CyberWire Daily - APT10 stays busy. More skepticism about Huawei (and ZTE, for that matter). No foreign “material effect” on US midterms. Reverse RDP risk. IIoT bug found. RSA Innovation Sandbox finalists.

Episode Date: February 6, 2019

In today’s podcast, we hear that Chinese threat group APT10 seems to have been busy lately, and up to its familiar industrial espionage. More governments express skepticism about Chinese manufacturers. The US report on election security is out: influence ops were found to have had no material effect on the midterms. Lithuania worries about Russian election meddling. A reverse RDP attack risk is reported. An industrial IoT remote code flaw. And congratulations to the finalists in RSA’s Innovation Sandbox. Emily Wilson from Terbium Labs on biometrics for sale on the dark web. Guest is Katie Nickels from MITRE on the ATT&CK knowledge base. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/February/CyberWire_2019_02_06.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Chinese threat group APT10 seems to have been busy lately and up to its familiar industrial espionage. More governments express skepticism about Chinese manufacturers. The U.S. report on election security is out.
Starting point is 00:02:10 Influence ops were found to have had no material effect on the midterms. Lithuania worries about Russian election meddling. A reverse RDP attack risk is reported. There's an industrial IoT remote code flaw. And congratulations to the finalists in RSA's Innovation Sandbox. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 6th, 2019. The cyber incident Airbus disclosed on January 30 is now believed to have been the work of Chinese operators.
Starting point is 00:02:56 So says French publication Challenges, citing anonymous sources close to the investigation. Signs seem to point to APT10, also known as Stone Panda or menuPass. APT10 is generally associated with the Tianjin bureau of the Ministry of State Security. Airbus made its disclosure within GDPR's prescribed 72 hours, since the hackers accessed employee data, mostly professional contact and IT identification details. APT10 has been busy elsewhere, too. A report by Recorded Future and Rapid7 concludes, in a cautionary account of third-party risk, that the espionage group has been active against managed service provider Visma, a U.S. law firm with a wide-ranging intellectual property practice, and other companies. Here, there's less uncertainty about attribution,
Starting point is 00:03:44 and there seems little doubt that the campaigns were the work of APT10. The mode of approach is interesting. The attackers gained access to their targets using valid but stolen user credentials for Citrix remote access tools. From there, they conducted privilege escalation and used DLL sideloading to install a malicious DLL that decrypted and injected Trochilus malware as its payload. The attackers also, in at least two of the cases, introduced an UPPERCUT backdoor into their targets by using the Notepad++ updater and again sideloading a malicious DLL. These are all techniques APT10 has used before.
Starting point is 00:04:27 Its malware also used Dropbox to exfiltrate stolen data. APT10 began deploying its current version of Trochilus at the end of last August. Rapid7, which participated in the investigation with Recorded Future, followed the Dropbox trail to operations against the targeted law firm back in 2017. Where's the third-party risk? It's in the data APT10 exfiltrated, which in principle makes it possible for them to gain access to many companies and organizations the initial targets dealt with. Supply chains and business relationships generally are sufficiently complex
Starting point is 00:05:02 and intertwined to make this sort of threat commonplace. MSPs and cloud providers will continue to be particularly attractive targets, especially for nation-state espionage services. Recorded Future and Rapid7 see their investigation as corroborating the widespread suspicion among Five Eyes intelligence and law enforcement services that Chinese industrial espionage remains very much an ongoing and growing threat. Chinese industrial policy and espionage were the cyber-related matters that figured in U.S. President Trump's recent State of the Union address. Apart from that address, the U.S. continues to warn its allies,
Starting point is 00:05:41 particularly its European allies, about the risks of giving Chinese firms a prominent role in their communications and IT infrastructure. Most of these strictures have fallen on Huawei, but the smaller ZTE is also coming in for scrutiny. A number of countries seem to need little if any U.S. tutorials to be wary of Chinese firms. Norway has expressed official reservations about Huawei this week, and the Czech Republic's cybersecurity officials have said they doubt that either Huawei or ZTE will be permitted a foothold in that country's infrastructure.
Starting point is 00:06:15 Here's a trivia question for you. What was the first organization to register a domain name as a .org? It was in 1985, and it was not-for-profit MITRE Corporation. These days, MITRE continues their online trailblazing, not the least of which is the MITRE ATT&CK knowledge base of adversary tactics and techniques based on real-world observations. Katie Nickels is ATT&CK Threat Intelligence Lead at MITRE Corporation. It came out of a project called
Starting point is 00:06:45 the Fort Meade Experiment at MITRE, where there was a series of red team, blue team exercises. So the red team would come in, compromise the network, do their thing. And they found in trying to communicate back to the blue team that something like the Lockheed Martin kill chain wasn't quite granular enough for them to communicate exactly what they did. So ATT&CK was born out of that. And in 2015, MITRE publicly released ATT&CK. And since then, kind of the growth has been sort of explosive, especially in the past year or so. We've heard from so many people who've said that ATT&CK's really useful for them to do everything from build better detections, to track threat intelligence about adversaries, to doing red teaming like the
Starting point is 00:07:25 MITRE team used to do. So sort of what it is, a knowledge base of what adversaries can do and their tactics, techniques, and procedures. One of the cool things is because it's open to anyone, we see vendors map their products to it. We also see people learn from it, like a student could go in and learn the different things adversaries are doing, or security operation centers can go in and map to it as well. So because it's open, you know, we want everyone in the community to use it. And so the benefit to us is really the benefit back to the community. Yeah, it seems as though there's really something for everyone here, even from, as you said, you know, folks who are just starting out, this is a great place to kind of get the lay of the land, but also for those people who are more advanced, there's plenty of information that they could benefit from as well. Yeah, absolutely. We've heard that time and
Starting point is 00:08:13 time again, you know, people who are just starting out are really overwhelmed because it's hundreds of techniques to look into, but we've heard from companies who've done things like every week, choose a single technique, right? And have a deep dive on that. How do we detect against it? How do we understand it? To more sophisticated organizations who are looking across, you know, Enterprise ATT&CK, which is 224 techniques, looking at each of those and how they detect those and doing kind of an overall assessment of their coverage and their defenses. So lots of different levels. But we hope that it's a pretty low barrier just to get started with ATT&CK. And what are your recommendations for people to get started? If someone isn't familiar with it or wants to find out more, figure out how they can integrate it into their own workflow, what's the best way to go at that?
Starting point is 00:08:59 Sure. So there are a lot of different approaches. My background is in threat intelligence, so of course I'm going to say, look at your adversaries, right? On our website, we have a bunch of different threat groups. And we've mapped those behaviors from open source public reporting to ATT&CK. So you can go in there and say, okay, if I care about APT10 or APT29 or some other threat group, what are the techniques that those adversaries are using? And from there, you know, narrow it down from hundreds of techniques to just that handful of what do I know that these adversaries that I care about are doing? And then kind of looking at how you can detect and mitigate against those. And we have some ideas for getting started with detection and mitigation on our website.
Starting point is 00:09:40 So pick a group we have or map your own group based on your own threat intel and start from there. I love that threat-informed defense approach. One question we get asked a lot is sort of what's next for the team. And based on feedback, one area that we're looking to create is a new tactic for impacts. So we think of things like data manipulation or destruction, because that's been a gap in the framework. Also looking at the structure of mitigations. We have ideas for mitigations, but trying to structure those in a way to help people figure out, if I use this one mitigation, what techniques can I wipe out? And looking at also sub-techniques. For some people, the level of granularity isn't quite deep enough in the existing ATT&CK techniques we have, and we've heard that. So we're trying to figure
Starting point is 00:10:24 out, how do we go to that next level of detail. That's Katie Nickels from MITRE. You can check out MITRE ATT&CK at attack.mitre.org. The U.S. Departments of Homeland Security and Justice have issued their congressionally mandated report on whether there was foreign meddling in the 2018 midterm elections. The departments found no evidence of any foreign activity that had any material impact on the elections or the infrastructure surrounding them. The report isn't naive about the extent
Starting point is 00:10:56 of influence operations, which the U.S. intelligence community as a whole has been pretty clear about. They're an ongoing threat. The conclusion is that the operations had no material effect on the elections or the campaigns surrounding those elections. Turning to the Baltic states, Vilnius thinks, according to Reuters, that Russia is preparing information operations to interfere with Lithuanian elections. Russia says the fears are nonsense because they'd never do something like that, holding, as Moscow always has, that the internal affairs of other countries are sacred. We're kidding. About the second part, nobody, least of all Moscow, has ever really thought
Starting point is 00:11:37 it a duty to mind their own business with respect to other countries' family affairs. About calling the fears ridiculous and saying they'd never do that? Oh, the Russian government spokesman did say all that. The U.S. House Committee on Energy and Commerce wants Apple to explain why it took so long to patch FaceTime, which suggests that this story at least will have longer legs than Apple would no doubt have preferred. Researchers at security firm Checkpoint Research have discovered more reasons for concern about the Remote Desktop Protocol, or RDP. In this case, the newish wrinkle is the possibility of a reverse RDP attack in which an attacker could, as Checkpoint expresses it,
Starting point is 00:12:19 reverse the usual direction of communication and infect the IT professional or security researcher's computer. Doing this would enable compromise of a network as a whole. One of the more interesting things they found was that a clipboard sharing channel between client and server could be abused by attackers. Checkpoint has told Microsoft about the issue, but Redmond, Checkpoint says, acknowledged the validity of their findings but said they weren't serious enough to service. So, Checkpoint recommends, patch your RDP clients and disable the clipboard sharing channel. That channel, they note, is on by default, so if you've never realized it's there,
Starting point is 00:12:57 well, apparently it not only is, but it's on, too. With respect to the industrial Internet of Things, security firm Tenable disclosed today that it had found a remote code execution vulnerability in the widely used InduSoft Web Studio product. Tenable describes Web Studio as an automation tool for human-machine interface and supervisory control and data acquisition, that is, SCADA systems. So if you're a Web Studio user, and if you run a manufacturing plant, an oil and gas production or distribution facility, a city's water supply, a jail, a prison, or even a drag racer, then Tenable recommends you update your software
Starting point is 00:13:38 and make sure it's not accessible from the Internet. And finally, RSA has announced the finalists for the Innovation Sandbox at next month's RSA Conference. It's a highly coveted honor to be selected as a finalist, so congratulations to them all. They include Arkose Labs and its frictionless fraud detection, cybersecurity asset management platform provider Axonius, Capsule8 with its real-time zero-day exploit detection offering, identity and privileged access management provider CloudKnox Security, cloud infrastructure control shop DisruptOps Inc., Duality Technologies and its advanced data privacy solution, Eclypsium
Starting point is 00:14:19 Inc., which offers firmware and hardware defense, API defender Salt Security, ShiftLeft, Inc., which offers a fresh approach to application security, and privacy management firm WireWheel. Congratulations to all, and we look forward to seeing them in San Francisco on March 4th. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:14:52 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now?
Starting point is 00:15:22 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Starting point is 00:15:57 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:16:44 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Emily Wilson. She's the VP of Research at Terbium Labs. Emily, it's great to have you back. I wanted to touch today about biometrics and what you are seeing in terms of this information showing up on the dark web. Why don't we start off, what are we talking about when we're saying biometrics? When we think about biometrics, we can think about a few different things. It could be things like facial recognition technology, the things that Apple would use for Face ID or the technology
Starting point is 00:17:35 that's being used in China to track individuals. We could be thinking about fingerprints, what we use to unlock our iPhones, for example. We could be thinking about voice recognition or more and more now genetic data. We think about these companies like Ancestry.com or 23andMe who are offering genetic testing services. That information's now in the system and that would definitely qualify. And so are these things showing up for trade
Starting point is 00:18:00 in dark web markets? It's kind of a two-part answer. No, not really. Not yet. So the no, not really. No, we're not seeing this show up right now. But the not yet bit is the more interesting side of this. I think we will see it. And here's why. It is a new type of data that we're seeing collected more broadly. Apple's been using it for ages. Again, you know, some state systems use this. We're going to see it used more and more for identification and authentication because it's sort of a two-factor that we think other people couldn't
Starting point is 00:18:35 force right now. It's something that you are. You know, no one else right now is in a position to forge your fingerprint at scale. And so it's a safe way to unlock your phone. As more and more technologies start to use this kind of data, it's going to be more appealing to cyber criminals. We're not there yet, though. And that's the piece of this. I've been getting a lot of questions about this lately. People are genuinely concerned about whether or not this is being traded. But if we stop for a minute and think about how cyber criminals would use this, if you had fingerprint data for five random people, not five high-profile individuals, not five people with clearance,
Starting point is 00:19:13 just five random people, what would you do with it? How would you monetize it? Right now it's not the most effective way. Right now it's not a blocker for any cyber criminal who's looking to profit. And so it's not being traded yet. And of course, I suppose one of the risks we hear about with biometrics is that it's not like a password where you can just change it. It's definitely, it falls in the category of lifetime data. You know, the same way that we think about socials as being effectively immutable or names, right? A lot of people, no one's going to change
Starting point is 00:19:44 their name because of a data breach. You know, we're not kind of going into a full witness protection mode for everyone who's had data compromise. But when it comes to biometrics, then it becomes a lot more difficult and a lot more sensitive.
Starting point is 00:19:58 You know, one of the things people worry about with health records could be family history or, you know, questions about lineage or questions about disease or mental health. Once we start getting into genuine biometric data, then that kind of blows that even more out of proportion. Yeah, it's interesting. It's interesting to ponder even the possibility of ransomware situations of someone saying, hey, I have your biometric data here, be a shame if anyone were to find out about your family history of mental illness or something like that.
Starting point is 00:20:29 Which is unfortunate for any number of reasons, right? That there's a stigma around that, or it would be unfortunately an effective thing to do, especially if you start thinking about high profile individuals, if you think about an extension of doxing, or if you think about state officials, for example. The other thing we have to worry about, and this is a kind of a slight side note on it, but not just data compromise, but data integrity. When we talk about going in and changing hospital records, this kind of information also has the potential to be useful there. There are also the questions of if for some reason all of the fingerprint data
Starting point is 00:21:05 that Apple currently has theoretically, hypothetically available, what if all of a sudden that was available to law enforcement? You know, we're looking at a lot of questions now about the legality of unlocking phones or, you know, preserving or destroying data in a hypothetical world where this information is all being stored, or facial recognition technology is being stored, and you didn't have to circumvent it by forcing someone to unlock a phone or using a mask to beat the face technology. If that data was just available, you know, then we start getting into sci-fi movies of the future, and we're certainly not there yet, but it is something to be concerned about going forward because the data is being
Starting point is 00:21:45 collected. And at some point it will become appealing and potentially necessary for cyber criminals. But I think we're still a good 10 years out from that being a real issue. All right, Emily Wilson, thanks for joining us. Thank you. a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
Starting point is 00:24:05 It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. Thank you. Thanks for listening. We'll see you back here tomorrow. Thank you. and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:24:26 That's ai.domo.com.
