CyberWire Daily - China says it had nothing to do with the Parliament hack in Australia. Notes on Patch Tuesday. Shlayer and GreyEnergy malware analyzed. Tomorrow is Valentine’s Day—act accordingly.

Episode Date: February 13, 2019

In today’s podcast, we hear that China has denied involvement in the Australian Parliament hack. Patch Tuesday notes. A new strain of Shlayer malware is out. A look at GreyEnergy. Reactions to the destructive VFEmail attack. And thoughts on St. Valentine’s Day, with advice, admonition, and an excursus on credential stuffing and holiday doughnuts. Dr. Charles Clancy from VA Tech’s Hume Center on the Pentagon’s use of AI for RF spectrum management. Guest is Matt Cauthorn from ExtraHop on malicious Chrome extensions. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/February/CyberWire_2019_02_13.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. China denies involvement in the Australian Parliament hack. We've got some Patch Tuesday notes. A new strain of Shlayer malware is out. We've got a
Starting point is 00:02:05 look at GreyEnergy. Reactions to the destructive VFEmail attack. And thoughts on St. Valentine's Day with advice, admonition, and an excursus on credential stuffing and holiday donuts. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 13th, 2019. China has got around to officially denying it had anything to do with an attempted hack of parliament in Canberra. Beijing's foreign ministry says it's another move in a smear campaign. There's been no official attribution of the attack, and Australian investigators haven't been going out of their way to finger China. But China is now the usual suspect in such capers,
Starting point is 00:02:59 and that's where industry and media have focused their speculation. Yesterday was Patch Tuesday. Microsoft released fixes for 76 vulnerabilities, 20 of which Redmond classified as critical. Adobe also patched, as is its custom, offering security updates for Flash Player, Acrobat Reader, the ColdFusion programming language, and the Creative Cloud desktop app. Microsoft's patches addressed Windows, Office, IE, Edge, the .NET Framework, Exchange Server, Visual Studio, and Team Foundation Server. They also offered fixes for the Azure IoT SDK, Dynamics, and Flash Player. One of the fixes takes care of an Internet Explorer zero-day that's been actively exploited in the wild. CVE-2019-0676 can, when exploited, allow an attacker to read files on a disk. The usual mode of infection is via a malicious website.
Starting point is 00:03:54 Remember, too, that Microsoft would like you to understand that IE is not actually a browser, and you shouldn't be using it as one. We received some advice from Ivanti's Director of Product Management, Chris Goettl, on what the sensible priorities should be for applying yesterday's patches. He says that the OS, browser, and Office updates should be high on the list. The Windows and IE patches are particularly important since the vulnerabilities they address are being actively exploited. He also recommends attending to Microsoft Exchange Server. The fixes address privilege escalation vulnerabilities
Starting point is 00:04:30 that could give attackers admin rights. And Goettl recommends fixing the Adobe products Flash, Acrobat, and Reader. These are, as usual, being heavily targeted, and they amount to low-hanging fruit for crooks, skids, and others who dine out on such things. Security firm Carbon Black has found a new strain of Shlayer, macOS malware first observed last year by Intego. This version of Shlayer, notable for both its obfuscation and its privilege escalation capabilities,
Starting point is 00:05:00 has been downloaded from multiple sites. Its most common guise is that of a bogus Adobe Flash software update. Researchers at security firm ExtraHop recently had a run-in with a malicious Chrome extension downloaded from Google. Matt Cauthorn is vice president of pre-sales security engineering at ExtraHop, and he joins us to share what they found. There's a very popular API testing tool out there called Postman. And on the Google Web Store for Chrome,
Starting point is 00:05:31 you can download a Chrome extension named Postman, ostensibly for helping test your APIs as you develop your code. And we had a few developers do that. Interestingly, we saw this sort of low and slow socket outbound. It was a WebSocket, plain text, HTTP, web traffic, outbound to a public IP address on a suspicious-looking port. And we were sort of monitoring our own activities at ExtraHop as a security company. And we started to investigate this, and it got more and more suspicious as we looked into it. And sure enough, we were actually able to trace it back to this particular Chrome extension that had been installed on three laptops. We took them
Starting point is 00:06:14 offline. We did the remediation and we found that the thing was exfiltrating data. Specifically, it was exfiltrating URLs that the browser was traversing. For us, the impact, fortunately, it was contained and sort of responded to very, very quickly. But the impact is really self-evident because it's effectively a supply chain, like a software supply chain attack, where the developers who are chartered to develop code and get stuff done, they want to test their APIs. Postman is very established. It's very, very popular, super useful. On here, this malicious developer basically squatted on the name in the extension store in Google, was able to slip in malicious code under the sort of guise of using this Postman service. So it was really interesting. It wasn't particularly sophisticated, but I got to say it was quite clever because they got the clicks and, you know, 27,000 of them actually. And they basically squatted on the name and they were able to inspect the stuff legit Postman extension in the store, what did they come across that fooled them?
Starting point is 00:07:31 So they originally did have a Chrome extension, which was subsequently pulled off in favor of they have their Postman as a service. Now they have their own installables. They have their own platform specific. You install a standalone application for Windows, for Mac, for whatever. So they pulled it off of the web store. This guy comes in and takes the name. He squats on the name after they pulled theirs down. And so it's basically like domain squatting, basically on a defunct domain name. Extensions for Chrome, they're exposed to, they have access to kind of everything that happens in your browser. Now, there are some controls that Google tries to
Starting point is 00:08:10 invoke with the manifest file. There's a file that sort of defines what the thing is able to do or whatever. But most users are not incentivized, A, or motivated, B, to scrutinize the behaviors of a given extension. They sort of trust the name of Google, which is about as ubiquitous as it gets. And so they install right from the official store, they install a plugin that happens to be doing bad stuff. It's a real challenge. Now, obviously, you know, the folks you have there working at ExtraHop are not rookies when it comes to this sort of stuff. And if you all could fall victim to this, what are your recommendations for folks to prevent this from happening in their own organization?
Starting point is 00:08:50 So we have a team of researchers, of threat researchers, and we do a lot of hunting internally for security reasons, obviously, as well as just research reasons. And these guys tracked it down very, very quickly, which was impressive. But the more I started looking into the big problem, think of this as like a software supply chain exploit effectively. And so if you have a plugin that needs to reach out to the external world and you're an adversary, you're probably going to target, it's a wise bet at least, to get the clicks, to get the download, is to spoof yourself, to pretend you are an API integration of some sort, right? Some sort of testing tool. It's expected to reach to the
Starting point is 00:09:30 outside world. And absent like close scrutiny, you expect the thing to be reaching out and talking to external things, potentially good or bad. And you might not think about the bad part. So from a recommendation perspective, there's a lot that goes on here. And the deeper you go into the software supply chain attacks, the click event, if you will, to get themselves installed. And here, the main vehicle, as unsophisticated as it was, like I said, it was quite clever, they just squatted on a name that they knew was very popular, that they knew was going to be downloaded, at least by some, to get effective work done for the company as they wrote code. That's Matt Cauthorn from ExtraHop. The ICS security specialists at Nozomi have published their research into GreyEnergy, a strain of malware that security firm ESET discovered in 2018.
Starting point is 00:10:38 A successor to BlackEnergy, GreyEnergy has been used against infrastructure targets in Ukraine and elsewhere. As its name suggests, although the malware has been deployed against several targets, GreyEnergy's controllers have most famously used it against targets associated with power distribution. Nozomi points out a feature that tends to make the malware resistant to reverse engineering. It's surrounded by a lot of junk code. Obfuscation hinders observation. The malicious code has been examined, but analysis had to work through a lot of irrelevancy. The destructive attack VFEmail sustained Monday
Starting point is 00:11:17 still looks like a motiveless hack. The email service is still trying to restore what it can, but most of its data appear to be gone for good. We heard from Vectra's head of security analytics, Chris Morales, who noted in an email that, quote, this kind of destructive attack with no stated motive or demands is quite rare, end quote. Praveen Jain, CTO at Cavirin, said that apparently motiveless attacks like this one underscore the importance of not only air-gapped backups, but also better
Starting point is 00:11:48 employee training. And finally, tomorrow is St. Valentine's Day. You'd forgotten, hadn't you? You're welcome. Don't mention it. As you thrash around online in last-minute searches for gifts, tokens of esteem, or indeed for love itself, hoping to salvage
Starting point is 00:12:04 the day, beware. The cybercriminals read the same calendar you do, and they're primed to take advantage of any eleventh-hour desperation. Be especially wary of online offers of chocolate, cards, flowers, and so forth. Hackers speak the language of love, but they do so with a serpent's tongue. So by all means, express your love. You'd better express your love, or significant others will know the reason why. But express it with the seemly circumspection a civilized person uses online. For example,
Starting point is 00:12:36 no below-the-belt selfies, if you please, senor danger. Those are quite simply uncalled for, and in any case, don't argue for a mature understanding of matters of the heart. While we know the heart has its reasons of which reason knows nothing, on selfies the heart and the brain are of one mind. Inclinations to the contrary come from elsewhere, perhaps the spleen, or better yet from one of those AIs we keep hearing about. And no buying off-brand candy or using floral gifts from dodgy sites.
Starting point is 00:13:09 If the email invite says something along the lines of, Greetings of the day, fellow youth. We are to be offering to you the most esteemed and bestest values of the Valentine. Well, then tell the Shadow Brokers to call you back on some other holiday. We don't know, maybe VJ Day. It's a favorite up Rhode Island way. You've probably considered the donut as a love token. These, as you know, are widely exchanged and appreciated in the hacking and infosec communities. If so, then be advised that Dunkin' Donuts is offering a Valentine's special, a bouquet of donuts so arranged
Starting point is 00:13:44 as to look a bit like a floral arrangement, just the thing to carry back to your inamorata's keyboard demur. And also be advised that Dunkin' Donuts is looking out for you. Their DD Perks Rewards program hasn't been hacked, but a lot of its members apparently reuse their passwords. If you're one of those,
Starting point is 00:14:02 Dunkin' Donuts advises you to stop doing so and to change your password. They've found that someone's targeting their customers in credential stuffing attacks. So stuff the donuts, not credentials. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
Starting point is 00:14:29 You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:15:02 but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:15:35 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:16:30 Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Dr. Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, great to have you back again. We saw a story come by about some work that the Pentagon had been working on. This is using artificial intelligence to do a better job with an ever-tightening RF spectrum availability, and it was something called the Spectrum Collaboration Challenge. What was going on here? The Spectrum Collaboration Challenge is a program that was launched by the Defense Advanced Research
Starting point is 00:17:18 Projects Agency, or DARPA. Typically, DARPA has programs where they will put $30 to $50 million into developing a specific technology or demonstrate a particular new capability. But in this case, instead of just giving all the money to a handful of companies or universities, they actually decided to have a competition where they offer prizes, similar to some of the other challenges they've done in the past around unmanned vehicles or around cyber. And this one was really focused on how AI-enabled wireless systems could really more effectively communicate in not only a crowded spectrum, but also a contested spectrum where you might have adversarial components seeking to disrupt your ability to communicate.
Starting point is 00:18:02 Now, one of the things they noted in this article was that this was the first time they saw autonomous collaboration outperforming manual human-driven attempts to optimize spectrum. Exactly. So historically, spectrum planners have decided what channels should be used by different systems in order to minimize interference. And it's all been a very static plan. And that works well because you're divvying up the spectrum, but it leads to inefficiencies. In fact, many DoD bands are only about 30% occupied, even at their peak times, just because of all of the buffers and
Starting point is 00:18:40 guards that are needed in order to make sure that signals don't bump into each other. If you want to get above that 30% and be more efficient in the use of the spectrum, then you really need dynamic reactive systems that can identify where the holes are and coordinate among each other to identify who should communicate where and when. And this decentralized autonomy is particularly challenging because if you can imagine military spectrum, you could have links from aircraft to ships. You could have radar systems. You could have all kinds of different things that use the electromagnetic spectrum and do so in very incompatible ways. So the ability for all of them to really choreograph themselves to achieve higher efficiencies is really impressive.
Starting point is 00:19:28 Another thing that struck me from this article was they mentioned that the military is in the process of turning over up to 500 megahertz of spectrum to the private sector in the next couple of years. And I suppose, I mean, that's an ongoing tension between the military's need for that spectrum, but the real hunger for that spectrum on the commercial side. Exactly. The military has a lot of spectrum that they use. They don't use it very often, but when they do use it, it's really important. One example that's part of that 500 megahertz is 150 megahertz that sits at 3.5 gigahertz. And over the last two years, the Federal Communications Commission, or FCC, has gone through a rulemaking process to establish what's called the Citizens Broadband Radio Service, or CBRS. And this is a band where commercial broadband service and enterprise broadband will actually coexist in the same channels as Navy radar systems.
Starting point is 00:20:25 And there's a whole sensor network that's being deployed along the U.S. coastline, specifically designed to detect when those Navy ships are operating their radars. And when those radars are on, it actually sends signals to all of the broadband systems to reconfigure and move into different bands. But this whole concept of spectrum sharing is really key to opening up new bands, really to enable advanced 4G service and a lot of the new 5G also targeting these new frequency bands. Dr. Charles Clancy, thanks for joining us. Thanks a lot. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:21:05 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed.
Starting point is 00:22:01 Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Starting point is 00:22:18 Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:23:13 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.