CyberWire Daily - Competing for terrorist mindshare. ICS threat group update. AnonPlus vandalizes US state sites. GDPR's disclosure timeline. Congressional hearings. DarkOverlord collared.

Episode Date: May 17, 2018

In today's podcast, we hear that Al Qaeda is back, howling online toward whatever lone wolves might be within earshot. The CHRYSENE ICS threat group may be looking beyond the Arabian Gulf. AnonPlus is after US state governments—New Mexico, Idaho, and Connecticut have received the hacktivists' puzzling vandalism. What the EU will expect of you within seventy-two hours of discovering a breach. The US Congress wants answers about, among other things, ZTE and Cambridge Analytica. And an alleged DarkOverlord is nabbed in Serbia. Dr. Charles Clancy from Virginia Tech's Hume Center discusses the skills shortage for the 5G network buildout. Guest is Ryan Barnett from Akamai on Drupalgeddon 2.0.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Al-Qaeda is back, howling online toward whatever lone wolves might be within earshot. The Chrysene ICS threat group may be looking beyond the Arabian Gulf. Anon Plus is after U.S. state governments.
Starting point is 00:02:10 What the EU will expect of you within 72 hours of discovering a breach. The U.S. Congress wants answers about ZTE and Cambridge Analytica. And an alleged dark overlord is nabbed in Serbia. From the Cyber Wire studios at DataTribe,
Starting point is 00:02:30 I'm Dave Bittner with your Cyber Wire summary for Thursday, May 17, 2018. Now that ISIS has been considerably disrupted, Al-Qaeda is working online to regain terrorist mindshare lost to ISIS. They're calling from the familiar playbook, but with their own emphasis on inspiring attacks on infidel lands. Al-Qaeda's organization has been more fluid than ISIS's had been. Al-Qaeda, according to reports in Deutsche Welle, is engaged in branding and rebranding with a view to displacing its struggling rival ISIS.
Starting point is 00:03:06 The anniversary of the establishment of the modern state of Israel and the move of the U.S. embassy to that country, to Jerusalem, figure prominently in the group's short-term messaging. Industrial cybersecurity firm Dragos this morning offered new details on the Chrysene threat group, specialists in hitting industrial control systems. Associated with the 2012 and 2016 Shamoon attacks on Saudi Aramco, Chrysene has, Dragos says, developed a sophistication beyond groups like Greenbug, who are also known as Oil Rig.
Starting point is 00:03:42 In its update on Chrysene, Dragos doesn't discuss attribution, but the Shamoon-1 and Shamoon-2 attacks associated with the threat group have been widely thought to be the work of Iran. Chrysene's target list concentrates on the petrochemical, oil, gas, and electric generation sectors. The Dragos study notes Chrysene's concentration on initial penetration. It compromises a target and then passes the machine it's pwned on for further exploitation. Chrysene may be extending its target list beyond its original Arabian Gulf range. The threat group's operations have now been observed in Iraq, Pakistan, Israel, and the United Kingdom. Anon Plus, a hacktivist group believed to be based in Italy, has been attacking U.S. state governments.
Starting point is 00:04:31 New Mexico is the latest victim, but Idaho and Connecticut were also recently hit. Anon Plus, in its communiques, follows the now-familiar anarcho-syndicalist line they have no leaders and so forth, and their principal declared interest is opposition to censorship. It's unclear how defacing a state's workman's compensation site, among others, fits AnonPlus's strategy, but the nuisance value is undeniable. This may be an instance of the familiar hacktivist disposition to hit targets of opportunity, going where defenses permit them to operate easily.
Starting point is 00:05:08 GDPR takes effect a week from tomorrow, and researchers continue to find sensitive data exposed online. GDPR, the European Union's General Data Protection Regulation, is expected to shape both corporate and criminal online behavior. Legitimate organizations will struggle toward compliance since the regulatory penalties for falling afoul of GDPR are potential business killers. Criminals are already using GDPR-themed spam to induce worried staffers to cough up credentials in phishing expeditions. There are also concerns that breaches could be induced in enterprises
Starting point is 00:05:44 with the aim of putting companies out of compliance. That could be done for hacktivist, competitive, or extortion motives. 72 hours is a crucial window under the new data protection regime. Security firm Imperva has a useful timeline explaining what GDPR will require organizations to do within 72 hours of detecting a breach. At a high level of generality, a breached organization must investigate, notify regulators and affected individuals of the breach, specifically state what data was exposed,
Starting point is 00:06:17 and express a plan for containing the damage going forward. Any failure to get this done within 72 hours must be explained to the regulators. Absent reasonable justification for the delay, the affected organizations can expect penalties. Drupal is a popular online content management system with millions of users worldwide. The platform recently found itself in the news thanks to a vulnerability that became known as Drupal Geddon 2.0. Ryan Barnett is a principal security researcher at Akamai, and he joins us with his insights. The main issue in looking at this, it was a different API or application programming interface with Drupal. They called it a form API.
Starting point is 00:07:03 The main issue was the applications, they can create arrays, right? Different ways to hold data. And the problem was here is there's actually a vulnerability in what's called renderable arrays. And the bottom line is that an attacker, somebody who's non-authenticated could send from their web browser even in a query string data that would look like an array. And if they could have that be renderable, they can do remote code execution, which is probably the worst case scenario from a security perspective. Because then essentially it's as if the attacker is sitting at the keyboards and they can execute any command they want. And essentially, they're running with the privileges of whatever the application is running as on the operating system.
Starting point is 00:07:50 And so once the update is made, and they've made the vulnerability public, the concern is for the folks who don't upgrade right away. Yeah, exactly. That issue is what bad guys, criminals, black hats, whatever you want to call them, that's what they live on, right? Is they realize there's going to be a lag from the time something is posted until you can actually get it patched on their system. In this particular case, they did a good job, meaning Drupal, of making these releases well known in advance so people could plan. I was actually monitoring on Twitter, looking for different hashtags related to this issue.
Starting point is 00:08:28 And it was rather surprising to see how many people were just standing by. Like, is it released yet? You know, I got my team ready. Is it released yet? So the time to fix, quote unquote, is a key issue for everybody, right? Not just the Drupal issue.
Starting point is 00:08:42 But most people, from what we've seen, were able to upgrade pretty quickly and get patches installed. What have you seen since that date? How bad is it? Like you said, most people were able to update, but I suppose there are those laggers out there. Absolutely. It's a law of percentages, right? And even if you take a step back and say, hey, 80% of people updated, great. But when you have millions of installs, that 20% is still significant. What was interesting in this scenario was the Drupal security team, the patches they made were purposefully vague. They made changes, but it wasn't quite clear from an attacker's perspective, wait a minute, as a remote user, how can I actually exploit this?
Starting point is 00:09:27 So that was done on purpose. So Drupal actually did a good job there, right? Not saying, hey, you know, attack here and point big arrows at it, right? And there were long discussions and threads on multiple forums where people were trying to figure out how can we exploit this? Hey, can we do this? Can we do that? And it went on for two weeks. And actually, it was two weeks later, around April 12th, another security vendor, they actually went ahead and released a blog post describing how to exploit it.
Starting point is 00:09:57 Their perspective on this, right, you can take different sides of this argument, was they thought some people perhaps, like you said, if they didn't patch, they might think, oh, well, we don't need to, right? Because it's not known that it's publicly being exploited. So, you know, from a security company's perspective, they say, look, this is a problem. And here we're going to demonstrate how you do need to fix this. So once I reviewed that blog data, I knew immediately, uh-oh, here it comes. Because then there was enough detail. Exactly.
Starting point is 00:10:28 And it was within hours. I'd say about three hours. And then we were able to see, we saw some attacks for the first two weeks. But the payloads they were trying to send, the malicious stuff, it wasn't formatted correctly. It really wasn't doing anything. It was kind of benign. It wouldn't even work. But this second wave, as you said, when that came through, massive scanning attacks, because it was very easy for attackers to weaponize it at that point.
Starting point is 00:10:56 And because these attack payloads, they're not specific to a specific site or implementation of Drupal, the kind of category of attacker I label this as is random opportunistic, where they don't really care to break into website X. They're looking for any website that this can work on because they have end goals of installing their favorite toolkits to do different things. So the more IPs they can hit and web servers and send this, the better. So they just want to do massive kind of spray scanning all over the place.
Starting point is 00:11:33 So that's why it spiked up on our radar. That's Ryan Barnett from Akamai. The U.S. House wants a full report from the Department of Homeland Security on security issues surrounding ZTE. The Senate Appropriations Committee also wanted some answers, and in their case they heard from FBI Director Christopher Wray, who, while declining to name corporate names, expressed the Bureau's security reservations this way.
Starting point is 00:12:00 Quote, We at the FBI remain deeply concerned that any company beholden to foreign governments that don't share our values are not companies that we want to be gaining positions of power inside our telecommunications network. That gives them the capacity to maliciously modify or steal information. That gives them the capacity to conduct undetected espionage. That gives them the capacity to exert pressure or control. End quote. The U.S. Senate Judiciary Committee was also busy.
Starting point is 00:12:32 In their case, they heard from Christopher Wiley, the whistleblower in the Cambridge Analytica case. Wiley said he had no knowledge of whether the now-defunct company, in its use of Facebook data, had supported the activities of the Internet Research Agency, the now-famous St. Petersburg troll farm. He did, however, say that Cambridge Analytica, quote, made a lot of noise to companies and individuals connected to the Russian government, end quote. He dismissed the notion that Cambridge Analytica was an ordinary marketing research
Starting point is 00:13:01 operation, saying that Cambridge Analytica specialized in disinformation, spreading rumors, kompromat, and propaganda. Finally, remember Dark Overlord? That's the hacking group that tried most famously to extort Netflix, threatening to release hacked copies of Orange Is the New Black. Serbian police have popped one alleged Dark Overlord ringmaster, an unnamed 38-year-old man who lives in Belgrade, so far only identified by the initials SS.
Starting point is 00:13:33 The Dark Overlord's modus operandi was a bit different. Instead of trying to sell stolen data on the dark web, the group would steal data, demonstrate to the owners that they'd done so, and demand a ransom for returning it unreleased. Motherboard this morning heard from SS's colleagues, who want everyone to know that they're still in business. So you've still got quarry out there, law enforcement. Good hunting.
Starting point is 00:14:04 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:14:34 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:14:59 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:15:57 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Dr. Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, welcome back. Last year, you testified before the House Energy and Commerce Committee,
Starting point is 00:16:44 specifically the Subcommittee on Communications and Technology. They were having a hearing on promoting security and wireless technologies. And you covered a lot of ground. But one of the things that caught my eye was something we talk about a lot, which is this workforce issue, the shortage of qualified cybersecurity folks. But there was an even more specific area that was interesting, and that's when it comes to telecom infrastructure. We may be having a skills gap when it comes to universities training people to be prepared for this subset of the industry. What can you share there? Well, the cybersecurity industry has a massive shortage of jobs nationwide, worldwide, really.
Starting point is 00:17:28 The statistics show that here in the Washington, D.C. metropolitan area, for example, there's 42,000 empty jobs in cybersecurity. So there's a huge shortfall that we need to address. And universities across the board are struggling to expand their curriculum offerings to keep up with the demand. Now, I think that if you look at where a lot of those investments have been made, as many universities try to address that gap, they're focusing on many of the more traditional IT security challenges. So things like defending a traditional IT network from attacks or software engineering and writing secure code. And while all these things are really important, we're starting to see a fundamental shift in the DNA of the internet. As the internet of things comes along, it's not so much just the
Starting point is 00:18:08 security of an app that's on my phone or a cloud service that I might be using that's important. Now I need to worry about the security of connected infrastructure. I need to worry about the security of telecommunications infrastructure. And so far, we haven't really seen universities scaling up to be able to address that unique gap, which is going to be an area that we will continue to see need for as the DNA of the Internet shifts from the social mobile Internet to the Internet of Things. And as you have students come through your program, you advise a lot of these students in the research that you do. How do you handle the radio spectrum side of things? You know, that's different than bits and bytes. Exactly. So just as an example, here at Virginia Tech, we've launched a new course in wireless
Starting point is 00:18:57 intelligent communication security. We've launched a new course in embedded and industrial control system security that will approach these somewhat unique fields from a security perspective. And we're seeing a lot of interest from students in those courses, in particular in employers. We have a number of large companies that are unable to hire people who have both cyber physical systems expertise and security expertise. Typically, they'll have one or the other, and they'll need to cross-train them after they hire them. Yeah, so perhaps an opportunity for some of those students coming up in an area that hasn't received a lot of attention. Indeed, and one that is going to need a lot of attention,
Starting point is 00:19:37 particularly as the nature of the Internet continues to shift more towards the Internet of Things. Dr. Charles Clancy, thanks for joining us. My pleasure. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
Starting point is 00:20:24 your company safe and compliant. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Starting point is 00:21:13 Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
Starting point is 00:21:58 your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
