CyberWire Daily - Binding Operational Directive 17-01 hits Kaspersky. Point-of-sale malware found in some Elasticsearch servers. BlueBorne proves widespread. Equifax breach updates, industry notes, a look at the Billington Summit.
Episode Date: September 14, 2017
In today's podcast, we hear that DHS tells the US Executive Branch to stop using Kaspersky security software. Kromtech finds Elasticsearch servers hosting point-of-sale malware. BlueBorne bugs buzz billions of boxes. Equifax says that its breach was accomplished via the Apache Struts flaw patched in April. Industry notes include both venture funding and acquisition news. We take a quick look back at the Billington CyberSecurity Summit. Johannes Ullrich with an update on the Mirai botnet. Renato Marinho, Chief Research Officer at Morphus Labs, on a bad Chrome browser extension that can steal banking credentials. And robo-lawyers come to small claims court. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. We read Recorded Future's free intel daily; you might find it valuable, too. If you'd like to protect your endpoints against advanced threats, check out Cylance. JHUISI & partner COMPASS Cyber present Cyber Security Conference for Executives on September 19th in Baltimore. Register for the event.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
DHS tells the U.S. executive branch to stop using Kaspersky security software.
Kromtech finds Elasticsearch servers hosting point-of-sale malware.
BlueBorne bugs buzz billions of boxes.
Equifax says that its breach was accomplished via the Apache Struts flaw patched in April.
Industry notes include both venture funding and acquisition news.
We take a quick look back at the Billington Cybersecurity Summit,
and in a scene soon to be ripped from the headlines.
Counselor, watch yourself.
I may not hold you in contempt, but if you continue, I'll cycle power and reboot you.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, September 14, 2017.
Yesterday, the U.S. Department of Homeland Security issued Binding Operational
Directive 17-01, directing that all U.S. government executive branch agencies stop
using Kaspersky security software within 90 days. Acting Homeland Security Secretary Elaine Duke
issued the order, which, as the DHS public statement says, calls on departments and agencies
to identify any use or presence of Kaspersky products on their information systems in the
next 30 days, to develop detailed plans to remove and discontinue present and future use of the
products in the next 60 days, and at 90 days from the date of this directive, unless directed
otherwise by DHS based on new information, to begin to implement the
agency plans to discontinue use and remove the products from information systems. The directive
is based on an assessment of risk, and DHS has not presented evidence publicly of any Kaspersky
wrongdoing. It has, however, explained the risk as follows. Quote, Kaspersky antivirus products
and solutions provide broad access to files and elevated privileges on the computers on which the ... and other government agencies, and requirements under Russian law that allow Russian intelligence agencies
to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.
The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky,
could capitalize on access provided by Kaspersky products to compromise federal information
and information systems
directly implicates U.S. national security, end quote.
As White House Cybersecurity Director Robert Joyce commented yesterday at the Billington
Cybersecurity Summit, the assessment of risk is based on requirements in Russian law that
companies cooperate with the FSB intelligence agency. Joyce agreed with the directive.
Quote,
It was a risk-based decision and the right call.
It's unacceptable that a company could move data to Russia
where law requires it to cooperate with the FSB.
End quote.
The binding operational directive is perhaps not so final as it might appear.
DHS says at the end of its statement
that it's providing Kaspersky with the
opportunity to submit a written response addressing or mitigating security concerns.
Anyone else who has an interest in the matter will also be afforded the opportunity to comment.
Watch the Federal Register for notices affecting Binding Operational Directive 17-01.
We've got an interesting cybersecurity story from Brazil to share today.
... in their finance department and told them that he was from their bank and that unless they updated their system with some specific software,
they would lose access to their online banking system,
which of course was important for their day-to-day operations.
Mr. Marinho picks up the story from there.
The call was recorded.
Fortunately, the employee didn't follow the instructions and ended the call.
He suspected that it was a kind of scam
and talked to the person in charge of information security
inside of the company that was my friend.
When he sent me the audio recording of that call,
I became very impressed about how it was done.
It was done in a very professional way.
It seems that the guy, the attacker,
was calling from a real call center because of the background noise. I received the URL
that the guy was enticing the victim to access. And that was the moment that I perceived that
the URL was pointing to the Google Chrome App Store. I knew that it was a very different way of attack
and started to analyze the extension code.
And so what did you find?
When I started to analyze the source code,
it was not difficult to reverse engineer it
because it was written in JavaScript.
So the first thing I noticed was that the extension
was waiting for the user to access
a specific banking URL, and was waiting for the user to type the credentials at the website.
It was prepared to capture the credentials and send them to a remote server. The server, of course,
was an attacker host. So it was receiving the credentials the user was typing.
What was the name of the Chrome extension?
What was it disguising itself as?
Yes, the name is very strange.
It's Interface Online.
It has nothing to do with the bank's name.
It was also strange that there was no screenshot.
Another interesting point is that
the Chrome extension's VirusTotal hit rate was zero. It's interesting to note that it was not identified
by the antivirus solutions. It was installed by at least 30 victims.
So is the extension still on the Google Chrome store?
Has it been pulled?
No, it isn't online anymore.
After we reported to Google about the incident, they removed the extension from the app store.
After one day, we noticed that the extension came back with another name.
We reported to Google again and they removed the extension for the second time.
So what is your advice for organizations looking to protect themselves against this sort of thing?
I think that it is very difficult for a regular employee to detect this kind of attack
because we are talking about an extension hosted at a Google Chrome
official store. And we usually put much trust in these big companies. But for example, users may
be suspicious about the number of downloads of that extension, the extension name, and the fact that there were no screenshots or information about the bank itself
in the extension.
The extension asked for many permissions inside the browser.
It asked to read and to write any field inside any website.
I think that at that point, Google could improve the security. When an extension asks to read some field, including sensitive information like passwords,
the user should be alerted or could be asked for additional permission to do that.
That's Renato Marinho from Morphus Labs.
Kromtech Security says it's found more than 4,000 Elasticsearch servers hosting files related
to Alina POS and Jack POS, both strains of point-of-sale malware.
Both of the affected Elasticsearch servers are to be found in Amazon Web Services.
Alina POS and Jack POS use the servers to collect, encrypt, and transfer credit card information
scraped from point-of-sale terminals or infected Windows machines.
The BlueBorne vulnerability in Bluetooth, whose discovery Armis Labs announced Tuesday,
may have been addressed by both Microsoft and Google in their most recent patches,
but the estimated rates of susceptibility to attack through this vector are astonishingly high.
More than 5 billion devices worldwide are thought to be vulnerable.
As usual, patching them all will amount to another labor of Hercules.
Until you're sure you're patched and up to date,
experts are advising people turn off Bluetooth when it's not in use.
Equifax has cleared up the confusion over
which vulnerability attackers used in their massive theft of the credit bureau's data.
It was the earlier Apache Struts vulnerability, CVE-2017-5638, which was patched in April,
some two months before Equifax sustained its attack. The credit bureau had earlier suggested
that it was the victim of an attack
that used either a much more recently patched Apache Struts vulnerability
or some hitherto unknown zero-day.
But no, it's the old bug after all.
There's some piling on.
Okay, a lot of piling on.
Rival credit bureau Experian complains that Equifax's clumsy disclosures have impeded
Experian's ability to ensure the security of the data it holds. Tom's Guide reports that other
credit bureau systems in India may have been vulnerable to the same Apache Struts bug that
affected Equifax, although there are no reports of other data breaches similar to those Equifax
sustained. And there's been unseemly schadenfreude over Equifax's choice of passwords for admin accounts
in its Argentinian operations.
Username admin, password admin, which would seem easy enough to remember.
In industry news, AppGuard announces that it's closed a $30 million round of Series B funding,
Silent Circle is buying Kesala, and Thales announced its purchase of Guavus.
Brocade's acquisition by Broadcom is proving rocky for employees, reports indicate,
with several executives departing early over uncertainties as to when the deal will actually close.
The annual Billington Cybersecurity Summit was held in Washington,
and the industry and government leaders who spoke agreed that proliferation of the Internet of Things,
designed for the most part with inadequate attention to security,
has vastly increased the attack surface U.S. critical infrastructure presents to adversaries.
There was a great deal of clarity on the part of the Director
of National Intelligence and others as to who those adversaries in cyberspace are: Russia,
front and center of course and out to erode public trust; China, interested mostly in economic
advantage; Iran, a dangerous regional junior version of Russia; North Korea, determined to
secure survival of Mr. Kim by whatever
means it deems necessary; and violent extremist groups, a euphemism for ISIS and competing
jihadist organizations.
These last have negligible hacking capability, at least so far, but they've excelled at
information operations.
We have further accounts of the summit on our website, with more coming.
And to return to the Equifax breach, the U.S. Federal Trade Commission has opened an investigation into the incident,
and the U.S. Senate is making noises about conducting its own inquiries.
Even the robots are piling on.
Most legal practice has yet to be automated,
but there's an undercurrent of suspicion that the profession may be as ripe for disruption by robots as the long-haul trucking industry seems to be. DoNotPay,
a robo-lawyer best known for helping drivers appeal and beat parking tickets, has apparently joined the plaintiff's bar. DoNotPay will provide aggrieved victims of the breach with
the documents they need to sue Equifax in small claims court. You can apparently do this
for damages of up to $25,000. And if you don't like how your lawyer's dealing with you, just reboot.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation
isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be. Let's create the
agent-first future together. Head to salesforce.com slash careers to learn more.
... on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of
herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film
from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Joining me once again is Johannes Ullrich.
He's from the SANS Technology Institute and also the ISC StormCast podcast.
Johannes, so welcome back.
You wanted to give us an update today on the Mirai botnet.
What do we need to know?
Yeah, the Mirai botnet really sort of started to emerge about a year ago. That's when we saw the first sort of wave of attacks that used this
magic password that these security camera DVRs are vulnerable to. Now, what we really see is that it hasn't really let up. There are still
probably 100,000 or more infected systems out there that are constantly scanning the internet.
I connected one of these DVRs to my standard small business cable modem connection,
and within two minutes, repeatedly, it got infected with various versions of this malware.
So essentially, as an end user, you have not even a chance to sort of download a patch or apply security settings
if you're connecting a system like this to an open internet connection these days.
So with these cameras, is there any way of using them safely or is it better just to avoid them altogether?
The best thing is to avoid them altogether.
There is no simple patch for them.
Some of them supposedly have firmware updates, but they're very difficult to find and to apply.
You may be able to put them behind a firewall, but then again, you're losing some of the functionality
because now you no longer are able to remote access your security footage,
which is one of the features people install them for.
And is there a master database where if you're in the market for a security camera,
you can check to make sure it's not vulnerable to this?
That's a real tricky part.
There are some databases like this,
but the problem is that these cameras or also these DVRs,
these cameras connect to, they are being sold under a large number of different brand names.
There were only three, four different manufacturers, but they're being sold under
dozens of different brand names. So for the end user, it's very difficult to figure out
if they're receiving a vulnerable model or not.
All right. Good information as always. Johannes Ullrich, thanks for joining us.
... That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach
can keep your company safe and compliant.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.