The CyberWire Daily Podcast 10.11.19
Ep 947 | 10.11.19

Ransomware and a zero-day. A newly discovered espionage platform. FIN7’s new tricks. Beijing speaks and Apple listens. A visit to NSA’s Cybersecurity Directorate.

Transcript

Dave Bittner: [00:00:03] BitPaymer Ransomware is exploiting an Apple zero-day. Attor isn't your ordinary maligned faerie. It's also an espionage platform that's been carefully deployed against Russian and Eastern European targets. FIN7 upgrades its toolkit. Apple does what the Chinese government asks it to do, blocking a mapping and a news app from users in China. And a look inside the black box as we visit NSA's Cybersecurity Directorate. 

Dave Bittner: [00:00:35]  It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely. Because that's what you want, actionable intelligence. Sign up for the Cyber Daily email, and every day you'll receive the top trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:01:45]  Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing one billion threat sensors from device to cloud. Intelligence that enables you to respond to your environment, and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:08]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 11, 2019. Researchers at security firm Morphisec have found BitPaymer ransomware exploiting an Apple zero-day, an unquoted path vulnerability in an Apple software update component that comes bundled with iTunes for Windows. Thus, the ransomware evades security tools by effectively presenting itself as a legitimate software update. Earlier reports said the vulnerability was associated with Apple's Bonjour updater, but Morphisec has concluded that's not the case. It's an unrelated updater. Note that only Windows users are affected. Mac users, once they update to macOS Catalina this week, will be untroubled. Apple is sunsetting iTunes for Mac with this update. 

Dave Bittner: [00:02:58]  ESET reports the discovery of Attor, a modular espionage platform that has been deployed mostly against select individuals in Russia, many of whom have shown an interest in using privacy-focused services. The malware has also been used against a smaller number of diplomatic and government targets in eastern Europe, notably in Ukraine, Slovakia, Lithuania and Turkey. Attor has been in use since 2013, at least, and ESET describes it as professionally written. Its plugin architecture enables its controllers to customize Attor's functionality to specific targets. In general, the malware uses an unusual device-fingerprinting technique, automated data collection and Tor-enabled exfiltration. ESET does not know what Attor's infection vectors have been, and the researchers think it's probable that the malware has still undiscovered plugins. Attor itself is named after a malign faerie in the book, "A Court of Thorns and Roses." The book has lots of fans and lots of fan fiction, too. 

Dave Bittner: [00:04:02]  FireEye researchers have caught FIN7, known for the Carbanak financial crimes, using new tools. FIN7, that is, would be the one using the new tools, not FireEye. FIN7's new kit has two items which FireEye calls BOOSTWRITE and RDFSNIFFER. BOOSTRIGHT is an in-memory-only dropper that's carrying both Carbanak and a second payload, which is RDFSNIFFER. RDFSNIFFER has a range of malicious functionality. Among other things, it's able to intercept SSL connections, delete data and run commands on remote systems. The payload affects NCR Aloha Command Center Client sessions. The Aloha Command Center is widely used in the hospitality industry to manage hardware and software at remote locations. 

Dave Bittner: [00:04:49]  At the request of Chinese authorities, Apple has removed both a U.S. News app and a mapping app from its Chinese service. The Telegraph notes that the optics aren't good for Cupertino, which some see as having joined the National Basketball Association in a kind of shadow extension of China's social credit program into the West. Verge says the app is Quartz's, blocked for content not legal in China. The Quartz news service is both widely read and not typically seen as extreme, and so its illegality would appear to be publication of stories not to the liking of Beijing. The mapping app HKmap.live was allegedly used to target police and commit crimes where police weren't present. Apple had this latter information from the Hong Kong Cyber Security and Technology Crime Bureau. 

Dave Bittner: [00:05:39]  The opposing point of view holds that the protesters in Hong Kong were using HKMap.live to avoid the police and that the crime they were interested in committing was, generally speaking, assembling to protest. That and graffiti, sure, but graffiti wouldn't alone seem serious enough to warrant that kind of pressure on Apple. Anyway, Apple has taken the authorities' line all the way to the bank. Quartz is understandably on the other side of this dispute. The company's CEO Zach Seward told The Verge, we abhor this kind of government censorship of the internet and have great coverage of how to get around such bans around the world. He suggested that people read Quartz's coverage of VPNs as means of evading government crackdowns on content. 

Dave Bittner: [00:06:25]  It's perhaps worth noting that officials in three western nations recently addressed VPNs, too, but they had a decidedly different take on them. U.S., Canadian and British intelligence and security services have, over the past week, published warnings that unspecified threat actors were actively exploiting vulnerabilities in widely used virtual private networks. One of the U.S. agencies that issued its own warning on the matter was NSA's new Cybersecurity Directorate. Their public warning was noteworthy in that it offered some brief advice on how to use VPNs with more assurance they'd work as advertised. 

Dave Bittner: [00:06:59]  The directorate's five pieces of advice were as follows and seem easy enough for the ordinary user to do. One, immediately upgrade your VPN to the latest version. Two, reset credentials before reconnecting the upgraded devices to an external network. Three, review your network accounts to ensure adversaries did not create new accounts. Four, update VPN user, administrator and service account credentials. And five, revoke and create new VPN server keys and certificates. 

Dave Bittner: [00:07:29]  We were at Fort Meade yesterday for the NSA Cybersecurity Directorate's first media roundtable. The directorate's leaders, director Anne Neuberger and technical director Neil Ziring, said that Monday's announcement concerning VPN vulnerabilities and remediations was the first in what they expect to be a continuing line of such warnings and advice. As nation-states increasingly hit targets that aren't themselves opposing nation-states, they said it's important to open the black box and provide individuals, businesses, not-for-profits and local governments actionable intelligence and the context necessary to use it. 

Dave Bittner: [00:08:10]  And now a word from our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire, and we thank ObserveIT for sponsoring our show. 

Dave Bittner: [00:09:07]  And joining me once again is Awais Rashid. He's a professor of cybersecurity at University of Bristol. Welcome back, Awais. We want to talk today about the importance of real-world experimentation, getting out of the lab and - with your research and practice. What do you have to share with us about that today? 

Awais Rashid: [00:09:24]  I think the challenge we are going to face is that within the next few years, the number of devices connected to each other on the internet will outnumber humans by, depending on whose estimate you believe, something like five to one. And, you know, these systems of connected devices will underpin everything from health care to transport to energy and finance, and, you know, the way we communicate and share information with each other will change. So we are really talking about, you know, really large-scale, hyper-connected systems. 

Awais Rashid: [00:09:57]  So as a result, you know, we need to ensure that what we develop in the lab actually works in the real world, and as a result, you know, the way to test any kind of security solution architectures has to be to deploy them in the wild and understand what are the implications of that. That is very, very challenging because, of course, you can't deploy prototypical solutions on production environments because, of course, they may not necessarily be fit for purpose or scale very well. So we really do need large-scale experimental infrastructures that are close enough to the real world to be able to do that, and that's a big challenge. 

Dave Bittner: [00:10:37]  You know, there's that old saying of - from warfare that no battle plan survives contact with the enemy. It seems like that could apply here as well. 

Awais Rashid: [00:10:47]  Absolutely, and that's exactly the reason - that normally, what happens is - and we develop things that are developed with rigor and with all good intentions by researchers and practitioners, but usually, we test them on small-scale things in the lab or in an experimental setting. And then when they are deployed in real-world infrastructures, they don't always scale. I'm not saying that they never scale. They don't always scale, and that's why we need to think about as to how we might be able to do this. 

Awais Rashid: [00:11:13]  There are a number of academic and industry organizations that run test beds. And I think there might - there is a good argument for us to try and link some of these test bed infrastructures together so that we do have economies of scale but also that really large-scale environment that would represent the realistic setting in which security takes place in the real world. 

Dave Bittner: [00:11:37]  I'm thinking of the rigorous testing that takes place when it comes to pharmaceuticals. Is that not a good example? Is it simply too expensive to do something at that scale? 

Awais Rashid: [00:11:48]  I think it's not a case of expense. It's how you may deploy and test something. And the pharmaceutical industry is an interesting example because there, the trials only move on to large-scale clinical trials once they've gone through smaller-scale testing. And then increasing level of confidence is built up. And I think we do need to be able to do something very, very similar. But the question is, how do we test in the wild? 

Awais Rashid: [00:12:15]  For example, would you be willing to deploy an experimental security solution on, say, a power grid or a nuclear power plant or a transportation system? And I think you would have to have a lot of confidence and then a lot of fail-safes built into it. And I think we need to develop those kind of protocols. Other disciplines have developed those protocols, and I think we are a little bit further from that at this point in time. 

Dave Bittner: [00:12:38]  Awais Rashid, thanks for joining us. 

Dave Bittner: [00:12:44]  Now it's time for a few words from our sponsor, BlackBerry Cylance. You probably know all about legacy antivirus protection. It's very good as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids, but to keep this savvier hoods' hands off your endpoints, Blackberry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show. 

Dave Bittner: [00:13:43]  My guest today is Kumar Saurabh, co-founder and CEO of LogicHub, a security automation company. Our conversation centers on his notion that security organizations need to do a better job sharing information about breaches and security lapses, and that in the long run, we'll all be safer for it. 

Kumar Saurabh: [00:14:02]  Many a times when you hear about breaches - right? - many times when you look at that, it takes a long while to even piece together, you know, what actually happened at 100,000 foot level. And if you actually want to get deeper into it and you want to figure out really what happened, have data about it and kind of if you want to get to a place where you can figure it out as a defensive team, as a blue team, what could you have done, what could have the team done to prevent or detect and respond to these attacks faster, that kind of data is simply unavailable to many peoples, especially, you know, for practitioners to learn from. You know, that data is virtually impossible to get your hands on. And that's why I think, you know, we as an industry could probably do a much better job. 

Kumar Saurabh: [00:14:51]  You know, breaches are going to happen, right? But the key part of it is, how well are we learning from those? You know, I do look at aviation industry as a very good example of that, right? And there is a lot of talk about, you know, quote, unquote, "black box thinking" and trying to get to black box. I think in security and in cyber ops and sec ops, you know, people are still quite hesitant to share data more broadly so that people can learn from it. 

Dave Bittner: [00:15:23]  That's a really interesting analogy there. I mean, do you suppose that we need a cyber equivalent of the FAA? 

Kumar Saurabh: [00:15:31]  Absolutely. And I used to run a dev ops team. Running a 100-person engineering team, dev ops team, you have to keep the site up and running. And the reality is the sites go down. Sites have issues. One of the biggest things that made a difference is every time it went down, we looked at the data very, very closely. And we tried to figure out why did it go down. There is a culture of, like, blameless postmortems or retrospectives, if you will, to try to learn from that and establish the root cause. There are things like root cause analysis, the five why's, asking the why, why, why question to get to the root cause because unless and until you can find the root cause, you can't actually apply effects that you know will fix the problem for good, right? 

Kumar Saurabh: [00:16:20]  So that culture of openly discussing the why some kind of a failure happened without assigning blame was a big, big, big step towards improving the site reliability and resiliency. And I think something similar could very well happen on the security operational side of things. But it's a mentality. It's a mindset that has to be there. There has to be a learning mindset. And I do understand a lot of hesitation in admitting to the failures and kind of being open and candid about it. It's easy for me to say it. It's - I do acknowledge that it's a really hard thing to do and put it in practice. But I think if you want to get really good at making our security much, much, much better, I think being able to share such data and such learnings will go a long, long way towards that. 

Dave Bittner: [00:17:19]  So you're making the case that there is a strong public interest in having this information distributed broadly and quickly. 

Kumar Saurabh: [00:17:27]  Absolutely. And also for the longer term, definitely correctly. I would say much more so in terms of broadly, right? Like, if this kind of information is only present and available to, you know, three-letter agencies and law enforcement only, there are many private sector companies that could actually benefit and build much better defensive technologies. And it can come into all sorts of places. Academia could probably benefit from this quite a lot as well. So I can imagine that a lot of - like, expanding how different people can benefit from this data. 

Kumar Saurabh: [00:18:05]  Again, the goal is not to assign a blame, right? It's not a news story if you're preventing a breach for, like, 10 years in a row. But the one day that you slip up - right? - it's a major headline. So it's really asymmetrical. It's a hard problem. But in spite of that, there is a very, very valuable learning opportunity that we're not capitalizing on right now. 

Dave Bittner: [00:18:29]  And so in your mind, how would something like this play out from a practical point of view? How would we execute a plan like this? 

Kumar Saurabh: [00:18:36]  If you had looked 10 years back - right? - there is virtually very little sharing of intel data, right? And if you look at the threat intelligence space, especially in financial sector, there are organizations that focus around sharing of data. And I was just at a conference yesterday, and one of the big things about, you know, sharing of data between government agencies, right? So I could imagine that there is a place where there is an organization. You have to be members of that organization, so there is a little bit of trust built in. And you have known quantities around the table. But again, the goal there is to foster sharing of this data and sharing the learnings. And it becomes something that we learn from, and the knowledge and the data is available to a broader audience. 

Kumar Saurabh: [00:19:30]  I would not go as far as saying, you know, hey, let's put everything on the web, right? And I can understand why some people might be hesitant to do that. But the sweet spot might be somewhere in between the two. But certainly, where we are today seems far too restrictive, far too narrow. 

Dave Bittner: [00:19:50]  And when people push back against this idea, where are they usually coming from? 

Kumar Saurabh: [00:19:55]  I think I've been in those shoes, right? I have been in those shoes. If your site has gone down - right? - if something didn't work as you expected it to do, it's hard to admit that, right? And the spotlight that it brings along with it is painful. I find it completely natural to resist that. Another thing that I quite often hear is that, hey, adversaries will learn from it. You know what? Adversaries are already sharing techniques and data among themselves on the dark web, on other places, forums and all of that, right? So if the adversaries are sharing, I think the net-net of it is by not sharing, we are probably saving a little, but we're losing a lot. 

Kumar Saurabh: [00:20:42]  So in my personal opinion, the net-net of getting over the hurdle that yes, it puts a spotlight on you, and yes that the spotlight is very painful to be under, and yet - and this is where I think, you know, some kind of government regulation can come into play. Like, if you went back five, 10 years ago, nobody wants to advertise or even acknowledge or broadcast a breach. But over the years, you know, there have been laws and regulations in place. And there are customers that are asking their vendors and their suppliers to notify them in case of a breach within a certain amount of time, right? 

Kumar Saurabh: [00:21:23]  So those kind of things are becoming more and more normal. And so I think that is the right thing to do. Is it the convenient thing to do? Is it an easy thing to do? Probably not. But is it the right thing to do? Is it going to be for the greater good in the long run? Absolutely. 

Dave Bittner: [00:21:42]  That's Kumar Saurabh from LogicHub. 

Dave Bittner: [00:21:50]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:22:02]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.