CyberWire Daily - How were US agents in China compromised between 2010 and 2012? EternalBlue updates (including notes on WannaCry and EternalRock).

Episode Date: May 22, 2017

In today's podcast, the FBI and CIA are reported to be looking for the source of a compromise that shut down CIA agents in China between 2010 and 2012: hackers or moles, no one knows. Or was it just a... tradecraft mismatch? WannaCry has been slowed, at least temporarily. Observers speculate the ransomware may have been a probe. Other uses of EternalBlue exploits look more focused and more disciplined, and arguably more serious. WikiLeaks dumps another leaked implant. Johns Hopkins' Joe Carrigan gives us the VPN basics. And the ShadowBrokers are expected to open their Leak-of-the-Month Club in June (subscription only).

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The FBI and CIA are reported to be looking for the source of a compromise that shut down CIA agents in China between 2010 and 2012. Hackers or moles, no one knows. Or was it just a tradecraft mismatch?
Starting point is 00:02:09 WannaCry has been slowed, at least temporarily. Observers speculate the ransomware may have been a probe. Other uses of EternalBlue exploits look more focused and more disciplined and arguably more serious. And WikiLeaks dumps another leaked implant. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, May 22, 2017. The New York Times reported Saturday that Chinese counterespionage efforts from 2010 to 2012 rolled up CIA assets, agents recruited in China to collect information on that country, causing considerable damage
Starting point is 00:02:49 to U.S. intelligence efforts. It also had tragic consequences for those arrested, who were said to have been imprisoned and perhaps in some cases executed. This is an older case that's only now come to public light. The agents' identities were compromised in some fashion, but whether by careless tradecraft routines, a mole in the U.S. intelligence community, or successful hacking of U.S. clandestine communications or data is so far unknown. The compromise is being compared to the damage done by rogue CIA officer Aldrich Ames,
Starting point is 00:03:23 arrested in 1994 and convicted of spying for the KGB, and treasonous FBI Special Agent Robert Hanssen, arrested in 2001 and convicted of betraying U.S. agents to Russian intelligence services. In a more recent development, China's government has decided to put the brakes on new information security regulations its cyberspace administration was set to implement this coming month. The regulations would have imposed stringent security review and data sovereignty restrictions on companies doing business in China. The projected rules attracted a great deal of international resistance from industry groups.
Starting point is 00:04:01 The ultimate outcome is of course unknown, but at least in the short term, Chinese authorities have decided to listen to objections from some 50 organizations. Among those industry groups are the U.S. Chamber of Commerce and the Business Software Alliance. The WannaCry infestation slowed late last week, but there are signs of an attempted revival as botnets assail the domain that sinkholed the ransomware. Looking back at the WannaCry incident, Russian banks, Britain's National Health Service, and many, many Chinese users of unauthorized and unpatched Windows software seem to have been the most prominent victims. Preliminary and circumstantial attribution continues to
Starting point is 00:04:41 focus on North Korea. In a statement at the UN, Pyongyang dismissed the accusations as ridiculous, but of course we bet Pyongyang says that to all the boys and girls. The connection to North Korea runs through what investigators see as traces of Lazarus Group code in the campaign, the Lazarus Group of course being the North Korean state criminal threat actor thought to have been involved in the Bangladesh bank heist. Those skeptical about North Korean involvement point to the fact that the most severely affected countries were Russia and China, who seem on the face of it unlikely targets.
Starting point is 00:05:15 But relations between North Korea and Russia and China have cooled of late, and the WannaCry attack seems to have been indiscriminate more by mistake than design. There are reasons to suspect, however, that WannaCry may have been deliberately sloppy in its execution. Eric Schlesinger of security company Polaris Alpha this morning told the CyberWire that WannaCry might be considered a shot across the bow, a probe to determine how vulnerable enterprises were to known but unpatched vulnerabilities. Cyphort and other security researchers report that the EternalBlue exploits that enabled WannaCry are being used to distribute a remote-access Trojan.
Starting point is 00:05:55 The RAT appears to be establishing persistence in networks whence it could stage future operations. Unlike WannaCry, it's not ransomware and it's not a worm. It looks like espionage. There's also a WannaCry successor that uses seven of the tools dumped by the Shadow Brokers. The Croatian government's CERT has been observing and describing it. They call it EternalRocks. It can be readily weaponized not only with ransomware, but with a variety of RATs as well. We heard from Plixer's Michael Patterson, who sees the incident as the opening gun in a race between hackers and sysadmins, the admins needing to patch the SMB file-sharing protocol before the
Starting point is 00:06:35 hackers can infect systems. Patterson says, quote, once a device is infected, applying a subsequent patch does not remove the malware. The most effective way for security teams to monitor There is some good news on WannaCry, however. It's been reverse-engineered, and decryptors are now available from several sources. Malwarebytes has posted instructions on how to use them. There are other variants of ransomware out that are unrelated to WannaCry. X-Data, a new strain of ransomware, hit Ukraine hard over the weekend, with signs of preliminary infections spreading to Estonian and German targets. And finally, where WikiLeaks and the Shadow Brokers get the material they're leaking remains an open question.
Starting point is 00:07:37 WikiLeaks continues to disgorge the contents of its Vault 7 with another document dump late Friday. This latest tranche continues WikiLeaks' recent concentration on alleged CIA tools, in this case an implant, Athena, said to be capable of infecting Windows systems from XP to Windows 10. WikiLeaks' Julian Assange may be out from under the shadow of Swedish criminal law, but the Americans continue to be interested in him, and so Mr. Assange can be expected to maintain his residence in Ecuador's embassy to the United Kingdom.
Starting point is 00:08:10 British police still have an eye on him, although a somewhat less focused eye now that Sweden has dropped its intentions to prosecute. For their own part, the Shadow Brokers still plan to open their Leak of the Month club to subscribers beginning in June. They're selling still what they claim are Equation Group, that is, alleged NSA, tools. Their most recent dump included the EternalBlue exploits used with significant, albeit ineptly executed, effect last week. The brokers themselves say they are not interested in stealing the grandmother's retirement money, but in doing battle with the Equation Group.
Starting point is 00:08:45 So for a price, you can subscribe to the club. We'll leave you with two good words. Caveat emptor. Buyer beware. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:09:18 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:10:08 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself.
Starting point is 00:10:53 Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions
Starting point is 00:11:22 designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, with the recent story about the FCC rolling back privacy rules when it comes to ISPs,
Starting point is 00:12:03 this has really brought the subject of VPNs to the fore. I thought maybe we'd just talk about some basics. It's nice to cover some of these things to start from the beginning. Sure. Just what is a VPN and why should you be using one? Okay, so VPN stands for Virtual Private Network. And basically what it is, it's an encrypted tunnel between your machine. It can actually be between any two points on the internet. In the case of most commercial VPNs that users are going to use,
Starting point is 00:12:33 it's a piece of software you install on your machine that then takes all of your network connection and encrypts it and sends it to one location on a provider's site. So the VPN provider's site. The VPN provider's site, right? And it's not really a site. Well, I mean, when you say site, I think website. But it's a computer that has a server that listens for your VPN connection, authenticates you as a valid user of the system.
Starting point is 00:12:58 And then all of your traffic is routed through their network. So it comes out of their network from wherever they want it to. And some of these VPNs, the one I use, I actually do pay for a VPN to use for my purposes. And on my home computer, it's on all the time. As a matter of practice, I keep it on all the time. And so it's just running. You don't even notice that it's there. I don't even notice that it's there. Exactly. And what does this do for you in terms of privacy and security? So in the case of what just happened with the change of the rules, now my ISP is Verizon. Now when Verizon watches my traffic, they don't see anything other than encrypted traffic
Starting point is 00:13:38 from my computer to the VPN site. That's all they ever see coming out of my computer. So they can't tell where you're going, what you're visiting. They just don't know what you're up to. They don't know what I'm up to. And that means they can't gather marketing information on me and other things. I'm not saying that Verizon is going to do this or any other ISP, although now that they can do it, I would not be the least bit surprised if they monetize that. Sure. And if you're someone who's interested in privacy, a few bucks a month seems like a decent investment to make. Yeah. The one I pay for costs me less than $40 a year. And just to have the level of security that
Starting point is 00:14:15 I think it provides, I enjoy it. I think it's a good value. All right. Interesting stuff as always. Joe Carrigan, thanks for joining us. My pleasure, Dave. And now a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Thank you. Protect your executives and their families 24-7, 365 with BlackCloak. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
Starting point is 00:15:37 Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
