CyberWire Daily - Airline resolves IT issue. Paradise ransomware source code leaked. Unauthorized access to cameras possible. TSA pipeline cyber guidance under preparation. Russo-US summit. Anonymous extradition.
Episode Date: June 16, 2021
Southwest flights are back in the air after an IT issue disrupted them yesterday. Paradise ransomware source code has been leaked online. Some networked camera feeds may be accessible to unauthorized viewers. TSA is preparing a second, more prescriptive pipeline cybersecurity directive. The Russo-US summit is underway. Our guest is Jay Paz from Cobalt on bad actors targeting hackers. Joe Carrigan looks at malware hosted on Steam. And the “face of Anonymous” has been extradited from Mexico to the US. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/115
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Southwest flights are back in the air after an IT issue disrupted them yesterday.
Paradise ransomware source code has been leaked online.
Some networked camera feeds may be accessible to unauthorized viewers.
TSA is preparing a second, more prescriptive pipeline cybersecurity directive.
The Russo-U.S. summit is underway.
Our guest is Jay Paz from Cobalt on bad actors targeting hackers.
Joe Carrigan looks at malware hosted on Steam.
And the face of Anonymous has been extradited from Mexico to the U.S.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 16th, 2021.
U.S. domestic carrier Southwest Airlines has restored normal service after an IT incident caused about 500 flights to be canceled and delayed roughly 1,300 more.
The U.S. Federal Aviation Administration halted Southwest Airlines flights in a temporary ground stop Tuesday after Southwest experienced IT issues with its reservation systems.
The ground stop was lifted early in the afternoon.
Despite the widespread alarm on Twitter to the effect that Southwest had to have been a ransomware victim, that seems to have not been the case.
The Wall Street Journal puts the incident down to what the airline called a systems issue and connectivity problems, so it was apparently a glitch and not an attack.
Tuesday's outage represents the second time in two days that Southwest IT problems snarled flight scheduling.
On Monday evening, flights were delayed when other connectivity issues interfered with a third-party weather data provider's ability to deliver its information to the airline.
The barriers to entry in the ransomware market, already unpleasantly low, may soon get even lower.
The source code for the Paradise strain of ransomware,
a commodity in the ransomware-as-a-service criminal market since it appeared on the scene in 2017,
has been leaked and posted to the XSS hacking forum, BleepingComputer reports.
It's now available for free, at least to active participants in the XSS Forum.
Among the alerts CISA issued yesterday was one concerning a vulnerability in ThroughTek's P2P software development kit,
a supply chain risk for networked camera vendors who use the P2P SDK.
The risk the vulnerability poses is unauthorized viewing of video.
Security firm Nozomi has published an account of the issue.
They point out that it's difficult for users of networked cameras
to identify the provenance of peer-to-peer functionality
or the security of the software that delivers it,
and so they recommend that the best way to prevent captured audio-video content
from being viewed by strangers over the Internet
is to disable peer-to-peer functionality.
CISA's alert contains a set of useful mitigations.
TSA is preparing a second Pipeline Cybersecurity Directive, FCW reports.
This one will focus on risk mitigation.
Sonia Proctor, TSA's Assistant Administrator for Surface Operations, yesterday told subcommittees of the House Homeland Security Committee that the coming directive will be a security-sensitive information document and will be rather prescriptive in terms of the mitigation measures required.
The summit between Presidents Biden and Putin is now underway in Geneva.
The American side is expected to raise Russian complicity in cybercrime.
The Russian side is expected to offer extradition of criminals to the U.S. if the U.S. will honor similar Russian extradition requests.
The Guardian is following the summit's progress.
The close attention this meeting is expected to give cybersecurity issues
probably represents a new normal in Russo-American relations.
The New York Times observes that these summits are now about cyber the way they were once about nuclear weapons.
Cyber attack is less immediately frightening than a nuclear exchange, but it's also a great deal more difficult to deter or to arrange confidence-building measures.
Part of the problem lies in the problem of attribution.
There are few human events less ambiguous than a missile launch.
The same can't be said of a cyber attack, where misdirection and doubt are so notoriously pervasive.
CyberScoop quotes FireEye's CEO Kevin Mandia on his company's own experience investigating the SolarWinds supply chain compromise.
FireEye's Mandiant unit was among the first to discover the problem and attribute the action to Russia.
Mandia told a CyberScoop-organized conference yesterday, quote,
That's the challenge of cyberspace.
End quote.
and security companies are absolutely fair game for espionage.
Russia has consistently denied involvement in the SolarWinds incident,
as well as involvement in the recent ransomware attacks that Cisco's Talos unit characterized as privateering.
And finally, speaking of extradition,
the so-called face of Anonymous, who'd been living in Mexico,
has been shipped back to the United States, where he's wanted for a variety of computer crimes.
And no, that face isn't a Guy Fawkes mask, but rather, as Naked Security reports, the natural face of one Christopher Doyon, who goes by the hacker name Commander X, who allegedly skipped bail in California back in 2011 to live as a celebrity fugitive in Canada and then Mexico, where he was apprehended last week and extradited to the U.S. on June 12th.
Mr. Doyon, now 56 years old and a former resident of Mountain View, California, in the center of Silicon Valley, faces charges of failing to appear for a 2012 status hearing after his arrest in connection with a distributed denial of service attack against systems belonging to Santa Cruz County, California.
The DDoS was allegedly part of a protest against changes to Santa Cruz enforcement policies that would have affected when and where homeless people might camp in the jurisdiction.
The U.S. Department of Justice explains that failure to appear after pretrial release carries a maximum penalty of two years imprisonment, a $250,000 fine, and three years of supervised release.
The Justice Department says with respect to the 2011 indictment, the maximum statutory penalty for conspiracy to cause intentional damage to a protected computer is 10 years imprisonment, three years of supervised release, and a fine of $250,000 plus restitution if appropriate.
So stay in school, friends. Straighten up
way of life. You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives
and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Security professionals recently found themselves the targets of online social engineering campaigns specifically targeting them and the enhanced access they may have to their clients' and companies' systems.
Jay Paz is Director of Pentest Operations and Research at pentest platform provider Cobalt, and he joins us with these insights.
It's important to note, right, that when we're talking about hacker, we aren't just talking about
malicious attackers. We are talking about
security professionals that make a living assessing networks or applications for customers
or for their own company. And so they are also here considered a hacker, right? And then the
other side of it is those that are malicious attackers, those that are doing it for the financial aspect of it,
or just as part of a group, a state-funded group, perhaps, those are also hackers.
And so we want to make sure that we are capturing both of those personas in this conversation.
And what is it about a cybersecurity professional that makes them particularly
attractive to adversaries?
The amount of knowledge that they have, what they know about the environments that they're testing,
or the companies that they work for. They have an insider knowledge that is extremely valuable
for those individuals that are doing this for malicious reasons.
So what are your recommendations?
I mean, what should organizations do to make sure that these folks
don't fall particular victim to these adversaries?
I think the best thing that any organization can do is not assume, right?
And we talked about it a little bit, that assumption
that security professionals know how to defend their own environments is flawed. And a lot of
times, security awareness training, or even more in-depth training isn't provided to some of these
individuals, either to save money, or because they don't feel like they need it. And I think similarly, it's important for
security professionals to realize that we need to continue to learn and to continue to stay ahead
of the malicious attackers. And so I think it's a partnership between the organization and the
individual to really make sure that those gaps are being covered. Yeah, it strikes me that
this may require a certain amount of humility to recognize that, yes, even though you are above the
average person when it comes to knowledge of these things, there are still areas where they can come
at you. A hundred percent. And I think that that's true in any profession, right? Like you see major league baseball players getting out there and getting their reps in batting practice and
field practice. And just because they've made it to the big show, doesn't mean that they,
they can't improve or that they shouldn't continue to practice or get better at their craft.
And I think that applies to all of us as well. It's important for all of us to realize that these malicious attackers are continuously getting better and better at what they do.
And they are finding new targets and new approaches to arrive at the information that they're trying to steal.
And while today this hacker-on-hacker attack may be the thing,
tomorrow it could be a completely different group of people
that they are targeting.
And so it's important to look at our security programs
in a more holistic approach
to make sure that we're capturing all of these nuances.
That's Jay Paz from Cobalt.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach
can keep your company safe and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Interesting story caught my eye, and I thought it would interest you, you being a gamer.
Yes, I'm an elite gamer, Dave.
So this is an article written by Becky Bracken.
It's over on the ThreatPost website, and it's titled Steam Gaming Platform Hosting Malware.
There's some interesting details here.
Unpack it for us, Joe.
All right.
So it sounds a lot scarier than it is for Steam users, but it's not really.
What's happening here?
Let me tell you what's happening here, is somebody out there has figured out that they can use Steam as a distribution platform for images that have a set of malicious code or some malicious code packed into something called the ICC profile.
ICC profile is, the ICC is the International Color Consortium.
Right.
And they work on standardizing colors across applications.
Yeah.
And image formats like PNG, portable network graphic, which is an open image format,
have allowances for putting these profiles into the image.
Right.
Now, I looked up the specification of these, and these profiles can be of n bits long,
which means they can be arbitrarily big.
Mm-hmm.
And what that means is that you can put anything in there
that you want,
and it probably will not affect the rendering of the image.
Right.
But it may not be a valid ICC profile,
but it's still there.
Yeah, and the ICC profiles are there.
So if you were to send an image off to be printed, for example, it would tell the printer,
these are the things you need to know about this image to have it print properly.
Yeah, here are the exact colors I want you to use.
Yeah.
And the printer has its interpretation from the ICC, and the image displayer has its, you know, the application you're using has its interface with the ICC.
And so it's basically a standardized way of doing things. It's just
being abused here as an opportunity. But the code will not run on its own, right? So if you just view
the image, that doesn't run the code. What has to happen is somebody has to be tricked into running
some other code that goes out, fetches the image, gets the decompressed code out of the image,
and then executes the decompressed code. So what they're speculating is happening here is that
they're prepping for a larger scale attack. They're going to send out a bunch of phishing
emails or a bunch of, probably just a bunch of phishing emails. And
they're going to get people to click on links or download malicious attachments that are really
very small. And that's really the objective here is the distribution of the malware will be easier
because the malware that actually goes out and fetches this image will be tiny.
Right.
Maybe a couple lines of code.
Okay.
And then it's going to go out to Steam,
which you can access through a web interface
and get this image, download the image,
unpack the ICC profile, find the code,
execute the code.
That's how this is going to work.
So they're basically hiding this code in plain sight
on a publicly accessible website that is Steam
and profile images don't generally draw a whole lot of attention to themselves.
Now, we've seen this done before on Twitter.
Twitter being used for command and control and other social media sites.
Any place you can put a public image, you can do this.
But this is the first time we're seeing it on Steam.
Hmm.
Has Steam had any response to this?
As of the recording, no.
It's owned by Valve.
Steam is owned by Valve software, and they have not responded to it.
I don't know how they would respond to it or how they would control for this.
I mean, I guess you could check the ICC profile and make sure it's not being
abused, or you could limit image size. But actually, these are just source code, so it's
going to be small anyway. I mean, checking for image size is not going to be very helpful.
I mean, I wonder if you could just simply strip the ICC code info out of images that are being
used as profile pictures. You could strip a lot of the metadata out. They're being just displayed on a screen.
Right.
So presumably, you know, it's not something,
it wouldn't make that much of a difference
if you were to do so for security reasons.
But who knows?
I mean, Steam's big,
so there are lots of images up there, right?
Right.
This article actually gives you the number.
They've got over 20 million users.
Wow.
Wow.
Yeah, interesting.
Yeah, you know, one of the things that fascinates me about this is that, you know, over the years, I've had to shed my perception that graphics files are pretty much benign.
Right.
You know, because they've become a popular place for folks to hide things.
Right.
Well, I mean, still, if you just look at the graphic, if you just load it up in a web browser,
nothing's going to happen.
Right.
You're going to have to have the loader
execute the software.
Now, I guess if you could,
if you wanted to,
you could compile and run the code yourself
that you find in some random image,
but I wouldn't recommend doing that.
Yeah.
Yeah, that's an edge case for sure.
That seems like a very bad idea.
Yeah.
Hmm.
All right.
Interesting thing to look out for.
I mean, is this imminent?
As you said, it seems like they're preparing for something else.
So, I mean, any advice for folks to protect themselves here?
I would say the standard advice.
Don't open email attachments.
Don't click on links, those kind of things.
Right.
There's not really anything you can do.
One of the reasons I think they're using Steam is because a lot of legitimate traffic goes to Steam.
Yeah.
Right?
So it wouldn't stick out, especially if you have a Steam client installed.
It won't stick out on any packet capture tools because it will just look like normal traffic.
I see.
Yeah.
Yeah.
Absolutely.
All right.
Well, again, it's over on ThreatPost.
The article is titled
Steam Gaming Platform
Hosting Malware.
Joe Carrigan,
thanks for joining us.
It's my pleasure.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.