CyberWire Daily - Influence operations. A new Mirai version is potentially more dangerous than the old one. Proofs of concept. New York's cyber security regulations for banks. What Verizon will get from Yahoo!
Episode Date: February 22, 2017
In today's podcast, we hear from Paris that Moscow's not welcome in upcoming French elections. A new version of Mirai is out, spreading through Windows systems. Researchers warn of FTP protocol injection vulnerabilities in Python and Java. A new JavaScript exploit may affect Internet Explorer. New York State's new financial sector cyber regulations take effect next Wednesday. The Johns Hopkins University's Joe Carrigan reviews privacy tools from the EFF. Mark Dufresne from Endgame explains fileless attacks. A quick glance back at RSA, and some analysts' thoughts on why Verizon still wants Yahoo!'s assets.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Paris says Moscow's not welcome in its elections.
A new version of Mirai is out, spreading through Windows systems.
Researchers warn of FTP protocol injection vulnerabilities in Python and Java.
A new JavaScript exploit may affect Internet Explorer.
New York State's new financial sector cyber regulations take effect next Wednesday.
A look at fileless attacks, and a quick glance back at RSA,
and some analysts' thoughts on why Verizon still wants Yahoo's assets.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, February 22, 2017.
As U.S. investigation of Russian attempts at influence operations during the last election cycle proceeds,
France warns Moscow to stay out of upcoming French elections.
There are concerns that Russia Today and Sputnik in particular are peddling scandalous disinformation about disfavored candidates, mostly candidates of the center-right.
Kaspersky Lab researchers are tracking an evolved Windows-based botnet that's spreading Mirai malware. The emerging Mirai variant under examination also seems able to migrate to Linux systems. Kaspersky concludes from an inspection of the code that the person or persons behind it are more sophisticated than Mirai's original author. Recall that Mirai's source code was released last year, which suggests that such refinement and propagation was probably effectively inevitable.
Kaspersky speculates that the actor researchers call a muck spreader probably has some large-scale attacks in view,
although it's also worth remembering in this context the widespread concern last November
that the original Mirai was a dress rehearsal for a massive state-directed Internet takedown.
The muck spreaders are thought in this latest version to be Chinese,
or at least Chinese-speaking.
The code was compiled on a Chinese system,
host servers appear to be in Taiwan,
and the controllers are abusing code-signing certificates
stolen from Chinese companies.
Infections have so far been limited, but researchers think the countries most likely to be hit with bigger waves of Mirai are, quote, emerging markets that have invested heavily in connected technology, end quote.
Researchers report unpatched FTP protocol injection vulnerabilities in Java and Python.
The Russian security company Onsek described the technique in 2014,
but their warning attracted little attention.
Researchers at Blindspot Security have recently gotten people's attention by demonstrating that FTP protocol injection can be used to bypass firewalls. They've tested it successfully, they say, against firewalls from Cisco and Palo Alto Networks, but they suspect it would work equally well against any number of other Linux-based firewalls. Blindspot told Bleeping Computer they disclosed the exploit to the Python team in January 2016 and to Oracle last November, but that no patches have yet been distributed.
Another report in Bleeping Computer offers notes on Internet Explorer 11's susceptibility
to an unstoppable JavaScript attack that enables ad fraud and tech support scams.
It's also said to render systems vulnerable to various zero days.
The more serious issue is that the browser can be made to execute JavaScript
to do, well, basically whatever the attacker wanted.
A trend we've been tracking is the growth of fileless attacks
as a way for adversaries to gain access and escape detection.
Mark Dufresne is director of threat research and adversary prevention at Endgame,
and we asked him for an overview of fileless attacks.
Traditional security tools are largely file-centric in their detection, so they look for files written to disk, files that are executing, what's backing a process, and scanning that file. Adversaries know that. And so it's quite interesting and much easier for them to evade defenses if they're running only in memory. And that is largely because memory, I think of it as a very permissive environment for attackers these days, because it's very, very challenging to do memory forensics at scale. You know, a lot of people just pick a few critical systems and maybe once a quarter we'll take a full memory image of those systems and do offline forensic analysis, which means combing through and searching through many gigs of RAM, which is a very kind of niche skill that it's just hard.

There's really two aspects to this problem. One aspect of this is how do they hide in memory? And that's done typically by process injection, which means running your code in the memory space of another process. It's a technique that's been around for a really long time, a tried and true thing that adversaries do. Using tools, there are tools like PowerShell and things of that nature, which are commonly used admin tools that are very powerful and allow you to just go actually take, skip that whole file-based step and just do process injection into a running process using just PowerShell, which is an admin tool on everybody's box. And so what you're able to do at that point is skip that whole file-based detection step if you're able to successfully inject, and then you're running in memory in a way that's very difficult for traditional tools to detect. And so we're seeing a massive explosion in the number of actors doing exactly that, or maybe having like a hybrid approach where they might drop like an initial file on disk, but then everything else happens only in memory.

And at that point, once they're in memory, is your best hope scanning for exfiltration?

Yeah. I mean, that's how – so some tools that are out there, they'll attempt to detect that process injection step by looking at a whole bunch of events created on endpoints and having rules for saying, hey, if these five things happen, a process injection might have happened. You might have a problem. Go look at that. That doesn't really address the full scope of ways that adversaries can do this. So it's not the best approach. I think still the stats are about half of breaches are discovered through external notification. Like the typical case is just think of an FBI agent showing up and knocking on your door and saying, hey, you have a problem here. Go look here. And then you're really in tough shape because you probably have a well-entrenched adversary running in memory all over the place. And how the heck do you find that? Because memory forensics, looking across eight gig memory images across maybe 50,000 endpoints, that doesn't really scale very well; it would take you years and years and years with forensics experts you don't have. And you might just say, well, this machine is exfilling and I'm just going to re-image the box. Well, that could work, but then you might lose a bunch of critical data or have business disruption. So we have in our platform at Endgame what is a very powerful tool we call fileless attack detection, not requiring this traditional forensics approach to the problem, but it really turns into a kind of a point-and-click detection problem.

That's Mark Dufresne from Endgame.
New York State's new cybersecurity requirements for financial services companies
will go into effect next Wednesday, March 1st.
They're expected to be widely influential,
the way California's stringent automobile emission standards
shaped the car industry in the 1970s and 80s.
Balabit's CTO and co-founder, Balazs Scheidler, points out that one big impact the regulation
will have is that, quote, banks are now required to scrutinize their suppliers and to report
on breaches that affect them, end quote.
He expresses the hope that the regulations will motivate closer monitoring of third parties.
Prevalent's Jeff Hill agrees that the requirements will drive more attention to third-party risk,
something he characterized as the soft underbelly of enterprise security.
We'll be watching the Empire State over coming months
to see what effects the regulations in fact have.
They're likely to extend well beyond New York.
As attendees look back at RSA, they seem prepared to award the Mindshare Prize to Internet of Things security. We would say that artificial intelligence, workforce development, and endpoint security gave the IoT a run for its money. We'll continue to look back at RSA through the end of this week: trends, warnings, spycraft, cyberwar, and some of the splashier IoT hacks, a lot of which involve increasingly smart cars.
And if you're in the market for a used car,
maybe you should think about it in the same way you would
if you were buying a jailbroken used phone.
We close with a look at some industry news.
Verizon has negotiated a discount for its purchase of Yahoo's core assets.
While Yahoo has certainly been dinged and dented by a series of large data breaches (those dings and dents are what drove down the price), Verizon still sees value in its acquisition.
It's particularly interested in Tumblr, Flickr
and Yahoo News and Fantasy Sports services.
And with those properties, of course,
comes a great deal of potentially lucrative behavioral data.
Online ad revenue continues to be a lucrative venture.
Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute.

Joe, you know, I know you and I talk a lot about personal privacy. The EFF, the Electronic Frontier Foundation, has some pretty good tools and some pretty good guides available, if that's something that you're interested in.

That's right. If you go to ssd.eff.org, that is their guide for surveillance self-defense. That's what SSD stands for. And they've got some pretty good information there on what kind of tools to use, how to use these tools, how to vet these tools yourself. And that's really the most important thing. You don't know when you're downloading a tool whether or not it's a good tool unless you actually go through some kind of vetting process, right? I mean, how do I know that the open source disk encryption that I'm using is still a good disk encryption tool, right? Should I be using TrueCrypt anymore? Well, the authors of TrueCrypt say no, you shouldn't be using TrueCrypt anymore, right?

Well, and how do you know if something, if some random tool that you come across isn't actually doing the opposite of what it says it's doing?

Exactly. Not everybody's a software engineer. Not everybody, even those that are software engineers, fewer of them can actually reverse engineer a product or do analysis on it to see what's going on behind the scenes and see what kind of information is being sent out and how and where. One of the things I like about this surveillance self-defense kit is that, you know, like yourself, I get asked by a lot of people, families and friends, what do I do to protect myself? And this is a good way, this is a good starting point for people who aren't in the business to kind of get a rundown of what to do and why and, you know, some tools that are really accessible. And they talk about password managers in here, which is one of my favorite topics. Once you start using a password manager, there's really no excuse for repeating passwords across different sites, and that's really one of the ways that people get taken advantage of: they're using one password across all their sites, and if one of these sites gets breached and the password is encrypted, even if it's a very strong password, if the password is encrypted with a weak hashing algorithm or, God forbid, not encrypted at all, now you've just opened yourself up to these people coming into all of your accounts. But a password manager really makes it easy to use a different password on every single site.

I have these conversations with friends and family, and probably you hear the same thing that I do, where I say to them, do you reuse passwords? And they kind of sigh. They say, yeah, I know I shouldn't, but everyone, well, so many people just do it because it's so hard not to.

If you get a password manager, it's not hard to do it anymore. I mean, you could ask me right now what my Facebook password is. I don't know what my Facebook password is. I don't know what my Twitter password is. I don't know any of this information. I just don't waste my time thinking about it. I do know the combination, and I'm using quotes since we're on a podcast, I'm doing the finger quote thing. The combination of my safe, that's just one big password. I know what that password is, but I don't waste time remembering 20 character random strings. I just let a computer do that. Computers are very good at that.

All right. Well, it's good advice for sure.

Yes.

Joe Carrigan, thanks for joining us.

It's my pleasure, Dave.