CyberWire Daily - AllScripts works to remediate ransomware in medical apps. Group 123 hits ROK targets. Triton/Trisis zero-day. Dark Caracal espionage op. Section 702 renewed. GhostTeam ejected from Play Store.
Episode Date: January 19, 2018. In today's podcast we hear about ransomware afflicting a healthcare IT provider. Group 123 phishes in South Korean waters. Schneider Electric describes the zero-day Triton/Trisis exploited. The Dark Caracal spyware campaign is attributed to Lebanon's intelligence service. The US Congress will extend Section 702 surveillance authority for six years. GhostTeam-infected apps are booted from the Play Store. Jonathan Katz from the University of Maryland ponders "uncrackable" quantum encryption. Graham Cluley from the Smashing Security podcast drops by for a chat about the state of the industry. And is there ever a good reason to write down a password?
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Dark Caracal is tracked back to its Beirut lair.
Group 123 phishes in South Korean waters.
Schneider Electric describes the zero-day Triton/Trisis exploited.
The U.S. Congress will extend Section 702 surveillance authority for six years.
GhostTeam-infected apps are booted from the Play Store. Graham Cluley drops by to talk security.
And is there ever a good reason to write down a password?
I'm Dave Bittner with your CyberWire summary for Friday, January 19, 2018.
Add another health care sector incident to this week's news of unrelated incidents running from southern and eastern Norway to Indiana and Mississippi.
Allscripts, the Chicago-based provider of electronic health record and practice management tools to some 2,700 hospitals and 13,000 other care organizations, is investigating a ransomware infestation that appears to be affecting some of its applications.
The issues came to light yesterday and are reported to be concentrated in applications hosted in the company's North Carolina data centers in Raleigh and Charlotte.
The company has taken down its professional EHR services and its electronic prescribing system until remediation can be accomplished.
Other affected functions included regulatory reporting, clinical decision support, and various communications and payment apps.
Allscripts' support is working with clients during the disruption as the company works toward restoring full service.
Cisco Talos reports on a new threat actor, Group 123.
It's responsible for six identifiable campaigns mounted during 2017 and continuing into this year: Golden Time, Evil New Year, Are You Happy?, Free Milk, North Korean Human Rights, and Evil New Year 2018.
The odd names allude to the campaigns' distinctive phishbait.
All except Free Milk targeted South Korean individuals and organizations.
Free Milk was international in scope.
Talos is commendably reticent about attribution, but you don't have to be George Smiley to see that those look like the work of Pyongyang.
The payloads in these campaigns included both remote-access Trojans and disk wipers.
Schneider Electric offers a post-mortem on the Triton/Trisis industrial malware and the zero-day it exploited.
The company has determined that a vulnerability in its Tricon safety controller firmware permitted exploitation for privilege escalation, and that this enabled attackers to meddle with emergency shutdown systems during attacks on Middle Eastern systems believed to be operated by Saudi Aramco.
Schneider said the Trisis/Triton malware included a remote-access Trojan, a RAT, that enabled attackers in principle not only to shut down plants, but to induce unsafe conditions and damage difficult-to-replace equipment.
The attacks of late 2017 were widely called game-changers
because of their happily unrealized potential for catastrophic damage.
Schneider is fast-tracking firmware updates to prevent a recurrence,
but in the meantime they recommend that users always enable Triconex cybersecurity features,
always deploy safety systems on isolated networks and don't make them easily connected,
and pay close attention to sound physical security of safety systems and networks.
They also recommend other standard digital hygiene best practices.
As the Davos meetings approach next week, thoughts of the participants turn to geopolitical tensions
and the way those are increasingly manifested in cyberspace.
Russian capabilities in hybrid warfare, of course, prompt considerable reflection and concern,
and the North Korean operations we've mentioned are also well known.
But states that are neither large nor rogue can also be problematic.
One of those, perhaps surprisingly, is Lebanon.
The Electronic Frontier Foundation and security firm Lookout have issued a report describing
an operation they're calling Dark Caracal, named after the long-eared wildcat endemic
to North Africa and Southwest Asia.
Dark Caracal is a long-running espionage campaign that has been affecting Android mobile devices since 2012.
Lebanon's intelligence service, the General Directorate of General Security, GDGS,
is the organization being held responsible for the campaign.
Their targets included journalists and activists, military personnel, manufacturers, and financial institutions in more than 20 countries.
Several things are noteworthy about the discovery.
First, the GDGS seems to have inadvertently left the information they took exposed on an open server.
This has been an issue for intelligence services and their contractors in some large and sophisticated countries as well, so OPSEC slips of this sort aren't by any means confined to the Levant.
Second, no sophisticated malware was involved.
The approach was as effective as it was direct.
Dark Caracal spread by phishing with baited software that looked like legitimate communication apps.
The malware simply used the permissions users granted when they downloaded it.
Third, and in some ways most interestingly, it seems the GDGS may have rented its espionage tools and infrastructure from some third party.
The researchers say they found servers and malware associated with Dark Caracal they'd seen last year in an investigation of hackers apparently working on behalf of the Kazakh government.
Whether Lebanon rented the stuff from Kazakhstan or vice versa, or whether both intelligence services are buying from some third-party vendor, is unknown, but the appearances suggest a complicated market for espionage tools and infrastructure.
In the U.S., the Senate yesterday voted to extend Section 702 surveillance authorization
for another six years.
This means the U.S. intelligence community will retain what it regards as an essential
foreign intelligence collection authority.
In news of other hacks, Google has kicked 53 apps out of the Play Store.
The malware they were hosting was GhostTeam, which is designed to steal Facebook credentials.
Trend Micro, the security firm which published the results of its investigation into the malware, thinks internal signs point to a Vietnamese origin for the code.
So far, they haven't observed any significant exploitation of Facebook credentials, but Trend Micro is working with both Google and Facebook to prevent a major outbreak.
Finally, this is the week that began with some false alarms of missile launches issued
by Hawaiian civil defense authorities and Japanese broadcaster NHK.
The unrelated incidents were due to operator error, abetted perhaps by some questionable
user interface design choices.
So they weren't the work of hackers.
But pictures from the Hawaiian Center have raised a lot of eyebrows in security circles,
because pictures taken in July of workspaces in the Hawaii Emergency Management Agency command post
showed an official posing in front of a monitor adorned with a sticky note that had a password written on it.
There's been a great deal of contemptuous mockery, like the tweet that said, "The Deep State apparently uses password Post-it Keeper."
Or the Reddit wisecrack: you have to write your password on the back of the Post-it note for it to be secure.
So that's funny, sure, but Motherboard offers a contrarian take on the matter.
There are, the publication says, worse things you could do, like record your passwords in an unencrypted text file, or simply reuse the same one for all your accounts because it's easy to remember, like FranksRedHot, a password that gets even better if you change the A in Franks to an at symbol.
Those things would be bad.
But as the Motherboard writer points out, whether or not it's a good idea to write down your password depends on your threat model.
If your workstation is in a publicly accessible place, then bad idea.
But if it's in your home office, say, maybe not as bad as some other choices you could make, especially if you've got a bad memory.
Is it likelier someone's going to break into your house than it is that they'll realize you use Ninja1234 for everything?
Still, a real password manager is your best bet, and you certainly don't want sticky notes around when the local TV reporter comes to visit.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies, like Atlassian and Quora, have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal
devices, home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Jonathan Katz.
He's a professor of computer science at the University of Maryland
and also director of the Maryland Cybersecurity Center.
Jonathan, welcome back. Great to talk to you again.
We saw some stories come by on Engadget, and they were talking about
some research being done in China with quantum computing, quantum encryption, quantum cryptography,
and claims that these are unhackable. Sort of unpack it for us. What are we talking about here?
Yeah, I saw those articles too. And the first thing I want to say is that it's actually kind of always been interesting to me,
and I don't quite understand why anything related to quantum cryptography automatically gets a lot of press coverage.
I mean, quantum cryptography is interesting, but I think it's kind of got a niche use case.
But nevertheless, in these particular articles, what they were talking about was a new network for quantum encryption and quantum communication that had been set up by the Chinese, and that basically had beaten some previous records in terms of the distance over which the communication was going, and perhaps also the rate at which the communication was being done.
And when they say unhackable, they always put it in scare quotes, you know.
Is that a reasonable thing to say, or is it merely a factor that, you know, someday a clever human might come up with a way to crack any type of cryptography?
Well, you always have to take these things with a grain of salt.
What they are referring to there is the fact that there is a mathematical proof that the underlying protocol, the underlying quantum mechanical protocol, actually cannot be hacked.
And not only can it not be hacked by a classical computer,
it can't even be hacked by a quantum computer should one come along in the future.
And that's a guarantee that we don't have for the other kind of cryptography that we use on the Internet.
Those kind of systems, number one, rely on assumptions,
and number two, can potentially be cracked
with enough computational power.
And so that's what they mean when they say unhackable.
Now, having said that, of course,
you realize that in practice,
most systems that get broken
are broken not because of the cryptography,
but by things surrounding the cryptography,
by the implementation, by user error,
by an attacker maybe hacking the physical devices being used for the communication.
So, you know, you have to take the unhackable there with a bit of a grain of salt.
But nevertheless, it is kind of nice that these systems come along with some kind of a proof that at least the underlying protocol itself is not going to be the point of failure.
And is this something that's still off on the horizon? Is it merely at the research stage, or are there practical uses on the way for this?
It's kind of right at the borderline.
I do think that it will remain a niche technology that will only be applicable in certain scenarios.
But I think it's at the point now where people are talking about using it or even using it in very specific scenarios.
And so it is starting to move from the research lab into limited use.
All right, Jonathan Katz, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
My guest today is Graham Cluley. He's a popular voice in the cybersecurity world through his own website, grahamcluley.com, and as co-host of the Smashing Security podcast with Carole Theriault.
He's a popular keynote speaker and a regular on broadcast media around the world.
I began our conversation by asking him for a status update when it comes to cybersecurity.
You know, I like to be upbeat about these things. I like to think positively.
And I think if we're going to put some positive spin on this, by now, January 2018, we can assume that all of us have had our identity stolen at some point or another, to some extent or another, by one of these huge breaches.
So in a way, that's good news, because now we're aware of identity theft.
Maybe we're even aware of some of the steps we need to take in order to make sure that funds aren't beginning to disappear from our wallets as well.
So it's almost like there's been so much bad news and so many bad experiences that we're a little bit more battle-worn as a result, and so we've been in the fight for a while and so we're better prepared from that point of view.
But other than that, I don't really see anything that great and positive on the horizon.
I think we're going to see another year of enormous vulnerabilities, huge data breaches, and shocking privacy scares.
And I suspect it's going to be that way for many, many years to come.
What do you suppose GDPR is going to do in terms of having an effect globally?
Well, it's already had an effect, certainly in Europe, of course, where companies have really been on the ball and been putting measures in place for some time to get themselves prepared for it.
And I think in the case multinationally, some companies outside of Europe have simply not realized that this also affects them.
And if they have any customers in Europe, they need to make changes maybe to their systems and appreciate that potentially there could be some very, very large fines.
I'm somewhat sceptical as to whether we are going to see the really enormous fines and damages imposed upon companies that the law provides for when this comes round.
I suspect it's more being used to scare people.
But for many companies, this has been an enormous upheaval. But if it does wake up any companies a little bit more seriously and wake up the board and the C-level executives to the threats which are out there, then that has to be good news.
Because for too long, too many companies have really had a slipshod approach to protecting their customers' data.
And that has to change because we are putting our trust in these online businesses and, indeed, non-online as well.
And yet time and time again they're proving themselves to be, frankly, incompetent at protecting our information.
I'm more concerned, actually, that many companies and many individuals these days are almost accepting data breaches as a fact of life and thinking, oh well, what could we have done?
Or they're rolling out the age-old excuse of, well, it was a highly sophisticated attack using mysterious zero-day vulnerabilities, and, you know what, it could well have been state-sponsored as well, in which case it's like, oh well, that's all right that you got hacked, because clearly there was nothing you could do.
And I get fed up with companies using those kinds of excuses and trying to wiggle their way out of it.
I would really love to see consumers voting with their wallets and actually punishing the companies who do suffer these data breaches by no longer doing business with them.
But I know from my own human experience that it's a hassle changing providers or suppliers.
It's a hassle.
If you have a relationship with a company and they're providing you with a service and they suffer a data breach, it's quite a nuisance changing your supplier, isn't it?
Or moving your account.
And in some particular cases, you simply can't do it.
If it's a government agency or if it's the National Health Service or some of that,
there's no other choice.
You have to do business with them effectively. You have to entrust them with your data, and, you know, what more can you do?
But certainly for the commercial data breaches, I would love to see users really making their opinions felt strongly about this, and not just for that week, the initial week after the breach is exposed, but actually remember it and tell their friends, never deal with XYZ company again, because they treated us so badly a year ago.
Yeah, I wonder if we're going to see a time where companies use security as a feature, you know, similarly to the way that, for example, Volvo sold safety: when no one else was making the point of safety, Volvo made that a selling point.
And it doesn't seem like we've seen that yet with security, but it strikes me that that could be an area where someone could try to have a competitive advantage.
It would be nice, wouldn't it? I mean, I think for most people, unfortunately, security simply isn't sexy.
I mean, you look at the huge growth we've seen in Internet of Things devices. Every device imaginable these days has got the Internet connected to it.
And it's simply another feature which they can put on the side of the box and say, it's not just a toothbrush, it's a toothbrush which can connect to the World Wide Web. And people say, oh, yes, I'd like one of those.
But that's the thing which makes them choose that particular toothbrush on Amazon, rather than: this is a really secure toothbrush, which can never be connected to the Internet and doesn't require Internet updates.
But when a security vulnerability is found, and it's not so much about security, it's more about privacy, is Apple, which has acted differently from some of the other technology companies out there and said, look, we're not going to make money out of you by collecting your data and potentially putting you at risk that way, or displaying ads everywhere and again maybe exposing you to risk.
We're going to make money by charging you a heck of a lot of money when you buy our shiny gadget.
And so they charge more than most people charge for their particular gadget,
but what they do is they say that's going to be it.
Once you've done that, that's how we're going to make money from you,
and maybe we'll make some more money from having you in the ecosystem
and you buy things in the App Store,
but we're not going to be selling your data.
And I like that they appear to have that attitude.
Now, having said that, they still have security vulnerabilities and sometimes really bad ones.
But they do appear to have adopted that as a philosophy.
And, of course, that's sometimes got them into trouble with governments
because they've been so hot on privacy and locking down their phones, for instance.
Do you have any advice for those people who are considering a career in cybersecurity
in terms of pathways they should take
or classes or certifications?
What's your take on all that?
You know, I do get asked this quite a lot
and I feel incredibly underqualified
because I don't have any computer security qualifications.
I fell into this industry 25 odd years ago
completely by accident.
I just think, I have no idea. The world has changed so much in 25 years. I haven't gone to a job interview in 25 years either.
What I would say to people is, try and keep on the right side. You know, don't be tempted to do naughty things just because they're possible.
And, you know, so if you go into, for instance, if you're interested in penetration testing, make sure that you have the permission of the company whose systems you're testing or you're looking for vulnerabilities in, so make sure you don't blot your copybook from that point of view, because it may impact your future career.
But the big resource which I would really recommend, which wasn't available to me 25 years ago, are sites like Twitter, because there you can begin to converse and join in the conversations with so many really brilliant security researchers.
There are fantastic conferences around the world as well. There may be a B-Sides or something like that in your area, which is fairly easy to get to, where you can meet some of these people, form relationships and learn a huge amount.
The opportunities are out there to gather information, to join in on forums, to exchange expertise, to learn, to watch YouTube videos, to get really enthusiastic about this.
But, you know, keep your nose clean. Don't do anything silly which your future self might regret.
All right, Graham Cluley. Thanks for joining us. His website is grahamcluley.com. And of course,
the podcast is Smashing Security. If you haven't checked it out, please do. It's a lot of fun.
Thank you very much.
We'll have an extended version of my conversation with Graham Cluley for our Patreon subscribers. You can learn about that at patreon.com slash thecyberwire.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Thanks for listening. We'll see you back here tomorrow.
Thank you.
and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps
tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.