The CyberWire Daily Podcast 6.20.19
Ep 869 | 6.20.19

Turla hijacks OilRig infrastructure. Bouncing Golf is no game. CISA panel recommends supply chain security reforms. AMCA driven toward bankruptcy by data breach. Florida town pays ransom.


Dave Bittner: [00:00:03] Call it Waterbug or call it Turla, the Russian cyber operation has been hijacking Iran's OilRig cyber espionage infrastructure. Other cyber campaigns also afflict Middle Eastern targets. A U.S. panel convened by CISA has some recommendations for supply chain security. An ad agency inadvertently exposes sensitive personal data. A bankruptcy filing in the AMCA breach, and Riviera Beach, Fla., decides to pay $600,000 in ransom to decrypt its files.

Dave Bittner: [00:00:39] And now a word from our sponsor ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Prevention-based tools leave you blind to any threats inside your network. By adding behavioral-based network traffic analysis to your SOC, you can find and stop attackers before they make their move. ExtraHop illuminates the dark space with complete visibility at enterprise scale, detects threats up to 95% faster with machine learning and guided investigations that help Tier 1 analysts perform like seasoned threat hunters. Visit to learn why the SANS Institute calls ExtraHop fast and amazingly thorough, a product with which many SOC teams could hit the ground running. That's And we thank ExtraHop for sponsoring our show.

Dave Bittner: [00:01:35] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 20, 2019. A Russian espionage operation, Waterbug, which others refer to as Turla, appears to have hijacked Iran's OilRig infrastructure, also known as Crambus, according to Symantec. The activity falls into three distinct campaigns - one using Meterpreter, another hitherto unremarked backdoor Neptun, and a third backdoor that executes PowerShell scripts without powershell.exe. Symantec doesn't attribute Waterbug or Crambus to any nation-state but notes that press reports have done so. In any case, Symantec thinks that Turla opportunistically stole credentials from OilRig in January of 2018 and has since then used OilRig's infrastructure to stage its own espionage operations in the Middle East and elsewhere. It appears that OilRig did not react to the hijacking, which Symantec says is the first such spy versus spy hijacking it's seen.

Dave Bittner: [00:02:39] Trend Micro is also describing a cyber espionage campaign that afflicts targets in the Middle East. The researchers call it Bouncing Golf, and they say it shows some significant similarities to the earlier Domestic Kitten campaign. Domestic Kitten has been generally attributed to Iran. Check Point fingered Tehran for Domestic Kitten last September.

Dave Bittner: [00:03:01] We received an email late yesterday from CISA, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, outlining recommendations on information and communication technology, that is, ICT, supply chain security. The recommendations are the work of the CISA-organized ICT Supply Chain Risk Management Task Force. The full set of recommendations are expected to be posted soon, but in outline, the task force proposes a reform of U.S. federal acquisition regulations to incentivize purchases from original equipment manufacturers and their authorized resellers only. Why does this matter? It matters because going down the path the CISA panel recommends might help resolve certain tensions involving acquisition rules that strongly encourage agencies and contractors to make low cost an overriding factor in procurements.

Dave Bittner: [00:03:54] To take one example we've heard about from Control Global's Unfettered blog, counterfeit Yokogawa transmitters, in general use with electrical power distribution process sensors, are widely available, and Yokogawa warns that they are even for sale on eBay. They're pretty convincing knockoffs made in China of Yokogawa's real McCoys. One might well worry about the likelihood that counterfeit goods are low-quality junk, but of course, there's the additional concern that there could be deliberately induced vulnerabilities in them. And, of course, their presence on eBay would suggest that anything you buy from the web isn't necessarily coming from an authorized vendor. The Defense Appropriations Act says that for commercial off-the-shelf - that is, COTS - equipment, you're supposed to buy low-cost devices and buy them from the internet wherever possible, so policy would seem to have an inconsistency. The authors of the bill have their hearts in the right place. You don't want to spend more than necessary on a commodity device, but in this case, economy is at war with security and perhaps even safety. As is usually the case if you have inconsistent preferences - in this case, supply chain security and lowest cost - you can usually be induced to take a sucker bet.

Dave Bittner: [00:05:09] The demand for cybersecurity professionals shows no signs of slowing down. So how can those of us who enjoy success share our experience and wisdom with those who aspire to join us? Our U.K. correspondent Carole Theriault files this report.

Carole Theriault: [00:05:25] So I dedicate a lot of time to educating people on how to be safer online through podcasts like this one, speaking at schools and events and so on. Zoe Rose is an ethical hacker based in the U.K., and she, too, is very involved in helping people be safer online. I asked her about her experiences and what advice she had for young people, especially women, who might want to get into the industry. Here's Zoe Rose.

Zoe Rose: [00:05:51] The reality is - I mean, if you look back before there was all this technology in our lives and we were coding through, you know, sheets of paper that have holes punched in it - but if you looked at it, those people - the majority of them were women. If you watched the "Hidden Figures" movie, they were - those women were the computers, you know? They were the ones doing all the technical - so it's not really unique to women, but I think it's more the cultural change of where we've made that assumption that it makes us unique. And so I think identifying to young people that, actually, it does come naturally, and you're not - it's not going to be ridiculously challenging for you to get into it because you probably have a good understanding.

Carole Theriault: [00:06:38] Do you feel that women are treated differently in the industry?

Zoe Rose: [00:06:44] Well, what I've noticed is in the beginning, I found it very challenging. This is more than 10 years ago, mind you. But I was told by one organization they don't hire women because they're too distracting to men.

Carole Theriault: [00:06:57] (Laughter).

Zoe Rose: [00:06:58] I had - yeah, I know. I told them to stop hiring children.

Carole Theriault: [00:07:02] (Laughter).

Zoe Rose: [00:07:06] I've also had situations where I've had to block colleagues and, you know, remove them from my life because they've become very uncomfortable, and I felt unsafe. But what I've noticed was in those situations, it was the top-down that was allowing that culture to exist.

Carole Theriault: [00:07:26] Right.

Zoe Rose: [00:07:26] It wasn't everybody thought that. It was that senior leadership didn't say anything or actively participated in that belief. And actually, finding organizations that aren't like that - I mean, back then, I found it very challenging. But now I find it, actually, quite a bit easier. And when I find an organization I potentially want to work for, I look at how senior leadership, you know, approaches this.

Carole Theriault: [00:07:57] So I don't know if it's easier now because I am much more knowledgeable and secure and, you know, know a lot more than I did 15, 20 years ago. My instincts say to me that the environment is changing for the good. And it is - I think it's easier for women to get into the industry now than it may have been. But at the same time, there's probably going to be new challenges now.

Zoe Rose: [00:08:18] Definitely. So last year, I spoke in Sri Lanka. And what really stood out to me and the reason I bring this up is I presented - I think I called it In the Life of an Ethical Hacker. And afterwards, I got a lot of young men, school age to just about to graduate. And a young man came up, and they're like, oh, I'm going to be the most elite pen tester, or I'm going to be the coolest hacker. And none of them talked about their skills or anything. They just talked about how they're going to be super elite. And then these two young women came up to me. And they were like, you know what? Actually, it was really cool hearing your talk because I never thought I'd be good enough to be a hacker or I'd be good enough to be a programmer. I really thought that I just don't have the skill. So I was talking to them about their experience. And my goodness, Carole, these two young ladies are more advanced, more intelligent than I could ever dream to be. They were so skilled. It was bloody impressive. And I was thinking about that after. And I was, like, looking at the males and how, you know, confident they were that they were going to take over the world, whereas these two young women, they were highly technical but didn't think they were. They were very intelligent, very hardworking. And yet they still worried that they wouldn't be good enough.

Carole Theriault: [00:09:42] It is really refreshing to hear about young people that understand that in order to become really good at something, it takes a lot of patience and work and skill. And that's how you develop the skill by just dedicating yourself to it.

Zoe Rose: [00:09:52] Definitely. I mean, my background is networking, network architecture. And then I went into network security, and then I went to cybersecurity. So I admit that I've got gaps in my knowledge. I mean, I was never a programmer, and I would never say I am. And that to me is vital because people will come to me and be, like, how can I be the best programmer? And I'll be, like, honestly, I'm not going to be the most effective person, so here is the people that you should speak to because they're brilliant.

Carole Theriault: [00:10:19] I like what she says about women and technology having always been intertwined and that women tend to really work on their skills before they get into the industry. This could just give them a bit of edge. This was Carole Theriault for the CyberWire.

Dave Bittner: [00:10:35] vpnMentor found an exposed database - now secured - belonging to Florida advertising agency X Social Media. The database contained business and personal information concerning medication side effects, defective infant care products, injuries attributable to pesticides, medicines or medical devices and U.S. veterans' combat wounds. Much of X Social Media's ad business is said to lie with law firms cultivating class action suits.

Dave Bittner: [00:11:04] A data breach can swiftly kill a company. Over the past 2 1/2 weeks, we've been following the American Medical Collection Agency breach - that's AMCA - that spilled data belonging to medical testing and diagnostic companies. AMCA says it began to suspect a breach in March, when it was warned that unusual credit card activity suggested that its data might have been compromised. That breach was publicly revealed on June 3 when Quest Diagnostics disclosed it in an 8-K filing. Now AMCA and its parent company are going under. Retrieval-Masters Creditors Bureau Inc, AMCA's corporate parent, on Monday filed for Chapter 11 bankruptcy in the U.S. Bankruptcy Court for the Southern District of New York. The action is the result of the AMCA data breach that affected Quest Diagnostics, LabCorp, and BioReference Laboratories. The filing suggests that this is the first step toward orderly liquidation. Loss of business, immediate costs of response and the costs of notification were more than AMCA could handle. The company's four biggest customers - LabCorp, Quest Diagnostics, Conduent and CareCentrix - either terminated or substantially curtailed their relationship with AMCA.

Dave Bittner: [00:12:18] The costs are also worth reviewing. The Chapter 11 filing says the company had already spent $400,000 hiring outside consultants to find and fix the causes of the breach. The expense of notification that good practice and regulation required were even heavier. AMCA had to assume, it says in the filing, that all the data on its servers had been compromised, which meant that it had to notify some 7 million individuals. That cost $3.8 million. It also had to cut jobs, dropping its headcount from the 113 employees it had at the end of 2018 to just 25 as of Monday. The data breach has been an instructive case of third-party risk. It's now also an instructive case of a cyberattack killing off an entire small business.

Dave Bittner: [00:13:06] The city council of suburban Riviera Beach, Fla., voted unanimously to pay ransomware extortionists $600,000 to recover city files. The AP reports that the town understands it's a crap shoot. Even paying may not get them their files back. WPTV points out that backups would have been cheaper. An expert the television station quotes put it this way. "Grandma has backups of her photos. Why does a city of this size not have backups?" He's got a point. We don't want to minimize the friction involved in such good practices as regular secure backup, but it's surely less trouble and far less expensive than finding 600 grand in bitcoin to fork over to some sleazy hood. On the side of Riviera Beach, well, it's in Palm Springs County, and it's got about 35,000 residents, which doesn't strike us as all that big, really. After all, Baltimore has more than 600,000 people living in it, and Charm City wasn't backing up its stuff either.

Dave Bittner: [00:14:10] And now a word from our sponsor ObserveIT. According to Cisco, over the course of 1 1/2 months, the typical suspicious insider can download 5,200 documents. Unfortunately, many ad hoc insider threat investigations can drag on for weeks or even months since it's tough to know exactly who did what when and why. Security analysts have to wade through a sea of event logs, many of which are completely irrelevant, to eventually discover the root cause of an incident. What if we told you that there's a way to investigate insider threat incidents faster? With ObserveIT's dedicated insider threat management platform, security teams can quickly find out the context into both the user and data activity behind an alert. Detailed user activity timelines and easily searchable metadata help you know the whole story on insider threats. Visit to try out ObserveIT's sandbox environment for yourself - no downloads or configuration required. That's And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:15:27] And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Institute, and he also hosts the ISC StormCast podcast. Johannes, it's always great to have you back. We wanted to discuss today some issues with DNS security. There's been some talk about DNS cookies and things like that, but you have some specific issues you wanted to address today.

Johannes Ullrich: [00:15:48] Yes. You probably have heard - and hell, you mentioned in your podcast a couple of times these sort of attacks against DNS recently, like these Sea Turtle attacks. What essentially happened is that an attacker got into companies' and organizations' DNS administrator's system and then changed DNS settings. Now, DNSSEC is often thrown around as sort of a cure against these problems, which, well, is actually not really true because if an attacker has access to your DNS admin system, they typically can also fix the DNSSEC records to match. And probably in the past, what it has been - that DNSSEC is sort of one of those great protocols. Actually, whoever designed DNSSEC did it just right from a security point of view. They first worried about security, then they worried about usability. And that's exactly DNSSEC's problem. It's very secure, but it's really difficult to use it correctly. The only way you really can use it in any practical means is usually if you just let your registrar worry about it, like GoDaddy, Google. They all have sort of a little checkbox, enable DNSSEC. All is good at this point, but DNSSEC really doesn't prevent a lot of real ongoing problems at this point.

Johannes Ullrich: [00:17:09] Now, to help with this a little bit, there is now a simpler feature that was added to DNS recently. And that really has been getting some support. For example, the latest version Ubuntu with its version of the BIND named server is supporting it, and that's DNS cookies. So not DNSSEC - instead, they're using these DNS cookies. Great thing about them - there's really nothing you have to configure. They're sort of just a checkbox you enable. They enable themself. They configure themself for the most part. And they really solve one big problem, and that's the spoofing of DNS queries. This is part of what DNSSEC tried to be a little bit about but really did a bad job about really doing - addressing the entire issue with DNS spoofing. So DNS cookies are really trying to prevent this particular attack and are doing a reasonably good job about this. So DNS cookies - very easy to implement. They're solving real problems - not as good as DNSSEC, but then again, you know, easy to implement.

Dave Bittner: [00:18:21] So for most people, would this be a good enough solution?

Johannes Ullrich: [00:18:25] That's really what this is about. It's good enough. And the other attack it really prevents is all these denial of service attacks that we have with DNS that rely on spoofed DNS queries. DNS cookies don't totally avoid these attacks, but at least they mitigate some of the effects of these attacks.

Dave Bittner: [00:18:47] All right. Interesting development. Johannes Ullrich, thanks for joining us.

Johannes Ullrich: [00:18:51] Thank you.

Dave Bittner: [00:18:56] And that's The CyberWire. Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at

Dave Bittner: [00:19:12] Thanks to all of our sponsors for making The CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at

Dave Bittner: [00:19:23] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Nick Veliky, Bennett Moe, John Petrik, Jennifer Eiben, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.