CyberWire Daily - IoT DDoS hurricane forming? Sofacy exploits patched Flash bug. NotPetya continues to impose costs. Snooping with mobile app ads.
Episode Date: October 20, 2017

In today's podcast we hear that an IoT botnet hurricane may be forming among IP cameras. (IP cameras are to DDoS what the West African coast is to Atlantic tropical depressions.) Sofacy rushes to exploit a patched Flash bug in a use-it-or-lose-it espionage race. Want to spy on someone? Go buy an ad. Cisco patches the Wi-Fi KRACK. NotPetya's still costing manufacturers and their insurers a lot of money. Emily Wilson from Terbium Labs responds to post-Equifax breach credit agency claims that they can scan the Dark Web. Michael Sutton, CISO at Zscaler, on zero-day hoarding. MalwareTech, a.k.a. Marcus Hutchins, gets to take off that GPS and stay out late, since the judge decided his pre-trial behavior has been pretty good.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
An IoT botnet hurricane may be forming among IP cameras.
IP cameras are to DDoS what the West African coast is to Atlantic tropical depressions.
Sofacy rushes to exploit a patched Flash bug in a use-it-or-lose-it espionage race.
Want to spy on someone? Go buy an ad.
Cisco patches the Wi-Fi KRACK.
NotPetya's still costing manufacturers and their insurers a lot of money.
Malware Tech, a.k.a.
Marcus Hutchins, gets to take off
that GPS and stay out late,
since the judge decided his pretrial behavior has been pretty good.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, October 20, 2017.
Reports warn breathlessly that a new Internet of Things botnet is shaping up into
a kind of cyber hurricane, and indeed the reports do look, metaphorically, like Atlantic
tropical storm season warnings of a depression forming off the West African coast. In this
case, the early storm warnings are being sounded by researchers at security firm Check Point,
who say the coming distributed denial-of-service
wave could be worse than the earlier big IoT botnet Mirai.
They say they see some possible connections with and similarities to Mirai, but on the
whole they regard this new, so far unnamed threat as an entirely new and far more sophisticated
campaign.
The botmasters have concentrated on herding IP cameras, which of course also figured prominently in the original Mirai. Check Point says that more than a million organizations have been affected. They noted the problem shaping up late last month, and they advise everyone to get out the virtual equivalents of plywood, bottled water, and other storm necessities.
We hear a lot about zero days, of course,
but not all exploitation is of hitherto unknown vulnerabilities.
Security company Proofpoint reports a campaign
that's pursuing a bug that was swatted this Monday.
In this case, it's the Adobe Flash vulnerability, CVE-2017-11292.
Researchers at Proofpoint say they're seeing a great deal of activity on the part of APT28,
the Russian threat actor also known as Sofacy,
targeting the flaw for exploitation before enterprises get around to applying the patch.
The vector is a familiar one, a maliciously crafted Word document corrupted with DealersChoice.B,
Sofacy's attack framework that enables them
to load exploit code on demand from one of their command and control servers.
The phish bait dangling the malware is a document describing how North Korea says it was pushed
into pursuing its nuclear weapons program by a terrorist United States.
The bait could appeal to gullible fish of various sympathies.
On the one hand, it unmasks the U.S. as terroristic, but on the other, it calls Pyongyang
tyrannical and makes liberal use of scare quotes around the more outrageous claims.
So whether you're a follower of Mr. Kim or President Trump, don't bite.
So it seems this is a case of a Russian intelligence service threat actor
working to get as much as it can in the wild
before the world gets around to applying the patch.
It's interesting to note that on Monday,
Kaspersky connected exploitation of the flaw to BlackOasis,
an advanced persistent threat distinct from Sofacy.
Proofpoint thinks Sofacy also has the exploit
and is trying to use it before patching renders it worthless.
University of Washington researchers demonstrate how third-party attackers can exploit smartphone apps' targeted advertising systems to conduct surveillance of users.
How can they do it? Easy.
They buy an ad that contains within it code that lets them, say, use geolocation to know where their target is or what they're browsing for on the device.
It costs about $1,000.
Sure, there may be other ways of doing it, and black market malware is commoditized enough that you might get more bang for your $1,000 elsewhere,
but it's still a possibility worth considering.
Cisco joins the ranks of vendors who have patched against the KRACK WPA2 vulnerability.
Others will follow. It will take some time to mop this vulnerability up.
Facebook draws adverse attention from those concerned with information operations and security.
The social media giant says it's working to secure itself, a painful process, they say,
and promises
to help secure upcoming Canadian elections.
Fairly or unfairly, suspicion of Kaspersky products as being the Russian FSB's royal road into the enterprise has taken firm root in the commercial sector. Data centers are being advised to get rid of the company's security software, and editorialists in the U.S. are telling consumers that they should do likewise.
NATO leaders feel unsure of their ability to counter Russian hybrid warfare and fear losing the battlefield advantage they've tended to assume as their right since the end of the Cold War.
The cost of NotPetya pseudo-ransomware continues to be counted. Verisk estimates that
Merck's insurers will pay out some $275 million, with the big pharma company itself on the hook
for more. And finally, Marcus Hutchins, the hacker known as MalwareTech, credited as a kind of
inadvertent hero for flipping the kill switch on WannaCry pseudo-ransomware,
is out on bail, and unencumbered, awaiting trial.
He's living and working in Los Angeles, part of that city's large British expatriate community,
where a U.S. judge thinks he's behaved well enough, showing up in court as required and
so on, to deserve having his curfew lifted.
He can also take off that GPS tracker he was wearing.
Mr. Hutchins was arrested in August on U.S. federal charges,
alleging that he created and sold Kronos malware.
And joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs.
Emily, welcome back. You know, after all of this Equifax mess, one of the other credit companies has been sort of tooting their own horn and saying that they will search the dark web to find out
anything about you. And there's been a lot of pushback on that.
People have been saying, well, you can't search the dark web.
That's why it's called the dark web.
This is a specialty of yours and your colleagues at Terbium.
So I thought, who better to ask than you?
If I want to go out and engage with a company and say,
I want to find out everything there is to know about me on the dark web,
how possible is that really? It's certainly possible in that, as you said,
we do this for a living at Terbium. Right. Depending on which company you're talking to,
whether as an individual, you know, you mentioned, you know, one of these credit organizations is
offering a dark web scan, or if as a company, you're kind of looking at different providers, it's absolutely possible, depending on who you're talking to, you're going
to get different kinds of information, whether you're looking for financial information, whether
you're looking for more threat intel, whether you're looking for personal information, in the
case of the individuals who are kind of turning to this credit organization, it's certainly possible.
It's definitely difficult. I mean, that's one of the
engineering challenges we all face, right, in this space is the dark web is a difficult thing to
navigate. Sites go up and down. Many of these sites don't particularly want to be found. And so doing
reliable data collection at scale on this part of the internet, it's definitely difficult,
but it is certainly possible.
And so this is sort of the secret sauce that various companies have
when they're telling you that they can do dark web scans.
Absolutely.
And it really does depend on who you're turning to
and what problem you're trying to solve,
because companies are trying to solve this problem differently,
and companies are looking for different kinds of information.
So you could be looking for more threat intel information about threat actors.
You could be looking for information about vulnerabilities that may impact your company.
In the situations like you're discussing, you're typically looking for more personal information or financial information.
And that kind of information is out there, whether it's something that's been discussed or that's been leaked or that's available for sale.
And it's also important to note that not all of this is on the dark web.
Plenty of this information shows up on, you know, really sketchy, clear websites, too.
The fraud trade isn't exclusively on what we think of as traditionally the dark web.
So this notion that we can't scan the dark web because it's the dark web,
and that's why they call it the dark web.
That's sort of a myth.
It is sort of a myth, and that's, you know,
one of my favorite things to talk about with people in and out of the industry is the fact that the dark web is complex, and it changes constantly,
and it's messy just like the rest of the Internet,
but it is a problem that you can approach and that you can figure out how to solve.
It's a difficult problem.
That's why many of us are working very hard to figure out how to solve it.
But it's definitely something that is measurable
and tractable and accessible,
and you can track data there.
All right.
Emily Wilson, thanks for joining us.
My guest today is Michael Sutton.
He's the Chief Information Security Officer at Zscaler.
Prior to Zscaler, he helped build some other security startups,
including SPI Dynamics, who were later acquired by Hewlett-Packard,
and iDefense, which was later acquired by VeriSign.
Michael Sutton is also the co-author of the book
Fuzzing: Brute Force Vulnerability Discovery.
Our conversation centers on zero days, bug bounties,
and whether the U.S. government is following its own guidelines when it comes to zero-day hoarding.
In the early days, let's say 20 years ago,
it was really underground or government entities that would be willing to pay for vulnerabilities.
So there was no sort of open
marketplace. That started to change in about 2002. I actually at the time was part of the first sort
of commercial organization to start a bug bounty vulnerability program, which at the time was
super controversial. But since then, it's evolved and it's become a very normal commercial process.
There are lots of companies that will pay for vulnerabilities, and it's now very normal that most vendors will pay for vulnerability information.
So that's really evolved.
But there has always been an element of hoarding in that, whether it's governments, whether it's criminals, anybody that wants to use a vulnerability for an offensive purpose.
And I suppose these days, the notion of having a bug bounty isn't really controversial anymore.
No, I remember. So I had mentioned that we had launched the first commercial one that was with
a startup called iDefense at the time. We did it in 2002. We called it the Vulnerability
Contributor Program. And I remember at the time, there were people who were just vehemently
opposed to it. You know, we believe very strongly in it.
We had insight into the fact that, hey, this is happening in the underground.
Wouldn't you rather have this out in the open?
And we felt that, hey, it was much better for us to do this very publicly out in the open.
We gave everything to the vendors to get it fixed.
Over the past 15 years, I think attitudes have changed dramatically. You know,
now it is a very regular business. There are companies that specialize in bug bounties.
Pretty much every major software vendor or internet provider has a bug bounty program.
They pay for it. So it's actually quite satisfying to see, you know, all of these people who had their pitchforks out against us have really changed their mind on this topic.
It seems as though the controversy has stirred up again with organizations like the Shadow Brokers releasing vulnerabilities that allegedly have been hoarded by government agencies.
Yeah. So throughout this entire time, there has always been hoarding, certainly not
just by the U.S. government. I mean, most governments have some sort of offensive cyber
capability. And yes, they want to use vulnerabilities for their offensive purposes.
Now, that's where I think the controversy comes into play, because, of course, there's always a delicate balance to strike there that you may be hoarding it for the benefit of your country.
But if your citizens, companies in your nation are also impacted by somebody else using that same vulnerability, are you doing more harm than good by hoarding?
So where do you think it's going to go?
The U.S. does actually have a policy in place to make that decision. They call it the vulnerability
equities process. So we're not in a situation where if the United States government comes into
the possession of a vulnerability, either through their own research or because they purchase it
from another party and both of those things occur, that they simply hoard it outright or even have
the ability. There are different players, different agencies get invited to the table.
That process has evolved over time. And supposedly, the process is designed to lean in the
direction of, hey, we're going to disclose this to the vendor unless
we can prove certain things and that we don't feel there's a large risk to the public.
Unfortunately, as with most government policies, especially those that involve sensitive
information, there's very little transparency. So we in the general public are left to make evaluations based on leaks that have occurred or snippets of statements that are made off the record to decide if this process actually works.
And I'd say at best, we're left to question whether the VEP, the vulnerability equities process, meets its true intent.
So I think it leaves the general public with perhaps a sense of uncertainty.
Indeed. There isn't much out there. There have been some reports. Jay Healey had done an excellent
one with some grad students at, I believe, Columbia University, where he sort of compiled
what information was available. And so, you know, we're left in a position where the
government has told us that, hey, this process is in place. We know the broad strokes of how it
works. We know that the intent is to disclose vulnerabilities, zero-day vulnerabilities,
especially in situations where they pose a risk to the public, meaning that they are either high
risk vulnerabilities or they're broadly used within the infrastructure of the United States.
The problem is that some of the anecdotal evidence that we have, Shadow Brokers being a really
important one, that, you know, here was a leak of a treasure trove of NSA tools, and we're left to
say, wait a minute, it was very clear that the fact that these were
hoarded did not tie to the intent of the VEP. You know, these were vulnerabilities that impacted
a huge portion of the computers and the infrastructure in the United States,
EternalBlue being a big part of that, which was the vulnerability that was used with
WannaCry and NotPetya. If the intent of the VEP was to make sure that we don't hoard vulnerabilities that
could have a very negative impact because they're high risk and widely used, well, clearly the NSA
should have disclosed these to the vendors. So that leaves us with big question marks. You know,
we don't have the transparency to truly know how the VEP works. We don't, we certainly don't know the vulnerabilities that have gone through the VEP
vetting process. So we are left to question how effective this process truly is.
Do you think there needs to be an evolution of the way that these vulnerabilities are disclosed?
Well, I think we have seen an evolution. And I think that this is
continually revisited. You know, there's been an evolution just overall, like, as I mentioned,
back in the 15 years ago, people just couldn't wrap their head around paying somebody for a
vulnerability and vendors were vehemently opposed. I remember when Microsoft finally
launched its bug bounty program a few years ago,
I was shocked and very pleased because they were a strong holdout. Like when we launched that vulnerability contributor program, they were one that begrudgingly worked with us and they were
actually good. They really did do a 180, but they wanted people to just give vulnerabilities to
vendors. That was their view. They said, we're never launching a bug bounty program. And so they did. So I think the general public has really evolved. And now
this is a very accepted piece of it. But even at the government level, we've certainly seen
evolution. Like the whole concept of the VEP actually started within the Bush administration,
George W. Bush. Back then, it was solely run by the NSA, chaired by the NSA,
and they seem to have kind of full say over it. And it has been reinvigorated or was reinvigorated
under the Obama administration to change the process. It's no longer directly chaired by the
NSA. It seems to have broader participation. So I think the government has also evolved as they've seen things occur,
some of the major events where hoarded vulnerabilities cause damage, whether it was
Shadow Brokers or even things like Heartbleed, which was an OpenSSL vulnerability that was
arguably the most damaging or the highest risk vulnerability that we've ever seen that
had the greatest impact. And there were rumors that the NSA had known about that for a couple
of years before, never verified. But I think it was moments like that that caused the government
to say, hmm, maybe by hoarding vulnerabilities, we're doing more damage than good. I think this
will be an ongoing debate, both publicly and within the government. I think it will have to evolve. I don't think
there is ever going to be one right answer.
That's Michael Sutton from Zscaler.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.