CyberWire Daily - ECB sustains an intrusion into a third-party-hosted service. Norman quietly mines Monero. MetaMorph appears in a stealthy phishing campaign. Information operations.
Episode Date: August 16, 2019
The European Central Bank shutters a service due to a hostile intrusion. Norman quietly mines Monero. MetaMorph passes through email security filters. Some Capital One insiders thought they saw trouble brewing. Instagram crowd-sources epistemology. Deep fakes are well and good, but the will to believe probably gets along just fine with shallow fakes. US Cyber Command posts North Korea's ELECTRICFISH malware to VirusTotal. Johannes Ullrich from the SANS Technology Institute on IP fragmentation in operating systems. Guest is John Smith from ExtraHop on the aftermath of an insurance claim.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The European Central Bank shutters a service due to a hostile intrusion.
Norman quietly mines Monero.
MetaMorph passes through email security filters.
Some Capital One insiders thought they saw trouble brewing.
Instagram crowdsources epistemology.
Deep fakes are well and good,
but the will to believe probably gets along just fine with shallow fakes.
And U.S. Cyber Command posts North Korea's ELECTRICFISH malware to VirusTotal.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 16th, 2019.
The European Central Bank closed down one of its websites yesterday after sustaining an unspecified cyber attack on the bank's integrated reporting system. It's called BIRD. Reuters reports that the ECB says no market-sensitive data were compromised, but that email addresses, names, and titles of BIRD newsletter subscribers may have been taken. BIRD is used to give bankers information on the production of statistical and supervisory reports. The server for BIRD is hosted by a third party. The ECB says none of its own systems fell victim to the attack. The bank is in the process of notifying affected customers of the incident.
The Norman crypto miner, tracked by Varonis, is said to be showing some unusual evasiveness. Its dynamic link library arrives with the Agile obfuscator. Once Norman is in, the malware also injects an obfuscated miner into an appropriate application along its execution path. Should a user suspect that something's amiss and open Task Manager to see what's up, Norman stops mining. Once the user's suspicions are allayed and Task Manager is closed, Norman goes back to work, piling up the Monero.
Security firm Avanan is also warning of a relatively evasive kind of attack. They call this one MetaMorph, and it's turning up in a phishing campaign that mimics Microsoft voicemail notifications. Avanan says the link the phishing presents will take the unwary to a credential harvesting site. The evasion that has passed MetaMorph through the link parsers in Microsoft Office 365 is the use of meta refresh to redirect the victim from the locally hosted HTML attachment to a phishing page out in the wild, wild internet.

Avanan offers two recommendations. First, be suspicious of any email that contains an HTML or .htm attachment. And second, admins might consider treating HTML attachments the way they treat executables.
The Wall Street Journal reports that employees at Capital One expressed concern over what they saw as high turnover among the bank's cybersecurity unit. There are reports that a third of the cybersecurity staff left in 2018. The unit was responsible for threat hunting, firewall configuration, and similar security tasks. Even given the turnover, Capital One points out that total cybersecurity headcount actually increased over that period. Nonetheless, insiders complained of a poor organizational climate, lax security oversight, and slow deployment of security tools.

Capital One has long enjoyed a reputation as a technologically savvy organization, sometimes described as a tech company with a bank, as opposed to a bank with a serious commitment to technology. Approximately five years ago, the bank began its migration to the cloud. Some observers think that migration and Capital One's tech-friendly culture paradoxically made the enterprise more difficult to secure. Many of the bank's personnel were empowered to make tech decisions, and that decentralization may have left the bank open to the sort of misconfiguration allegedly exploited by accused hacker Paige Thompson, who went by the hacker name Erratic, to compromise its data.
I want to take a quick moment to tell you about an exciting CyberWire event. It's our sixth annual Women in Cybersecurity reception. It's taking place October 24th at the International Spy Museum's new facility at L'Enfant Plaza in Washington, D.C. The Women in Cybersecurity reception highlights and celebrates the value and successes of women in the cybersecurity industry. The focus of the event is networking, and it brings together leaders from the private sector, academia, and government from across the region and women at various points in their careers. The reception also provides a forum for women seeking cybersecurity careers to connect with the technical and business professionals who are shaping the future of our industry. It's not a marketing event. It's just about creating connections.

We're grateful to our sponsors. Here are some of them. During the event, guests will have opportunities to hear perspectives on diversity from our industry from this year's presenting sponsor, KnowBe4. Our 2019 platinum sponsors include Cooley. This year's gold sponsors include T. Rowe Price, CyberArk, FTI Consulting, Saul Ewing, Arnstein & Lehr, ObserveIT, and Synack. And if your company is interested in supporting this important event, we still have a few sponsorship opportunities available. And if you're interested in an invitation to the event, tell us a little bit about yourself and request one at our website, thecyberwire.com/WCS. That's thecyberwire.com/WCS. We look forward to hearing from you, and we hope to see you there.
Instagram is introducing a feature that would permit users to flag information they believe to be false. Reuters has an account of the tool, which appears to be an interim gesture in the direction of controlling fake news. It's not entirely clear that this sort of crowdsourcing will readily get to ground truth, which of course may not necessarily be the same thing as community consensus. Perhaps this represents an attempt to move toward John Stuart Mill's marketplace of ideas, but then Instagram isn't really the sort of ideal or rational market that one might hope would converge on truth. In that light, it will also be interesting to see how the tool fares in countering the Russian and other disinformation operations it's presumably intended to fend off. The Russian approach, which has aimed at disruption, might not be affected to any noticeable degree at all. If you're simply aiming at widening fissures in a targeted civil society by amplifying the more extreme and ultra voices, haven't Instagram and other social media famously served as echo chambers for the like-minded? In any case, we shall see.
The other concern that's been surfacing recently has been the potential for deep fakes to influence public opinion. Axios argues this week that this particular threat has been much exaggerated. For one thing, they point to claims by ZeroFox that it can now reliably detect manipulated imagery. For another, Axios notes that those who wish to be deceived will deceive themselves come what may. Such ploys as Stalin's airbrushing of unpersons from official photographs did the job back in the 1930s, and they can do so again. With respect to influence operations, it's hard to escape the conclusion that, as Pogo Possum said a half century ago, we have met the enemy and he is us.
U.S. Cyber Command has posted ELECTRICFISH malware from North Korea's APT38 threat group to VirusTotal. FireEye has reported that APT38 is heavily involved in state-directed financial crime. Its activities overlap those of the Lazarus Group. Many of you are no doubt aware that Cyber Command has a Twitter feed dedicated to telling followers when it's posted something to VirusTotal. Just search for USCYBERCOM Malware Alert on Twitter. They've got the blue checkmark and everything.
And joining me once again is Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute. And he's also the host of the ISC StormCast podcast. Johannes, it's always great to have you back. We wanted to touch today on some stuff that you've been tracking when it comes to the fragmentation of IP within operating systems. What are we talking about here?
IP fragmentation is, well, as old as IP itself. The problem you have with packet-based networking is that not all networks support the same packet size. So as packets traverse the internet, they may hit a network segment that has a smaller maximum packet size, also called the maximum transmission unit or MTU. And routers then need to essentially split up packets into small fragments. This process has always been problematic. And particularly the way the standards, the RFCs, were written for IP, it specifically required receiving hosts to deal with some odd fragments. Like, for example, if you receive two fragments that overlap, then it's not really clear: is the first or the second copy of the packet going to get used? One part of the network that particularly had issues with this was intrusion detection systems. Intrusion detection systems have to understand how a particular recipient will deal with the traffic. And a lot of papers have been written about how different operating systems are actually dealing with some of these ambiguities that can show up when we're dealing with fragmentation.
Then even though this problem is pretty old, like I said, as old as IP, so about 30 or so years old, it still keeps coming up. Just last year, we had a big denial of service vulnerability in Linux, as well as in Windows, dealing with fragments. FragmentSmack was the name there. In response, a couple of the operators like Linux and Windows, they stated that they're going to actually change how they're dealing with fragments. So I went back and looked at some of these operating systems to really sort of map out: is what we sort of assume still true?

And what did you discover?

I discovered, for example, one thing that surprised me a little bit: that Windows will not accept overlapping fragments at all anymore. And this is going back to Windows XP Service Pack 3. That's the oldest I could easily set up there. It was sort of known for the newer versions of Windows, but I was kind of surprised that even these old versions of Windows, they don't accept overlapping fragments anymore. That actually is important because now you have to make sure that you're telling your intrusion detection system that this is how Windows is reacting. Otherwise, your intrusion detection system may actually consider packets as valid that your operating system will drop.

So folks may be running under outdated information.

Correct. Folks may be using outdated information. The same is true somewhat for Linux. Now, at this point, Linux is still accepting overlapping fragments. So that's still true. That still works. But Linux announced that they will actually also start dropping them in the near future. I believe some of the more recent kernels that haven't sort of made it into the current distributions yet already drop overlapping fragments.

So in terms of being proactive and getting ahead of these changes, what are your recommendations?

Actually, I would go even further. I would tell my firewall to drop fragments. One thing in modern IP stacks is that they are actually pretty good at avoiding fragmentation. The only system in your network that you should still see fragments at all is your DNS server. So give it a try and see what happens if you just drop all fragments in your firewall and just put in an exception for a DNS server if you're running one.

And is there any fallout that could happen there?

Well, there's always an odd chance that you have some interesting protocols that would get blocked by this. As a preliminary thing, you could maybe just log all the fragments and see if anything shows up in your logs. I tried a couple of networks. I talked to a couple of people that install firewalls in large networks, and they pretty much confirmed it's actually safe at this point to just drop fragments.
All right. Well, Johannes Ullrich, thanks for joining us.
My guest today is John Smith. He's a principal sales engineer at ExtraHop. Our conversation was sparked by the recent news that Mondelez, a company that owns the Oreo and Cadbury brands, is suing its insurance company for refusing to pay out damages caused by the NotPetya attack. The insurance company, Zurich, refuses to pay out the policy, stating that there's an exclusion for a hostile or warlike action by a government.
It's interesting. I first got interested in cyber insurance back in 2014 when a company called Schnucks was actually sued by their umbrella policy. And I kind of saw early on that there was going to be some friction with the insurance company when they started offering cyber insurance. They wanted to kind of move that out of the umbrella policy and offer that as a separate rider. Obviously, the Cadbury lawsuit that stemmed from that is part of where I saw maybe there being some friction, where they weren't quite fully underwriting this in the same way. They were underwriting it more as a hazard insurance, right, like flood insurance or hurricane insurance. I live in Florida, so both of those are relevant. Versus something that is inevitable, right? I mean, I have life insurance, and you know it is inevitable that I won't be on this earth forever, and sooner or later they're going to have to pay. But part of that underwriting was I had to get on a scale, a nurse came, and I had to take a physical. We don't really do that with cyber insurance. So I think what I saw was an issue where maybe the industry didn't have a full understanding of the risks that they were undertaking. It really isn't something that is a hazard; it is more something that is an inevitability. And maybe there was going to be some changes. And obviously, the pending friction with the myriad of both Merck and the Cadbury lawsuit, both of those have a lot of friction and will be settled in the courts. And so I kind of saw that there were some opportunities there to maybe reassess how you talk to customers, basically kind of have an understanding of where underwriting is maybe not fully understanding what they're getting themselves into.

So where do you suppose we find ourselves today? If I'm an organization that wants to go out and buy an insurance policy as part of the spectrum of tools I want to use to protect myself, what am I going to encounter?
You need to have an understanding of at least what are the outcomes you need in order for them to pay out, right? If you look at where they're basically saying the recent breach was an act of war, an act of war is becoming a common tool that insurance companies are using to basically limit their risk and liability for a breach. You have to assume that there will be collateral damage in any state-sponsored cyber warfare campaign, right? If you look at the U.S. military, they sort of cordon off, or they organize their theaters by commands. There's NORTHCOM, AFRICOM, SOUTHCOM. CYBERCOM is a global command, if that makes sense, right? So, if you look at the U.S. and Ukraine, we are, I googled it, 5,687 miles away from Ukraine. And while you might be 5,000 plus miles away from a conflict, if it's a cyber conflict, in most cases you are digitally fractions of a second away from that conflict. If you have a public IP address, you're basically in theater. So you have to understand exactly what risks you're going to take in terms of what get-out-of-jail-free cards are there for the insurance company. I don't know if I'm using the right term, but you have to understand what are the things that can nullify your policy, right? And you need to understand that we live in this world where, if it's a digital conflict, if you have a public IP address, you are in theater and you definitely run the risk of collateral damage in a way that physical confrontations don't.
...that the unlikely happened in Canada found themselves at war with Mexico. And, you know, Mexico was flying a plane over the U.S. heading towards Canada and accidentally dropped a bomb on someone in the U.S. Well, I suppose the insurance company could say you're not covered by that because that was an act of war, even though the U.S. wasn't an active member of that war.

Absolutely. And in the world of TCP/IP, right, in the digital cyberspace, everyone is in theater. That's why, again, that's why the U.S. sort of isolates that as a single command, because it is a global conflict. Like I said, in general, you are faster than you can blink in terms of how fast it takes for communications to get to you. So you're always in the blast zone when you're on the public Internet. And so you have to have that understanding when you negotiate your policy with your insurance company.
It also strikes me that it seems as though some organizations, they kind of try to have their cake and eat it too. And what I mean is this: they will say, perhaps just from a PR point of view, they'll say, well, we got attacked and the data was breached and we believe this was a nation state. And so, goodness gracious, there's nothing we could have done about that because it was a nation state. But I suppose that opens them up with their insurance company for the insurance company to say, well, okay, if that was a nation state, then, you know, act of war, we're not covering you.

I agree. In fact, we're probably going to have to wait for the courts to settle this and determine at least how that's liable. Either way, right, one of two things I think will happen, and I'm not a legal expert or an insurance expert, but what I will say is that if the insured prevail, then you're going to see tougher policies and you're going to see something a little more consistent with the underwriting of health care. You know, for me, take, for instance, I was a little heavy and my blood pressure was a little high and I paid a little bit more. Now I made some lifestyle changes and now I'm paying less. And I think you're going to see the act and the practice of underwriting cyber policies is going to evolve drastically to one that both incentivizes the insured, but at the same time also gives some assurances for the company that's on the hook, basically that they're doing all they can to prevent the breach, right? If I'm a race car driver, or I like skydiving, or if I build my house on the beach in the Caribbean, my homeowner's insurance is going to be much more expensive. And obviously my health and life insurance runs the risk of being more expensive. So I think what's going to happen is those two, the insured and the insurers, how they work with one another is going to evolve over time.
That's John Smith from ExtraHop.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe.

Thanks for listening. We'll see you back here tomorrow.