Russia’s sovereign Internet. Huawei updates. CBP discloses exposure of images collected at a border crossing. Gmail features used for social engineering. M&A notes. Top bugs found by bounty hunters.

Dave Bittner: [00:00:03] Russia says shrapnel from America's war on that nice company Huawei is destroying the world. Russia also tells Tinder to fork over user pictures and messages. A Recorded Future study outlines the case for regarding Huawei as a security risk. U.S. Customs and Border Protection discloses a breach of images collected at a border crossing point. Crooks are taking advantage of Gmail features, notes on recent mergers, and the top 10 bugs that are bugging bug hunters.

Dave Bittner: [00:00:39] And now a word from our sponsor ObserveIT. According to Cisco, over the course of 1 1/2 months, the typical suspicious insider can download 5,200 documents. Unfortunately, many ad hoc insider threat investigations can drag on for weeks or even months since it's tough to know exactly who did what, when and why. Security analysts have to wade through a sea of event logs, many of which are completely irrelevant, to eventually discover the root cause of an incident. What if we told you that there's a way to investigate insider threat incidents faster? With ObserveIT's dedicated Insider Threat Management Platform, security teams can quickly find out the context into both the user and data activity behind an alert. Detailed user activity timelines and easily searchable metadata help you know the whole story on insider threats. Visit observeit.com/cyberwire to try out ObserveIT's sandbox environment for yourself - no downloads or configuration required. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:01:50] Funding for this CyberWire podcast is made possible, in part, by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.

Dave Bittner: [00:02:05] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 11, 2019. Bloomberg quotes Russia's deputy prime minister Akimov as deploring the way U.S., and especially its suspicion of Huawei, is destroying the world. The shrapnel will hit everybody, Mr. Akimov added in a discussion outlining and defending Russia's decision to build its very own sovereign internet. The tech world whose passing the deputy prime minister prospectively mourns is presumably one of freely flowing commerce and information, and Moscow's crackdown on Telegram is therefore painful, as he puts it. And this is no doubt the result of American shrapnel, as is the Russian government's request that Tinder hand over photos and messages exchanged by Russian users of the dating service. We're pretty sure he means fragmentation and not shrapnel. But anywho, it's Washington's fault. In any case, TASS is authorized to state that Roskomnadzor says that Tinder has agreed to comply. That's from TASS - no word yet directly from Tinder.

Dave Bittner: [00:03:16] In any case, the deputy prime minister's statement is the latest sign of a newfound tenderness for Huawei in Russia. Stateside, Huawei has been investing in lobbyists. Fast Company reports that the company's expenditure on lobbying, which amounted to $570,000 in 2017, rose in 2018 to $3.7 million. The company's smaller competitor, ZTE, is also concerned, and concerned to the tune of $1.4 million that it's already spent on K Street this year.

Dave Bittner: [00:03:50] Over in the U.K., Huawei representatives are reassuring Parliament that the company is no threat. The aim on both sides of the Atlantic is the same - avoidance of crippling sanctions and continued access to a lucrative market. Anti-Huawei sentiment in the U.S. extends beyond the administration. In fact, administration critics are expressing concerns that President Trump might be induced to let Huawei off the hook in the course of cutting a trade deal with China. So why are people worried about Huawei? There is the company's reputation for unreliability with respect to its partners' trade secrets, which we've discussed in the past. But there are things about the very nature of the company that would give one pause, even were it to become a model of respect for contracts.

Dave Bittner: [00:04:37] Recorded Future has published a study that explains why it's reasonable to consider Huawei a security risk. The company is large enough to become both a monopoly and a technological monoculture. A monopoly wields considerable power that's easily misused. A monoculture is also a problem for a technological ecosystem as much as it is in a biological one. Monocultures are at risk of sudden collapse under stress. They can be brought down because they lack the resilience a more diversified ecosystem tends naturally to enjoy. The way in which Huawei increasingly pervades global supply chains is also cause for concern, the study argues. And finally, the company exists in symbiosis with a repressive, authoritarian government. It grew and flourished under those conditions, and it's unlikely to be willing or even able to adapt itself to trading in an environment governed by law as opposed to mere policy.

Dave Bittner: [00:05:35] It's been just about a year since GDPR went into full effect in the EU, with privacy implications felt worldwide. We checked in with FireMon's Tim Woods for a look back at the GDPR's impact.

Tim Woods: [00:05:48] Well, you've definitely seen an uptick in the reported number of breaches where people think that perhaps the information that they have ownership of or have responsibility or custody of - we've seen that go up by almost 40% higher reporting breaches and or exposed information. And I use the term breach kind of loosely because sometimes, it's just exposed information. It's not necessarily - it's the actual individual who owns the information that has accidentally, due to misconfiguration of services or misconfiguration of database access or whatever - they've exposed that information. And they really can't qualify or quantify who's actually had access to that information. But regardless, the reporting of that has definitely went up since GDPR went live back in May 26 of last year.

Dave Bittner: [00:06:40] And what's been the global impact?

Tim Woods: [00:06:42] I think there's greater awareness, also, from - especially by large enterprises or global companies where you have a global presence, you know? You have to - it's like any of the regulatory compliance initiatives. You have to kind of look at your zones of control. It's like, where are we using that information? Do we have EU citizens' data or not? Are we processing EU citizens' data or not? And sometimes, in a multi-global, large conglomerate, you don't really know where that information may or may not be.

Tim Woods: [00:07:11] And then, also, some of the things that maybe we don't - again, if I go back to the awareness of it - is some of the things that you may not consider, such as a marketing mail-out or a marketing database that may actually have email addresses of EU citizens and things of that nature. It gives us reason for pause to go back and look at the information that we're holding on to to say, hey, even though we're not in the EU, are we processing any of that personally identifiable information that may be associated to an EU citizen?

Dave Bittner: [00:07:39] Have there been any unintended consequences, anything that's taken place that - where people didn't expect it was going to go down that way?

Tim Woods: [00:07:46] I've spoke to a number of different companies. I've spoke to a number of different individuals and companies, and they've definitely kind of stepped back to look at what they believe their - number one, their legal stance is, what their legal responsibility is and where they are using personally identifiable information, and then how they determine the association of that personally identifiable information. You know, is it related to EU citizenship or not? And then, just in general, again, you know, are we giving individuals the right to refusal or the right to be forgotten? And are we making sure that we're transparent? I mean, we've seen some pretty big fines kind of coming down the pipe.

Tim Woods: [00:08:25] There - you know, from a GDR perspective, I - there haven't been what I would call, you know - because the teeth - I call it the teeth around GDPR, which sometimes brings the enforcement or the recognition, you know, of, hey, we need to be compliant to this. You know, I think Google probably was the largest, where they were fined $50 million for the failure to acknowledge the transparency of the information. But now we see - here in the States right now, we see Facebook kind of running from GDPR. And of course, Facebook is facing a big FTC fine right now, too. They've set aside - I don't know - almost $3 billion, you know, due to lack of transparency. So I think some of these, you know, people are definitely taking note when it comes to the penalty phase and the fine phase as far as, what could the implications to our company be? - because you don't want to have something that could be catastrophic to our business.

Dave Bittner: [00:09:13] That's Tim Woods from FireMon.

Dave Bittner: [00:09:17] U.S. Customs and Border Protection says a subcontractor lost pictures of travelers' faces and license plates taken at a single border crossing point. CBP didn't say which subcontractor was involved, but The Washington Post reports that it was Perceptics. There's the circumstantial evidence of the breach Perceptics disclosed late last month, and the CBP email that announced the problem had the subject line CBP Perceptics Public Statement. The Post and others connect the dots and conclude that the Tennessee-based provider of license plate readers was the company in question. Perceptics has been a vendor to CBP, WIRED notes, in a decades-long relationship.

Dave Bittner: [00:09:59] Many observers are concluding that this is another object lesson in the inherent risk of accumulating data. Those data can prove irresistible to attackers. Data collection and the tight coupling of services are attractive when they appear in the private sector, too. Google's Gmail and Calendar services are providing an object lesson here, as well. Calendar is designed to let anyone schedule a meeting with any user. And that, Kaspersky researchers report, is a bit of functionality that's being exploited by criminals. When you get a calendar invitation, a pop-up notification of that invitation appears on your phone. The attackers embed malicious code in their invitation. Because users are accustomed to trust the invitations, the pop-up becomes an effective phish hook. Kaspersky says that the attacks observed so far are sending the unwary to credential-stealing sites, but there's considerable untapped opportunity for other forms of social engineering here as well. A senior engineer at Synopsys commented to Forbes that, quote, "automation is not your friend in cases such as this." Don't let a calendar app automatically stick invitations into your calendar.

Dave Bittner: [00:11:12] Raytheon's combination with United Technologies, described at the time of its announcement as United Technologies' acquisition of Raytheon, is now being characterized as a merger of equals. The combined company will be called Raytheon Technologies, a very large aerospace integrator that will play in both civilian and military markets. Notably, United Technologies Carrier, the HVAC company, and Otis Elevators will be spun out. The new company's investor prospectus lists cyber protection for commercial aerospace as one of the complementary capabilities Raytheon brings to the merger. Raytheon owns cybersecurity company Forcepoint. United Technologies owns security provider Lenel.

Dave Bittner: [00:11:58] Salesforce's acquisition of Tableau in a $15.7 billion deal represents a CRM and data analytics merger with complex security implications. The company will handle a tremendous quantity of sensitive data. As ZDNet points out, the acquisition suggests that Salesforce has ambitions outside of its core CRM market.

Dave Bittner: [00:12:22] And finally, which vulnerabilities are bug hunters finding? HackerOne, which coordinates bug bounty programs for a living, has taken a look at what they characterize as 120,000 security vulnerabilities reported across more than 1,400 customer programs globally. Here's what they found the bug hunters are finding. The top 10 vulnerabilities are, from 10 to 1 - number 10...

0:12:45:(SOUNDBITE OF DRUMROLL)

Dave Bittner: [00:12:45] ...Cross-Site Request Forgery; number nine, Generic Improper Access Control; number eight, Insecure Direct Object Reference; number seven, Server-Side Request Forgery; number six, Code Injection. Coming in at number five is SQL Injection; number four, privilege escalation; number three, information disclosure; number two, Generic Improper Authentication. And the number one vulnerability the bug hunters are finding is...

0:13:20:(SOUNDBITE OF DRUMROLL)

Dave Bittner: [00:13:20] ...Cross-site Scripting - all types of cross-site scripting - domain, reflected, stored and generic.

Dave Bittner: [00:13:43] Now a moment to tell you about our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms: Everything You Need to Know About Security, Orchestration, Automation and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:14:59] And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute. He's also host of the "ISC StormCast" podcast. Johannes, it's great to have you back. You wanted to share some information about a botnet that you all have been tracking there at SANS. What can you tell us?

Johannes Ullrich: [00:15:18] Yeah, this is sort of an interesting botnet for a number of reasons. Now, first of all, it's going straight after RDP, this remote desktop protocol that, of course, has caused a lot of news lately with the BlueKeep vulnerability that is sort of rumored to be in the development of being turned into a major worm. Now, this botnet doesn't actually do anything about this vulnerability. What it's really just going after is weak passwords. And I think it's a good lesson learned here. It's the old vulnerabilities that often get you, not necessarily the new and shiny ones. Now this botnet is currently just sort of collecting vulnerable hosts. It's brute-forcing passwords. And once it finds passwords that work, reports them back. Also interesting, this botnet is entirely written in Java, which is sort of unusual because in order to work, it actually has to deliver the full Java runtime. So the entire download for the botnet is around 80 megabytes.

Dave Bittner: [00:16:23] And you all are referring to this as GoldBrute.

Johannes Ullrich: [00:16:26] GoldBrute is what we called it because the one sort of unique Java class that was added to the code here, that's called GoldBrute. So we went with that particular name.

Dave Bittner: [00:16:38] Now there are some interesting behaviors here - the way that it reaches out, the way it only hits vulnerable servers from different directions. There are some interesting things going on.

Johannes Ullrich: [00:16:50] Yeah. So once a host gets infected with this particular botnet, it will first start scanning for systems that are listening for RDP, so Port 3389. Now once it found new systems listening, it will report them back to a command control server to be added to a list to later be brute-forced. The interesting part here is that, essentially, this command control server is first waiting for individual bots to do some work for it. It waits for 80 vulnerable hosts to be reported back before it then feeds new vulnerable hosts back to the bot to be actually brute-forced. So it's sort of a two-stage process where, first, the bot that is looking for just hosts that have this port exposed, so they're possibly listening on RDP. Once a bot proves its worth, so to speak, by reporting 80 vulnerable hosts back, then it's actually put to task to brute-force passwords. And the way this works, again, is that each bot only gets one username and password pair. So we assume that this is sort of used to avoid some of the lock-out that some services are doing. So each bot is trying a username and password. If it works - great. If it doesn't work, well, another bot will try another username and password later.

Dave Bittner: [00:18:10] Now, you all did some analysis of this in your own lab. You're able to manipulate the code to make it send the host a username and password to your lab machine. What did you find out there?

Johannes Ullrich: [00:18:21] Well, what we found is that this particular list of usernames and passwords that is being retrieved, the entire target list is about 1 1/2 million vulnerable systems large. So that's basically what's being fed by this command control server. Once it gets into a system, all it does basically is then reporting back that, yes, I got into it. I got into it with this username and password.

Dave Bittner: [00:18:49] So where do you suppose it's going to go from here? Any ideas what to expect?

Johannes Ullrich: [00:18:54] Well, there's sort of two options. First of all, that whatever group is behind this GoldBrute botnet is later going to deploy some additional payload. Or now in the malicious economy, we sort of have these different roles that groups take on; that this particular group is just collecting the machines and then selling them off to someone else that has a worthwhile payload for them.

Dave Bittner: [00:19:15] It's interesting work you all are doing here. It's the GoldBrute botnet. Johannes Ullrich, thanks for joining us.

Johannes Ullrich: [00:19:21] Thank you.

Dave Bittner: [00:19:31] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:19:43] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.