CyberWire Daily - Clouds are back after being out. BitPaymer hits German manufacturer. Cross-platform mobile malware. SecurityWeek's 2019 ICS Cyber Security Conference.
Episode Date: October 24, 2019. AWS and Google Cloud are back up after early-week unrelated outages. A German automation tool manufacturer discloses a ransomware infestation. Mobile malware in the spies' toolkit. The FBI's Protected Voices share election security information. Notes from SecurityWeek's 2019 ICS Cyber Security Conference. NCSC's annual report. And people have things to say about backdoors, bribes, and those aliens at Area 51. (Chemtrails, too.) Craig Williams from Cisco Talos with an update on Emotet. Guest is Dave Weinstein from Claroty discussing threats to critical infrastructure. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_24.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
AWS and Google Cloud are back up after unrelated outages.
A German automation tool manufacturer discloses a ransomware infestation,
mobile malware in the spies' toolkit, the FBI's Protected Voices share election security
information, notes from Security Week's 2019 ICS Cybersecurity Conference, NCSC's annual report,
and people have things to say about backdoors, bribes, and those aliens at Area 51. Chemtrails, too.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, October 24, 2019.
Amazon Web Services sustained a distributed denial-of-service attack yesterday
that affected AWS for some eight hours.
Google Cloud also encountered difficulties on Tuesday.
Computer Business Review says there are no indications the two incidents were connected.
Both AWS and Google Cloud Services report they've now returned to normal operations.
Pilz GmbH, an automation tool manufacturer with headquarters in Germany,
has disclosed that it continues to recover from a ransomware incident that began on October 13th.
ZDNet says the ransomware was BitPaymer, with business but not production systems affected.
The effects are being felt across Pilz's international offices.
BlackBerry Cylance's ThreatVector blog has an account of how mobile malware has assumed an important position in the cyber espionage space.
Several nation-states actively engage in this form of spying,
and the researchers emphasize that this is neither a novelty nor a niche effort, but a long-standing part of a cross-platform strategy integrated with traditional desktop malware
in diverse ways across the geopolitical sphere.
Beijing, Hanoi, Pyongyang, and Tehran
have been particularly active against both Android and iOS targets,
and they all show a troubling degree of sophistication.
Many of these efforts have their origins
in highly targeted work against specific targets,
and many of those targets are domestic.
The U.S. FBI has given Congress an overview of election security preparation.
The Bureau is doing the sort of investigative work one would expect of it.
It's also got some new initiatives for sharing information, notably Protected Voices, a series of videos that addresses election threats and risks.
Security Week's 2019 ICS Cybersecurity Conference began its final day this morning with a discussion on the convergence of safety and cybersecurity.
Dale Maloney, OT leader of Honda of America,
brought a manufacturer's perspective. Ben Sterling, Vistra Energy's lead,
Generation Cybersecurity, contributed a view from the energy sector. It's a developing system,
and as Maloney pointed out, we still tend to rely on dragon slayers. He asked the community
to think through education that can take personnel from
zero to hero. Sterling thinks education has to approach cybersecurity from both sides,
bringing control engineers to an understanding of IT security and IT personnel to an understanding
of controls. Quote, you have to approach the problem from both sides of the coin, end quote.
Senior leaders in manufacturing companies are interested in consistent plant stability
and a reliable product, and that's how they need to be approached on matters involving
cybersecurity.
Four interesting side observations were made on safety in cybersecurity.
First, the panelists have found it useful to get their control engineers certifications,
because those were important to establishing credibility with the IT side. Second, they find it more difficult to get the IT types oriented to
and familiar with control engineering than they do familiarizing the control engineers with IT,
because, quote, the IT types don't like it. They're used to air conditioning. There was much
laughter at this second observation,
which suggests control engineers were heavily represented in the audience.
Third, the IT types need to find your stuff cool.
If they can be induced to take an innate interest in the control engineering space,
you've got a much better chance of working together effectively.
And fourth, thinking in terms of safety as driving defensive priorities,
can be foreign to cybersecurity personnel who came up through the IT ranks.
Bear this in mind when familiarizing them with plant controls.
A presentation on smart cities, and specifically on how IT and OT joined forces to defend them,
drew attention to another cultural gap the speaker perceived between two communities.
Trend Micro's William J. Malik is skeptical about assuming that convergence happens in this sector.
Instead, he sees the evolution of hybrid forms.
He also sees the IT and OT communities as having very different assumptions about the longevity of systems.
Architectural decisions we take today can have significant consequences decades hence,
and in Malik's view, the IT community is not yet comfortable thinking in those terms.
We'll wrap up our coverage of Security Week's 2019 ICS Cybersecurity Conference tomorrow.
We found the conference interesting, as always, and our thanks to Security Week for inviting us to Atlanta.
And speaking of ICS security and critical infrastructure, I recently spoke with Dave Weinstein, Chief Security Officer at OT security
firm Claroty, about the security of critical infrastructure and whether there are common
misperceptions in the public's minds. Most of what we read about and think about
with respect to cyber threats to critical infrastructure
involve the electric grid, right? And indeed, those threats are real. The electric grid is
vulnerable in some respects to some of the most sophisticated nation-state cyber actors that are
out there. But at the same time, it's actually a pretty resilient infrastructure,
at least here in the United States. What does not get enough attention is all of the other
critical infrastructure with respect to our manufacturing facilities, our wastewater
treatment plants, our refineries, oil and gas pipelines. There is really kind of a broad
spectrum of critical infrastructure out there that is impacted and that is equally, if not more,
vulnerable to malicious exploitation. There's a lot more out there other than the electrical grid.
The IoT phenomenon, or the Industrial Internet of Things phenomenon, IIoT,
is introducing more and more opportunities
for actors to gain and maintain access
that just weren't there years,
one, two, three, four years ago.
When you consider the security
of our critical infrastructure from a national point of view, how much of the responsibility for the upgrades, for the maintenance, for the security comes from the operators themselves? fair amount of time with the federal government as well as the state government, I can say with pretty high confidence that the onus or the majority of the responsibility resides with the owners and operators of the networks.
And that's largely a factor of the degree of private ownership of our critical infrastructure in the United States, right? With 85 to 90%
of our critical infrastructure residing in private hands owned and operated by private companies,
the government is just limited in terms of their capacity and authority, quite frankly,
to protect these systems. Now, there's well-documented opportunities for collaboration
and public-private partnerships, but I think it's fair to say that the asset owners and operators
themselves have to take responsibility for this function. And quite frankly, from my vantage
point, it seems as though they are. Especially over the past couple of years, there has been a skyrocketing awareness of the problem, of the risk.
I've found that organizations are really taking ownership of this,
as opposed to waiting around for the federal government to provide a solution to them.
That's Dave Weinstein from Claroty.
The UK's National Cyber Security Centre, a GCHQ unit, has released its 2019 annual report. The NCSC says it handled 658
cyber incidents over the past 12 months. The most attacked sectors were, in order, government,
universities, technology companies, and managed service providers, with healthcare and transportation sharing fifth place in a dead heat.
The report's tone is modestly proud and customer-friendly,
featuring easily grasped case studies in the explanatory framework it offers.
NCSC has since its inception significantly been a public-facing organization.
In the U.S., one sees NSA's new Cybersecurity Directorate
assuming a similar role.
It's not a precise counterpart.
The Cybersecurity Directorate remains,
as we've been told at Fort Meade,
a combat support organization.
But its recent public advisories suggest
that it's on its way to assuming,
in partnership with Homeland Security's CISA,
a role similar to the one NCSC has had in the United Kingdom.
In what's presumably not an admission against interest, Huawei's global cybersecurity and privacy officer tells ZDNet that,
you know, it's probably easier to bribe a telco executive than it is to backdoor equipment.
So, don't sweat the backdoors.
And finally, news flash and stop the presses. Edward Snowden's memoir, Permanent Record,
is out. And while flacking his book on the Joe Rogan show, Mr. Snowden told Mr. Rogan that during
Mr. Snowden's time working at the CIA, Mr. Snowden poked around to see
whether the U.S. government was in contact with space aliens, was lacing the sky with chemtrails,
and so on. There's nothing to it, he says, so you can take that to the bank. Or so he'd have you
believe. No alien contact, no chemtrails, and he says trust him. If there were, he'd know,
and he'd give it to you straight. Well, Art Bell, thou shouldst be living at this hour.
Who knew Ed Snowden would practically out himself
as an Air Force stooge?
Head in the sand, sheeple.
At least there's no debunking of Bigfoot.
And remember, the truth is out there.
And joining me once again is Craig Williams.
He's the head of Talos Outreach at Cisco.
Craig, it's great to have you back.
You and I have spoken about Emotet before,
and you all recently posted a blog post about how Emotet is back
after maybe taking the summer off.
What's going on here?
Yeah, so Emotet is really interesting. I didn't realize this until Jason and Bill and Colin put the blog post together: Emotet's graduated. Emotet is off to college. It has been five years since we discovered Emotet wandering around the internet. Huh. So that's kind of... You know, you don't normally see
banking Trojans still out there chugging along after five years. You know, normally through one
means or another, something happens that changes the behavior of our adversaries, be that law
enforcement or them giving up or moving along or just, you know, potentially losing access to it
through some sort of technical
glitch. But yeah, it's been five years out there as a banking Trojan. We've covered it at length.
If you've not heard of Emotet, I really encourage you to go to the Talos blog and
click on the Emotet tag and read through the last several posts. It's very interesting. It's one of
the longest standing banking Trojans out there. It does some really interesting email.
You know, I think, I believe, and feel free to call me out on Twitter, Security Craig,
if I'm mistaken here.
Oh, believe me, they will.
I think Emotet actually pioneered the type of spam reply where you reply in the middle
of a chain of existing
conversations. Right? You know, like you get a spam email and even grandma nowadays is kind of
leery. Like, I don't think I really am getting emailed by a Nigerian prince. Right? But on the
other hand, if you've got an email chain open with your friend and someone replies back pretending to be your friend and is
like, hey, I saw your email, you know, I just realized it's been a while, let's get caught up, check
out this attachment I included, I really think we should go there next Friday. And so you look at it
and it's titled like "Boat Adventure," you know, and you're like, oh, that might be legitimate, you know,
maybe my friend does want to go out on the lake this weekend.
Right, right.
But the reality is they're generically named.
Now, why do you suppose Emotet has lasted this long?
What makes it different from other campaigns that have come and gone?
You know, I think it's a combination of ingenuity and the fact that the attackers seem to be meticulous. They don't make a ton of blatant
errors and they don't seem to rush things. They seem very patient. And I think when you look at
the types of malware campaigns that tend to succeed, it's one where the attackers are fairly
patient, right? They take long breaks. They let the trail go cold. They pick it back up when
they're ready and they continue their campaign. And every now and then they innovate and change
things up a little bit. So we're dealing with professionals here. Yeah, I believe so. You know,
if you look back at this particular one, it was after some credential thefts. And we actually saw
a massive number of runs in our ThreatGrid product.
If you're not a Cisco customer, ThreatGrid is basically our sandbox.
And, you know, as we're looking at malware samples, we obviously don't detonate everything in the sandbox.
You know, that's super expensive and it's, you know, the most resource intensive for us.
But we do detonate samples every now and then
because we need to see how things are being run. And, you know, over the last year or so,
we've seen tens of thousands of Emotet runs. And so what was really interesting with these is we
would see, you know, usernames and passwords of email accounts coming across, right? And I think the number was just
under 350,000 different username and password combinations. Wow. And so if you go back and
look at our blog post, we even have graphs of the type of activity. And then more interestingly,
the number of passwords that are being reused. Jason basically did some analysis on passwords that were
being reused. And what was really interesting about this is some seem to be really, really
unique. So for example, one of the ones that was reused over 300 times was media and then the at
sign 2018. So you got to wonder what organization was using that and how did they have over 300 people compromised?
That is interesting.
Yeah.
And so we see a lot of that.
And so, you know, it's always one of those side effects of doing malware research, right?
You start looking at malware, you start looking at data theft, and all of a sudden you have insights into the type of defensive strategies the users have been shown.
And so, for example, when we look at these passwords
of all the ones stolen, like the, let's call it the greatest hits chart. Although I guess if you're
a victim, maybe that's not how you'd like to look at it, but. Right. The wall of shame. Yeah. Yeah.
Like the greatest hits on the wall of shame. You'll notice most of them tend to involve
a sequence of numbers. And so I think that's fascinating because that means even the highest offending victims these days appear to at least have knowledge about password training.
Right.
Their passwords are words, a symbol, and then numbers.
And we see that multiple times.
Now, what's really interesting is several of the times it's the same symbol and sequence of numbers. You know, so it's like some word, the at sign,
and then one, two, three, right? And we see that over and over and over again. So what that means, I
think, is a lot of people are having password training. The problem is the password training has got room for improvement.
Yeah.
You know, when you train your users, you know, it's important that you highlight the fact that, look, you need to look at a password manager.
Let those passwords be randomly generated.
Yes.
Human brains are not made to remember this type of thing. And if you do need to remember a password, perhaps don't use 123 and the at sign.
Maybe go for something a little more creative.
Well, the blog post is Emotet is back after a summer break.
It's a nice little brush up on the latest on Emotet.
Craig Williams, thanks for joining us.
Thank you.
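The password-reuse analysis Craig Williams describes (counting how often a stolen password recurs across accounts, and noticing the "word, symbol, digits" shape that password training tends to produce) can be reproduced over any stealer log. The script below is an added example and is not Talos's code or the analysis from their blog post; the credentials in it are invented for illustration, and the regular expression for the "trained" password shape is this example's own assumption about what that pattern looks like.

```python
"""Password-reuse analysis over a constructed credential dump.

Added example, not Cisco Talos code. It takes (account, password) pairs
such as a sandbox might harvest from a credential-stealing sample, counts
how many accounts share each password, and flags passwords that fit the
"word + one symbol + digit sequence" shape discussed in the interview.
"""
import re
from collections import Counter

# Constructed sample data in the shape of a stealer log (account, password).
# These accounts and passwords are invented; they are not real credentials.
SAMPLE_CREDENTIALS = [
    ("alice@example-corp.test", "media@2018"),
    ("bob@example-corp.test", "media@2018"),
    ("carol@example-corp.test", "media@2018"),
    ("dan@example-corp.test", "Welcome@123"),
    ("erin@other.test", "Welcome@123"),
    ("frank@other.test", "Summer#2019"),
    ("grace@other.test", "xK9!vq2Lm#pT"),
    ("heidi@other.test", "correct horse battery staple"),
]

# Assumed definition of the "trained" shape: letters, exactly one symbol,
# then digits to the end, e.g. "media@2018" or "Welcome@123". Group 1 is
# the symbol-plus-digits tail so tails can be counted on their own.
TRAINED_PATTERN = re.compile(r"^[A-Za-z]+([^A-Za-z0-9]\d+)$")


def count_reuse(creds):
    """Map each password to the number of accounts using it."""
    return Counter(pw for _, pw in creds)


def reused_passwords(creds, min_accounts=2):
    """Passwords shared by at least min_accounts accounts, most reused first."""
    return [(pw, n) for pw, n in count_reuse(creds).most_common() if n >= min_accounts]


def is_trained_shape(password):
    """True when the password is word + one symbol + digits."""
    return TRAINED_PATTERN.match(password) is not None


def classify_suffixes(creds):
    """Count the symbol+digits tails ("@123", "@2018", ...) across trained-shape passwords."""
    tails = Counter()
    for _, pw in creds:
        m = TRAINED_PATTERN.match(pw)
        if m:
            tails[m.group(1)] += 1
    return tails


def domains_for_password(creds, password):
    """Mail domains whose accounts share a password; one domain dominating
    a heavily reused password suggests a single organization is affected."""
    return sorted({acct.rsplit("@", 1)[-1] for acct, pw in creds if pw == password})


def report(creds):
    """Human-readable summary lines for every reused password."""
    lines = []
    for pw, n in reused_passwords(creds):
        shape = "trained-shape" if is_trained_shape(pw) else "other"
        doms = ", ".join(domains_for_password(creds, pw))
        lines.append(f"{pw!r} reused by {n} accounts ({shape}); domains: {doms}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CREDENTIALS):
        print(line)
    print("tails:", classify_suffixes(SAMPLE_CREDENTIALS).most_common())
```

On the constructed sample the report shows `media@2018` shared by three accounts in one domain and `Welcome@123` shared across two domains, while the random and passphrase passwords fall outside the trained shape; on a real dump the tail counts (`@123`, `@2018`) are where the "same symbol and sequence of numbers" observation shows up.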
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett
Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave
Bittner.
Thanks for listening.
We'll see you back here tomorrow.