CRASHOVERRIDE tried to be worse than it was. InnfiRAT scouts for wallets. Simjacker exploited in the Middle East. SINET 16 are out. Pentesting scope. Back up your files, Mayor.
Dave Bittner: [00:00:03] On further review, the Ukrainian electrical grid hack seems to have been designed to do far more damage than it actually accomplished. InnfiRAT is scouting for access to cryptocurrency wallets. A sophisticated threat actor is using Simjacker for surveillance on phones in the Middle East. The SINET 16 have been announced. A penetration test goes bad due to a misunderstanding of scope. And Baltimore decides, hey, you know, it might be a good idea to back up our files.
Dave Bittner: [00:00:37] It's time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today, and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:44] Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com.
Dave Bittner: [00:02:11] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 13, 2019.
Dave Bittner: [00:02:19] The industrial security specialists at Dragos have published a reassessment of the 2016 CRASHOVERRIDE attack on a portion of Ukraine's power grid. They now believe that the attack was probably intended to disrupt operations for weeks or months as opposed to the hours the actual outage lasted. They also think that the threat actor, which they track as Electrum and which is widely regarded as working on behalf of Russian intelligence, intended the destruction of some pieces of equipment. Electrum now seems to be taking an interest in other sectors' industrial control systems, and those interests appear to extend beyond Ukraine.
Dave Bittner: [00:02:59] So as troubling as the attacks were, Dragos thinks Ukraine actually dodged the metaphorical bullet. One of the tools they found when investigating the incident seems to have been designed to induce a denial-of-service condition on protective relays. Thus, once power was restored, the relays would no longer provide the overcurrent protection they were designed to deliver. This is troubling because it would have exposed transmission equipment to power surges that could have physically damaged them, requiring lengthy repair or even replacement. Some of these devices have long replacement lead times, and this could have disrupted power delivery for an extended period of time. Why didn't this happen? For two reasons. First, the attackers apparently affected fewer relays than intended. And second, their DDoS code was flawed and not as effective as they'd have hoped. But the whole matter is sobering and one hopes is being taken with due seriousness by utilities everywhere. Again, it's not just Ukraine, and it's not just power distribution. Think in terms of risks to water and other essentials, too.
Dave Bittner: [00:04:05] Security firm Zscaler has described InnfiRAT, a remote-access Trojan designed to steal cryptocurrency wallet information. It looks like a criminal operation. The RAT does what most RATs do - goes after access and information - but it's particularly interested not only in cryptocurrencies, but also in the browser cookies where coin wallet usernames and passwords are so often stashed. It's also capable of taking screenshots for much the same purpose. And it's armed with the usual array of enabling tools, like keeping an eye out for active antivirus software.
Dave Bittner: [00:04:41] AdaptiveMobile Security yesterday announced the discovery of Simjacker, a vulnerability and associated exploits in which an SMS is used to effectively hijack a mobile device's SIM card. The company says that a sophisticated threat actor has been exploiting Simjacker in the wild for at least two years. The attacks collect geolocation data and other information from the affected phones. The purpose of the exploitation appears to be surveillance. Most of the affected devices have been in the Middle East. AdaptiveMobile says that while geolocation seems to be of most interest to the current attackers, Simjacker could also be used for other purposes, like distributing disinformation by SMS.
Dave Bittner: [00:05:24] The SINET 16 have been announced. This annual selection of the most innovative, potentially disruptive companies in the cybersecurity industry picks 16 winners from an international pool of applicants. This year's selection was made from among 161 companies based in 18 countries from North America to Europe to Asia and to Oceania. Some of these names you may already be familiar with, but you are likely to hear more from and about them in the future. In reverse alphabetical order, the SINET 16 class of 2019 includes XM Cyber, which specializes in fully automatic breach and attack simulation that enables customers to recognize attack vectors and prioritize their remediation; Tigera, whose zero-trust network security supports continuous compliance for Kubernetes platforms across a range of environments; Tempered Networks, which provides simple and affordable means of segmenting and isolating control systems and industrial internet-of-things devices; Sonrai Security, with a Cloud Data Control service that delivers a risk model for identity and data relationships across a range of cloud and third-party data stores; Siemplify, an independent security orchestration, automation and response provider whose workbench enables enterprises and managed security service providers to manage and respond to cyber threats; OPAQ delivers security-as-a-service from its cloud that enables enterprises to overcome staffing and management challenges in the protection of their IT infrastructure; Kenna Security, whose platform delivers cyber risk predictions that enable security teams to get ahead of exploitation; Karamba's embedded cybersecurity solutions protect connected systems with automated runtime integrity software that does particularly well against remote code execution; CyberSponse, which offers an automated incident response orchestration platform that automates security tools to make human experts more effective; CryptoMove, whose continuous moving target defense and distributed fragmentation offers a new approach to data protection for managing keys and DevSecOps secrets; BigID, a machine-learning shop that enables personal data discovery, correlation and privacy automation for compliance at scale with regulations like GDPR and CCPA; Balbix, whose specialized artificial intelligence delivers continuous and predictive assessment of breach risk; Awake Security, which offers advanced network traffic analysis for a privacy-aware solution that can detect and visualize incidents in full forensic context; Arkose Labs, which solves fraud by pairing global telemetry with an enforcement challenge to control fraud without false positives or degraded throughput; Aqua Security, which secures container-based and cloud-native applications from development to production, and finally, Acceptto, which delivers continuous identity access protection by inferring contextual data to analyze and verify user identity and behavior.
Dave Bittner: [00:08:24] Our congratulations to all of them. And as we've said earlier, we are sure you'll be hearing from them in the future.
Dave Bittner: [00:08:32] Here's a disquieting story out of the American heartland that illustrates the importance of the customer's understanding exactly what the scope of a penetration test will be. A pair of Coalfire pen testers were arrested during an engagement at the Dallas County, Iowa courthouse. The Des Moines Register says that the Iowa Judicial Branch did indeed hire them to conduct penetration testing of court records but that the court administrators did not expect physical penetration to be within the scope of the job. We hope the misunderstanding is cleared up soon.
Dave Bittner: [00:09:08] And finally, the Baltimore Sun reports that Baltimore has gotten around to realizing, or at least acknowledging, that it permanently lost some data in May's ransomware attack. The city now thinks backups are a good idea.
Dave Bittner: [00:09:26] And now a word from our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:10:22] And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute, and he's also the host of the "ISC StormCast" podcast. Johannes, it's always great to have you back. You have been tracking some web spam systems that are using some stealthy methods here. What are you looking at?
Johannes Ullrich: [00:10:41] What's happening here is you may have seen that you're clicking on the link you're not supposed to click on, and you're ending up at a compromised website that essentially delivers spam, some advertisement for some product you probably don't want to buy. What usually happens here is a website gets compromised. An attacker will place that page on that website. The problem the attacker has - and, well, attackers have problems, too, sometimes - is it's not all that straightforward for an attacker to necessarily update these pages. What they have done sometimes is, for example, set up some JavaScript on that page that will then go out and fetch some HTML snippet from some back-end server that the attacker runs and copy that data into the page. But these outbound requests, of course, go to other compromised web pages. And overall, this is a relatively fragile kind of setup.
Johannes Ullrich: [00:11:39] What attackers have done lately is they have discovered DNS. Now in the past, there wasn't really a good way to sort of do a freeform DNS request with JavaScript. But more recently, we have this new product called DNS over HTTPS. So what an attacker can do now, the attacker can use JavaScript's ability to send HTTPS requests to, for example, the CloudFlare DNS over HTTPS endpoint and use them to then do DNS requests. So the attacker now only has to manage a couple of DNS text records and deposit the JavaScript on the vulnerable page. The victim will really only see outbound HTTPS requests to CloudFlare, some of these sort of well-known services, which, of course, are much more difficult to detect as an anomaly.
Dave Bittner: [00:12:42] So what are your recommendations for folks to get on top of this?
Johannes Ullrich: [00:12:45] Really what you have to do is you have to, first of all, make sure that your website isn't vulnerable. And now what we typically see here is your standard, vulnerable Drupal page or some of these, you know, big content management systems that are all too often vulnerable. Secondly, watch for outbound requests from your web server. Really take a close look at them. There's only very little that really should connect outbound from a web server to HTTPS sites.
Johannes Ullrich: [00:13:16] You may have some automatic updates running. Maybe you want to pull this in-house and set up your internal server that distributes these updates. That's usually a better way to go anyway if you want to sort of get control of your update mechanisms. And block as much as possible of these outbound HTTPS requests. Of course, ideally for the remaining HTTPS requests that you do have to allow - yes, you know, you may set up some HTTPS proxy or so that should allow you to block these DNS over HTTPS requests.
Dave Bittner: [00:13:47] And how widespread is this? What are you seeing there?
Johannes Ullrich: [00:13:50] We don't really see it a lot yet. It really showed up just in a couple of cases, but it's one of those things I really expect to become more popular because it's very easy to copy this idea, so there isn't really much to it. An attacker who realizes, hey, this is actually how I am able to fly under the radar, and now my spam sites will survive a little bit longer than they used to survive before I did that, so I think it will probably pick up pretty quickly.
Dave Bittner: [00:14:16] All right. Well, Johannes Ullrich, thanks for joining us.
Johannes Ullrich: [00:14:19] Thank you.
Dave Bittner: [00:14:24] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. The cloud may help development and application teams move fast, but for security teams already dealing with alert fatigue, tool sprawl and legacy workflows, cloud adoption means a lot more stress. You're building your business cloud first; it's time to build your security the same way. ExtraHop's Reveal(x) provides network detection and response for the hybrid enterprise. With complete visibility, real-time detection and guided investigation, Reveal(x) helps security teams unify threat detection and response across on-prem and cloud workloads so you can protect and scale your business. Learn more at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:15:25] My guest today is Rosa Smothers. She's senior vice president of cyber operations at KnowBe4. Rosa Smothers will be one of the speakers at our upcoming women in cybersecurity reception at the Spy Museum in Washington, D.C. And KnowBe4 is one of our sponsors for the event. I began our conversation by asking her what sparked her initial interest in technology.
Rosa Smothers: [00:15:48] Admittedly, probably growing up as a total "Star Trek" nerd had a lot to do with that. So I had a computer at a very young age thanks to parents who really wanted me to learn technology and not be intimidated by it. So I give a lot of credit to them for that. My first computer was a used Commodore VIC-20 with a tape drive, like an actual cassette tape drive.
Dave Bittner: [00:16:14] I remember those days.
Rosa Smothers: [00:16:16] And it was just - to me, it was the gateway to another universe. And then, you know, things progressed, and then I had a computer with a modem and went on the bulletin boards. And then we all gained access to what we're now calling the internet. So that was, you know, a lot of the late '80s and the '90s. So I grew up with that movement. And so that was an exciting time. I was really fortunate to see all of that growth as it transpired.
Dave Bittner: [00:16:45] And so what were your thoughts as you headed off to college?
Rosa Smothers: [00:16:49] I didn't think about the idea of formal education as much as I should have. I really started out - I was so good with computers and networking and security and things that I actually started working full-time and making a great living before I obtained my bachelor's degree. So I had an associate's. Actually, it was September 11 that changed the trajectory of my life in a rather dramatic way because after the attack, I decided I wanted to go work for the government and go fight the bad guys.
Rosa Smothers: [00:17:28] So I left my job and went back to school full time. And I did a, you know, junior and senior year in one year's time and then was initially hired on at the Defense Intelligence Agency. I worked there for about two and a half years as a cyber threat analyst focusing on al-Qaida, and then transitioned at that point over to the Central Intelligence Agency, where I was for a little over 11 years - almost 12 years.
Dave Bittner: [00:17:58] Can you give us some insights as to what the atmosphere was like in those days? I can imagine there was a lot of focus on the mission at that time.
Rosa Smothers: [00:18:08] You know, I think it was a jolt for our country. It was a jolt for the intelligence community. It's sometimes until an emergency happens that our agencies can't necessarily obtain the funding they need for the fight. And so once, God forbid, this emergency happened, the intelligence community received a huge surplus of funding. So there was a hiring surge. There was a surge in technology procurement and research, everything that you can think of because it was such a dire need to expand in the area of counterterrorism that we really hadn't thought much about since, you know, Khobar Towers, the initial attack on the World Trade Center and even the Hezbollah attacks in Lebanon. So it was - the immediacy of it spurred so many things into action so rapidly.
Dave Bittner: [00:19:11] And what was it like for you in terms of it being an opportunity for an environment in which to learn?
Rosa Smothers: [00:19:18] It's not an understatement to say that the scope and depth of our intelligence community's resources is truly mind-boggling. So for anyone who loves a great learning opportunity, which I certainly do - I'm an avid reader - learning about all of the tools, techniques and procedures, if you will, that are available to us for fighting the good fight, it was quite an enlightening and often daunting experience.
Dave Bittner: [00:19:56] Now as you looked around during that time when you were finishing up your education and then beginning your government career, were there very many other women who were there along with you?
Rosa Smothers: [00:20:07] There were women in the intelligence community, certainly, but not as - nearly as many specifically in the technical field as much as I would hope. And that's certainly not to say that the intelligence community isn't doing their darndest to hire qualified personnel of, you know, any gender, any cultural status, any minority status. I think the challenge as I see it is also it's really stimulating the interest in technology when they're young. I was so gratified when I read recently that the Girl Scouts are now giving out STEM badges. And I think it's things like that that are going to increase the role of women in the cyber workplace because, you know, they can't hire us if we're not there and we're not qualified. So I'm hoping as time goes by, our numbers will increase, and the hiring pool will thus increase.
Rosa Smothers: [00:21:13] I'm often asked - you know, and I travel a lot for my position here at KnowBe4. And so whenever I'm having those conversations next to people in the airplane on a long flight and I'm asked, you know, what would - you know, I have a son; I have a daughter. They're 13, 14, 15. What would you do? I start with giving them my business card and letting them know I'd be happy to talk with them at any time to encourage them. But the one thing that I always try to drive home, especially even if they're small children, there are so many apps out there that are learning opportunities, even for computer programming for coding. There is such a dire need for good coding out there. And we're definitely not filling that bill.
Rosa Smothers: [00:22:00] So that's something that I always encourage people to consider, you know, finding those apps in the various app stores that can help kids learn and in a fun way because, you know, it's not only a constructive use of their time, but it's also - can bolster those technical skills and provide them a really promising career. They will always have job security with a skillset like that.
Dave Bittner: [00:22:27] I want to touch on our upcoming Women in Cyber Security Reception, which you're going to be a part of. And we're grateful for KnowBe4 for being a sponsor of. Why do you think events like this are important? Why do they matter?
Rosa Smothers: [00:22:41] Any time you can build community and consensus, it's an important thing. I mean, we're social animals. And any time we can come together and share similar experiences or challenges and be frank and open and honest - and I think sometimes it's also providing a blunt series of feedback regarding - sometimes we're not as forthcoming or as forthright, I should say, as forthright in the workplace as we should be.
Rosa Smothers: [00:23:15] I've had a number of conversations with women that, you know, they struggle with that, you know, I want to be liked, and I want to be respected. And I said, well, if you're doing your job well, that respect will come. Don't worry about those things. These will all come in due course. You know, focus on your technical skills. So I think in encouraging one another to be strong, to stand up, to not be quite so docile - you know, well, a lot of women tend to say, you know, I was just wondering. No, you have a question. You know, it's a different way of making the same statement, but they sound very different to those who hear it. You know what I mean? So it's - even those sort of little coaching moments, I think, are hugely significant. So I, you know, I think any community-building opportunity, especially for women in the technical field, should always be taken full advantage of.
Dave Bittner: [00:24:17] That's Rosa Smothers. She's the senior vice president of cyber operations at KnowBe4. You can find out more about our Women in Cyber Security Reception by going to thecyberwire.com/wcs.
Dave Bittner: [00:24:35] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:24:48] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.