-time threat detection powered by machine learning and guided investigations the SANS Institute calls fast and amazingly thorough. Learn more at extrahop.com/cyber, or be the blue team in the interactive demo. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.

Dave Bittner: [00:01:39] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 31, 2019.

Dave Bittner: [00:01:47] Security firm Intezer described Wednesday the operations of HiddenWasp, a campaign that installs a backdoor into Linux systems. Most Linux-focused malware has tended to concentrate on coin mining or distributed denial-of-service. And it's also tended to be, relatively speaking, observers say, heavy-footed and noisy. HiddenWasp, in contrast, is not only relatively stealthy but also has, as its aim, the control of infected devices by the attacker. And many who've commented on the backdoor see this as a new and disturbing development.

Dave Bittner: [00:02:22] HiddenWasp borrows freely. Components of Mirai, the ChinZ Elkinot implant, the Azazel rootkit, and the Linux version of Winnti have all been seen in its code. Attribution remains unclear, but some think it looks like an operation with Chinese origins, either with criminal organizations or intelligence services. AT&T Cybersecurity's Alien Labs, for one, tells SC Magazine that they've concluded with high confidence that HiddenWasp falls under the Winnti Umbrella, a set of groups associated with China.

Dave Bittner: [00:02:56] Intezer says that HiddenWasp's infrastructure bears some similarities to some of the recent Winnti Linux variants researchers at Alphabet's security unit Chronicle have been discussing. It's got a user mode rootkit, a Trojan and initial deployment script that bear a family resemblance to those Winnti strains. Intezer also sees other signs of connection to China. They say that files were uploaded to VirusTotal using a path that contains the name of a China-based forensics outfit, Shen Zhou Want Yun Information Technology. The malware implants, Intezer thinks, may be hosted in servers from a Hong Kong hosting company, ThinkDream. It's worth noting that HiddenWasp seems to have escaped detection by most antivirus software. This will doubtless change as the defenders adapt to the new malware.

Dave Bittner: [00:03:46] Forescout tells Nextgov that some 4,000 Huawei and ZTE devices remain on U.S. federal networks. The security company reasonably notes that purging networks of all the devices in a given category is often harder than just issuing a simple make-it-so. You can't just rip them out, a representative of the firm said. TechCrunch reports that Huawei is, on an interim basis at least, trying to limit the damage of U.S. measures by limiting contact between its U.S. and Chinese workers. This response to placement on the U.S. Entity List seems to be a bit of a scramble as the company works its way through the consequences of U.S. action.

Dave Bittner: [00:04:26] The Chinese government itself has announced that it's compiling an evidently retaliatory blacklist of what it calls unreliable U.S. companies. It's already indicated an intention to stop using Windows on the grounds that, for all Beijing knows, Windows could be exploited by the U.S. for espionage purposes. China is also considering a halt to exports of rare earth metals, which are vital to the solid-state electronics industry.

Dave Bittner: [00:04:54] The U.S., however, shows few signs of relaxing the pressure on Huawei. President Trump is widely expected to make British action of some kind against the Chinese device manufacturer, a condition of the continuing and very close Anglo American intelligence sharing arrangements. It's unlikely in the extreme that Five Eyes collaboration would be completely dismantled, but an impasse over Huawei would have unfortunate effects on the special relationship.

Dave Bittner: [00:05:22] Turning to what is for us local news, Baltimore's IT office seems to have played Cassandra to the city's King Priam and Queen Hecuba. It warned in an undated risk assessment memorandum that seems on internal evidence to have been prepared between August 2016 and September 2017 that servers running unsupported versions of Windows posed a clear risk. The memo, according to The Baltimore Sun, specifically called out the likelihood of ransomware attacks and observed that the two critical servers in question were also not being regularly backed up. So there appears to have been a trifecta of questionable decisions - continuing to use outdated software, failure to patch when that software was given an upgrade and neglecting to backup critical systems. And like Cassandra, the authors of the risk assessment were fated to be disbelieved, or at least ignored.

Dave Bittner: [00:06:15] Baltimore's mayor and city council have sought, with some support from parts of Maryland's congressional delegation - notably Representative Ruppersberger and Senator Van Hollen - to shift blame for the mess over to the federal government. Specifically, they've pointed the fingers at Charm City's hometown intelligence agency, NSA. But this line of self-exculpation may not have legs for much longer. The RobinHood ransomware, first of all, wasn't an NSA tool, whatever casual reporting may have led one to believe. The initial infection was probably through a commonplace phishing attack, nothing that required the dark arts of Fort Meade. But the ransomware did appear to exploit the EternalBlue vulnerability that NSA is widely believed to have discovered and then held back for operational use.

Dave Bittner: [00:07:03] Still, the ShadowBrokers blew the gaff in 2017 when they dumped EternalBlue onto the web, and warnings and patches have been available for a good two years. Nextgov reports that NSA's Rob Joyce said yesterday that while everyone feels bad for Baltimore, the city did, after all, have two years in which to patch. Chris Tonjes, a former Baltimore City CIO who resigned in 2014, said he tried to get the city to upgrade the servers back then but without success. He put it more brutally than NSA did. He told The Baltimore Sun, they rolled the dice, and they lost; I really have no sympathy.

Dave Bittner: [00:07:40] Researchers at security firm Netscout warned this morning that people should expect an upswing in IoT hacking campaigns. Since the end of April, their honeypots have been collecting a surge in exploit attempts directed against routers affected by a vulnerability in the Realtech software development kit. The vulnerability, CVE-2014-8361, is being used to deliver and install a version of the Hakai DDoS bot malware. Hakai is most often used in distributed denial-of-service campaigns. Who's conducting the campaign and why remains unclear, but it's known that most of the attack traffic originates in Egypt, and that it seems most interested in routers located in South Africa.

Dave Bittner: [00:08:23] The Long War Journal reports that ISIS, now in its diaspora phase, was quick to go online to claim responsibility for a suicide bombing in Afghanistan's Marshal Fahim National Defense University in Kabul. Inspiration and franchising appear to be the Caliphate's post-territorial approach.

Dave Bittner: [00:08:46] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in; it's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. According to a recent CA Technologies research report, 53% of organizations confirmed insider attacks within the last 12 months. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to track a combination of user and data activity. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT free - no installation required - at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:09:59] And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, it's always great to have you back. We wanted to focus today on ransomware, some of the things that you all are tracking when it comes to that. What can you share with us?

Justin Harvey: [00:10:12] Well, Dave, what I can share with you is there's been a dramatic trend increase in targeted ransomware. Targeted ransomware is a lot different than your normal commodity ransomware. When you think about ransomware, you think about random emails showing up that have been blasted out to millions of people. Someone clicks a link and boom, their hard drive or their documents have all been encrypted with an automatically generated link that says click here, deposit a bitcoin into this wallet, and we'll email you the key.

Justin Harvey: [00:10:43] There has been a dramatic turn into something a little bit more nefarious. Now cyber criminals, instead of penetrating an organization and finding the high-value assets and taking them out of the enterprise, they're just simply encrypting them in place because they've realized that when you steal data, you have to monetize that. You run the risk of dealing with law enforcement. You've got to deal with the dark web and finding a buyer and registering in underground forums.

Justin Harvey: [00:11:10] Listen; from a criminal's perspective, I'm sure it's pretty onerous to go through all of those processes when in fact you can just go where the data is and encrypt it. Sometimes using the victim's own tools, you can encrypt the file, you can encrypt the disk. And then of course, you send an anonymous email back to the victim and say, hey, I need this many bitcoins in order to return the data to you. And what's worse is we're also seeing a startling trend where, in order to cover their tracks or to create quite more of an impact or impetus for the victim to pay, they're also compromising domain admin credentials and pushing the ransomware out to the entire enterprise using very valid and normally used tools that administrators are using to push normal software updates out.

Dave Bittner: [00:11:56] Now, help me understand this. I've heard folks say that if you find yourself falling victim to ransomware, one of the things you should do is make a copy of all that encrypted data so that, you know, if the bad guys come back and try to wipe that data or if you're attempt at decrypting it is unsuccessful, you'll - even though it's still encrypted, you'll have a copy of that encrypted data. Is that on the money?

Justin Harvey: [00:12:20] I think that that's a very valid strategy. But I think that that breaks down when you start to look at the scale at which some of these incidents are happening. We're talking about organizations that have 5-, 10-, 15-, 50,000 endpoints in an enterprise. And there's simply no way to copy all that data.

Dave Bittner: [00:12:39] I see.

Justin Harvey: [00:12:39] Clearly, if you have some high-value assets, like your customer database, credit card database, something that is more centralized, absolutely, 100%, copy that encrypted data. But I would say that, for the most part, you're not going to be able to handle an incident of that size just by copying that data.

Dave Bittner: [00:12:57] And what's the advice that you're sharing with your clients these days when it comes to whether or not to pay the ransom?

Justin Harvey: [00:13:03] Great question. I am - I'm a hard-liner, Dave. I say under no - actually, under one circumstance should an organization consider paying, and that would be if there is a material impact to loss of life or damage to the environment. For instance, is an entire oil refinery going to blow up and affect the quality of life for an environment or for a city? Or is it a hospital? Can they still give care to their patients? And if all of that is at risk, I think you should definitely consider it and consider working with your local law enforcement office before making that sort of decision.

Justin Harvey: [00:13:40] But if you do go down that route - and believe me, Dave, there's a lot of cons to paying these criminals, and one of them is thinking about the regulatory filing aspect to this because if you don't acknowledge it within your quarterly or yearly filings and if it was a sizable payment, then if it does come out, you could be nailed for not notifying shareholders. The other thing is you may not even know who you're paying. So if you are paying an entity, and it turns out that, later on, that was a sanctioned entity - perhaps a country or a terrorist organization - that will also have to come out in your filings, which could have a material impact in stockholder value.

Dave Bittner: [00:14:23] So keep those backups current, and make sure your tests - that they're actually working, right?

Justin Harvey: [00:14:28] Yeah. I can't say enough about both hot, warm and cold backup. So definitely keep some of your backups around in the cloud, on-prem. Keep them around so that you can quickly roll back. But in some cases, those backups themselves have also been encrypted. So what you're going to need is definitely some longer-term storage. There are some organizations out there, some businesses that store them in big, cooled warehouses for you. But a little trick here - make sure that you keep your manifest of backups out of harm's way because you don't want to be in a circumstance where you're like, well, we need to restore this server, but the manifest for which backups to pull from are on this encrypted file server over here.

Dave Bittner: [00:15:14] Right, right. Yeah.

Justin Harvey: [00:15:14] So you want to think through having an all-out disaster recovery scenario, which is a little bit different than having to restore a data center. Because most organizations today, they think, OK, I've got four data centers, and I have the cloud. So as long as I don't lose everything at once, I'm OK. I always have a hot spare. Well, in the event of some of these crippling cyberattacks we've been working, everything is down - voice-over IP, email, calendar, contacts, legal, file systems. So you have to think to yourself, how are you going to communicate and work that incident if everything that you normally rely upon is down?

Dave Bittner: [00:15:51] Well, Justin Harvey, thanks for joining us.

Justin Harvey: [00:15:54] Thank you, Dave.

Dave Bittner: [00:15:59] And now a few words from our sponsor, Dragos, the leaders in industrial cybersecurity technology. Did you know that one of the key findings from the Dragos 2018 ICS year in review was the compromise of several industrial control equipment manufacturers enabling potential supply chain threats and vendor-enabled access to ICS networks? Download the Dragos 2018 ICS year in review to learn more on what we know and how you can be better prepared at dragos.com/year-in-review. And if you're interested in industrial threat intelligence, you can sign up for a free 30-day trial of the Dragos threat intelligence product WorldView at dragos.com/worldview. And we thank Dragos for sponsoring our show.

Dave Bittner: [00:16:53] My guest today is Diane M. Janosek. She's commandant of the National Cryptologic School at the National Security Agency. She joined us recently in our studios to recognize 20 years of NSA Centers of Academic Excellence in Cybersecurity program. The program brings together colleges and universities, along with industry, to help bridge the cybersecurity skills gap, establish rigorous standards for academic programs in cybersecurity and to provide a pipeline for cybersecurity professionals. We started our conversation with a look back at the program's inception.

Diane M.: [00:17:27] At the time, there was more cyberattacks occurring, more with the military and the defense areas. And we were recognizing that the need to secure information networks was tremendous. And what the need was is, as you probably would guess, there was no textbooks back then. You really didn't even have academic professors. You wouldn't even have professors that could teach cybersecurity at the collegiate level, let alone at the high school level. So from going from nothing to a full on-ramp in terms of now having programs at the college level, at the community college level, through the Ph.D. level on cybersecurity has really been tremendous for the country.

Dave Bittner: [00:18:04] Take me through some of the ways that the program has evolved over the years. What changes have you seen?

Diane M.: [00:18:09] Well, we're recognizing now that we have to focus more on what's on the horizon. So we've now established a designation for CAE Dash research, so you can be a research institution. So that you can take a look at what technologies on the horizon, what innovation is occurring in the area of technology that we might have vulnerabilities that we're not thinking of? We all see what's going on with respect to Internet of Things and social media and all the vulnerabilities that may occur there with respect to all the connections that we have in everyday lives in everything that we do.

Diane M.: [00:18:40] So recognizing that, we are - we partnered with the schools. We now have rigorous standards in the area of research. We have standards now at the advanced levels with the master's, the Ph.D. level. So we're just trying to really say, what do we need to do as a country to come together and say what are our adversaries, whether they be foreign adversaries or even within our own country, what are adversaries doing to address and attack our networks? And what do we need to do to come together to respond to those?

Diane M.: [00:19:12] So we've really embraced the two-year programs for the community colleges. We've also really embraced older workers or more seasoned workers that want to cross-train. So if you're right now working maybe in the health care sector, but you also want to branch out a little bit and do maybe the - work on the cybersecurity side of health care, which is really important, you can now do that as well through the cross-training efforts that we have with these academic institutions, these 272 schools across the country.

Dave Bittner: [00:19:39] Yeah. One of the things that really impresses me about the program is the breadth of it. One of my partners on the CyberWire is - his name's Joe Carrigan, and he works at Johns Hopkins, and of course, you all partner with them. But then also here, locally, you work with Howard Community College. And so there really is opportunities from elite schools to institutions that are available to everyone and beyond.

Diane M.: [00:20:01] Thank you for raising that. We absolutely agree with you. It is for the best, really high-end institutions, as well as the local community colleges. What Howard County Community College is offering is tremendous, as well as Prince George's Community College, Anne Arundel Community College. They're so diverse. And what the good news about the program is is that once you join the CAE program, you belong to a community. They actually have an institution, a legal entity that they've created called the CAE Cybersecurity Community. They come together. They share resources. They'll share curriculum. They'll share cyber labs. They'll share training resources, so you don't have to recreate material from scratch. They share information. They share opportunities for students to then go from a two-year program to a four-year program to a master's program.

Diane M.: [00:20:48] The cybersecurity community is very, very innovative. What they recognize now is they had to come together to give students an opportunity at hands-on experience. They've created opportunities where there's partnerships with over 50 businesses, where they can recruit from virtual career fairs for these students. So the CAE is through the program over the course of 20 years. The CAE schools have come together, really leveraged each other, shared resources and really have made this country a better place.

Dave Bittner: [00:21:18] And so it really is reaching beyond those college-level institutions. You're going down to the high school level, the middle school level, really building that pipeline, getting them while they're young, sparking that interest in them.

Diane M.: [00:21:31] Absolutely. The CAE program, through its 20-year history, has created a sense of community. So not only do they have a community with the colleges and the, you know, federal government across all the different states, they've established a community right where they are, right in their local area.

Dave Bittner: [00:21:48] What can you tell us about what the colleges get out of it? Is this a feather in their cap that they can then go talk about and say, hey, we're a part of this?

Diane M.: [00:21:56] Absolutely. Our schools that are the - CAE certified, you will see that designation prominently on their websites. They absolutely say, we have met the standards that are being expected to us for rigorous curriculum. That will also show not just the curriculum is a high standard, but the professors, the faculty are also well-credentialed. They are skilled in the area that they're teaching. They're not just teaching someone they don't have familiarity with. So you know when you go to a CAE school that you will get faculty that understands the discipline for which they're teaching.

Diane M.: [00:22:28] In addition to that, they also have an opportunity to have scholarships for their students while they're attending the schools. The neat thing in the Department of Defense is that they're recognizing now that we need to have something akin to a cyber ROTC program. It's called the DoD Cyber Scholarship Program, and it's essentially - is recruiting high-schoolers to go to one of the CAE schools, attend one of the CAE schools on scholarship and then do a couple of years with the federal government in a particular area and serve back. And it really is - the cyber ROTC program is really the first of its kind, and that is definitely a feather in the cap for those institutions that are getting those students.

Diane M.: [00:23:06] So through the programs like the CAE program, what NSA is really committed to doing is increasing the pipeline of cybersecurity professionals. We are especially committed also to increasing the pipeline with more female and minority involvement. The diversity part of cybersecurity is so important. As we know now, and we're all experiencing this with cybersecurity, it's multidisciplinary. It's not that it's just the technology side. You have to understand multifacets. The diversity that's out there, with respect to having different viewpoints on a team, is really important. Making sure that there is a team effort, that all team-players feel that it's safe to share information, that they're included in that response. So diversity inclusion is really important, and we're hoping to achieve that as well in the area of STEM and cyber through the CAE program.

Diane M.: [00:23:53] One last thing I wanted to mention is that NSA can't do this alone. We do this through a partnerships with the - with other federal agencies. We do this with the state involvement as well, with industry involvement, through the federal government, through grants, through the grants process - NSA has invested over $100 million annually in support of academic partner programs - through educational grants, through research, through recruitment efforts. We recognize that this whole country can benefit from a rigorous academic programs such as these, through the sharing that occurs as a result of it, through the community that's created. And it's very, very powerful, and we really appreciate the CAE schools rising to the occasion, agreeing that there's a need to raise the bar, agreeing that our whole country benefits from cybersecurity professionals. And we just value the partnerships that we have.

Dave Bittner: [00:24:42] Our thanks to Diane M. Janosek from NSA for joining us. If you want to learn more about the Centers of Academic Excellence in cybersecurity, visit the NSA website. It's in the resources section.

Dave Bittner: [00:24:57] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:25:10] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.