CyberWire Daily - CRASHOVERRIDE tried to be worse than it was. InnfiRAT scouts for wallets. Simjacker exploited in the Middle East. SINET 16 are out. Pentesting scope. Back up your files, Mayor.

Episode Date: September 13, 2019

The Ukrainian electrical grid hack seems, on further review, to have been designed to do far more damage than it actually accomplished. InnfiRAT is scouting for access to cryptocurrency wallets. A sophisticated threat actor is using Simjacker for surveillance on phones in the Middle East. The SINET 16 have been announced. A penetration test goes bad due to a misunderstanding of scope, and Baltimore decides, hey, it might be a good idea to back up files. Johannes Ullrich from the SANS Technology Institute on web spam systems. Guest is Rosa Smothers from KnowBe4 discussing her career journey and the importance of diversity in tech. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_13.html  Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. On further review, the Ukrainian electrical grid hack seems to have been designed to do far more damage than it actually accomplished. InnfiRAT is scouting for access to cryptocurrency wallets. A sophisticated threat actor is using Simjacker for surveillance on phones in the Middle East.
Starting point is 00:02:13 The SINET 16 have been announced. A penetration test goes bad due to a misunderstanding of scope. And Baltimore decides, hey, you know, it might be a good idea to back up our files. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 13th, 2019. The industrial security specialists at Dragos have published a reassessment of the 2016 CRASHOVERRIDE attack on a portion of Ukraine's power grid. They now believe that the attack was probably intended to disrupt operations for weeks or months, as opposed to the hours the actual outage lasted. They also think that the threat actor, which they track as ELECTRUM, and which is widely regarded as working on behalf of Russian intelligence, intended the destruction of some pieces of equipment.
Starting point is 00:03:09 ELECTRUM now seems to be taking an interest in other sectors' industrial control systems, and those interests appear to extend beyond Ukraine. So, as troubling as the attacks were, Dragos thinks Ukraine actually dodged the metaphorical bullet. One of the tools they found when investigating the incident seems to have been designed to induce a denial of service condition on protective relays. Thus, once power was restored, the relays would no longer provide the overcurrent protection they were designed to deliver.
Starting point is 00:03:40 This is troubling because it would have exposed transmission equipment to power surges that could have physically damaged them, requiring lengthy repair or even replacement. Some of these devices have long replacement lead times, and this could have disrupted power delivery for an extended period of time. Why didn't this happen? For two reasons. First, the attackers apparently affected fewer relays than intended, and second, their DDoS code was flawed and not as effective as they'd have hoped. But the whole matter is sobering, and one hopes is being taken with due seriousness by utilities everywhere.
Starting point is 00:04:15 Again, it's not just Ukraine, and it's not just power distribution. Think in terms of risks to water and other essentials, too. Security firm Zscaler has described InnfiRAT, a remote-access trojan designed to steal cryptocurrency wallet information. It looks like a criminal operation. The RAT does what most RATs do, goes after access and information, but it's particularly interested not only in cryptocurrencies, but also in the browser cookies where coin wallet usernames
Starting point is 00:04:45 and passwords are so often stashed. It's also capable of taking screenshots for much the same purpose, and it's armed with the usual array of enabling tools, like keeping an eye out for active antivirus software. AdaptiveMobile Security yesterday announced the discovery of Simjacker, a vulnerability and associated exploits in which an SMS is used to effectively hijack a mobile device's SIM card. The company says that a sophisticated threat actor has been exploiting Simjacker in the wild for at least two years. The attacks collect geolocation data and other information from the affected phones. The purpose of the exploitation appears to be surveillance. Most of the affected devices have been in the Middle East. AdaptiveMobile says that while geolocation seems to be of most interest to the current attackers,
Starting point is 00:05:36 Simjacker could also be used for other purposes, like distributing disinformation by SMS. The SINET 16 have been announced. This annual selection of the most innovative, potentially disruptive companies in the cybersecurity industry picks 16 winners from an international pool of applicants. This year's selection was made from among 161 companies based in 18 countries, from North America to Europe to Asia and to Oceania. Some of these names you may already be familiar with, but you're likely to hear more from and about them in the future.
Starting point is 00:06:10 In reverse alphabetical order, the SINET 16 class of 2019 includes XM Cyber, which specializes in fully automatic breach and attack simulation that enables customers to recognize attack vectors and prioritize their remediation. Tigera, whose Zero Trust Network security supports continuous compliance for Kubernetes platforms across a range of environments. Tempered Networks, which provides simple and affordable means of segmenting and isolating control systems and industrial Internet of Things devices. Sonrai Security, with a cloud data control service
Starting point is 00:06:45 that delivers a risk model for identity and data relationships across a range of cloud and third-party data stores. Siemplify, an independent security orchestration, automation, and response provider whose workbench enables enterprises and managed security service providers to manage and respond to cyber threats. OPAQ delivers security as a service from its cloud that enables enterprises to overcome staffing and management challenges in the protection of their IT infrastructure. Kenna Security, whose platform delivers cyber risk predictions that enable security teams
Starting point is 00:07:18 to get ahead of exploitation. Karamba's embedded cybersecurity solutions protect connected systems with automated runtime Thank you. CryptoMove, whose continuous moving target defense and distributed fragmentation offers a new approach to data protection for managing keys and DevSecOps secrets. BigID, a machine learning shop that enables personal data discovery, correlation, and privacy automation for compliance at scale with regulations like GDPR and CCPA. Balbix, whose specialized artificial intelligence delivers continuous and predictive assessment of breach risk. Awake Security, which offers advanced network traffic analysis for a privacy-aware solution that can detect and visualize incidents in full forensic context. Arkose Labs, which solves fraud by pairing global telemetry with an enforcement challenge to
Starting point is 00:08:22 control fraud without false positives or degraded throughput. Aqua Security, which secures container-based and cloud-native applications from development to production. And finally, Acceptto, which delivers continuous identity access protection by inferring contextual data to analyze and verify user identity and behavior. Our congratulations to all of them, and as we've said earlier, we're sure you'll be hearing from them in the future. Here's a disquieting story out of the American heartland that illustrates the importance of the customer's understanding
Starting point is 00:08:57 exactly what the scope of a penetration test will be. A pair of Coalfire pen testers were arrested during an engagement at the Dallas County, Iowa courthouse. The Des Moines Register says that the Iowa Judicial Branch did indeed hire them to conduct penetration testing of court records, but that the court administrators did not expect physical penetration to be within the scope of the job. We hope the misunderstanding is cleared up soon. And finally, the Baltimore Sun reports that Baltimore has gotten around to realizing, or at least acknowledging, that it permanently lost some data in May's ransomware attack. The city now thinks backups are a good idea. Winning with purpose and showing the world what AI was meant to be. Let's create the agent-first future together.
Starting point is 00:10:07 Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist, Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:10:48 They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:11:34 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute, and he's also the host of the ISC StormCast podcast. Johannes, it's always great to have you back.
Starting point is 00:12:14 You have been tracking some web spam systems that are using some stealthy methods here. What are you looking at? Oh, what's happening here is you may have seen that you're clicking on the link you're not supposed to click on, and you're ending up at a compromised website that essentially delivers spam, some advertisement for some product you probably don't want to buy. What usually happens here is a website gets compromised, and the attacker will place that page on that website. The problem the attacker has, and well, attackers have problems too sometimes, is it's not all
Starting point is 00:12:50 that straightforward for an attacker to necessarily update these pages. What they have done sometimes is, for example, set up some JavaScript on that page that will then go out and fetch some HTML snippet from some backend server that the attacker runs and copy that data into the page. But these outbound requests, of course, go to other compromised web pages. And overall, this is a relatively fragile kind of setup. What attackers have done lately is they have discovered DNS. Now in the past there wasn't really a good way to do a free form DNS request with JavaScript. But more recently we have this new protocol DNS over HTTPS. So what the attacker can do now, the attacker can use JavaScript's ability to couple of DNS text records and deposit a JavaScript
Starting point is 00:14:06 on the vulnerable page. The victim will really only see outbound HTTPS requests to Cloudflare, some of these sort of well-known services, which of course is much more difficult to detect as an anomaly. So what are your recommendations for folks to get on top of this? Really, what you have to do is you have to, first of all, make sure that your website isn't vulnerable. And what we typically see here is your standard vulnerable Drupal page or some of these big content management systems that are all too often vulnerable.
Starting point is 00:14:43 Secondly, watch for outbound requests from your web server. Really take a close look at them. There's only very little that really should connect outbound from a web server to HTTPS sites. You may have some automatic updates running. Maybe you want to pull this in-house and set up your internal server that distributes these updates. It's usually a better way to go anyway if you want to sort of get control of your update mechanisms and block as much as possible of these outbound HTTPS requests. Of course, ideally for the remaining HTTPS requests that you do have to allow, yes, you may set up some HTTPS proxy or so that should allow you to block these DNS over HTTPS requests.
Starting point is 00:15:28 And how widespread is this? What are you seeing there? We don't really see a lot yet. It really showed up just in a couple of cases, but it's one of those things I really expect to become more popular because it's very easy to copy this idea. So there isn't really much to it. An attacker who realizes,
Starting point is 00:15:44 hey, this is actually how I'm able to fly under the radar. And now my spam sites will survive a little bit longer than they used to survive before I did that. So I think it will probably pick up pretty quickly. All right. Well, Johannes Ullrich, thanks for joining us. Thank you. Thank you. by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:16:35 Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. My guest today is Rosa Smothers. She's Senior Vice President of Cyber Operations at KnowBe4. Rosa Smothers will be one of the speakers at our upcoming Women in Cybersecurity reception at the Spy Museum in Washington, D.C., and KnowBe4 is one of our sponsors for the event. I began our conversation by asking her what sparked her initial interest in technology.
Starting point is 00:17:11 Admittedly, probably growing up as a total Star Trek nerd had a lot to do with that. So I had a computer at a very young age, thanks to parents who really wanted me to learn technology and not be intimidated by it. So I give a lot of credit to them for that. My first computer was a used Commodore VIC-20 with a tape drive, like an actual cassette tape drive. I remember those days. And it was just, to me, it was the gateway to another universe. And then, you know, things progressed. And then I had a computer with a modem and went on to bulletin boards.
Starting point is 00:17:51 And then we all gained access to what we're now calling the Internet. So that was, you know, a lot of the late 80s and the 90s. So I grew up with that movement. And so that was an exciting time. I was really fortunate to see all of that growth as it transpired. And so what were your thoughts as you headed off to college? I didn't think about the idea of formal education as much as I should have. I really started out.
Starting point is 00:18:22 I was so good with computers and networking and security and things that I actually started working full time and making a great living before I obtained my bachelor's degree. So I had an associate's. of my life in a rather dramatic way because after the attack, I decided I wanted to go work for the government and go fight the bad guys. So I left my job and went back to school full time. And I did a junior and senior year in one year's time. And then I was initially hired on at the Defense Intelligence Agency. I worked there for about two and a half years as a cyber threat analyst focusing on al-Qaeda, and then transitioned at that point over to the Central Intelligence Agency, where I was for
Starting point is 00:19:18 a little over 11 years, almost 12 years. Can you give us some insights as to what the atmosphere was like in those days? I can imagine there was a lot of focus on the mission at that time. You know, I think it was a jolt for our country. It was a jolt for the intelligence community. It's sometimes until an emergency happens that our agencies can't necessarily obtain the funding they need for the fight. And so once, God forbid, this emergency happened, the intelligence community received a huge surplus of funding. So there was a hiring surge. There was a surge in technology procurement and research, everything that you can think of, because it was such a dire need to expand in the area of counterterrorism that we really hadn't thought much about since, you know, Khobar Towers, the initial attack on the World Trade Center, and even the Hezbollah attacks in Lebanon. So it was the immediacy of it spurred so many things into
Starting point is 00:20:33 action so rapidly. And what was it like for you in terms of it being an opportunity for an environment in which to learn? It's not an understatement to say that the scope and depth of our intelligence community's resources is truly mind-boggling. So for anyone who loves a great learning opportunity, which I certainly do, I'm an avid reader, learning about all of the tools, techniques, and procedures, if you will, that are available to us for fighting the good fight, it was quite an enlightening and often daunting experience. Now, as you looked around during that time, when you were finishing up your education and then beginning your government career, were there very many other women who were there along with you? There were women in the intelligence community, certainly, but not as nearly as many specifically in the technical field as much as I would hope.
Starting point is 00:21:45 And that's certainly not to say that the intelligence community isn't doing their darndest to hire qualified personnel of any gender, any cultural status, any minority status. I think the challenge, as I see it, is also it's really stimulating the interest in technology when they're young. I was so gratified when I read recently that the Girl Scouts are now giving out STEM badges. And I think it's things like that that are going to increase the role of women in the cyber workplace because, you know, they can't hire us if we're not there and we're not qualified. So I'm hoping as time goes by, our numbers will increase and the hiring pool will thus increase. I'm often asked, you know, and I travel a lot for my position here at KnowBe4. And so whenever I'm having those conversations next to people in the airplane on a long flight, and I'm asked, you know, what would, you know, I have a son, I have a
Starting point is 00:22:53 daughter, they're 13, 14, 15, what would you do? I start with giving them my business card and letting them know I'd be happy to talk with them at any time to encourage them. But the one thing that I always try to drive home, especially even if they're small children, there are so many apps out there that are learning opportunities, even for computer programming, for coding. There is such a dire need for good coding out there, and we're definitely not filling that bill. So that's something that I always encourage people to consider, you know, finding those apps in the various app stores that can help kids learn and in a fun way, because, you know, it's not only a constructive use of their time, but it also can bolster those technical skills and provide them a
Starting point is 00:23:44 really promising career. They will always have job security with a skill set like that. I want to touch on our upcoming Women in Cybersecurity reception, which you're going to be a part of and we're grateful to KnowBe4 for being a sponsor of. Why do you think events like this are important? Why do they matter? challenges and be frank and open and honest. And I think sometimes it's also providing a blunt series of feedback regarding sometimes we're not as forthcoming or as forthright, I should say, as forthright in the workplace as we should be. I've had a number of conversations with women that they struggle with that, you know, I want
Starting point is 00:24:46 to be liked and I want to be respected. And I said, well, if you're doing your job well, that respect will come. Don't worry about those things. These will all come in due course, you know, focus on your technical skills. So I think in encouraging one another to be strong, to stand up, to not be quite so docile, you know, a lot of women tend to say, you know, I was just wondering. No, you have a question. You know, it's a different way of making the same statement, but they sound very different to those who hear it. You know what I mean? So it's even those sort of little coaching moments, I think, are hugely significant. So I, you know, I think any community building opportunity, especially for women in the technical field, should always be taken full advantage of.
Starting point is 00:25:40 That's Rosa Smothers. She's the Senior Vice President of Cyber Operations at KnowBe4. You can find out more about our Women in Cybersecurity reception by going to thecyberwire.com slash WCS. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:26:22 The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
Starting point is 00:26:44 John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, Thank you. impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
