CyberWire Daily - Home router vulnerabilities exploited in the wild. ACSC warns of a spike in LockBit. Flytrap Android Trojan is out. SCADA recon. Child protection. Wiretaps and social media.

Episode Date: August 9, 2021

Home router vulnerabilities exploited in the wild. ACSC warns of a spike in LockBit ransomware attacks. The Flytrap Android Trojan is still concealed in malicious apps. An unidentified threat actor has been prospecting SCADA systems in Southeast Asia. Rick Howard checks in with the Hash Table about backups. Mike Benjamin from Black Lotus Labs on watering hole attacks. Apple's new child protection measures attract skepticism from privacy hawks. Wiretaps extended to social media. And using three random words for your password. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/152 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Home router vulnerabilities exploited in the wild. ACSC warns of a spike in LockBit ransomware attacks. The Flytrap Android Trojan is still concealed in malicious apps. An unidentified threat actor has been prospecting SCADA systems in Southeast Asia.
Starting point is 00:02:17 Rick Howard checks in with the Hash Table about backups. Mike Benjamin from Black Lotus Labs on watering hole attacks. Apple's new child protection measures attract skepticism from privacy hawks. Wiretaps extended to social media. And using three random words for your password. From the CyberWire studios at DataTribe, I'm Elliot Peltzman, in for Dave, with your CyberWire summary for Monday, August 9th, 2021. Bad Packets has observed active scanning for vulnerabilities in Arcadyan Buffalo routers.
Starting point is 00:03:09 The flaws, discovered and disclosed by Tenable, could allow unauthorized remote actors to bypass authentication. Juniper Networks has confirmed that the vulnerabilities are in fact being exploited in the wild. Juniper also draws some lessons from the incident. Quote, it is clear that threat actors keep an eye on all disclosed vulnerabilities. Whenever an exploit POC is published, it often takes them very little time to integrate it into their platform and launch attacks. Most organizations do not have policies to patch within a few days, taking sometimes weeks to react. But in the case of IoT devices or home gateways, the situation is much worse as most users are not tech-savvy,
Starting point is 00:04:00 and even those who are do not get informed about potential vulnerabilities and patches to apply. The Australian Cyber Security Centre, ACSC, warns of a coming spike in LockBit 2.0 ransomware and offers recommendations on mitigating risk. LockBit is an affiliate program offered through Russophone criminal markets. It's known for using double extortion. LockBit's ads on criminal-to-criminal fora provide some suggestions as to how they're likely to operate. They've sought partnerships with other criminals who might offer credential-based access to remote desktop protocol or virtual private network solutions. They've also shown an interest in recruiting Cobalt Strike and Metasploit jockeys. The ACSC says that the sectors affected so far have been professional services, construction, manufacturing, retail, and food, but the centre sensibly points out that any
Starting point is 00:04:54 sector is, in principle, vulnerable to ransomware, and that no one should take the earlier targeting patterns as a reason to drop their guard. Zimperium describes an emergent Android Trojan, Flytrap, active since March in at least 140 countries. Believed to be the work of a Vietnamese gang, Flytrap works through infected apps. The malicious apps were initially distributed through Google Play, but were ejected from that store after their detection. They're now distributed in third-party stores, where the bait involves such things as coupon offers and opportunities for fans to vote in sports polls. Once installed, Flytrap hijacks victims' Facebook accounts. And once a Facebook account is compromised, it can use that account to spread the Trojan
Starting point is 00:05:44 to other connected users by suggesting they visit the malicious links. Symantec last week described a campaign against infrastructure targets in Southeast Asia that ran from November through March. The unnamed country was prospected by what appeared (the evidence is circumstantial, and Symantec stopped short of an unambiguous attribution) to be a Chinese intelligence collection and reconnaissance effort, which saw intrusions into water, power, communication, and defense companies. The threat actor seemed interested in SCADA systems. It was also successful at living off the land, using legitimate services in its operations and in keeping a low, and hence difficult to detect, profile.
Starting point is 00:06:30 Symantec's conclusion reads in part, infrastructure by compromising multiple critical infrastructure organizations, including a defense organization, could deliver a lot of valuable intelligence into the hands of adversaries. The Colonial Pipeline attack in the U.S. in May 2021 showed the serious repercussions attacks on critical infrastructure can have, and this campaign makes it clear that it is not just U.S. infrastructure that is under threat from malicious actors. End quote. It's also worth noting that this sort of collection is also consistent with the reconnaissance necessary for battlespace preparation. Apple has announced child protection features that have aroused suspicion among privacy advocates. The measures involve,
Starting point is 00:07:26 among other things, scanning iCloud content for objectionable imagery. Some critics see a slippery slope to intrusive surveillance of users. Others see Apple as having taken some careful steps toward protection against child exploitation. We'll have more on Apple's changes and the reaction to them in this afternoon's Pro Privacy Briefing. The Baltimore Sun reports that police in Harford County, Maryland, in the course of a drug trafficking investigation last year, sought and obtained a warrant to listen to the suspect's phone conversations. That's ordinary enough, but as the Sun observes,
Starting point is 00:08:07 the authorities also had the warrant extended to cover communications over Facebook. The interception works only when end-to-end encryption isn't enabled. This is expected to become more common as people increasingly rely on social media for communication. Aaron Mackey, a senior staff attorney for the Electronic Frontier Foundation, told The Sun, I think there's a reality that when you have a system that allows for users to create content to message others, it will be a valuable source of investigative leads for law enforcement. What this sounds like to me is use of existing law to access communications. It is perhaps novel that they have
Starting point is 00:08:46 deployed it in this particular context, and law enforcement is realizing that they have this capability. End quote. And finally, looking for a complicated, hard-to-remember password? Are you substituting certain characters for letters, like a zero for the letter O, or an exclamation mark for the letter I? Most of us do. It's a way of meeting the kind of complexity criteria many sites and services now require. The character substitutions are a way of making something complex that you still have a chance of remembering. Britain's National Cyber Security Centre, however, recommends using three random words instead. The various bad actors who seek to compromise your passwords are as wise to
Starting point is 00:09:32 the character substitution as you are, and they've tailored their attacks to account for it. Could they guess the three random words too? Sure, but that's a different and arguably more complex process. The NCSC writes, quote, meters. None of this is helped by long-standing and poor advice that passwords have to be memorized, and storing them in any way, either in a password manager, a browser, or on a piece of paper, is risky. End quote. Is there a chance someone could access your storage place? Sure, the NCSC acknowledges in a footnote. Take writing it down, for example. If it's on a Post-it note that's going to wind up in the vain selfie you take, then consider it discovered.
Starting point is 00:10:35 But they think the risk is lower than the risk of using the same password everywhere. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:11:18 They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:12:16 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And it is my pleasure to welcome back to the show, the CyberWire's Chief Security Officer and Chief Analyst, Rick Howard. Hello, Rick. Hey, Dave. How's it going? Not bad, not bad. So for this season of CSO Perspectives, you've been talking about resiliency as a first principle strategy and the key and essential tactics that we all need in place to have a strong resiliency program. Now, you did a deep dive on encryption in the first two episodes, and you're winding up two episodes on enterprise backup programs. Our listeners will remember our sob stories.
Starting point is 00:13:15 Sob stories. Yes, yes. But this week, you are talking to a couple of our Hashtable members. I'm curious, anything surprising coming out of those conversations? Always, David. Always. Okay. The Hashtable members are security executives and former security executives who have all been in the InfoSec trenches for years now, and they have the scars on their backs to prove it. And I love those discussions. They have a way to bring me back down to earth when I say stupid things like, you know, all you need to do to protect against ransomware
Starting point is 00:13:52 is encrypt everything and back up everything, as if those two actions were the easiest things in the world to do. You know, it's kind of like when I go home on vacation to visit my mom, and I'm thinking, you know, I'm this big, fancy-pants security executive, you know, important. And she says, yes, dear, you're very important, but if you want to eat dinner, take the trash out. You know, so you can always count on mom to bring you back home to reality. Oh, absolutely. Absolutely. Well, what sort of words of wisdom did you get from the Hashtable members this week? So we had Jerry Archer, the Sallie Mae CSO, and Jacqueline Miller, the NTT CISO. They came to visit at the Hash Table. And let me tell you, these two are very smart and both help their organizations run robust resiliency programs. The big takeaway I got out of those discussions is that resiliency in the form of encryption and
Starting point is 00:14:43 backup programs, you know, it's a team sport. There's no CISO that I know of that is the king of the kingdom and can just say, go forth and implement encryption and backups under my authority. You know, it doesn't work that way. Disaster recovery and business continuity planning and execution touches every business unit. And then once you get everybody on the same page about the plan, testing those schemes and keeping the other company executives in the loop about decision points in a crisis, that's a full-time job that never ends. Yeah, absolutely. All right. Well, do check it out. It is part of CSO Perspectives and that is over on CyberWire Pro. You can learn all about that on our website, thecyberwire.com. Rick Howard, thanks for joining us.
Starting point is 00:15:30 Thank you, sir. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Mike Benjamin.
Starting point is 00:16:34 He's Vice President of Security and Head of Black Lotus Labs at Lumen Technologies. Mike, I wanted to check in with you on some work that I know you and your team are doing when it comes to router hacktivism. What can you share with us today? Yeah, so back in the May timeframe, we saw an actor go into a number of devices and replace their configuration with a text file. We thought at first glance that the attacker was breaking in in order to do something nefarious with the configuration, reroute traffic, do things we see when people typically attack routers. But in this case, the text file was literally text. It was writing. And so the person who took this action was releasing a manifesto, so to speak, and overwriting the configuration with their view on the world, so to speak. And as you might imagine, when you replace a router configuration
Starting point is 00:17:32 that has certain syntax with just blobs of text, it's not particularly good for the router. That was my next question. So please, what happens next? Well, as the router tries to interpret the configuration, you might think that it puts us in a position where it would just fail syntax. But the actor actually replaced the configuration. And so in this case, the router had no configuration and it would cease to operate. It didn't have any of its IP addresses, its interfaces, all the things that you need in order to allow routing were all gone. And so the device was no longer serving its purpose.
Starting point is 00:18:12 And whatever its purpose was, was now causing an outage. Wow. How broad was this? How many organizations got hit this way? We saw in a range of about 100 organizations hit by it. And the good news is that it's only 100. Obviously, if you were one of those 100, that wouldn't have been a particularly good day for you. But really, it's an ode to the fact that the way the actors attacked had been cleaned up over the last couple of years. So they abused something called the Smart Install protocol. That's a default
Starting point is 00:18:41 configuration in certain classes of equipment. And as we think about making technology easier to use, of course, zero-touch provisioning and plugging things into a LAN and having them just auto light up and auto register themselves is where a lot of technology has gone. Unfortunately, some folks in a misconfiguration still leave that exposed to the internet. So when you have a device that's made for simplicity of install and you leave it plugged into the open internet, you're asking for trouble. And so this particular actor was able to access what was meant to be sort of a plug-and-play protocol remotely and just walk right in and take control of the devices.
Starting point is 00:19:23 I see. So in a perfect world, the folks who had these devices, they would have locked out these capabilities from being remotely accessed. Absolutely. So this is not dissimilar to the lessons that we would tell a consumer around SSDP or UPnP protocols. These things are really handy inside of a closed environment where it's just you as a network administrator, your business, or whether you're a home user. When you have those protocols, don't expose them to the internet. Keep them locked down. And really, it sort of relates
Starting point is 00:19:57 back to that overarching philosophy we should all have in information security, which is to minimize the attack surface. And so if this protocol shouldn't have been allowed out, there should have not been an ability for it to get out. Just a default deny on some of those outbound exposed services, a default way to make sure that those things don't get out on the internet, because we're all human beings. We're all going to forget a step when we do things from time to time. So making sure those defaults are there so that it can't happen in the first place is really important.
Starting point is 00:20:29 Yeah, it strikes me too. I mean, wouldn't a router be something that would typically have a more, I don't know, a gentle way of going into some sort of fail-safe mode? The particular devices probably are more accurately described as switches. And so while modern switches all are capable of being routers, because a lot of us find reasons for running them that way, they weren't intended to be WAN routers. They weren't intended to be exposed at the edge of an infrastructure. And that's really where that sort of default would come into play. I see. So in terms of lessons learned here, any broad advice for the folks out there? Well, number one, I think really make sure that you understand the technology you're deploying.
Starting point is 00:21:13 Make sure that you understand what might be exposed to set those defaults within an environment. Default policy is something that can save your bacon, so to speak, when you deploy things that maybe you miss or maybe you don't fully understand. And then lastly, pay attention to news like this when things occur and make sure you double check your policies and your infrastructure. We still see a huge volume of devices. Over 18,000 are still exposed out on the internet to this particular vector. And we need those folks to continue to be cleaning it up, continuing to be paying attention. Otherwise, this inevitably will happen to them as well. All right. Oh boy, what an interesting story. Mike Benjamin, thanks for joining us.
Starting point is 00:22:02 Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
Starting point is 00:22:46 sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Trey Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
Starting point is 00:23:17 John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Elliot Peltzman filling in for Dave Bittner. Thanks for listening. Thank you. uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
