Warnings of Outlook exploitation, with a possible Iranian connection. GPS jamming in the Eastern Med. Satellite vulnerabilities. 505 errors. TA505’s new tactics. Content moderation updates.

Dave Bittner: [00:00:03] U.S. Cyber Command warns that an Outlook vulnerability is being actively exploited in the wild. Other sources see a connection with Iran. GPS signals are being jammed near Tel Aviv, and Russian electronic activity in Syria is suspected as the cause. But look at the consequences of satellite cyber vulnerabilities. The TA505 gang changes some of its tactics. Yesterday's brief internet outages are traced to a Cloudflare glitch. And Facebook and YouTube continue to grapple with content moderation. 

Dave Bittner: [00:00:41]  And now a word from our sponsor, Authentic8. Authentic8, the creators of Silo, now have an app called the Silo Research Toolbox that builds a separate isolated browser session. This allows researchers to collect information from the web without risk to their work network. With Silo Research Toolbox, researchers can go anywhere on the web and collect data without revealing their identity or exposing their resources. It runs, looks and is just as powerful as a local browser with none of the risk. The bottom line is that any website you visit on the open, deep or dark web will not know any details about you, your computer or your internet connection. Silo is built fresh at every start and is completely destroyed at the end. It never exposes your IP address and never carries any information with you from session to session. If you're required to keep your online investigations completely anonymous and safe from cyberthreats, consider checking out the Silo Research Toolbox at authentic8.com/cyberwire. That's authentic8.com/cyberwire. And we thank Authentic8 for sponsoring our show. 

Dave Bittner: [00:01:55]  Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com. 

Dave Bittner: [00:02:10]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 3, 2019. Yesterday afternoon, U.S. Cyber Command issued a warning that CVE-2017-11774, a Microsoft Office Outlook security bypass vulnerability publicly identified in 2017, is being actively exploited in the wild. Users who haven't yet patched for this bug are urged to do so. Cyber Command posted samples to VirusTotal, and researchers at Chronicle have connected the activity to Iran's APT33 and Shamoon2. 

Dave Bittner: [00:02:50]  Brandon Levene, head of applied intelligence at Chronicle, contacted us through a representative to explain. He said, quote, "the executables uploaded by CyberCom appear to be related to Shamoon2 activity, which took place around January of 2017. These executables are both downloaders that utilize PowerShell to load the PUPY RAT. Additionally, CyberCom uploaded three tools likely to be used for manipulation of exploited web servers. Each tool has a slightly different purpose, but there is a clear capability on the part of the attacker to interact with servers they may have compromised. If the observation of CVE-2017-11774 holds true, this sheds some new light on how the Shamoon attackers were able to compromise their targets. It was highly speculated that spearphishes were involved, but not a lot of information around the initial vectors was published," end quote. Chronicle says it's confirmed that Shamoon2 and APT33 exploited this particular vulnerability in 2018. But since the vulnerability is available and reliable, it's prudent to patch. 

Dave Bittner: [00:03:59]  Airline pilots say they've experienced weeks of GPS disruption around Tel Aviv. The International Federation of Airline Pilots' Associations reported the disruptions last week, and they've since been confirmed by other sources. C4ISRNET reports that Russian jamming is suspected. Israel doesn't appear to be the target but is instead collateral damage from Russian electronic warfare in neighboring Syria. 

Dave Bittner: [00:04:27]  Think tank Chatham House has published a study of NATO space-based strategic systems' vulnerability to cyberattack. NATO itself owns no satellites but rather uses space assets contributed by its member states, which inevitably complicates the cybersecurity task. Chatham House sees the problem fundamentally as one of trust. If the Atlantic Alliance comes to lose confidence in what its overhead surveillance systems are telling it, that would inevitably lead to misperception, mistrust of attribution and faulty crisis decision-making. 

Dave Bittner: [00:05:02]  The TA505 gang is back in the news. Proofpoint researchers have determined that TA505, the cybercriminal group responsible for the Locky ransomware and the Dridex banking Trojan is using a new downloader the researchers are calling AndroMut. The downloader exhibits code similarities to the venerable Andromeda malware family. AndroMut is being used to download the FlawedAmmyy remote access Trojan in at least two separate campaigns. The first campaign is targeting South Korean users, while the second is aimed at Singapore, the UAE and the U.S. Both campaigns use malicious Microsoft Office files as their infection vector, and they both seem to be focused on the banking industry. 

Dave Bittner: [00:05:47]  It's a fact of life these days that the websites we visit are likely full of a variety of third-party trackers, gathering information on who we are and what we do. These trackers can be an irresistible vector for malicious actors to make their way into your system. Avital Grushcovski is co-founder of security firm Source Defense. 

Avital Grushcovski: [00:06:09]  The use of third parties has always been common in websites. They're mainly used to create a personalized user experience on the one hand or to try and monetize off your website on the other hand to increase interaction, to measure your users' behavior, analytical tools and so on, even chat services. What we're definitely seeing - and I've seen that throughout the course of, basically, 15 years of a career in third parties - that the use is increasing drastically from year to year. 

Avital Grushcovski: [00:06:39]  The other interesting trend is that if - 10 years ago, you would never see what I would call a security-oriented organization using these third parties. For example, banks or credit card companies, even online stores, even e-commerce stores, they hardly used any third parties at all. Today even on the biggest banks and the most secure websites, you'll find anywhere between 12 and 25 third parties, even on the page where you log into the system and even past log-in, which is definitely a major change in the past five years or so. 

Dave Bittner: [00:07:16]  So where do the security issues come into play then? 

Avital Grushcovski: [00:07:20]  There's a very common misconception about third-party JavaScript more in the security area, less for R&D people. R&D people know this very well. The origin of JavaScript has no effect over the level of access that JavaScript has to the page. When you integrate these tools, you need to understand that when you place an analytics tool on the page, then that tool is only going to be triggered once the page is loaded in the browser. 

Avital Grushcovski: [00:07:45]  This means that this tool is triggering after all of the security layers the website is based have been concluded. The computer has already communicated to your website server. It's passed through your WAF, SSL, firewall and what not. But right now on the browser, it's calling the remote server completely outside of your security parameter. And that remote server is going to load JavaScript to your page. And that JavaScript can do everything your JavaScript. 

Avital Grushcovski: [00:08:13]  This means that the third-party JavaScript can change the content of the page. It can display messages to users. You know, it does that regularly. It can take the user to different pages. It can even record our keystrokes while we type in username, password, credit card information. But if you look at these companies - and I'm not saying these companies are, you know, misbehaving. 

Avital Grushcovski: [00:08:36]  But if you consider, for example, a bank - a bank has a fairly large security budget. A marketing company, on the other hand, does not. It might be easier hacking a marketing tool or an analytics tool or a chat service than hacking a bank. But once you've hacked those, you've actually hacked the entirety of their users. Instead of spending your time hacking a bank, going through a big effort, you can hack marketing tool that works with bank and hack 20 banks with less effort, which will be, obviously, much more lucrative. 

Dave Bittner: [00:09:10]  That's Avital Grushcovski from Source Defense. 

Dave Bittner: [00:09:14]  Cloudflare experienced another widespread outage yesterday morning U.S. Eastern Time. Cloudflare's CEO Matthew Prince tweeted that a massive spike in CPU usage caused primary and backup systems to fall over and that the issue has since been remediated. The company traced the 502 errors to a bad software deployment, which they pulled in order to restore service to normal. The problem lasted about half an hour. 

Dave Bittner: [00:09:43]  Riviera Beach, Fla., will pay extortionists $600,000 to recover files encrypted in a May ransomware attack. Local news station WPTV notes that this comes on top of the $1 million already allocated for remediation. 

Dave Bittner: [00:10:00]  Facebook shut down dozens of accounts that had been spreading malware via malicious links since 2014, according to Threatpost. A report by Checkpoint this week showed that the accounts were targeting people in Libya by impersonating Libyan figures and news pages. Checkpoint researchers tracked the operation back to a single person, who had been sharing the results of the malware campaign on a personal Facebook page, which included Libyan government documents, emails, phone numbers and photos of high-ranking Libyan officials' passports. It's not clear who the attacker is, whether they were acting alone or what their end goal was. The activity doesn't appear to support any particular political actor, but the researchers say the attacker's actions do seem to be motivated by political events. 

Dave Bittner: [00:10:46]  Facebook, which has recently been concerned to display its determination to moderate extremist content, has also come under criticism for being asleep at the switch with respect to medical information. The social network is moving to minimize the spread of misleading health information such as potentially risky miracle cures and pages pushing weight-loss pills. Facebook is tweaking its news feed algorithms to reduce the reach of pages, but it doesn't affect misleading information spread by personal accounts. TechCrunch points out that some multi-level marketing companies already require their workforce to promote their products on personal profiles in order to bypass such changes. And multi-level marketing campaigns are familiar sales channels for various alternative remedies, quack nostrums, implausible panaceas and so on. 

Dave Bittner: [00:11:35]  Unfortunately, as often happens when platforms try to scale and automate content moderation, Facebook is sweeping up a lot of good along with the bad and the ugly. Vice reports that Facebook is also screening out sites devoted to warning users of bad batches of drugs or that offer materials to test for the presence of fentanyls and other dangerous contaminants in street opioids. The algorithms aren't crazy. And despite what Vice might say, the situation isn't quite like the 1990s attempt to clean up the internet that mistook breast cancer research for impermissible adult content. But, surely, it's another instance of the moderation missing significant and not particularly subtle distinctions. 

Dave Bittner: [00:12:17]  YouTube is going through a similar problem. The platform has decided to restrict instructional hacking and phishing videos. They'll remove the content and send the poster an email. Three strikes, and your channel will be taken down. The policy has been poorly received by people working in information security. Big tech is willing to de-platform but it kicks back at liability, as may be seen in industry's reaction to the U.K.'s advancing duty of care. Perhaps the issue is this. The major social media platforms would like to have all the regulatory, legal and reputational advantages of publishers and common carriers with none of their respective disadvantages. In fairness to social media, governments and consumers sometimes seem to want the same thing, although perhaps in reverse - all the disadvantages and none of the advantages. 

Dave Bittner: [00:13:07]  ISIS online inspiration this week heavily features imagined attacks on New York and Washington during Independence Day, according to multiple reports. It's always difficult to assess the seriousness of such material, but there's little room for serious doubt about their intention. Do stay alert over the long weekend. 

Dave Bittner: [00:13:26]  Speaking of the long weekend, we here at the CyberWire will be taking the next few days off to celebrate Independence Day or as we like to call it Amexit. We'll be back on Monday. And remember. If you insist on demonstrating your patriotism by playing with dangerous explosives, keep in mind that the fingers you lose may be the ones used to unlock your mobile device. Be safe. 

Dave Bittner: [00:13:54]  And now a word from our sponsor, Edgewise. The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center. But traditional microsegmentation is too complex and time-consuming and offers limited value that's hard to measure. There's a better approach - Edgewise Zero Trust Auto-Segmentation. Edgewise is impossibly simple microsegmentation in one click, delivering results immediately with a security outcome that's provable and management that's zero-touch. At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications. Edgewise protects any application in any environment without any architectural changes. They provide measurable improvement by quantifying attack path risk reduction and demonstrate isolation between critical services so that your application can't be breached. Learn more at edgewise.net/cyberwire. That's edgewise.net/cyberwire. And we thank Edgewise for sponsoring our show. 

Dave Bittner: [00:15:21]  And joining me once again is Mike Benjamin. He's senior director of threat research at CenturyLink's Black Lotus Labs. Mike, it's great to have you back. I wanted to touch base with you today and get an update on what you all are tracking there with Emotet. First of all, give us an overview. For those who might not be familiar with Emotet, what are we talking about here? 

Mike Benjamin: [00:15:40]  Yeah, thanks, Dave. Emotet's a malware family that's been around for a few years now. There's a number of teams that have been tracking it. And it started out primarily as a banking Trojan, but it's evolved into a pretty pervasive distribution channel for malicious emails of all types. And one of the things that it does is deliver secondary payloads. We've seen it deliver other malware families such as - TrickBot's been one of the more popular ones. It's particularly interesting because it uses a hierarchical command and control model. And so while not extremely rare, it calls back to a first tier of C2s. These are the ones that if you were to sniff your network traffic, you would see the malware talking to. And those devices simply proxy the connection back to a second tier. 

Mike Benjamin: [00:16:27]  Now, for most malware defenders, that's a pretty difficult thing to find. Thanks to our network data, we're able to track those pretty quickly. And the actors have just recently evolved yet again and added another tier into that hierarchy. And what they've done is they've started to use actual infected endpoints - so Windows computers running the malware as another proxy in that chain. And so what another infected endpoint will do is it will call out actually to a - what we're calling a bot C2. The bot C2 will proxy it to that original Tier 1 C2, which was typically a infected - or I shouldn't say infected - a hacked Linux machine. And then that will proxy it back to the final Tier 2. And they're doing this to drive, you know, further difficulty in takedown as well as finding that Tier 2 C2. 

Dave Bittner: [00:17:20]  Now, I guess this adds some complexity on their end. I suppose it sounds like they're managing it. 

Mike Benjamin: [00:17:25]  Yeah, absolutely. And the folks behind Emotet - what you'll see is that they're very regimented in terms of how they update and how they shift behavior. On a very regular basis, they change the PowerShell obfuscation method they use. So like many malware families today, they use a Microsoft Office document with a PowerShell execution out of it through a macro. That will execute on the machine. And so early on, many folks realized they could write host-level signatures for the PowerShell code. Well, the actors realized, I'll just change that periodically, and so they're very good at that. They also change the RSA keys they use for the command and control mechanism about once a month. And the WordPress sites that they hack in order to actually do the final delivery of the malware change practically every day. 

Dave Bittner: [00:18:13]  Well, so given these factors about the folks who are running this, I mean, what are your recommendations for people to protect themselves against them? 

Mike Benjamin: [00:18:20]  The interesting thing here about the bot C2 - that now we have people that might be home users, could be businesses, actually participating in the structure of the botnet. That's not very common. And so the way that they do that is they actually included a module that uses UPnP to dynamically open an external port on the router within the environment. So first recommendation - don't leave UPnP enabled. If you do, restrict it to the host that you actually want to be using it. But in terms of the actual infections, we're back to the blocking and tackling that many malware families have, which is Microsoft Office document dropping PowerShell. Don't enable the macros. Don't click on them. And then monitor an environment to look for that chain of events. Is Microsoft Office programs executing PowerShell? That's got to be a very rare thing in most environments, if it should exist at all. 

Dave Bittner: [00:19:13]  All right. Well, thanks for the update, of course. Mike Benjamin, thanks for joining us. 

Dave Bittner: [00:19:22]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:35]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.