CyberWire Daily - LockerGoga hits Norsk Hydro. Mirai botnet malware gets an update. The DHS is concerned about cybersecurity.
Episode Date: March 19, 2019
In today's podcast, we hear that an aluminum manufacturing giant in Norway has suffered a major ransomware attack. A new version of the Mirai botnet malware is targeting enterprise systems. The US Homeland Security Secretary says the private sector and the government in the United States need to work together against cyber threats. Europol has a new cyber incident response strategy. And cybersecurity executives say some vendors' marketing tactics are having a detrimental effect on the security industry. Johannes Ullrich from SANS and the ISC Stormcast Podcast on hardware security issues at the perimeter. Guest is Nathan Burke from Axonius, winners of the 2019 RSAC Innovation Sandbox competition. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_19.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
An aluminum manufacturing giant in Norway has suffered a major ransomware attack.
A new version of the Mirai botnet malware is targeting enterprise systems.
The U.S. Homeland Security Secretary says the private sector and the U.S. government
need to work together against cyber threats.
Europol has a new cyber incident response strategy.
And cybersecurity executives say some vendors' marketing tactics
are having a detrimental effect on the security industry.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 19, 2019.
Norway's Norsk Hydro, one of the world's largest aluminum producers,
suffered an extensive ransomware attack last night against its facilities in Europe and the United States.
The company said in a message to investors that
IT systems in most business areas are impacted and Hydro is switching to manual operations as far as possible.
The Norwegian National Security Authority, or NNSA,
said the attack is suspected to have used a fairly new strain of ransomware called LockerGoga.
A spokesman for Hydro told the BBC the company was able to continue production
by reverting to manual methods and that it has data backups to restore from
as soon as the attack is neutralized.
Currently, however, Hydro is still working with the NNSA to contain the attack and identify the extent of the damage.
Employees have been told not to turn on their computers or connect any devices to the network,
and all communication is taking place via telephone, mobile devices, and text messages.
There have been no safety-related incidents as a result of the attack.
In a press conference this afternoon, Hydro's chief financial officer said, quote, the situation for Hydro is quite severe, adding that the entire worldwide network is down, end quote, affecting production as well as office operations.
He said the attack began in the United States and escalated overnight,
but he didn't specify which facility was first affected or how it was compromised.
According to CyberScoop, the company has remelting facilities in Kentucky and Texas
and has offices in Baltimore.
The company's website is still down,
and there's no time frame for how long the recovery may take.
The LockerGoga ransomware was first spotted in January,
when it was allegedly used in an attack against a French engineering consultancy called Altran Technologies.
Earlier today, researchers identified a new strain of LockerGoga,
uploaded to a public malware repository from a Norwegian IP address.
Palo Alto Networks' Unit 42 published a report yesterday on a new variant of the Mirai botnet malware.
This version is using a total of 27 exploits, 11 of which are new.
It's also targeting a wider range of devices, including WePresent wireless presentation systems and LG SuperSign TVs.
Since these devices are meant for use in business environments,
the researchers believe this new strain indicates a potential shift to using Mirai to target enterprises.
Enterprises provide a larger attack surface and access to greater amounts of bandwidth,
allowing for more powerful DDoS attacks.
The researchers advise organizations to keep their devices up to date with patches.
If a device can't be patched, remove it from your network.
Mirai botnets have been used to carry out some of the largest DDoS attacks in recent years.
These botnets are particularly powerful because they utilize embedded devices such as routers, modems, security cameras, and DVRs,
which can generate massive amounts of data to be launched at a target.
It's been a couple of weeks now since the team at Axonius took home the Most Innovative
Startup Award at the 2019 RSA Conference Innovation Sandbox Competition.
They describe their asset management solution as the Toyota Camry of cybersecurity challenges.
Not particularly sexy, but ubiquitous. Nathan Burke is chief marketing officer at Axonius,
and he tells us that before they could compete for the big prize,
first they had to deal with getting the boss to San Francisco.
It happened during the middle of two snowstorms on the East Coast.
And so I got there early on Sunday.
But Dean Sysman, who is our CEO and co-founder, who was supposed to be presenting, did not have as much luck as I did and ended up sitting on the runway for four hours before his flight got canceled, then rebooked.
And so he was going to miss the rehearsal, the judges' demos, and then maybe be there in time for the final presentation.
So we just called an audible and said, all right, I've got to do this.
And so I changed up the presentation a little bit at the beginning to make it about my personal experience and then practiced a few hundred times and said, let's do this.
And I guess it went pretty well for you. You guys came away as the winners of the innovation sandbox.
Yeah, I guess the judges saw something in a company doing something that we're all calling the most unsexy part of cybersecurity, and that's asset management.
Well, take us through what exactly does your tool do?
Yeah, so really we want to do exactly three things, right? So we want to be able to give
customers a credible and comprehensive asset inventory, everything they've got from laptops,
desktops, servers, VMs, mobile devices, anything. If we can do that, then we can show them where
they have gaps in their security coverage, and then we can automatically validate and enforce
their security policies. And what's different about the way that Axonius
has approached this is we just connect to all of the different security and management solutions
that customers are already using. So we connect to these solutions, gather and collect all the
information we can about assets and users. We correlate that together, and then we can show
you how each of these assets fits against their security policies.
And this has been a persistent challenge for organizations to get a handle on this. Why has asset management been so challenging?
Yeah, I think it's been so challenging because if you look at it over time, the more devices and
device types that we have, the more solutions we have to manage them. And the more solutions that
we have, the harder it is to ask basic questions around assets and how they adhere to the policy.
And so just over time, when you think you start off with a PC on a network that
is in a physical location, asset management is as simple as a guy with a clipboard, right?
But then we move into the world of mobile devices, IoT devices, the cloud, and then it becomes really fractured and fragmented.
And it just becomes very difficult to understand what you have.
And so it's been a challenge. And I think that's what one of the judges said during the presentation and the judging, which is that he's lived this before, not being able to get a straight answer about assets.
And I think one of the things that's nice is that now everything has an API.
And so we're kind of here at the right time where we can interface with all these solutions that know about assets,
gather that information, correlate it together, and present it back in a way that customers can query
and find answers to the questions about assets very, very simply.
Can you walk me through an example?
I mean, what's a typical type of asset that usually gets overlooked or is hard to track that you guys are able to get a handle on?
Sure. A couple of good examples.
I mean, I think there's an inevitable march to the cloud.
And so we see more and more of our customers are using cloud instances like Amazon, yet the security tools that they had to secure their on-premise instances and devices just don't necessarily work the same.
So a good example of that is I'm using Amazon, but my vulnerability assessment tool doesn't
necessarily know about a new Amazon instance that's been spun up. And, you know,
we've said this several times to customers, you know, I don't think there's ever been a time in
history where DevOps said, hey, security, is it okay for me to spin up a new instance?
It just doesn't happen, right? And so what we're able to do is say, we've found these new Amazon
instances. We can look at the VA scanner and say, all right, do you know about these? And if the VA scanner just isn't aware of the new instances,
we can just kind of bridge that gap.
And that's just one of the simple ones.
And then another one that we see all the time is a company will say,
I'm using an EDR or EPP solution, and I've got it deployed everywhere.
And then we find out that around 18% of their devices are missing that
endpoint agent. So that's something we're always able to find. And I think the idea is by being
able to connect to all of the different solutions we have, we're able to uncover things that they
wouldn't be able to just looking at that single management console.
That's Nathan Burke from Axonius. Our congratulations to him and the whole team there for winning the 2019 RSA Innovation Sandbox.
Homeland Security Secretary Kirstjen Nielsen said yesterday that emerging cyber threats are among her top concerns in the coming year.
Nielsen believes that America is not prepared for these threats, saying that she's, quote, more worried about the ability of bad guys to hijack our networks than their ability to hijack our flights, end quote.
She said that the private sector needs to work with the government to defend against these threats,
quote, it's not just U.S. troops and government agents on the front lines anymore,
it's ordinary Americans. Threat actors are mercilessly targeting everyone's devices and networks,
and they are weaponizing our own innovation against us.
She added that our adversaries are using state-owned companies as a forward-deployed force
to attack us from within our supply chain.
The European Union has adopted an incident response protocol for major cross-border cyber attacks.
A press release from Europol said the WannaCry and NotPetya attacks showed that previous incident response protocols were
quote, insufficient to address rapidly evolving cyber criminal modus operandi effectively, end quote.
The new protocol gives a central role to Europol's European Cybercrime Center,
and it aims to complement existing EU crisis management mechanisms.
Four top cybersecurity executives at Fortune 500 companies told CNBC that some cybersecurity vendors resort to unsavoury business practices
in order to gain an advantage in the market.
All four of the executives said they had encountered sales pitches in which vendors took advantage
of the fact that small security flaws at a well-known company can generate major headlines.
The vendors in these cases threatened to tell media outlets if the executives didn't listen
to their entire pitch.
Two of the executives also described vendors who have called to report emergency security incidents,
only to give routine sales pitches once they got on the phone with an executive.
Even when the issues they point to are real,
some vendors don't differentiate between an imminent threat and a minor vulnerability.
These marketing tactics have resulted in mistrust between cybersecurity executives and vendors, and they make it harder for both to identify and address the real threats.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies, like Atlassian and Quora have continuous
visibility into their controls with Vanta. Here's the gist. Vanta brings automation to
evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by Johannes Ullrich.
He's the Dean of Research for the SANS Institute,
and he's also the host of the ISC Stormcast podcast.
Johannes, it's great to have you back.
You know, back in 2018, certainly the CPU flaws, things like Spectre and Meltdown, caught our attention.
But you wanted to point out some other flaws.
So what you're describing is perimeter hardware flaws.
What's going on here?
Essentially what this is about is if you're looking at your standard computer or mobile device,
the CPU is only one of many chips that you find in these devices.
And all these other chips, sort of perimeter chips that are sitting around the CPU, feeding it with data,
well, they're vulnerable too.
And in some ways, sometimes actually more exposed than the CPU.
And as one recent example are Wi-Fi chipsets. And here in particular, the Marvell Avastar,
there was an interesting paper that looked at that particular chipset. Now, these are names
that usually don't ring a bell with anybody. I personally hadn't heard about this chipset yet, but well, it's in many Microsoft Surface laptops.
It's in many Samsung laptops and such.
So it's a widely used chipset.
And it has some flaws that, as was demonstrated here by Denis Selianin, can be exploited without the user doing anything and get full access to the system.
Is this a situation where because these chips are on the motherboard, the rest of the system has a default situation of trusting these chips and maybe that's going a little too far?
Correct. That's part of the problem. The other side of it is that these chips, well,
there is no real hardware anymore. Everything has software in it.
These are actually little systems on a chip.
They have their own operating system.
They have their own software running in it.
And all of this, of course, is vulnerable.
And what makes it sort of worse is because these are fairly minimal systems,
a lot of the standard protections that you have that prevent exploitation
sort of in normal operating systems, they don't apply to these chips.
In some ways, they're actually easier to exploit once you have a vulnerability like a simple buffer overflow.
Now, in a situation like this with these auxiliary chips, would they be updated with an OS update or a firmware update?
Or are they sort of baked in with what they have when they're manufactured?
That's actually the good part of it, that most of them come sort of as a blank slate.
And the operating system loads the firmware into that chip as it's being booted.
So, yes, an operating system update usually can take care of these flaws if it is released.
Interesting.
So what are people to do here?
Is this a matter of keeping up on the latest updates?
That's pretty much the only thing you can do here.
Of course, turn off your Wi-Fi card if you can turn it off in public environments.
But that's, I think, always difficult advice to follow.
It's really difficult to do anything but just staying up to date
and staying up to date with your operating system patches.
Now, I guess keeping an eye out to see if your particular device
is one that might be vulnerable.
Yes, but it may actually be difficult to figure out
what device is in your system.
And then also, there is no real standard feed for these vulnerabilities.
They're often not disclosed very widely, like for operating system vulnerabilities.
I see.
Now, is this also a situation where, you know, as a motherboard is manufactured,
that, you know, a certain percentage of the run might have one brand's chip in it and another percentage of the run might have another's?
That's certainly possible in particular different sort of subversions of the chip and
some may be vulnerable, others maybe not. Or another case that can also happen is that
the particular version of the chip that you have in your system is no longer being supported and
there are no more updates for it,
while the same laptop bought a couple months later
has a new version that's still receiving updates.
That's interesting stuff.
Johannes Ullrich, thanks for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And that's the CyberWire.
for CyberWire Pro. It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben,
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.