CyberWire Daily - Leafminer wants to learn from the best, and that's not good. Shipper hacked. Old malware resurfaces in improved form. Russian grid and election threats. What insurance covers.

Episode Date: July 25, 2018

In today's podcast, we hear that Leafminer is infesting networks in the Middle East. Red Alert, Kronos, Mirai, and Gafgyt make their reappearance in new forms. Shipping firm Cosco is dealing with... a cyberattack. US officials raise warnings about Russian threats to the power grid and elections. Congress considers cyber retaliation. A dispute over cyber insurance coverage lands the insured and the insurer in court. Awais Rashid from Bristol University on IoT and OT convergence. Guest is Jason Morgan from Wiretap on their Human Behavior Risk Analysis Report.  For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/July/CyberWire_2018_07_25.html Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Leafminer infests networks in the Middle East. Red Alert, Kronos, Mirai, and Gafgyt make their reappearance in new forms. Shipping firm Cosco is dealing with a cyber attack. U.S. officials raise warnings about Russian threats to the power grid and elections.
Starting point is 00:02:12 And a dispute over cyber insurance coverage lands the insured and the insurer in court. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 25, 2018. Symantec researchers are reporting a new cyber campaign active in the Middle East. Earlier today, the security company released its report on Leafminer, which is what they're calling the threat actor. They say it's been active against governments and business verticals in the region since 2017. The affected countries include Saudi Arabia, which leads in the number of infections, Lebanon, which clocks in second, and Israel and Kuwait rounding out the field. Leafminer's target list, obtained due to the attacker's missteps, is written in Farsi and it calls out enterprises in Saudi Arabia, United Arab Emirates, Qatar, Kuwait, Bahrain, Egypt, Israel, and Afghanistan.
Starting point is 00:03:19 Leafminer makes good use of known exploits and commodity attack tools. Symantec also points out that the threat actor, quote, seems to be actively following developments and publications of the offensive security community when selecting their toolkit, end quote. They're active, committed to learning from the best, but also a bit sloppy with their own operational security. This suggests, the researchers say, a degree of inexperience, but Leafminer will bear watching. Several familiar criminal tools are resurfacing in updated form. Security firm Sophos is seeing a new version of the Red Alert banking trojan, Red Alert 2.0.
Starting point is 00:03:55 Cybersecurity company Proofpoint reports that Kronos is back. Kronos is also a banking trojan, this one first observed in 2014, and it made its reappearance recently with attacks in Germany and Poland. It's being spread largely by phishing, with the phish bait taking the familiar form of a malicious Word document attached to an email. Proofpoint notes that its masters are using Tor for command and control traffic. Kronos is also available on a criminal-to-criminal basis, and Proofpoint thinks
Starting point is 00:04:25 they've observed circumstantial evidence that Kronos has been rebranded as Osiris, and that it's available under that name on the black market. And Palo Alto Networks and others note a resurgence of the Mirai and Gafgyt botnets, which are run and rerun as commodity attacks against vulnerable Internet of Things devices. Wiretap is a company that helps provide organizations with insights on how their employees are using social collaboration and messaging tools to make sure they're in compliance and that employees aren't misbehaving. They recently published the results from their Human Behavior Risk Analysis Report. Jason Morgan is Vice President of Behavioral Intelligence at Wiretap.
Starting point is 00:05:08 With our Aware platform, we help companies monitor their enterprise social networks like Yammer, Workplace by Facebook, or Microsoft Teams. And so in building the behavioral intelligence models, the artificial intelligence for this platform, we've gathered a great deal of data from several hundred data sharing customers. So this is what came out of it, the human behavioral risk analysis. In the report, we highlight some of the risky behaviors that people actually participate in, in these enterprise social networks, things like toxic behavior. Maybe people are sharing crude jokes or photos they shouldn't be. Maybe they are participating in harassing behavior and maybe they're actually sharing intellectual property when they shouldn't be or customer data.
Starting point is 00:05:58 That said, now that's kind of where we went with this report, highlighting some of these risky behaviors. What we really want to convey in the report is also that these risky behaviors, while they exist, they're not that common. And in fact, it's just usually a few employees, a few messages in a network per day, per month that really cause any kind of problem. And so we really want to highlight the fact that these enterprise social networks can help companies be more productive. Maybe that is reducing some communication complexity, you know, getting away from email, making communication more rapid.
Starting point is 00:06:38 It may help companies also just get ahead of problems. Maybe this is problems morale. And it will also help companies, we hope, understand that they can get at the root of complexity and toxicity in the networks. We want the companies to understand that they can use these enterprise social networks to get insight into the patterns of communication on their networks that they can possibly in the future use them to identify stellar employees or employees that are being excluded from conversations and excluded in a way that may be a drain on the overall culture of a company. Now, in terms of managing risk, I mean, what are your recommendations for organizations as they deploy these tools, which clearly are useful and can help workers be more efficient?
Starting point is 00:07:28 And I suppose as you lay out also can help with employee morale. You know, you sort of have this virtual water cooler where people can get questions answered quickly or check in with their coworkers. What's the balance there? What are your recommendations based on the data that you got from this report? The first thing that I would tell companies that are looking to roll out something like Workplace by Facebook or Yammer or Teams is that on these platforms, because they are a centralized place of communication, it's probably easier to manage risk on these platforms than it is, for example, face-to-face conversations around a water cooler. Companies have always dealt with issues, whether or not it's crude jokes that
Starting point is 00:08:13 are, you know, crude, racist, or other jokes around the water cooler that are extremely hard to monitor and to control. Whereas on these collaboration networks, they have an opportunity to, first off, monitor and make sure those type of toxic behaviors are not occurring. And at the same time, to extend their knowledge about how work within their company gets done. So this is something I noticed coming from enterprise, and I've spoken to other people here at Wiretap and then their customers is that they don't know a lot of times how work actually gets done. You don't know who the important people are at a company. They aren't always the people sitting in the seats that you would think they are.
Starting point is 00:08:59 These social networks, while they do raise another vector of potential risk, they actually, if you ask me, decrease the ultimate risk to the company because it can be monitored. At the same time, they're opening up opportunities to identify productive employees, identify where problems might be arising that wouldn't even ever be talked about otherwise. That's Jason Morgan from Wiretap. You can check out their Human Behavior Risk Analysis report on their website. The maritime shipping firm Cosco reports that a malware infection is impeding but not stopping its operations. The infestation apparently began at the Cosco terminal in the U.S. port of Long
Starting point is 00:09:45 Beach, California. It's said by industry publication Lodestar to have spread last night to the line's U.K. operations. The incident has reminded observers of the effect NotPetya had on the Maersk line last year. That particular attack is reckoned to have cost Maersk some $300 million, and NotPetya was in all probability directed principally at Ukrainian targets. The disruption and economic losses elsewhere were just so much gravy. The Cosco incident seems not to be as serious as the one that affected Maersk and other logistics companies. Cosco says that ship operations are unaffected, and the company stresses that safety of navigation is not impeded at all, but business communications are being hit.
Starting point is 00:10:32 How the company handles the attack will provide a good indication of how the shipping sector has improved its resilience since last year's Russian wake-up call. And speaking of the Russians, they're much in the mind of the U.S. Congress and media this week. Warning has come from several official quarters that Russian hacking of American infrastructure, especially the power grid, is a looming threat. Several reports, rendered both to Congress and the media, describe the extensive battle space preparation and successful compromise of electrical power infrastructure control centers that Russian operators, call them Energetic Bear for short, have achieved.
Starting point is 00:11:10 Obviously, the North American power grid hasn't been taken down. Canadian and U.S. electrical power distribution is so closely coupled that disruptions cross the 49th parallel north easily and freely. So this is a Canadian issue as well, but, well, it could happen. Industry sources vigorously second the official warnings. Security industry comments run from, well, this is the new normal, to, well, we've known this for years, what took you so long? To, and why all of a sudden are you shouting the obvious from the rooftops to keep calm and take a deep breath? In truth, as many point out, such alerts have been sounded for some years, but they're being delivered with unusual urgency this time around.
Starting point is 00:11:55 It's not just the power grid either. Christopher Krebs, the U.S. Department of Homeland Security Undersecretary for National Protection and Programs Directorate, yesterday testified about election security to the House Committee on Oversight and Government Reform. His statement, for the record, offered a comprehensive overview of the measures the National Protection and Programs Directorate has taken to help state and local election authorities protect themselves against vote hacking narrowly conceived. Much of this takes the form of intelligence sharing, technical assistance, and mutual cooperation. Undersecretary Krebs did say, with respect to the in many ways more interesting issue of Russian information operations,
Starting point is 00:12:37 that Moscow had, as he put it, quote, continued malign influence operations, end quote, into this year, although not apparently on the same scale that was observed in 2016. This seems only right, since, after all, this is an off-year election, and it's reasonable to think the Bears have a civics-class understanding of the relative importance of presidential and midterm voting. DHS isn't writing off the prospect of direct hacking either, especially given reports that some 21 states have seen scans of electoral systems attempted over the past two years.
Starting point is 00:13:12 Whether the executive branch is crying wolf or not, Congress is certainly howling. The warnings come as the U.S. Congress shapes the defense authorization bill in which cyber provisions figure prominently. Congress is in a mood to take a hard line, with calls for retaliation, in kind, or worse, to cyber attacks. There's also a move afoot in the Senate to form a commission to study and develop advice on cybersecurity policy. Finally, a Virginia bank, the National Bank of Blacksburg, is reported to be suing its insurer, Everest National Insurance, over coverage of two cyber bank heists that netted thieves about $2.4 million.
Starting point is 00:13:53 The crooks were probably a Russian gang, from evidence the bank's security consultants found when they were called in to help with the mop-up. The policy Blacksburg had with Everest had two riders, a computer and electronic crime rider with a single loss limit liability of $8 million and a $125,000 deductible, and a debit card rider which limited single loss liability to $50,000 with a $25,000 deductible and an aggregate limit of $250,000. The bank complains that the insurance company regarded the crimes as covered by the debit card rider, presumably since they involved ATM exploits. Whatever the case's outcome, the National Bank of Blacksburg was certainly pwned.
Starting point is 00:14:42 Twice. So beware of phishing, and remember, when it comes to transferring risk, the large print giveth, but the small print taketh away.
Starting point is 00:17:02 And I'm pleased to be joined once again by Professor Awais Rashid. He's a professor of cybersecurity at the University of Bristol. Awais, welcome back. We wanted to touch today on this notion of IoT and operational technology and how they're converging. What do you have to share with us? So operational technology, which is a catch-all term, is the kind of systems that we use in industrial infrastructure. So these are the kind of systems that are used to control water treatment, power grid, manufacturing facilities, and increasingly widely used
Starting point is 00:17:51 in high-value manufacturing and those kinds of settings. With the emergence of IoT, we are seeing such devices being incorporated into these kinds of operational environments. And there are plenty of good reasons for that. This provides enhanced visibility and integration, which means that you can have more effective
Starting point is 00:18:09 business processes. You can glean more real-time intelligence from your operational technology. You can reduce costs. You can fine-tune physical processes. However, this convergence also means that the boundary between what are your traditional legacy operational technology environments, which were not originally supposed to be connected to other networks, let alone the internet, is now interacting with more contemporary IoT sensors and actuators that are connected and are supposed to have remote connectivity and control. And that poses a number of interesting challenges for security. So take us through what are some of the challenges there? You can imagine a scenario where you have a number of, say, older devices like programmable logic controllers or telemetry units, you know, sometimes running on protocols which do not have
Starting point is 00:19:00 authentication and encrypted communication built into that. Now interfacing with an IoT gateway, which is gleaning intelligence and pushing that data into the cloud and so on. And that in itself provides interesting challenges and new problems in terms of the attack surface of this kind of a convergent environment. We need to understand what the attacks look like in this kind of convergent environment. The cyber kill chain is very well known as a model in industry showing how the attacker may be disrupted at different stages of an attack. And in a simplistic way, maybe we need some kind of a cyber kill chain that represents this kind of convergent IoT and operational technology environment. And where do you suppose things stand right now?
Starting point is 00:19:45 Are we where we need to be? What do you see as we look forward? I think there are a number of things that we can look at. One of the things is to understand as to how the convergence leads to potential vulnerabilities being exposed to attackers. We need to understand what the attack models in this kind of convergent setting might look like. So, for example, attackers pivoting from the operational technology onto the IoT or vice versa. What are the possibilities of lateral movement or, you know,
Starting point is 00:20:18 privilege escalation in these kind of settings? So, there are a number of unknowns at this point in time, simply because traditionally these kind of environments haven't had this level of connectivity. And I think we do need to have better ways of analyzing attacks in this kind of convergent environments. We also need more specific and perhaps specialized intrusion detection systems that are attuned to what you would think of as the melting pot of legacy and non-legacy technologies and protocols coming together. Professor Awais Rashid, thanks for joining us.
Starting point is 00:21:40 And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:22:14 Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell. Thanks for listening. We'll see you back here tomorrow.
