Notes on a reported US cyberattack against Iran. A look at “Secondary Infektion.” And some cases of cyber stalking.

Dave Bittner: [00:00:03] The U.S. is said to have conducted cyberattacks against Iranian targets related to recent Iranian moves in the Gulf. These cyber operations are also said to have been a covert alternative to conventional military strikes. The Atlantic Council describes Secondary Infektion, a Russian disinformation campaign that begins obscurely, then depends upon amplification. I dig into the details of BlueKeep with Joe Carrigan. And a case of cyberstalking in Minnesota goes to court.

Dave Bittner: [00:00:39] And now a few words from our sponsor, KnowBe4. Everyone knows that multifactor authentication, or MFA, is more secure than a simple login name and password. But too many people think that MFA is a perfect, un-hackable solution. It isn't. Learn from Roger Grimes, KnowBe4's data-driven defense evangelist, in an on-demand webinar, where he'll explore 12 ways hackers can and do get around your favorite MFA solution. The webinar includes a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick and real-life successful examples of every attack type. It will end by telling you how to better defend your MFA solution so that you get maximum benefit and security. Go to knowbe4.com/mfa to watch the webinar. That's knowbe4.com/mfa. And we thank KnowBe4 for sponsoring our show.

Dave Bittner: [00:01:53] Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.

Dave Bittner: [00:01:55] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 24, 2019.

Dave Bittner: [00:02:03] U.S. Cyber Command is said to have conducted offensive operations against Iranian targets as a reprisal for Tehran's attacks on commercial shipping in the Gulf of Oman and for the shootdown of a U.S. Global Hawk unmanned drone. Yahoo, which broke the story late Friday, said the attacks were directed against an Iranian intelligence unit responsible for supporting attacks against shipping by tracking tanker traffic. Thus, the retaliation would be tuned to the attacks on shipping. The specific Iranian agency was unnamed, but it's said to be associated with the Revolutionary Guard.

Dave Bittner: [00:02:39] On Saturday, The Washington Post was more specific about the alleged U.S. cyberattack, reporting that U.S. Cyber Command had disabled Iranian rocket and missile launch control systems in the region, which, if true, would suggest a direct response to the Global Hawk shootdown, as opposed to the attacks on tankers.

Dave Bittner: [00:02:58] The New York Times' sources tell it that Cyber Command hit both the intelligence unit that supported the tanker attacks and missile launch systems, so the U.S. retaliation may have been tuned to both the recent Iranian actions. The cyberattack was, a source says, approved by President Trump.

Dave Bittner: [00:03:18] The reports are all sourced to at least three anonymous sources said to be U.S. officials who spoke on condition of anonymity because they were not authorized to comment publicly. It's worth noting that this doesn't necessarily mean they were leakers, since comment on background might have been authorized. In any case, the story is still developing, and all reports should be received with a degree of circumspection.

Dave Bittner: [00:03:42] How a missile launch system or a missile control system might be susceptible to cyberattack is by no means as obvious as the reporting seems to assume. Some shorter-range air defense missiles and a much larger number of surface-to-surface missiles are as difficult to hack as a rifle bullet. But if a missile depended upon communication with a ground station for guidance, and many medium- and longer-range systems do, then it might be more vulnerable than a weapon whose guidance was self-contained. The Iranian system may use such communication.

Dave Bittner: [00:04:16] Iran says the system used to knock down the drone was a Khordad missile defense system that Iran says can detect targets at ranges of 150 kilometers, track them at 120 kilometers and engage them at 85 kilometers. The interception is a Sayyad-3 missile, thought to have been developed from the American SM-1, Standard Missile, which Iran received during the days of the Shah. How networked and vulnerable the Khordad system might be is controversial; until recently, there had been doubts that the system was even a real weapon, as opposed to a Potemkin system built for PR consumption. But the claim that the system was interfered with in some way is at least plausible.

Dave Bittner: [00:04:59] The RQ-4 that Iran shot down was, by the way, a U.S. Navy drone, not an Air Force asset, as some early reports had it. U.S. Central Command and the U.S. Navy have referred inquiries to U.S. Cyber Command, which has declined to comment for reasons of operational security. Iran has promised a firm response to any U.S. aggression. Tehran also claims that the U.S. did, indeed, attempt a cyberattack but that the attack failed. We stress again that this story is still developing.

Dave Bittner: [00:05:31] Also on Saturday, the U.S. Cybersecurity and Infrastructure Security Agency, CISA, warned that Iran has increased the tempo of its cyberattacks against U.S. targets. CISA warned, in particular, that Iran could be expected to engage in wiper attacks. These gain access to target networks through familiar criminal methods, particularly phishing, password spraying and credential stuffing, but their aim is data destruction, not theft. The Shamoon attack against Saudi Aramco in 2012, widely attributed to Iran, was an example of a wiper attack. CISA has collected advice for staying safe in the face of such threats on their website. It's good advice any time, not just during periods of heightened alert, so it's worth a visit.

Dave Bittner: [00:06:17] The Atlantic Council's Digital Forensic Research Laboratory, the DFRL, has a report out on a Russian disinformation campaign. They're calling the campaign Secondary Infektion, after the late Soviet-era Operation Infektion, which published the disinformation that AIDS was a U.S. bio-war project, which of course it wasn't and isn't. Secondary Infektion's goal appears to be the now customary ones of inducing mistrust and division along various cultural fault lines.

Dave Bittner: [00:06:49] Secondary Infektion is interesting in that it began by placing stories in obscure corners of the internet's hinterlands, which are then amplified through Facebook accounts and, ultimately, in the state media outlet RT. The DFRL acknowledges that it doesn't have access to Facebook's back-end data, but they attribute Secondary Infektion to Russian actors on circumstantial contextual and linguistic grounds. Patching for BlueKeep seems to be up. It appears that users of affected Microsoft products may finally be heeding the many warnings from Microsoft, CISA, NSA and others.

Dave Bittner: [00:07:28] A police officer in Minnesota has been awarded $585,000 in a lawsuit against the City of Minneapolis and two of her police colleagues, who were among dozens of officers who had been improperly accessing her department of motor vehicles records, a violation of the state's Drivers Privacy Protection Act. The snooping was apparently creepily motiveless - cyberstalking for the lulz.

Dave Bittner: [00:07:54] Unfortunately, we end with a very sad story. How far motiveless - indeed, even anonymous malice can go was tragically on display recently, where a catfish working from Indiana allegedly induced a teenager in Alaska to kill a friend and send the catfisher a report on the murder. According to reports by the Anchorage Daily News, the alleged catfish is one Darin Schilmiller, a 21-year-old living in New Salisbury, Ind., who presented himself as a millionaire named Tyler from Kansas.

Dave Bittner: [00:08:27] Schilmiller is said to have cultivated an online relationship with 18-year-old Denali Brehmer and allegedly induced her to send him texts describing abuse of minors. Authorities say he then combined blackmail with an offer of $9 million to get Brehmer to commit a murder for him. Any murder apparently would do. Schilmiller, remember, was out of Indiana, had nothing but an online connection with Brehmer or any of Brehmer's acquaintances. But he's nonetheless said to have guided the selection of the victim. Brehmer allegedly recruited three other teenagers to help her murder Cynthia Hoffman.

Dave Bittner: [00:09:04] Authorities say Schilmiller told them he and Brehmer had been planning a murder for about three weeks. Hoffman, described as a trusting young woman whose learning disabilities rendered her developmentally younger than her 19 years, had considered Brehmer her best friend. An Anchorage grand jury indicted the six young people involved on June 14. They're charged with murder in the first degree, conspiracy to commit murder and murder in the second degree. Brehmer and Schilmiller have also been charged with an additional count of solicitation to commit murder.

Dave Bittner: [00:09:40] We've said alleged a lot in describing this story, but one thing is certain and not at all alleged; poor Cynthia Hoffman was shot dead and then abandoned near the Eklutna River. She wanted friends, thought her friend Brehmer was cool and was looking forward to getting her learner's driver's permit soon. The story is unbelievably heartbreaking, and our hearts go out to the Hoffman family. And should you see anyone sliding into the kind of malign digital world Brehmer and Schilmiller apparently inhabited, please do what you can to pull them out of it.

Dave Bittner: [00:10:19] And now a few words from our sponsor Dragos, the leaders in industrial cybersecurity technology. Threats to industrial organizations are proliferating. As Dragos recently identified, the most dangerous threat to ICS, XENOTIME, the activity group behind TRISIS, has expanded its targeting beyond oil and gas -- illustrating a trend that will likely continue for other ICS-targeting adversaries. Learn more about the eight public threat activity groups Dragos tracks at dragos.com/adversaries and how taking an intelligence-driven approach to ICS security is the most comprehensive defensive strategy to combat industrial adversaries. To register for a free 30-day trial of Dragos' ICS threat intelligence, visit dragos.com/worldview. And we thank Dragos for sponsoring our show.

Dave Bittner: [00:11:21] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. Joe, it's great to have you back.

Joe Carrigan: [00:11:30] (As HAL 9000) Hello, Dave.

Dave Bittner: [00:11:31] (Laughter).

Joe Carrigan: [00:11:32] I was listening last week (laughter).

Dave Bittner: [00:11:34] Yeah. OK, about "2001."

Joe Carrigan: [00:11:35] Right.

Dave Bittner: [00:11:36] You're going to give me a hard time about "2001."

Joe Carrigan: [00:11:38] No, I just think it was - it's awesome that you had that sound on your computer that said, I'm sorry, Dave. I can't do that for you.

Dave Bittner: [00:11:43] Yeah (laughter).

Joe Carrigan: [00:11:45] I wish there was something as cool for guys named Joe.

Dave Bittner: [00:11:47] Yeah. Well...

Joe Carrigan: [00:11:48] But there isn't.

Dave Bittner: [00:11:48] ...There isn't. So there you go.

Joe Carrigan: [00:11:51] (Laughter).

Dave Bittner: [00:11:51] So I want to dig in today and talk to you about BlueKeep. It seems as though it's getting escalating attention.

Joe Carrigan: [00:11:58] Yes.

Dave Bittner: [00:11:58] Like, this is...

Joe Carrigan: [00:11:58] As well it should be, actually.

Dave Bittner: [00:12:00] OK. So what do we need to know here?

Joe Carrigan: [00:12:02] So last week, the Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security, issued an alert for this. So what is BlueKeep. It's a vulnerability in the Remote Desktop Protocol of older versions of the Windows operating system. So for user OS's, it's Windows XP, Windows 2000, Vista and 7.

Dave Bittner: [00:12:22] OK.

Joe Carrigan: [00:12:22] So 8 and 10 are not vulnerable. For servers, it's server 2003 and 2008, both the base versions and the R2 versions.

Dave Bittner: [00:12:31] OK.

Joe Carrigan: [00:12:31] OK?

Dave Bittner: [00:12:32] And RDP was used for what?

Joe Carrigan: [00:12:33] Is Remote Desktop Protocol - so if you want to connect to a Windows machine like you're sitting at the Windows machine but you don't want to physically get up and go to the Windows machine, you use RDP.

Dave Bittner: [00:12:44] So I could use this to log into my work computer from home or log into...

Joe Carrigan: [00:12:48] Right.

Dave Bittner: [00:12:48] ...A different machine where I work...

Joe Carrigan: [00:12:50] Yep, yep.

Dave Bittner: [00:12:50] ...And not have to actually be sitting in front of it.

Joe Carrigan: [00:12:52] And that's really what it's used for. It's used for systems administrators because if you have to go down to the server room every time you have to make a change to a server or add a user or change something, that's a lot of time.

Dave Bittner: [00:13:02] You get a lot of exercise.

Joe Carrigan: [00:13:03] Right, right. So...

Dave Bittner: [00:13:04] OK.

Joe Carrigan: [00:13:04] System administrators are like programmers; we don't like to move. So...

Dave Bittner: [00:13:09] (Laughter) OK.

Joe Carrigan: [00:13:09] So RDP is there to solve that problem.

Dave Bittner: [00:13:11] Right.

Joe Carrigan: [00:13:11] This vulnerability, which is so severe that Microsoft saw fit to issue a patch for Windows XP, which - it end-of-lifed over five years ago.

Dave Bittner: [00:13:19] Yeah.

Joe Carrigan: [00:13:20] OK? But there are still people out there using it. Don't know if that has anything to do with how easy it is to fix it and issue the patch, but I tend to think it has more to do with the severity of this issue.

Dave Bittner: [00:13:29] OK.

Joe Carrigan: [00:13:29] So if somebody exploits this vulnerability, they can do just about anything. They can add accounts with full user rights. So if there is a computer with RDP open to the internet, an attacker can just add a new account and then go in and log into that account as an administrator...

Dave Bittner: [00:13:44] Oh, OK.

Joe Carrigan: [00:13:45] ...Right? - and just take full control of it. They can also view, change and delete data and also install programs.

Dave Bittner: [00:13:52] So yeah. So they own the machine.

Joe Carrigan: [00:13:54] Right. It requires no user interaction, which is why BlueKeep is considered to be "wormable." I put quotes around wormable. Basically, what that means is it's possible to write a program that infects one system. And once it infects that system, it looks around for other systems to infect and then goes off and infects that system.

Dave Bittner: [00:14:13] So lateral movement within a network.

Joe Carrigan: [00:14:16] Or lateral movement across - or just...

Dave Bittner: [00:14:17] Across the internet.

Joe Carrigan: [00:14:18] ...Across the internet. Right?

Dave Bittner: [00:14:19] I see.

Joe Carrigan: [00:14:19] That's how this is going to spread. And it is going to spread fast once one of these worms is developed. And that's really bad news. This is something we've seen before, right? The EternalBlue vulnerability allowed the same kind of thing to happen with WannaCry and NotPetya. That's how those ransomware packages spread...

Dave Bittner: [00:14:36] Right, right.

Joe Carrigan: [00:14:36] ...Was using another vulnerability called EternalBlue. And I like the way - how they're all using the word blue in them. That makes it really easy to differentiate them in your head.

Dave Bittner: [00:14:43] (Laughter) Yeah.

Joe Carrigan: [00:14:45] I think we should come up with a better scheme...

Dave Bittner: [00:14:47] Yeah.

Joe Carrigan: [00:14:47] ...For naming these things.

Dave Bittner: [00:14:48] What are we talking about in terms of the timeline here?

Joe Carrigan: [00:14:50] This vulnerability was announced on May 14, which was the same day that Microsoft released a patch for it.

Dave Bittner: [00:14:56] OK.

Joe Carrigan: [00:14:56] So it looks like somebody found the vulnerability, disclosed it to Microsoft. And then Microsoft said, we're going to develop a patch for this, and now that we have the patch released, go ahead and announce the vulnerability.

Dave Bittner: [00:15:06] Right.

Joe Carrigan: [00:15:06] What's interesting is, later in May, we started seeing tons of scans coming out looking for RDP ports open on computers on the internet from Tor nodes.

Dave Bittner: [00:15:18] OK.

Joe Carrigan: [00:15:18] Right? Now, Tor is an anonymizing network.

Dave Bittner: [00:15:20] Right.

Joe Carrigan: [00:15:21] So there's somebody operating in that network that is looking for RDP hosts. So they probably don't have an exploit ready for it yet.

Dave Bittner: [00:15:32] Right.

Joe Carrigan: [00:15:32] Right? But they're building up their list of places to go once they have that exploit and that software written. And if I were going to do this, I would make that list available to the software somehow. I'm not going to waste time scanning for machines with RDP open. I'm just going to go through the list that I know that these are open.

Dave Bittner: [00:15:49] Yeah.

Joe Carrigan: [00:15:49] I've done the research, in other words.

Dave Bittner: [00:15:50] Yeah, sure - makes sense.

Joe Carrigan: [00:15:52] Then we start seeing some people who have proof-of-concept exploits. They don't have any payloads in them, but they're out there. There's even a GitHub repository that has it. And then the NSA issues an advisory on June 4 to install the patch.

Dave Bittner: [00:16:03] Yeah. So sort of the NSA weighing in and saying, hey, guys, this is serious...

Joe Carrigan: [00:16:08] Right. Yeah.

Dave Bittner: [00:16:10] ...Don't - you know, have at it.

Joe Carrigan: [00:16:10] So the NSA comes out and says patch this system. The CISA comes out and says patch this - patch your systems. I'm going to go ahead and say patch your system.

Dave Bittner: [00:16:22] (Laughter) You're going to go out on a limb here, Joe? Yeah, yeah.

Joe Carrigan: [00:16:23] I'm going - yeah, that's right. It's a real risky position.

Dave Bittner: [00:16:25] Right, exactly. Oh, boy.

Joe Carrigan: [00:16:27] Now, there are other things you can do if you can't patch the system, right? You can update the end-of-life operating system to a new operating system - Windows 10...

Dave Bittner: [00:16:36] Yeah.

Joe Carrigan: [00:16:37] ...Or a newer version of Server, like '12.

Dave Bittner: [00:16:39] Yeah.

Joe Carrigan: [00:16:39] 2012.

Dave Bittner: [00:16:40] Yeah, yeah. But not everybody can do that, right? I mean, you have legacy systems that run on Windows XP, and they run on Windows XP. And that's it.

Joe Carrigan: [00:16:47] Right, yeah. A lot of medical devices that were bought 20 years ago that are still viable medical devices, the operating system on those computers that runs those things is Windows XP.

Dave Bittner: [00:16:57] Yeah.

Joe Carrigan: [00:16:57] And if those things have RDP enabled, they are vulnerable to this attack.

Dave Bittner: [00:17:01] Yeah.

Joe Carrigan: [00:17:02] You can disable the unnecessary services. If you just disable RDP, then you've solved the problem. Right? That kind of mitigates it. You can enable Network Level Authentication...

Dave Bittner: [00:17:12] OK.

Joe Carrigan: [00:17:12] ...Because this attack only works on unauthenticated sessions. But if you have to authenticate, it won't work.

Dave Bittner: [00:17:18] OK.

Joe Carrigan: [00:17:19] And the last bit of advice in the update from CISA is blocking the port at the firewall.

Dave Bittner: [00:17:25] Oh, OK.

Joe Carrigan: [00:17:25] OK? That prevents legitimate connections to RDP, though, and it doesn't prevent lateral movement from inside the network. Right? So it's not really a good solution.

Dave Bittner: [00:17:37] OK.

Joe Carrigan: [00:17:37] The best solution is to patch - is to patch or upgrade.

Dave Bittner: [00:17:40] Yeah, yeah. All right. Well, I think - it's safe to say this is one that deserves people's attention.

Joe Carrigan: [00:17:45] It absolutely deserves attention.

Dave Bittner: [00:17:47] Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:17:48] It's my pleasure.

Dave Bittner: [00:17:53] And that's the CyberWire. Thanks to all of our sponsors for making The CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:18:06] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.

Dave Bittner: [00:18:35] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Nick Veliky, Bennett Moe, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.