CyberWire Daily - A CrashOverride update from Robert M. Lee. Patch news. Terrorist funding goes cyber. Cozy and Fancy Bear were more active than earlier believed.
Episode Date: June 14, 2017
Robert M. Lee from Dragos provides an overview of CrashOverride. A quick look at yesterday's Patch Tuesday. Some of the fixes even reached back into Windows XP's unquiet grave. Terrorist information operations are increasingly sustained by cryptocurrency funding. Accenture's Justin Harvey reviews automation and orchestration. Russian intelligence may have been more active probing US state election systems than previously thought. Fake-news-as-a-service is now a black-market offering.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Yesterday was Patch Tuesday, and some of the fixes even reached back into Windows XP's unquiet grave.
Terrorist information operations are increasingly sustained by cryptocurrency funding.
Russian intelligence may have been more active probing U.S. state election systems than previously thought.
Fake news as a service is now a black market offering.
And Crash Override is a real threat to the grid.
This is not a drill.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, June 14, 2017.
We've got a slightly unusual edition of the CyberWire for you today.
We're going to do a quick rundown of some news, but we're going to spend the main part of the show with Robert M. Lee, founder and CEO of Dragos, the security company whose recently published report has been at the center of the Crash Override power grid malware.
First, the news.
Microsoft issued 96 patches yesterday and, in an unusual move, reached back to fix WannaCry-related issues in the beyond end-of-life Windows XP.
Also unusual is Redmond's warning to expect exploitation by state-sponsored threat
actors. Yesterday, Adobe also pushed out fixes for its much-updated, much-patched Shockwave and Flash
products. Information operations continue to figure prominently in terrorist groups' use of the
Internet, which is why disruptive cyberattacks by states belonging to the civilized world
have had such difficulty countering them.
Another trend in terrorists' use of cyberspace is emerging in financing.
Cryptocurrencies are beginning to assume a more important role
in bankrolling their operations.
Bloomberg reports that Russian probes of U.S. electoral processes
seem to have been more extensive than feared.
Cozy and Fancy Bear, between them, may have prospected systems in as many as 39 states, and they're expected to be back.
The probes seem to involve reconnaissance, but also attempts at voter registration data manipulation.
With respect to influence operations, Trend Micro is warning that fake news as a service is now available in online black markets.
It's pricey, but payoff could be high.
One service available for $400,000 offers election manipulation.
How effective such services may be is so far anyone's guess.
The Crash Override threat to electrical grids may be greater than at first thought. The story is developing rapidly. Robert M. Lee of Dragos, which did the heavy analytical lifting, joins us for the details.
In 2015, on December 23rd in Ukraine, there was the first
ever cyber attack that actually brought down portions of a grid and disrupted electric operations.
And myself and a couple of members of my team got to be involved in the investigation, analyze it out.
And the big discovery there was that while malware helped facilitate access, this malware known as Black Energy 3,
the malware didn't cause the outage.
It was the human adversaries learning and interacting with the grid operation systems.
In 2016, it happened again, where Ukraine came under attack, and this time at Kiev in a substation there.
There was another outage due to a cyber attack.
But this time, we weren't involved in the investigation.
It was more of a close-held matter, since it was a transmission level substation, which is a much bigger impact. And we didn't know anything about it. So nothing's
really been public up to now. Some discussions have, but nothing really about what caused the
outage. So it turns out this anti-virus firm in Slovakia called ESET actually had a sample of the
malware, which we've now known and called Crash Override.
And they were analyzing this malware, but for whatever reason,
I don't know if it was sensitivities or just, you know,
I have no idea about their motivations or intent,
but they didn't notify anybody about it and didn't release any information.
And we got a call on June 8th from reporters saying,
hey, ESET's getting ready to go live with this analysis
and we're having a bunch of stories published on June 12th
and we would like to know if you can confirm this.
And so ESET reached out and passed us some of their analysis.
When we got it on June 8th,
we immediately noticed the potential impact here.
There's only ever been three other ICS or
industrial control system tailored pieces of malware before, so this was very significant.
And obviously, the impact ability to be able to take down any portion of a grid is very alarming.
So from June 8th to June 12th, when we became public, we tracked down samples of the malware,
did all the analysis, reverse engineered their analysis to be able to validate it, found additional contacts that had
been missing, found additional samples. We were able to link it to the Electrum group that we track
internally at Dragos, which has direct ties to the Sandworm team that attacked the grid in 2015.
And we also found out that none of the industry partners had been notified yet.
So in that time as well, we reached out to all the different U.S. government agencies, various national level certs around the world, and industry sector partners as well, of course, as our customers with all the information available.
And try to make sure that they were ready before this went public on Monday, June 12th.
So it was a 96-hour kind of surge to make sure that we could get the appropriate
message out because the impact is real and the threat is significant, but it's not apocalyptic.
It's not the grid is going to cascade. It's not some doomsday scenario, but it has the potential,
has the real potential for hours or a day or two of outages at sites that it targets.
And it's scalable across any number of energy sites. So very alarming,
but not doom and gloom. Yeah, take us through that. I mean, you generally tend to have sort
of a measured response to these sorts of things. You're often a voice of reason when it comes to,
you know, ICS potential vulnerabilities. How serious is this? How do we calibrate?
Yeah, so I think it's extremely serious, but again, not doom and gloom.
But I say extremely serious because the industry time and time again, whether it's government or private sector, has trained their mindset into vulnerabilities and exploits.
Like how bad is a vulnerability?
How bad is an exploit?
And patch it, fix it, prevent it.
And the whole thing here is what makes this crash override malware unique and very interesting is that it doesn't rely on any specific vendor, doesn't rely on any vulnerabilities.
It's just the codification of grid operations knowledge.
So it's leveraging completely normal functionality that operators need to have inside of the electric grid
to then be able to send the
wrong commands and disrupt the electric grid. Now, the nuance, of course, is that our electric grid
operators, the government and private sector working together over years, have done an amazing
job at making our grid very reliable. They're used to going back to manual operations and getting
electricity running for storms and events like that. So even though that hasn't been tailored for security necessarily,
even though they do train for it,
that still has a very big impact of security as a byproduct.
So what we're looking at is a platform
that is able to be scaled across different sites that the adversary targets.
It doesn't spread randomly.
The adversary still has to target these individual sites,
but it would work.
And right now, without any modification in all of Europe, most of the Middle East, and most of Asia.
And with very small modification, it would work on the North American power grid. So everyone's taking it very seriously because it's a mindset change, it's an evolution in tradecraft for the
adversary, and it's concerning. But it's not cascading grid failure. It's not all the sites
across America going down. It's not months and weeks of outages. It's hours, maybe a day or two of specifically targeted sites that the adversary chooses.
Take me through where you all are in terms of attribution.
My firm doesn't get into the game of attribution. I actually don't think it has any value for network defenders. It doesn't matter who the adversary is. It matters what the capability is and how to protect yourself against it. Obviously, national security folks are very
interested in attribution because it does matter for them. My view is we've been able to confirm
with high confidence that the Electrum group that did this attack has direct ties to the Sandworm
team. So FireEye has tracked the Sandworm team for a while, and their folks,
and John Hultquist over there, came out and confirmed that the Sandworm team is Russian-based
actors working closely with the government. I'm not in a position to refute or confirm that
assessment. I just know that the group we tracked as Electrum has direct ties to that group,
and they've attributed that group to the Russian government.
So where do we go from here? This has been a busy few days, obviously, for you.
What are your recommendations going forward? Yeah, well, I'm hoping that we'll have more. I mean, this should have been analyzed over a month or two, not 96 hours, but hopefully we'll have
more to learn and pass on to our folks. But there's really three big takeaways, I think.
Number one, industrial control sites, not only electric power grid, but other sites as well, but especially grid operators,
need to have the mindset that, again, it's not about the vulnerability, it's about somebody
using your systems against you. And they need to specifically ready the visibility into those
environments to look for that, to detect it, and to understand what
they're going to do in response. But the real big mindset change is it's not about the tool.
It's not about the security appliance. That may help you, but you're dealing with human adversaries.
You need human defenders inside that loop to make sure that you're defending appropriately.
So that's the first thing. The second thing is the government and its government agencies have
done this very, very well this time. I've been extremely impressed. But they really need to capture that nuance and continue beating the drum. This is a serious threat and significant, but not catastrophic.
That nuance has to be there. We want it to be positioned that it's serious enough to try to take it appropriately, but also recognize the amazing work that the community has been doing over the years.
And if they capture that nuance, both communities will respond correctly. And so far that's being
done, which is honestly amazing. And the third thing that has to be done after the first attack,
Mike Assante, Tim Conway, and I, a couple others that investigated it, came out and specifically said that one of the things that bothered us the most was that no senior government official in the U.S. had admonished the attack in 2015.
But the United States government from senior level needs to say that attacks on civilian infrastructure are inappropriate and that our hearts and minds are with those folks in Ukraine and that this is unacceptable.
You have to make a statement.
And so we went around different conferences and so forth in different political circles in D.C. through June to August timeframe and made that position that this was ridiculous and no one had said anything.
And one of the statements we had said at the time was, you're emboldening the attackers. You're just showing them that they can use Ukraine as a battlefield to test out their
capabilities, and it's going to come home to roost in our environments within a couple years. Like,
this is their training opportunity and we need to stop this. And obviously, in September 2016, it
happened again, so we can't let this opportunity go again.
Now that we have the details, now we understand the Trump administration and senior level government officials need to come out and strongly make the statement that the United States government and its allies do not really have any willingness to let these type of events go unnoticed. And that while we may not do big sanctions or attribution or anything like that,
that whoever is responsible know that this is an unacceptable attack on civilian infrastructure.
That's Robert M. Lee from Dragos.
You can read the full report on Crash Override on their website.
And I'm pleased to be joined once again by Justin Harvey.
He's the Global Incident Response Leader at Accenture.
Justin, welcome back.
You know, we talk about response automation and orchestration,
and these are hot topics right now. Bring us up to date. What do we need to know about this?
Sure. Well, incident response and security operations automation and orchestration,
it's not really a new topic these days, but there have been some advances in the technology.
If you want to go back several years and look at the way that a security
operations center or a fusion center or cyber defense center was architected, it was really
architected like a pyramid. The base of the pyramid is filled with your junior level one
analysts that are looking at events. They're interpreting the data. And if they need additional
information or if they have questions, they essentially escalate it up to level two.
There are fewer level twos than you have of level ones and so on until it gets up to the incident response or threat hunt team.
That model of building a heavy people-centric security operations center has proven to be unsustainable within the greater information security industry
globally. There are simply not enough people or analysts to fill those seats. So the industry has
naturally pivoted to ways to address that. And you can address a shortcoming in analysts in one of
two ways. The first would be through managed services. And yes,
we are seeing a dramatic increase and uptick in organizations that want to outsource part of their
security monitoring. So that's one way to do it. And the other way to do it is to utilize things
like automation. And automation enables you to take your rote tasks that your level ones are already
doing. They see an event come in, they classify it, they categorize it, they do a little bit of analysis,
and then they kick it up to the next level of the security operations pyramid. Well,
what automation is doing is it's taking all of those tasks and essentially creating an enriched alert or a contextual alert through collecting system information and with a little bit of logic and then sending it up to the next level for analysis.
So it's essentially creating a heads up display for higher level resources.
And how about orchestration?
...it already knows where that attachment or where that malicious document or object went to on an endpoint.
And orchestration is taking over for what a human would already be assigned to do.
Go down to that endpoint, pull the flight recorder, determine if the user executed it.
If they did execute it, then you want to contain or remediate that threat on the endpoint.
So orchestration paired with automation is becoming more and more powerful. And both of these types of technologies are just addressing a simple fact
that there's not enough people in the industry to respond to these incoming threats to organizations.
Orchestration can also be brought to bear in helping your existing humans or your existing analysts that are triaging events,
essentially guiding them through their workflow. One term I use is guided workflow. So if you know
an event, a particular type of event is coming in, and you know that you can't automate some
lookups or automate a lot of that, at least help the human walk through their decision-making
process in order to reach a conclusion and take action to contain that or classify that
alert as a false positive.
All right.
Justin Harvey, thanks for joining us.
And that's the CyberWire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.