Dave Bittner: [00:00:03] Bellingcat gets a look-in from the Bears. Magecart card-skimming code's been found in bogus domains. The MyDoom worm remains active in the wild 15 years after it first surfaced. Election security threats - the U.S. Coast Guard says the malware that hit a container ship off New York earlier this year was Emotet. Marcus Hutchins gets time served - fresh concerns about digital assistance and privacy. And, yes, you do owe taxes on those alt-coins.
Dave Bittner: [00:00:37] Now I'd like to share some words about our sponsor Akamai. You're familiar with cloud security, but what about security at the edge? With the world's only intelligent edge platform, Akamai stops attacks at the edge before they reach your apps, infrastructure and people. Their visibility into 178 billion attacks per day means that Akamai stays ahead of the latest threats, including responding to zero-day vulnerabilities. With 24/7/365 security operations center support around the globe and over 300 security experts in-house, Akamai surrounds and protects your users wherever they are - at the core, in the cloud or at the edge. If you're going to Black Hat USA this year, visit Akamai at booth 1522 to take part in their crack the code challenge. Akamai - intelligent security starts at the edge. Learn more at Akamai - that's akamai.com/security. And we thank Akamai for sponsoring our show.
Dave Bittner: [00:01:42] Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.
Dave Bittner: [00:01:57] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 29, 2019. Bellingcat, the investigative group that's long followed the activities of Russian security and intelligence services, says its ProtonMail accounts were subjected to a hacking attempt by Russia's military intelligence service, the GRU. ProtonMail says it successfully blocked the attempts. An increased Russian op-tempo may be expected in cyberspace, especially given recent civil unrest in Moscow.
Dave Bittner: [00:02:31] Researchers at Sucuri have found Magecart card-skimming script in faked Google domains. The skimmer supports theft on several payment gateways.
Dave Bittner: [00:02:42] Palo Alto Networks' Unit 42 reports that MyDoom, the old worm that surfaced in 2004, is still out and actively used in phishing campaigns. Its persistence is due in part to its self-sufficiency and to its aggressive utility.
Dave Bittner: [00:02:59] KrebsOnSecurity calls it the unsexy threat to election security. It's the prospect that election officials might have their social media or email accounts spoofed or hijacked to spread disinformation immediately before, during and immediately after voting. A civil grand jury in San Mateo County, Calif., the western part of Silicon Valley, warned that hijacked or spoofed accounts could be used to suppress voting by distributing misinformation about polling or could be used to excite conflict with false reports of results. Thus, argues the report rendered by the California Superior Court for the county of San Mateo, securing the email and social media accounts of election officials shouldn't be overlooked. Secure voting machines by all means, but don't neglect the meta-electoral role that official electronic communications play.
Dave Bittner: [00:03:50] The U.S. Coast Guard, last week, released further details on a cyberattack that hit a merchant vessel inbound for the Port of New York and New Jersey. The Wall Street Journal says the malware involved was an Emotet variant. The deep-draught container ship, U.S.-flagged, reported a pervasive infestation of its internal network. The vessel itself was probably not the target. And the opportunistic infection, the Coast Guard said, was permitted by slipshod shipboard IT practices.
Dave Bittner: [00:04:20] Marcus Hutchins, the accidental hero of WannaCry and the deliberate villain of the Kronos banking Trojan, has been sentenced to time served and a year of supervised release for charges related to developing and selling Kronos. The presiding judge cited Hutchins' youth and apparent reform when he passed sentence. Hutchins will return to the U.K. and will be unlikely to be permitted back into the U.S., at least not for some time. Hutchins himself tweeted thanks to the many who supported him and expressed his gratitude to the judge for leniency and understanding. Some are surprised by the light sentence, as Kronos was neither a prank nor a tool for victimless criminality. It was a banking Trojan.
Dave Bittner: [00:05:04] Content moderation at YouTube, Facebook and Twitter is largely done in a very labor-intensive fashion. Artificial intelligence remains, relatively speaking, in its infancy. And training AI inevitably requires extensive and detailed human curation. The pressure to moderate internet traffic, often motivated by well-intentioned concerns about radicalization, criminal conspiracy and abuse, will continue to drive more intense inspection of online content. Wired reports that Facebook alumnus Alex Stamos, now at the Stanford Cyber Policy Center, for example, is establishing the Stanford Internet Observatory, a SETI-like data-collection and analysis platform, except that unlike SETI, it's not looking for alien life. Instead, it's designed to ferret out the dangerous or otherwise objectionable stuff that crosses the web. The Observatory seeks access to the data all the major online platforms collect.
Dave Bittner: [00:06:00] Implementing a comprehensive threat intelligence program for your organization may seem daunting with countless information feeds available and many third-party providers offering their own customized threat intelligence products. Tom Hegel is a security researcher with AT&T Alien Labs, and he offers these insights.
Tom Hegel: [00:06:19] Threat intelligence has really kind of evolved quite a lot over the last 10 - five, 10 years at least. Things have changed quickly. And in the private industry - information security industry - we've really kind of taken threat intelligence - the approach and methodology of that. A lot of it has come from the government side or the military side of, you know, the threat actor and adversary-tracking type of world. Today modern threat intelligence tends to be a bit of cyberthreat intelligence with indicators and context and so forth. You know, when you think of threat intelligence, it really kind of comes down to indicators of compromise, tracking adversaries that are relevant to your organization and any sort of context around that.
Dave Bittner: [00:07:07] And how does it differ for most folks when it comes to actually consuming, you know, actionable threat intelligence versus plain old feeds?
Tom Hegel: [00:07:16] Yeah, absolutely. Feeds tend to lack a lot of the context that would be considered true threat intelligence. For example, if I just give you a feed of bad file hashes or bad domains, that doesn't give you or the consumer any context to why it's bad. Should I be concerned of maybe the confidence or severity of that? Threat intelligence is really that context and knowledge that sits on top of it all. A comparison would be feeds up against a finished intelligence report with all the context, including that it was coming from this actor. It's relevant to these organizations, and maybe even, this is how you would respond to it. So feeds are kind of what was like an early concept of threat intelligence and still today is almost an immature view at threat intelligence. Nowadays, we want to look at, you know, finished intelligence in some fashion with all of that context on top of it.
Dave Bittner: [00:08:11] Now, in terms of organizations engaging with this and making sure that the investments they're making in it are providing a good return, what advice do you have there?
Tom Hegel: [00:08:21] Yeah - you know, really kind of comes down to - initially, when you build the program around intaking or, in some cases, producing threat intelligence, you have to really know why and where to consume and how to benefit from it most. So if your provider of threat intelligence is supplying information that you are not able to even consume yet as a security program internally, well, you're not going to get the value that, you know, you're paying for. So you need to prepare to understand exactly how to benefit from it most. That includes things like confirming intake capability, you know, such as integrating with your other security platforms inside your organization and then the ability to even respond to threat intelligence actions placed inside your network. You know, if you trigger one of those bad domains from some APT group out there inside your network, do you have the skill sets, the processes or even the technical capability to respond to that?
Tom Hegel: [00:09:20] So you need to kind of get some foothold before you start to intake threat intelligence. And there's a lot of stuff that you should be trying to knock out before you start taking in and focusing on threat intelligence on these advanced actor groups or anything like that. You know, we should try and focus on, first, knocking out some of the almost base lines of information security programs that are kind of standard nowadays, such as antivirus or access-control basics and things like that, before you really start to take into account threat intelligence benefits.
Dave Bittner: [00:09:54] Yeah. It seems to me like there's a potential there for folks to become overwhelmed by the information that comes at them.
Tom Hegel: [00:10:02] Oh, absolutely. And that's one of those key pieces that really is necessary for that planning process is determining what's relevant and, you know, focus on the highest-value pieces of threat intelligence; something that has the most likelihood to occur and has the greatest potential impact against your organization. You know, you don't really want to try and intake every piece of threat intelligence out in the world just to get started. Perhaps it's a good time to first focus on things that are relevant to your industry or maybe your location in the world or the type of business you do with certain customers. That'll help focus you on certain threat adversaries that, you know, may be most likely to go after your organization. So, you know, in that case, you're producing those value right from the start without having to distract and take away too many resources from your program.
Dave Bittner: [00:10:54] That's Tom Hegel from AT&T Alien Labs.
Dave Bittner: [00:10:59] The Guardian reports that Apple contractors regularly hear stuff people would rather keep private. The report lists medical discussions, drug deals and conversations and other sounds of shared intimacy as figuring in the material those human contract trainers - human helpers, as Apple calls them - use to improve Siri's performance. 9-to-5 Mac reports Apple's response - Cupertino explains that such material, quote, "is used to help Siri and dictation understand you better and recognize what you say," end quote. The International Business Times says that Apple intends to take its case to the public through a PR campaign.
Dave Bittner: [00:11:39] And finally, it's alt-coin, so no income tax, right? Has that occurred to you? - probably not because you're conscientious, prudent and law-abiding, always erring on the side of good citizenship. But we're pretty sure that thought has crossed more than a few minds. Among the minds are those over at the United States Internal Revenue Service. The IRS is reminding cryptocurrency users that, yes, money they earn in the form of alt-coin is, indeed, subject to taxation just like regular coin. The IRS has sent out about 10,000 letters to people whose responsibility to alt-render unto Uncle Sam may have slipped their minds, CNBC reports. We expect the next wave of scam phone calls to be from the IRS police, telling us that our Social Security has been compromised and offering us the chance to make the IRS whole with a credit card payment over the phone. That will be hooey and malarkey, something you say to fetch them in Arkansas. But the taxability of cryptocurrency gains is very real.
Dave Bittner: [00:12:47] And now a message from our sponsor ObserveIT.
Unidentified Person: [00:12:52] Great party, huh?
Dave Bittner: [00:12:54] Yeah. Yeah, great party. Could you excuse me for just a moment? Hey, you. What are you doing? What? Oh, no - looks like another insider got into our systems when we weren't looking. I am going to be in so much trouble with the boss.
Unidentified Person: [00:13:13] Did someone say trouble? I bet I can help.
Dave Bittner: [00:13:16] Who are you?
Unidentified Person: [00:13:17] To catch insider threats, you need complete visibility into risky user activity. Here - I'll show you how ObserveIT works.
Dave Bittner: [00:13:24] Wow. Now I can see what happened before, during and after the incident, and I'll be able to investigate in minutes. It used to take me days to do this.
Unidentified Person: [00:13:34] Exactly. Now, if you'll excuse me, I think there's a cocktail over there with my name on it.
Dave Bittner: [00:13:40] But wait - what's your name? Oh, well. Thanks, ObserveIT - and whoever she is. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. Get your free trial at observeit.com/cyberwire. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security institute, also my co-host over on the "Hacking Humans" podcast. Joe, great to have you back.
Joe Carrigan: [00:14:16] It's good to be back, Dave.
Dave Bittner: [00:14:17] Article over on ZDNet. This is written by Catalin Cimpanu for Zero Day, and the title is "U.S. Company Selling Weaponized BlueKeep Exploit." Describe to us what's going on here.
Joe Carrigan: [00:14:28] So last time we talked, we were talking about there's a proof of concept exploit out there that wasn't actually a real exploit, just a demonstration of the vulnerability. Since then, a couple of things have happened. One, there's been a slide deck released about how you could exploit BlueKeep in the wild.
Dave Bittner: [00:14:46] Right.
Joe Carrigan: [00:14:46] And additionally, just like you said earlier, Immunity is now selling an exploit. This is a penetration testing kit that contractors will use to test somebody's network and to find the vulnerabilities in it.
Dave Bittner: [00:14:58] And so by having this functional exploit in their database, that allows them to do a better job of that?
Joe Carrigan: [00:15:06] Right, right. It is only a matter of time, and when I say a matter of time, I mean weeks before this is available in the Metasploit framework for anybody to download. It's going to be out there. So we've talked about this before, about how important patching is on these systems that are vulnerable to it. Microsoft has come out and actually released a patch for this, even going back to XP, which is an unsupported operating system anymore. And the NSA has come out and said that patching this vulnerability is critical. You have to do it because these things are going to start getting exploited.
Dave Bittner: [00:15:37] And the folks at Immunity have said that their version of this tool is not self-propagating. It's not a worm.
Joe Carrigan: [00:15:45] Right. I don't fault Immunity for coming out with this exploit. Your customer base are people that have very specific instructions from companies on what they can and cannot attack.
Dave Bittner: [00:15:57] I guess I can't help wondering - you know, we've seen that folks are out there scanning the internet to look for systems that are likely vulnerable to BlueKeep. So...
Joe Carrigan: [00:16:07] Right, right. They've been scanning coming out of Tor nodes.
Dave Bittner: [00:16:09] Right. So why not just do that? Why not just scan your customers - in other words, I'm the pen tester. Why not just scan for the vulnerability rather than having the actual active exploit? What is that - is that just another level of verification?
Joe Carrigan: [00:16:25] Well, in the course of a penetration test, you're trying to get network access, and you might be looking for places and ways that you can elevate your privileges, right?
Dave Bittner: [00:16:33] Right.
Joe Carrigan: [00:16:34] If, as a penetration tester, I can't find any way into your network, where actually I'm going to use all the tools at my disposal, and if this gets me into your network and lets me pivot around and move, then I'm going to use it because that's what attackers are going to do.
Dave Bittner: [00:16:46] I see. So as a penetration tester, this may be the first step or one of many steps along the way...
Joe Carrigan: [00:16:53] Right.
Dave Bittner: [00:16:53] ...In the course of my testing all sorts of things within your network.
Joe Carrigan: [00:16:56] Correct, correct.
Dave Bittner: [00:16:57] Right. So merely a scan of whether you might be vulnerable to this, that's only part of the job you've given me as a penetration tester.
Joe Carrigan: [00:17:04] Yes.
Dave Bittner: [00:17:05] All right, so as things stand now, what are the mitigation options?
Joe Carrigan: [00:17:09] The best thing to do is to patch the vulnerability.
Dave Bittner: [00:17:12] Right.
Joe Carrigan: [00:17:12] Right? And Microsoft has had a patch out there since May 14. Now, that is not always possible. And I was talking just I think yesterday about this case, this use case. For example, if a hospital goes out and they buy a $10 million MRI machine - right? - and that MRI machine is controlled by a Windows XP computer because they bought it 20 years ago, the vendor may have said to them, do not update this machine because if you update this machine, that's an unsupported chain, OK?
Joe Carrigan: [00:17:47] You may not actually be able to update a machine that's vulnerable to BlueKeep, but there are other mitigations you can do. One of them is, if you can enable network-level authentication for Remote Desktop Protocol, that eliminates the vulnerability. You can also just disable Remote Desktop Protocol and say, we're not going to be able to Remote Desktop into these machines; we're just actually going to have to go down there and connect to them physically.
Dave Bittner: [00:18:10] Right.
Joe Carrigan: [00:18:11] Or you can make it so you can't RDP any of these machines, unless you're coming in from the network or through a VPN; in other words, keep RDP off the internet. It's generally a bad idea. I think that having RDP on the internet is just generally a bad idea. The only way you should be letting people remotely RDP into your system is if they come in through a VPN.
Dave Bittner: [00:18:32] I see. All right, so we keep beating this drum. This is a serious one. Do what you can.
Joe Carrigan: [00:18:39] Right.
Dave Bittner: [00:18:39] And do not hesitate, do not pass go.
Joe Carrigan: [00:18:42] I'm going to make a prediction, Dave.
Dave Bittner: [00:18:43] Yeah.
Joe Carrigan: [00:18:44] In the next month or two, we're going to see a huge infestation of a worm that uses this vulnerability to propagate around the internet. Now, that's the easiest part of my job, is making these kind of predictions, Dave.
Dave Bittner: [00:18:55] Yeah, OK. All right. Well, very good. Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:18:59] My pleasure.
Dave Bittner: [00:19:05] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:17] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.