AMCA breach extends to LabCorp. Still no EternalBlue in Baltimore ransomware attack. Frankenstein malware. Real hacking isn’t like the movies. Huawei’s no-spy deal. US Data Strategy. Patch BlueKeep.

Dave Bittner: [00:00:03] Another medical testing firm is hit by the third-party breach at AMCA. More officials say there's no EternalBlue involved in Baltimore's ransomware attack. Real hacking isn't like the movies. It's alive - Frankenstein malware, that is. Huawei offers a no-spy agreement. The draft U.S. Data Strategy is out. Really, you should patch for BlueKeep. Researchers from UC San Diego team up with Google to explore the hacker-for-hire marketplace. And a university's donor list has been exposed online.

Dave Bittner: [00:00:41] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily. And if it helps us, we're confident it will help you, too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:37] Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.

Dave Bittner: [00:01:52] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 5, 2019.

Dave Bittner: [00:02:00] Medical testing firm LabCorp has disclosed that it, too, was affected by the breach at third-party collection services provider American Medical Collection Agency. At the beginning of the week, Quest Diagnostics said that about 12 million people were affected by data AMCA held that were accessed by some unknown, unauthorized party. LabCorp puts the tally of those affected in its part of the incident at 7.7 million.

Dave Bittner: [00:02:27] A second member of Congress, Maryland Senator Van Hollen, has joined his House colleague Representative Ruppersberger to announce that the government is confident EternalBlue wasn't involved in the Baltimore ransomware attack.

Dave Bittner: [00:02:40] Baltimore's systems remain a mess, but the city thinks it will have things more or less 90% cleaned up by the end of the weekend. Investigators are trying to make sense of various tweets and social media comments that suggest the attackers might have done at least some doxing in addition to the encryption they inflicted on those poorly protected servers. The projected cost to the city is estimated at more than $18 million, but the night is still young.

Dave Bittner: [00:03:08] Different victims of ransomware show different results in their recovery. In contrast with the ongoing Baltimore horror show, Norsk Hydro was fairly well-prepared and quick to respond to its own ransomware incident. The company reported its first-quarter results today, and underlying profits are down 82%. That sounds bad, but it's actually good. The hit from the ransomware turned out to be bad, but not nearly as bad as it might've been.

Dave Bittner: [00:03:27] We've all seen the Hollywood hack, right? The hacker, properly pierced and tattooed and be-hoodied, taps vigorously on the keyboard, and snarls, I'm in. And then, sure as shootin’, the hacker's in, as you can see when they cut to a kernel panic on the victim's screen as the victim's boss screams, huh - what? - no. Like that, right?

Dave Bittner: [00:03:58] Well, no, not right. That's ZDNet's take on the results of a Bitdefender study of how the Carbanak gang works, anyway. They take months of preparation before they hit a bank. So it's more "Ocean's 11" than it is "WarGames."

Dave Bittner: [00:04:12] Cisco's Talos Group describes a threat campaign they're calling, Frankenstein, because the hoods behind it stitched their effort together from a bunch of disparate open-source tools. Active between January and April of this year, Frankenstein's operators gained entrance into their targets by phishing with Trojanized documents. The attack they've sewn together uses at least these open-source items - first, a component that detects if the sample's being run in a virtual machine, a project from GitHub that leverages MSBuild to execute a PowerShell command, another component from GitHub project FruityC2 for building a stager and yet another GitHub project, PowerShell Empire, for its agents. They may be derivative, but they are by no means stumblebums. Talos calls them moderately sophisticated and highly resourceful and thinks that more threat actors will do likewise in the future.

Dave Bittner: [00:05:08] Suppose you want to do some cybercrime, but your own technical skills aren't quite up to the task. There is a growing market for hackers for hire, who would be more than willing to assist you for a price. The CyberWire's Tamika Smith has the story.

Tamika Smith: [00:05:25] Google and University of California San Diego conducted a study analyzing and testing out the hacker-for-hire market. They created email accounts solely using honeypot Gmail accounts, created buyer personas and started their search to solicit hackers.

Tamika Smith: [00:05:40] Here to talk more about this is Ariana Mirian. She's a Ph.D. student at UC San Diego, where her research is on security and systems. And she served as the first author and lead researcher on this team. Thanks for joining the conversation, Ariana.

Ariana Mirian: [00:05:53] Thanks for having me, Tamika. I'm glad to be here.

Tamika Smith: [00:05:55] So let's get into this study. How was it set up?

Ariana Mirian: [00:05:59] We were interested in looking at the hack-for-hire market. And so that required us to go and find these underground advertisements and then somehow solicit their service. And so what that essentially means is we needed to act as both the buyer and the victim. So we created fake online personas, because we wanted to make sure that no researchers were harmed in the making of this study, in order to solicit this research.

Ariana Mirian: [00:06:21] So as the buyer, I created an online persona, which consisted of a Gmail address. And so we communicated with the services as the buyer, either by emailing them or submitting an online form. Really, it was however the service advertised we should reach them. And then we created a victim persona, so the person who we wanted to hack into - whose Gmail account we wanted to hack into. And the victim persona - the - it was a bit more intricate because we didn't know what these attackers would do. We didn't know what pieces of information they would use. And you know, I have an online footprint. Most people who use the internet have an online footprint, and so we wanted to create this online footprint for these fake victims. We created a Gmail address for them, but we also created a website, for example, that they purported to own or work at, where we linked the Gmail address. On the website, we also linked an additional Gmail address of an associate, which was another fake persona, because we, you know, didn't know if the attackers would use the associate to get to the victim. And then we also created a Facebook profile for the victim, where everything was private except the About Me section. And on the About Me section, we linked the website of the victim persona. And so we engaged with them as the buyer. And then at UCSD, we had set up some monitoring on each of the Gmail accounts to record any changes. And also, our Google colleague was able to see from the Google monitoring that they have what was happening in the Gmail accounts.

Tamika Smith: [00:07:54] So this is very interesting. You guys set out to catfish the hackers.

Ariana Mirian: [00:07:58] Basically, yeah. We really wanted to characterize this market. And the best way to do that was to engage with them - so to see not only what attacks they would deploy on the victims but also how do they engage with the buyers? Is this a legitimate business, or would they just take our money and run?

Tamika Smith: [00:08:14] So let's talk a little bit about how you engaged with them. You set out and created personas, but one thing that I thought was very interesting - you did so in various languages.

Ariana Mirian: [00:08:27] It turns out a lot of those underground markets are not solely in English. And so actually, a lot of the advertisements that we found were in Russian. So we had 27 services that we ended up contacting. I believe three of them were English advertisements, one was a Chinese advertisement, and the rest were Russian. In order to engage with them, we wanted to make sure that our messages seemed realistic. And so we essentially asked folks in our community who are native speakers of that language - so a native Russian speaker - to help us craft emails in response to whatever they were telling us.

Tamika Smith: [00:08:57] So let's talk a little bit more about the technical side. How did you set it up - set up the honeypot accounts so that you would be able to track what was going on and that they couldn't detect that they were being tracked?

Ariana Mirian: [00:09:10] Yeah. So for each Gmail account that we created, we essentially added this entity called a Google Apps Script. Whenever there was a change in the Gmail accounts, it would trigger a notification to a server that we controlled at UCSD. The thing about these Google Apps Scripts is that in order to create them, you actually open up a Google Doc, essentially, that's associated with the Google Drive that is part of the Gmail account. And then on one of the dropdowns, there is this little script button, and then that takes you to a pop-up where you can put in this script. And it's a JavaScript, so it's a language that a lot of folks know and can program in or at least learn.

Tamika Smith: [00:09:48] Is this market viable in any way?

Ariana Mirian: [00:09:50] Yeah, that's a great question. This is a market that is accessible to a lot of, you know, average folks. The contracts that we hired were anywhere from $100 to $400 range. Since the end of our study, actually, some of those prices have increased. But they are still viable for someone who really wants to get into the Gmail account of whoever they target. However, since these are targeted attacks, these don't necessarily scale as well. They don't scale as much, I should say, as other attacks. I don't think it's a large-scale threat. It is definitely a threat to some users out there, but it's not a large-scale threat yet. There is definitely the possibility - and this is all hypothesis - that the attacks could change. So right now, the main attack vector that we saw was phishing - really well-crafted emails that would then capture our password and our two-factor code. And Gmail has introduced some additional defenses to try and prevent against this sort of targeted attack. But it's possible that, in the future, these markets will change to adapt to the new defenses. So instead of phishing, maybe they'll deploy more malware.

Tamika Smith: [00:10:53] Thank you again, Ariana, for joining the conversation.

Ariana Mirian: [00:10:56] Thank you, Tamika. I really appreciate it.

Tamika Smith: [00:10:58] That's Ariana Mirian. She's a Ph.D. student at UC San Diego, where she's researching security in systems. And on this specific research team, she served as the first author and lead researcher.

Dave Bittner: [00:11:11] That's the CyberWire's Tamika Smith.

Dave Bittner: [00:11:14] Huawei's chairman, Liang Hua, accused the U.S. of acting inappropriately toward his company, NPR reports, but then proffered dove with an olive branch, the same kind of no-spy deal Shenzhen has dangled before Germany and the U.K. This dove seems unlikely to fly in Washington given Huawei's reputation with respect to non-disclosure agreements and partners' IP.

Dave Bittner: [00:11:40] Don't believe Microsoft about the importance of patching legacy versions of Windows against the BlueKeep RDP vulnerability? Well, maybe you'll believe NSA's Central Security Service. They think you should patch, too.

Dave Bittner: [00:11:54] The U.S. government has released its draft data strategy. Federal agencies have until July 5 to submit comments. The strategy emphasizes three overarching principles - ethical governance, conscious design and a learning culture. The strategy seems concerned to identify relevant data and ensure their accuracy, integrity and availability. Transparency and an effort to restrain agencies from collecting information without a need to do so appear to be important points of emphasis.

Dave Bittner: [00:12:25] University of Chicago Medicine has apparently left data of almost 1.7 million donors and prospective donors exposed online, Security Discovery says. The university secured the database and thanked the discoverers for the tip.

Dave Bittner: [00:12:41] And we close on a serious note. America has lost another of the Navajo Code Talkers, who served in the Pacific during the Second World War. William Tully Brown passed away Monday in Winslow, Ariz., at the age of 96. Our condolences to his family and friends. As he's laid to rest tomorrow, we'll join the Marine Corps in its farewell. Semper Fidelis, Marine.

Dave Bittner: [00:13:12] Now it's time for a few words from our sponsor BlackBerry Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what BlackBerry Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show.

Dave Bittner: [00:14:21] Joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's great to have you back. We had an article come by. This is from Military Times. It's titled "Secret Tracking Device Found in Navy email to Navy Times Amid Leak Investigation Raises Legal and Ethical Questions." There's a lot to unpack here. Help us understand what's going on.

Ben Yelin: [00:14:44] So there's been this high-profile court martial case about a Navy SEAL being accused of potential war crimes arising out of an incident that took place in 2017, I believe. The profile of this case has been risen significantly because the president of the United States has weighed in on this case publicly. What this article uncovered is that one of the prosecutors working for the United States Navy sent an email to the Navy Times, which is - you know, has readership among members of the Navy and other members of the military branches.

Dave Bittner: [00:15:18] And this is journalism.

Ben Yelin: [00:15:20] Right. Right, so to a journalism outfit.

Dave Bittner: [00:15:23] Right.

Ben Yelin: [00:15:24] And that email was embedded with a secret digital tracking device. So it's unclear. It doesn't seem like this device was any sort of type of malware. It didn't reveal any information - personal information that was on the computers of the journalists who work for the Navy Times. But it did try - or at least attempted to - collect metadata from those devices. It was attempting to identify potential leaks arising out of this case. And to do so, it was trying to identify the IP addresses being used by Navy Times accounts.

Dave Bittner: [00:15:56] Right.

Ben Yelin: [00:15:56] It was transmitting that information to a Navy database in California. This causes a lot of potential legal problems, from my perspective. The Electronic Communications Privacy Act requires, generally, either a warrant or some sort of legal subpoena to use any type of device - electronic or otherwise - that would reveal metadata from a private individual's accounts. Again, these people are not members of our - when we're talking about journalists, they're not members of the armed forces. They are private individuals subject to our constitutional rights. Now because this is the military, it's being conducted from the Navy prosecutor's office. We're not privy to a lot of the information that's gone into this investigation.

Ben Yelin: [00:16:43] And from what they're saying, the prosecutor has complied with all laws and statutes regarding electronic communications and privacy. This, at least to my eye, you know, it's not something that you could prove one way or the other without additional information. And there's always the risk - I'm not sure how this would play out in military court - that the conviction of this individual accused of war crimes could be jeopardized if some of the information used in a potential trial or in the prosecution was obtained through illegal means. That evidence could potentially be suppressed. And then, as we see in millions of other criminal cases, that could be the factor that causes the acquittal of that criminal suspect. So engaging in these techniques presents, really, a dangerous risk for the general public and for the prosecutors who are trying to secure the conviction.

Dave Bittner: [00:17:40] When this was brought to their attention - to the folks who had installed this email tracker - what was their response?

Ben Yelin: [00:17:48] So the prosecutor himself, through his office, declined to comment. But the Navy, through its spokesman, said, quite vociferously, that all investigations coming from this prosecutor's office are conducted, quote, "in accordance with applicable laws, properly coordinated and executed with appropriate oversight." The Navy is saying that they're complying with all laws and regulations. Even though the prosecutor's office itself, which is the one that sent emails with these tracking devices - and they not only sent them to media sources but also to members of the defense's legal team - that prosecutor has declined to comment.

Dave Bittner: [00:18:27] Yeah, it seems like an unfortunate distraction. You have this serious case that could be taken off the rails, potentially, by this issue.

Ben Yelin: [00:18:36] Right. We're talking about something that's literally life and death. And the defense has already filed motions to have the entire case dismissed based on this unlawful surveillance, which would be an absolute disaster from the perspective of the Navy prosecutor. The reason we have the exclusionary rule in place in our court system is to prevent law enforcement - to give them a disincentive to break laws in how they conduct investigations and surveillance. So if they haven't dotted the Is and crossed the Ts in terms of making sure that these techniques are legal - and there are certainly questions as to whether they've done that - then they're not only jeopardizing this particular prosecution but the reputation itself of this prosecutor's office. And that could have very damaging effects down the line.

Dave Bittner: [00:19:24] All right. Well, Ben Yelin, thanks for joining us.

Ben Yelin: [00:19:26] Thank you.

Dave Bittner: [00:19:27] A quick update - since Ben and I recorded this segment, a military judge removed that lead prosecutor from the case. The defense had asked the judge to dismiss the case or remove the prosecutors because of the email tracking, and the judge had the prosecutor removed.

Dave Bittner: [00:19:47] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:19:59] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.