Clouds are back after being out. Bitpaymer hits German manufacturer. Cross-plaform mobile malware. SecurityWeek’s 2019 ICS Cyber Security Conference.
Dave Bittner: [00:00:03] AWS and Google Cloud are back up after unrelated outages. A German automation tool manufacturer discloses a ransomware infestation. Mobile malware in the spy's toolkit. The FBI's protection voices share election security information. Notes from SecurityWeek's 2019 ICS Cyber Security Conference. NCSC's annual report. And people have things to say about backdoors, bribes and those aliens at Area 51 - chemtrails, too.
Dave Bittner: [00:00:38] And now a word from our sponsor, ExtraHop, delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud threats fall on customers to resolve, and prevention-based security wasn't designed for the modern attack service. That's why Gartner predicts that 60% of enterprise security budgets will go towards detection and response in 2020. ExtraHop Reveal(x) Cloud is the only SaaS-based network detection and response solution for AWS with complete visibility, real-time threat detection and automated response powered by cloud-scale machine learning. Request your 30-day free trial of Reveal(x) Cloud at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:34] Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device to cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:01:56] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 24, 2019.
Dave Bittner: [00:02:05] Amazon Web Services sustained a distributed denial of service attack yesterday that affected AWS for some eight hours. Google Cloud also encountered difficulties on Tuesday. Computer Business Review says there are no indications the two incidents were connected. Both AWS and Google Cloud Services report they've now returned to normal operations. Pilz GmbH, an automation tool manufacturer with headquarters in Germany, has disclosed that it continues to recover from a ransomware incident that began on October 13. ZDNet says the ransomware was BitPaymer, with business but not production systems affected. The effects are being felt across Pilz's international offices.
Dave Bittner: [00:02:51] BlackBerry Cylance's ThreatVector has an account of how mobile malware has assumed an important position in the cyber espionage space. Several nation-states actively engage in this form of spying, and the researchers emphasized that this is neither a novelty nor a niche effort, quote, "but a long-standing part of a cross-platform strategy integrated with traditional desktop malware in diverse ways across the geopolitical sphere," end quote. Beijing, Hanoi, Pyongyang and Tehran have been particularly active against both Android and iOS targets, and they all show a troubling degree of sophistication. Many of these efforts have their origins in highly targeted work against specific targets, and many of those targets aren't domestic.
Dave Bittner: [00:03:35] The U.S. FBI has given Congress an overview of election security preparation. The bureau is doing the sort of investigative work one would expect of it. It's also got some new initiatives for sharing information, notably protected voices, a series of videos that addresses election threats and risks.
Dave Bittner: [00:03:58] SecurityWeek's 2019 ICS Cyber Security Conference began its final day this morning with a discussion on the convergence of safety and cybersecurity. Dale Malony, OT leader of Honda of America, brought a manufacturer's perspective. Ben Stirling, Vistra Energy's lead, Generation Cyber Security, contributed a view from the energy sector. It's a developing system, and as Malony pointed out, we still tend to rely on dragon slayers. He asked the community to think through education that can take personnel from zero to hero. Stirling thinks education has to approach cybersecurity from both sides, bringing control engineers to an understanding of IT security, and IT personnel to an understanding of controls. Quote, "you have to approach the problem from both sides of the coin," end quote. Senior leaders in manufacturing companies are interested in consistent plant stability and a reliable product, and that's how they need to be approached on matters involving cybersecurity.
Dave Bittner: [00:04:58] Four interesting side observations were made on safety and cybersecurity. First, the panelists have found it useful to get their control engineers certifications because those were important to establishing credibility with the IT side. Second, they find it more difficult to get the IT types oriented to and familiar with control engineering than they do familiarizing the control engineers with IT because, quote, "the IT types don't like it. They're used to air conditioning." There was much laughter at this second observation, which suggests control engineers were heavily represented in the audience. Third, the IT types need to find your stuff cool. If they can be induced to take an innate interest in the control engineering space, you've got a much better chance of working together effectively. And fourth, thinking in terms of safety as driving defensive priorities can be foreign to cybersecurity personnel who came up through the IT ranks. Bear this in mind when familiarizing them with plant controls.
Dave Bittner: [00:05:59] A presentation on smart cities, and specifically on how IT and OT joined forces to defend them, drew attention to another cultural gap the speaker perceived between two communities. Trend Micro's William J. Malik is skeptical about assuming that convergence happens in this sector. Instead, he sees the evolution of hybrid forms. He also sees the IT and OT communities as having very different assumptions about the longevity of systems. Architectural decisions we take today can have significant consequences decades hence. And in Malik's view, the IT community is not yet comfortable thinking in those terms.
Dave Bittner: [00:06:36] We'll wrap up our coverage of SecurityWeek's 2019 ICS Cyber Security Conference tomorrow. We found the conference interesting, as always, and our thanks to SecurityWeek for inviting us to Atlanta.
Dave Bittner: [00:06:48] And speaking of ICS security and critical infrastructure, I recently spoke with Dave Weinstein, chief security officer at OT security firm Claroty, about the security of critical infrastructure and whether there are common misperceptions in the publics' minds.
Dave Weinstein: [00:07:04] Most of what we read about and think about with respect to cyber threats to critical infrastructure involve the electric grid, right? And indeed, those threats are real, though the electric grid is vulnerable in some respects to some of the most sophisticated nation-state cyber actors that are out there. But at the same time, it's actually a pretty resilient infrastructure, at least here in the United States. What does not get enough attention is all of the other critical infrastructure with respect to our manufacturing facilities, our wastewater treatment plants, our refineries, oil and gas pipelines.
Dave Weinstein: [00:07:49] There is really kind of a broad spectrum of critical infrastructure out there that is impacted that are equally, if not more vulnerable to malicious exploitation. There's a lot more out there other than the electrical grid. The IoT phenomenon, or the industrial Internet of Things phenomenon, IIoT, is introducing more and more opportunities for actors to gain and maintain access that just weren't there years - you know, one, two, three, four years ago.
Dave Bittner: [00:08:25] When you consider the security of our critical infrastructure from a national point of view, how much of the responsibility for the upgrades, for the maintenance, for the security comes from the operators themselves, and how much comes from the federal government?
Dave Weinstein: [00:08:45] You know, as somebody who's spent a fair amount of time with the federal government as well as the state government, I can say with pretty high confidence that the onus or the majority of the responsibility resides with the owners and operators of the networks. And that's largely a factor of the degree of private ownership of our critical infrastructure in the United States, right? With 85% to 90% of our critical infrastructure residing in private hands, owned and operated by private companies, the government is just limited in terms of their capacity and authority, quite frankly, to protect these systems.
Dave Weinstein: [00:09:26] Now, there is well-documented opportunities for collaboration in public-private partnerships, but I think it's fair to say that the asset owners and operators themselves have to take responsibility for this - and quite frankly, from my vantage point, it seems as though they are. Especially over the past couple of years, there has been a skyrocketing awareness of the problem of the risk. I've found that organizations are really taking ownership of this, as opposed to waiting around for the federal government to provide a solution to them.
Dave Bittner: [00:10:06] That's Dave Weinstein from Claroty.
Dave Bittner: [00:10:10] The U.K.'s National Cyber Security Centre, a GCHQ unit, has released its 2019 annual report. The NCSC says it handled 658 cyber incidents over the past 12 months. The most-attacked sectors were, in order - government, universities, technology companies and managed service providers, with health care and transportation sharing fifth place in a dead heat. The report's tone is modestly proud and customer friendly, featuring easily grasped case studies in the explanatory framework it offers. NCSC has, since its inception, significantly been a public-facing organization. In the U.S., one sees NSA's new Cybersecurity Directorate assuming a similar role. It's not a precise counterpart. The Cybersecurity Directorate remains, as we've been told at Fort Meade, a combat support organization. But its recent public advisory suggests that it's on its way to assuming, in partnership with Homeland Security's CISA, a role similar to the one NCSC has had in the United Kingdom.
Dave Bittner: [00:11:13] In what's presumably not an admission against interest, Huawei's global cybersecurity and privacy officer tells ZDNet that, you know, it's probably easier to bribe a telco executive than it is to backdoor equipment. So don't sweat the backdoors? Hm.
Dave Bittner: [00:11:34] And finally, newsflash and stop the presses - Edward Snowden's memoir "Permanent Record" is out. And while flacking his book on the Joe Rogan show, Mr. Snowden told Mr. Rogen that during Mr. Snowden's time working at the CIA, Mr. Snowden poked around to see whether the U.S. government was in contact with space aliens, was lacing the sky with chemtrails and so on. There's nothing to it, he says, so you can take that to the bank - or so he'd have you believe. No alien contact, no chemtrails, and he says trust him, if there were, he'd know and he'd give it to you straight. Well, Art Bell thou shouldst be living at this hour. Who knew Ed Snowden would practically out himself as an Air Force stooge? Head in the sand, sheeple, at least there's no debunking of Bigfoot. Remember - the truth is out there.
Dave Bittner: [00:12:29] And now a word from our sponsor, Dragos. Cyberattacks on oil and gas environments are continuing to progress in frequency and sophistication. Attackers are creating tailored attacks to cause significant operational and financial impacts. And most importantly, they're becoming aware they can overcome automated safeguards to cause physical effects and harm the lives of those who work in the facilities. Read the latest case study from Dragos to learn how they helped an oil and gas organization ensure it had detections and response plans against TRISIS-like activity on its networks and comprehensively defend its environment. You can find it at dragos.com/case-studies. That's dragos.com/case-studies. And we thank Dragos for sponsoring our show.
Dave Bittner: [00:13:27] And joining me once again is Craig Williams. He's the head of Talos Outreach at Cisco. Craig, it's great to have you back. You and I have spoken about Emotet before. And you all recently posted a blog post about how Emotet is back after maybe taking the summer off. What's going on here?
Craig Williams: [00:13:45] Yeah. So Emotet is really interesting. I didn't realize this until Jaeson and Bill and Colin put the blog post together. Emotet's graduated. Emotet is off to college.
Dave Bittner: [00:13:57] OK (laughter).
Craig Williams: [00:13:59] It has been five years since we discovered Emotet wandering around the internet. So that's kind of amazing. You know, you don't normally see banking Trojans still out there chugging along after five years. You know, normally, through one means or another, something happens that changes the behavior of our adversaries, be that law enforcement or them giving up or moving along or just, you know, potentially losing access to it through some sort of technical glitch.
Craig Williams: [00:14:28] But yeah, it's been five years out there's a banking Trojan. We've covered it at length. If you've not heard of Emotet, I really encourage you to go to the Talos blog and click on the Emotet tag and read through the last several posts. Very interesting. It's one of the longest-standing banking Trojans out there. It does some really interesting email. You know, I think - I believe - and feel free to call me out on Twitter, SecurityCraig, if I'm mistaken here - but...
Dave Bittner: [00:14:56] (Laughter) Oh, believe me. They will (laughter).
Craig Williams: [00:15:00] ...(Laughter) I think Emotet actually pioneered the type of spam reply where you reply in the middle of a chain of existing conversations. Right? You know, like, you get a spam email. And even grandma nowadays is kind of leery. Like, I don't think I really am getting emailed by Nigerian prince, right? But on the other hand, if you've got an email chain open with your friend, and someone replies back pretending to be your friend and is like, hey, I saw your email. You know, I just realized it hadn't been a while since we caught up. Check out this attachment I included. I really think we should go there next Friday. And so you look at it, and it's titled, like, boat adventure, you know? And you're like, that might be legitimate. You know, maybe my friend does want to go out on the lake this weekend.
Dave Bittner: [00:15:47] Right. Right.
Craig Williams: [00:15:48] But the reality is they're generically named.
Dave Bittner: [00:15:52] Now, why do you suppose Emotet has lasted this long? What makes it different from other campaigns that have come and gone?
Craig Williams: [00:15:59] You know, I think it's a combination of ingenuity and the fact that the attackers seem to be meticulous. They don't make a ton of blatant errors, and they don't seem to rush things. They seem very patient. And I think, when you look at the types of malware campaigns that tend to succeed, it's one where the attackers are fairly patient, right? They take long breaks. They let the trail go cold. They pick it back up when they're ready, and they continue their campaign. And every now and then, they innovate and change things up a little bit.
Dave Bittner: [00:16:34] So we're dealing with professionals here.
Craig Williams: [00:16:37] Yeah, I believe so. You know, if you look back at this particular one, it was after some of the - some credential thefts. And we actually saw a massive number of runs in our Threat Grid product. If you're not a Cisco customer, Threat Grid is basically our sandbox. And, you know, as we're looking at malware samples, we obviously don't detonate everything in the sandbox. You know, that's super expensive, and it's, you know, the most resource-intensive for us.
Craig Williams: [00:17:04] But we do detonate samples every now and then because we need to see how things are being run. And, you know, over the last year or so, we've seen tens of thousands of Emotet runs. And so what was really interesting with these is we would see, you know, usernames and passwords of email accounts coming across, right? And I think the number was just under 350,000 different username and password combinations.
Dave Bittner: [00:17:33] Wow.
Craig Williams: [00:17:34] And so if you go back and look at our blog post, we even have graphs of the type of activity and then, more interestingly, the number of passwords that are being reused. Jaeson basically did some analysis on passwords that were being reused. And what was really interesting about this is some seem to be really, really unique. So for example, one of the ones that was reused over 300 times was media and then the @ sign, 2018. So you got to wonder, what organization was using that, and how did they have over 300 people compromised? And so...
Dave Bittner: [00:18:08] That is interesting.
Craig Williams: [00:18:09] Yeah. And so we see a lot of that. And so, you know, it's always one of the side effects of doing malware research, right? You start looking at malware. You start looking at data theft. And all of a sudden, you have insights into the type of defensive strategies that users have been shown. And so, for example, when we look at these passwords, of all the ones stolen like that, the - let's call it the greatest hits chart - although, I guess if you're a victim, maybe that's not how you'd like to look at it - but...
Dave Bittner: [00:18:33] (Laughter) Right.
Craig Williams: [00:18:33] (Laughter).
Dave Bittner: [00:18:35] The wall of shame (laughter).
Craig Williams: [00:18:36] Yeah, yeah. Like, the greatest hits in the wall of shame.
Dave Bittner: [00:18:39] Yeah (laughter).
Craig Williams: [00:18:41] Yeah. You'll notice most of them tend to involve a sequence of numbers. And so I think that's fascinating because that means even the highest-offending victims these days appear to at least have knowledge about password training, right? Their passwords are words, a symbol and then numbers. And we see that multiple times. Now, what's really interesting is, several of the times, it's the same symbol and sequence of numbers. You know, so it's like, you know, some word, the @ sign and then one, two, three, (laughter) right?
Dave Bittner: [00:19:19] Right.
Craig Williams: [00:19:19] And we see that over and over and over again. So what that means, I think, is a lot of people are having password training. The problem is the password training is - got room for improvement.
Dave Bittner: [00:19:30] Yeah.
Craig Williams: [00:19:31] You know, when you train your users, you know, it's important that you highlight the fact that, look, you need to look at a password manager. You know...
Dave Bittner: [00:19:39] Let those passwords be randomly generated.
Craig Williams: [00:19:41] Yes. Human brains are not made to remember this type of thing. And if you do need to remember a password, perhaps don't use one, two, three and the @ side. Maybe go for something a little more creative.
Dave Bittner: [00:19:54] Well, the blog post is "Emotet Is Back After A Summer Break." It's a nice little brush-up on the latest on Emotet. Craig Williams, thanks for joining us.
Craig Williams: [00:20:04] Thank you.
Dave Bittner: [00:20:09] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:22] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.