CyberWire Daily - Cyber reconnaissance. Vulnerability database misdirection. Cryptomining attempts. New Memcrash DDoS. Policy changes in the US coming as agencies report?
Episode Date: March 9, 2018
In today's podcast, we hear reports of cyber reconnaissance of Turkish financial institutions: Hidden Cobra is the suspect. The Chinese government appears to have finagled its national vulnerability database to afford misdirection to cyber operations. Cryptomining attempts hit Windows endpoints. Other cryptojacking campaigns afflict vulnerable servers. Memcrash DDoS hits new targets. The US Administration hints at possible cyber policy changes. Emily Wilson from Terbium Labs, on the issue of trying to spend our way to security. Guest is Priscilla Moriuchi from Recorded Future, with research documenting a backdating issue in the CNNVD, China's National Vulnerability Database.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Cyber reconnaissance of Turkish financial institutions is reported.
Hidden Cobra is the suspect.
The Chinese government appears to have finagled its national vulnerability database to afford misdirection to cyber operations.
Crypto mining attempts hit Windows endpoints. Other crypto jacking campaigns afflict vulnerable servers. Memcrash DDoS hits new targets. And the U.S. administration hints at possible cyber policy changes.
I'm Dave Bittner with your CyberWire summary for Friday, March 9, 2018.
There appears to be a reconnaissance campaign underway, conducted by North Korea, in what appears to be preparation for state-directed looting.
According to McAfee, North Korean threat actor Hidden Cobra is prospecting Turkish financial institutions.
The campaign appears to be reconnaissance for some larger future operation yet to develop.
It's likely the Turkish financial sector is a set of targets of opportunity in the DPRK's ongoing efforts to redress the pressure international sanctions have imposed on its country.
It's worth recalling, however, that not everything that looks like a DPRK hack is one.
Something that's pretty clearly not Pyongyang's work is the series of attacks surrounding
last month's Winter Olympics.
Signs pointing toward North Korea in those attacks are now generally regarded as false
flags, probably hoisted by Russian state operators.
Recorded Future has a report on China's national vulnerability database, the CNNVD.
Dating in that database seems to have been altered in ways designed to obscure Chinese
government hacking.
We'll have a conversation with one of their lead researchers later in this podcast.
At midweek, Microsoft succeeded in stopping a large-scale cryptojacking infestation that
attempted to infect some 400,000 users over the space of a few hours.
The mining software was carried as the payload of the DofOil or Smoke Loader Trojan.
The mining application supports NiceHash and so can work with a variety of cryptocurrencies.
Other crypto mining attacks are afflicting a variety of servers. The SANS Institute particularly notes attempts on vulnerable Apache Solr, Redis, and Windows servers.
Memcrash distributed denial-of-service attacks have spread across a variety of targets.
In addition to the well-known attack on GitHub, other victims have included Google,
the National Rifle Association, PlayStation Network, Amazon, and Kaspersky.
These are only some of the more high-profile victims. There have been others.
Recall that Corero reported earlier this week that it had found a kill switch for this exploit.
May it soon be put to good use.
A debugging app appears to have been left on OnePlus phones,
leaving them open to attackers who could abuse the app to obtain root access.
In patching news, Adobe has issued more than 50 fixes for Flash Player, Acrobat, and Reader.
In the U.S., White House officials note that cybersecurity reports required of federal agencies under Executive Order 13800 are for the most part in,
and that the public can expect to see policy changes as a result.
Some administration officials are hinting at more extensive information sharing.
SINET ITSEF wrapped up yesterday. We'll have more extensive reports on the proceedings up on our website early in the coming week. We will offer a brief account of one point several speakers made yesterday.
Some of yesterday's presentations touched on resilience,
and the speakers all agreed on the importance of planning and practice
in achieving resilience,
the ability to continue to do business in the aftermath of a successful cyber attack.
That planning and practice should, the experts who spoke said,
concentrate on incident response.
More than one speaker thought the military model of planning, exercising those plans,
refining them and using them to inculcate a sense of the plan's total goal
in those who will have to manage the incident response,
can serve as a very useful model for businesses to adapt to their own needs.
Finally, we've been following reports from the UK concerning the attempted assassination
of a former GRU officer convicted by Russian courts of spying for British intelligence
services, then resettled in the UK after a spy swap agreement.
Russian media have been following the story as well, but from a different point of view.
One prominent Russian television news presenter, while making a pro forma statement of opposition to violence,
framed the news as a warning to traitors. The two targets of the attempt, which used a nerve agent,
remain in serious condition, as does one of the first responders who came to their aid.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting. [...] when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your [...] Learn more at blackcloak.io.
And joining me once again is Emily Wilson.
She's the Director of Analysis at Terbium Labs.
Emily, you were at a conference recently in New York,
and you came back having heard from multiple people about when it comes to hiring folks in our business, in cybersecurity,
this notion that we can't spend our way to security.
Fill us in here.
What did you hear?
I heard this a couple different ways. One, you can't spend your way to zero risk, and you also can't spend your way to complete security. You can't spend enough money to solve all of your problems with technology. And on the heels of that, I also heard a lot of conversations about issues around recruiting, that we can't spend our way out of the staffing deficit that we're going to be facing over the next couple of years, right? We're in a world now where every company is a technology company one way or another, and everyone is facing these deficits in resources and in budget, and you need to recruit effectively. You need to bring on people who can face these challenges, and the technical workforce just isn't going to grow rapidly enough over the next several years to account for that.

But I hear stories from HR folks and recruiting folks about people bouncing from place to place. They're given five-figure bonuses to jump back and forth. So while on the one side, I hear you that people say we can't do this, it seems from a practical matter lots of people still are.

And I think we'll see how that bears out over the next couple of years. I think one of the things that we're seeing a lot of is a desire to build solutions that are smart enough that you can staff with the resources that you have. We hear a lot about that. But I think one of the other things here is not just drawing on people who are coming out of computer science backgrounds. A lot of these considerations in recruiting, and this is something else that I heard people talking about this past week, is the diversity of thought in the workforce. So not just looking at having people in computer science being drawn into tech, but people from a variety of different backgrounds, whether you're talking about, you know, liberal arts or other parts of STEM, being able to bring those people in and kind of draw them in some of these more technical fields. We need that, right? That's something that we have where I work, which is really helpful. You have people solving problems from a variety of different backgrounds. And I think it's this idea that tech cannot be staffed by tech people alone.

And do you think that's actually happening? Do you think it's being paid more than just lip service?

I think it's hard to tell right now. I don't think it's as widespread as it could be, because it strikes me as the kind of thing that when I see it happening, I notice because it stands out. And so I think some companies are doing a good job of this. I think this is something that's being discussed in a lot of communities, and I think it's a little too early to know yet if we're drawing enough people in.

Yeah, it strikes me as something that I can understand a company being hesitant to do, because they could perceive the risk as being high. But then if you see the true benefits of having that diversity of thought, that it is a better way to solve problems, then I suspect you'd be all in with it.

Right. And I think there's a way to be reasonable about this, right? You obviously need to have someone who is qualified for the job that they are taking on. I'm not suggesting that you hire someone to be a software engineer who doesn't know how to code. But I think when you're looking at backgrounds, I think looking at skill sets as much as you look at familiarity with an industry, industries can be learned. Skills can be learned too, but not all of us in cybersecurity come from computer science backgrounds. A lot of us come from a lot of other fields, a lot of other experiences. I think being open to that in hiring is going to be a good move for a lot of companies.
Emily Wilson, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. [...] designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
My guest today is Priscilla Moriuchi.
She's the Director of Strategic Threat Development at Recorded Future
and co-author of their newly published research,
Chinese Government Alters Threat Database Records.
It takes a closer look at the CNNVD, the Chinese National Vulnerability Database,
and discovers Chinese government manipulation of data,
which could have an effect on security researchers.
We wanted to see which one was faster, which one was more comprehensive, you know, if there was any way, mainly for our customers, right, to get the most comprehensive view of which vulnerabilities, you know, could be covered and how fast we can do it. So, you know, we profiled the two databases and we found, you know, for example, that China's vulnerability database, or CNNVD, they're generally faster than the US NVD when it comes to publicizing and publishing vulnerabilities. Takes them on average about 13 days, and it takes the US NVD on average 33 days. There are also, like, almost 1,800 CVEs that were currently in CNNVD but were not in US NVD. So we kind of started there, and then we went and we decided to dig a little further into CNNVD data. So we kind of hypothesized that because CNNVD is so fast on average and US NVD is slower, that if we look at a group of CVEs where China is very slow but the US is very fast, that might give us insight into China's process.

And there's a component to this as well where the CNNVD is a component of the Ministry of State Security. Can you describe the background with that?

So they have a foreign intelligence, like a foreign human intelligence organization. But they also do, like, half of their mandate is domestic intelligence, right? Keeping an eye on their citizens and making sure that the party, Communist Party, can stay in power. Right. So the MSS, there hasn't been a lot sort of known on how the MSS works within China and within China's broad information security system. So when we were doing the research, this particular research, we were able to discover that the MSS actually runs China's national vulnerability database, which is sort of the equivalent to, in the US, the CIA running US NVD, which is not the case in the United States. Department of Homeland Security and the National Institute for Standards runs the US NVD. In China, the equivalent CIA, or the MSS, runs China's NVD. So that was kind of a disturbing trend in terms of the mission of NVDs. The mission, in our mind, the mission of NVDs is a public service mission, right, to put out information on vulnerabilities so that companies and individuals can protect their own networks. It's not perfect, of course. Nobody's perfect. But China really doesn't seem to take this public service mission very seriously when they have their primary intelligence service running their NVD.

Take us through the deeper digging, the lags and things like that.

So when we got that number originally, there were about 287 vulnerabilities that fell into that category. When we did a lot of research on those vulnerabilities, we found out that we had likely discovered what we call the threat evaluation process, where the MSS was using CNNVD to evaluate high-threat vulnerabilities for use in their own offensive operations. So, for example, a vulnerability would get discovered by CNNVD. We saw evidence of this process, a sort of evaluation process, and hiding these vulnerabilities from publication in the data that we saw.

So you all conclude that there's this lag going on with some of these vulnerabilities, come to these conclusions, and so in your mind that's a way to track which vulnerabilities China is interested in exploiting for their own use. And then it gets a little more interesting from there.

Yeah, so we kind of did that research, and we decided to take a look at it again last month to do kind of a six-month follow-through to see if anything had changed. So, you know, when we re-examined the data from the NVD side, for example, we saw that the U.S. NVD had gotten a little faster, right? So the average delay had dropped from 33 days to 27 days, which is good. NVD was also catching up on the backlog of unpublished CVEs. They had published almost a thousand CVEs in just a couple months of that backlog. So that was quite good. And then we sort of took a look at the CNNVD data and tried to just try to see what they had, you know, if anything had changed. And what we discovered was, we started looking at the initial publication dates for these outlier CVEs. And we realized that instead of trying to remove the MSS, or the influence of security services, over this transparency process, essentially they tried to cover it up by backdating the initial publication date of 99% of the CVEs that we identified. They've sort of, one, tacitly confirmed, right, that they're actually using CNNVD, you know, as a kind of experiment and testing ground, right, for vulnerabilities that they could find useful. They're trying to hide the evidence of this process, right, and we think limit the methods in which, you know, cybersecurity researchers and professionals can use to try and anticipate Chinese APT behavior.

So take us through why this matters. How does this affect security researchers?

For security researchers, it's going to be a little bit more difficult to anticipate, at least from the MSS and vulnerability side, you know, which vulnerabilities the MSS may be using. But, you know, I think more broadly, you know, we're sort of talking about a system. China's manipulation of their NVD data fits into this larger sort of MO, right, that they have, which is kind of data control, right, controlling the data of their own citizens, of foreign companies, right, within the country, and how that impacts, you know, foreigners and particularly Westerners, right, for those of us kind of who are listening here. It takes you back to some kind of research that we've done earlier on China's cybersecurity law, which is kind of like their information control law, and how that requires Western companies, for example, to submit to these reviews, right, that are run by the MSS, you know, of their technology. And we really see this data manipulation, right, by CNNVD as all part of this larger system of control that China is imposing not just on its own people but on anyone, any company, any entity, right, that does business or travels to China. So that's meaningful, you know, for all of us really, because we all use products from large multinational companies, right, products that, you know, have, store and use our data, for example. You know, and it could be a privacy concern for some people in the future. This is sort of just one thread of a larger story about how China's controlling of their information and manipulation of the domestic Chinese information environment, how it can affect sort of the whole world.

That's Priscilla Moriuchi from Recorded Future. There's an extended version of this interview on this week's Recorded Future podcast. You can check that out at recordedfuture.com slash podcast. And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, [...] measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to