CyberWire Daily - CrashOverride implicated in Ukraine grid hack—possibly as a proof-of-concept. Hack-induced Gulf diplomatic troubles continue. New malware strains, exploits appear.
Episode Date: June 12, 2017
In today's podcast, we hear that Dragos and ESET are bringing some clarity—and some bad news—to the investigation of December 2016's Ukrainian power-grid hack. Qatar and its neighbors try to sort out hack-induced diplomatic troubles. DoubleSwitch social media malware hijacks dissidents' accounts. CertLock impedes removal of unwanted programs by security software. MacSpy and MacRansom appear as malware-as-a-service offerings. AMT vulnerability exploited in the wild. David Dufour from Webroot explains why attribution is so difficult. Robert Rodriguez from SINET describes the upcoming Innovation Summit 2017. China arrests twenty-two for trading in stolen iOS user data.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Dragos and ESET bring clarity and bad news
to investigation of December 2016's Ukrainian power grid hack.
Qatar and its neighbors try to sort out hack-induced diplomatic troubles.
DoubleSwitch social media malware hijacks dissidents' accounts.
CertLock impedes removal of unwanted programs by security software.
MacSpy and MacRansom appear as malware-as-a-service offerings.
AMT vulnerability is exploited in the wild.
And China arrests 22 for trading in stolen iOS user data.
I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, June 12, 2017.
Security firms ESET and Dragos have been working together on malware samples obtained by ESET,
and they have some insight into what those samples mean
for the likelihood of more, and more effective, attacks against power grids.
The researchers released a report today on the malware that hit Ukraine's power grid last December.
They're calling the attack code CrashOverride or Industroyer,
and they compare it to Stuxnet in terms of the severity of its
threat to physical systems. CrashOverride is modular and readily tailored to its targets.
Dragos calls this the first-ever malware framework designed and deployed to attack electric grids,
and reckons it as the fourth piece of what they characterize as ICS-tailored malware.
The predecessors will be familiar.
Stuxnet, which was deployed against Iranian uranium refinement centrifuges sometime between
2005 and its discovery in 2010;
BlackEnergy 2, which was used, in connection with spear phishing, in the disruption of power in eastern
Ukraine on December 23, 2015;
and Havex, a remote-access Trojan discovered in 2014
during the investigation of industrial espionage campaigns in Europe.
CrashOverride resembles Stuxnet in that it was used to disrupt physical processes.
On December 17 of last year, an electrical substation in Ukraine
was taken offline to disrupt power in the vicinity of Kiev.
Dragos thinks that incident now looks like a proof of concept.
The authors of the malware devoted considerable effort and attention
to understanding the operating environment of Ukrenergo, the power utility affected in December 2016.
CrashOverride was not designed to work against any specific or narrow set of vendor systems.
It is in effect a platform that can be used to attack a wide variety of industrial targets.
It's modular, extensible, and can be used simultaneously at more than one site.
It has no espionage functionality. This is more than spyware.
It's malware designed and used specifically to take down an electrical utility.
In principle, although there are no signs of this yet,
CrashOverride could be adapted to attack systems in other industrial sectors.
Dragos thinks the Electrum threat group is behind the malware.
They also believe Electrum is directly tied to the Sandworm group, a cyber espionage crew generally regarded as working for Russian intelligence services.
And so the Ukrenergo attack now looks more like a dry run than it had before.
Al Jazeera appears to have largely recovered from last week's cyber attacks,
the precise nature of which remains unclear.
It sounded initially like a distributed denial of service incident,
but if it was a DDoS attack, it seems to have been largely unsuccessful,
since the network experienced relatively few problems with availability. The attacks do
appear to figure in the larger campaign of hacking and disinformation aimed at splitting Qatar from
regional Arab allies. Whether Al Jazeera was hit by the same actors who planted disinformation
through hijacked Qatar news agency services last month is also unclear.
The threat may be a second-order response by hacktivists or governments who bought the
original round of disinformation.
Morocco and Kuwait are attempting to mediate the dispute.
Qatar's government, with U.S. FBI assistance, has tentatively attributed Qatar news agency
hijackings to Russian actors,
but outside observers remain dubious.
Looking at our CyberWire event calendar, the SINET Innovation Summit 2017 is coming up
June 20th in New York City, and we're pleased to be a media partner for the event.
Robert Rodriguez is the chairman and founder of SINET.
So Innovation Summit is a little differentiated from the other programs
in that we're connecting Wall Street, Silicon Valley, and the Beltway
with an emphasis on the banking and finance institutions.
For example, we have at least a dozen CISOs from Fortune 100 banks,
so Goldman, JPMorgan Chase, Bank of New York Mellon, Citi, Standard Chartered Bank,
Mitsubishi Bank, Sallie Mae Bank. So there's that emphasis because we are in New York City.
And then the Silicon Valley piece is always, you know, SINET is known as a huge supporter of
innovation, entrepreneurialism globally in the cybersecurity domain. So the
innovators are in the room. And if you think about what's important to small business,
especially early stage emerging growth companies, to include large companies. But at the end of the
day, after they raise their capital, all they really want to meet are the buyers of both
industry and government. So for example, a CISO or a CSO or a CIO is somebody that has capital to purchase interesting and value-add solutions.
So we really focus on providing an environment for the business of cyber to take place.
New York City is a thriving entrepreneurial community.
It is an epicenter of banking and finance and many other areas of commerce and business as well.
Another opportunity for the audience are the innovators and the entrepreneurs.
As they listen to these CISOs talk about risk, what's important to them, what type of needs and requirements they're prioritizing,
discussions on ransomware and how that marriage
of IoT and ransomware are affecting the future of risk. There's a topic on malware, third-party
vendor risk management. So understanding these strategies and pain points and the way that the
CISOs think about this is going to help those entrepreneurs build their strategy and
roadmaps to address those needs. The ability for us to have this diverse ecosystem in the room
provides value for all those in attendance, whether you're a CISO with 10 people or a CISO today
with thousands of people. There's something for somebody at all levels in their life at SINET.
That's Robert Rodriguez.
The SINET Innovation Summit 2017 takes place June 20th in New York City.
Several strands of malware are being newly described.
Here's a brief overview of each.
Access Now reports a new form of social media hijacking, DoubleSwitch, which renders its victims effectively unable to regain control
of their accounts.
Observed principally in Venezuela, DoubleSwitch has been used against critics of the
Chavista government.
Access Now thinks it's likely to be seen in other repressive regimes as well.
Various researchers are reporting a new Trojan, CertLock, in the wild.
Carried by a range of unwanted programs,
the Trojan renders those programs more difficult to clean
from Windows systems by blocking the certificates of security software.
Researchers at AlienVault and Fortinet
have obtained and analyzed live samples of MacSpy and MacRansom,
two varieties of malware-as-a-service that have been on offer
in dark web markets at least since the last weeks of May.
As the name suggests, they target Mac systems with, respectively, spyware and ransomware.
As Mac market share rises, so does Mac malware's black market share.
Sophos reports a ransomware outbreak in Chinese Android systems.
The malicious code hides in a bogus copy of the King of Glory game.
The ransomware copies WannaCry's user interface, but it's not WannaCry.
And Microsoft has found exploitation of a vulnerability in Intel chipsets' active management technology in the wild.
The PLATINUM advanced persistent threat group is going after AMT to execute
malicious code in targeted machines. In Europe, authorities continue to work to round up lone
wolves. One of them, a Syrian expatriate arrested in Germany, is said to be a principal point of
contact between terrorists and the ISIS news service Amaq. In the U.S., former FBI Director Robert Mueller
is set to serve as special counsel for Russia investigations. And finally, in China, police
round up 22 people and charge them with selling data obtained from iOS users. The scam is said
to have netted them as much as 50 million yuan, which comes to about 7.25 million
in Yankee dollars.
And I'm pleased to be joined once again by David Dufour.
He's the Senior Director of Engineering and Cybersecurity at Webroot.
David, welcome back. You know, with the recent attacks by the WannaCry ransomware,
one of the subjects that's been popular is people talking about attribution with this particular attack.
People want to attribute it to North Korea, but other people have been saying, hold on, not so fast.
Attribution is difficult.
That is in fact true, David. And again, thank you for having me again. And just for the
listeners, attribution is when we take a look at code or some type of malicious software to try to
understand where it's come from.
And we're looking at the fingerprints and maybe who's touched it so we can make that
determination back to the originator.
You know, that's really when we're talking about attribution.
That's what we're talking about.
And it is it is very difficult to attribute something back to a malicious actor.
One thing that occurs quite often in the cybersecurity world is a bad
guy, cyber criminal, will create some malicious code and they'll keep it super secret and they'll
use that to their nefarious means. But once they're discovered, they will blast that code out
on message boards everywhere so everyone has access to that. And at that point, it begins to get very difficult
to determine where something came from. So they sort of shoot it out there as a smoke screen.
So now everyone has it. It's hard to attribute it to anyone in particular.
That's exactly what they're doing. One, just to be mean. And two, it's not as valuable anymore.
So they're going to just get it out there so no one can trace it back to them.
What about this notion? I've heard people say that attribution really isn't that important,
that attribution is the stuff of nation states. But for those of us trying to keep our systems safe, what difference does it make who it came from? The point is we've got to keep it out.
I disagree. There's some examples with ransomware where developers took the core encryption code that allowed you to actually encrypt files on a machine.
But then if you looked at that encryption algorithm itself, those algorithms were broken.
So you couldn't ever decrypt the code. So that's a bad thing.
Or the decryption algorithm was such that we could figure out a way to generate a key
that would unlock that.
So attribution is important in some instances where we can actually help people, not because
maybe we're trying to get to the person at the other end to put them in jail.
But a lot of times, if we can see where
something came from and have a good understanding of it and the variants, we might be able to help
folks. David Dufour, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.