CyberWire Daily - Magnibur ransomware spreads. LabCorp discloses suspicious incident on its networks. Spectre, Meltdown notes. Oracle patches. Helsinki summit backing and filling and backing.

Episode Date: July 18, 2018

In today's podcast, we hear about the spread of Magnibur ransomware. LabCorp discloses "suspicious activity" on its networks. The Pentagon will add cybersecurity checks to its test and evaluation process. Siemens updates customers on Spectre and Meltdown. Oracle's quarterly patch bulletin is out. Fallout, clarifications, and more fallout from the Helsinki summit. US agencies continue preparations to secure elections and infrastructure. Robert M. Lee from Dragos on the Electrum threat group. Guest is Jonathan Couch from Threat Quotient on Dark Web markets. For links to stories in today's CyberWire podcast, check out our daily news brief. https://thecyberwire.com/issues/issues2018/July/CyberWire_2018_07_18.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. LabCorp discloses suspicious activity on its networks. The Pentagon will add cybersecurity checks to its test and evaluation process. Siemens updates customers on Spectre and Meltdown. Oracle's quarterly patch bulletin is out. There's fallout, clarifications, and more fallout from the Helsinki summit. And U.S. agencies continue preparations to secure elections and infrastructure. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 18, 2018.
Starting point is 00:02:42 Magnibur ransomware, which has for some time been endemic in South Korea, has spread in new variants to other East Asian linguistic communities. Chinese-speaking users in Macau, Singapore, and Malaysia are held to be newly targeted by the criminal campaign. U.S. medical diagnostics provider LabCorp has sustained a potential data breach that could expose the medical records of millions of patients. LabCorp, the largest company of its kind in the United States, disclosed the breach to the Securities and Exchange Commission in a Form 8-K dated this Monday. The company said in its filing that it detected suspicious activity on its network over this past weekend,
Starting point is 00:03:21 responded by taking some systems offline in accordance with its comprehensive response. They do warn that some customers may experience brief delays in receiving their results while LabCorp completes remediation. The company said that, quote, At this time, there is no evidence of unauthorized transfer or misuse of data, end quote. The concern, obviously, is that sensitive records may have been lost. LabCorp subsidiary Covance Drug Development was unaffected by the incident. When these kinds of breaches occur, the data often ends up on the dark web.
Starting point is 00:03:57 But what does that really mean, and how do you protect your organization against it? Jonathan Couch is Senior Vice President of Strategy at Threat Quotient, and he helps bring us up to speed. I think there's a lot of misperceptions about what it really is. Out there on the internet, you have the regular internet that most people interact with, and those are the sites that you can go to Google, you can do searches, and it'll point you to Wikipedia or news sites or whatever it happens to be. Then there are those websites that are unindexed. And by unindexed, what I mean is that Google will not crawl those sites to find out information. So corporate intranets are an example of that, or private companies or subscription services, things that are behind some sort of authentication,
Starting point is 00:04:43 that Google will not scrape those sites and you won't be able to find them through regular web searches. And that's what's called typically the deep web. The dark web is kind of its own special little place. That not only is unindexed, but typically you require special software in order to access those websites. So, you know, the Onion Router, what's known as Tor, is the most popular way to get into those websites. And what that does is it provides you an encryption mechanism to provide anonymous web browsing.
Starting point is 00:05:15 So that using a Tor client, I can go out and I can visit websites, but those websites don't know who I am. They don't know where I came from or where I'm making the requests. And so, you know, this whole concept of the dark web was really to provide anonymity around web surfing. And it has grown to really be a haven for cybercrime and cyber criminals. And so what you find on the dark web are a lot of websites that are selling wares that are illegal to be sold elsewhere because they have this anonymity. It's very difficult to figure out where these websites are actually located, who's hosting them, the people behind it, and the infrastructure that surrounds it. So why should it be important to people looking to defend their organizations? What's the concern there?
Starting point is 00:06:06 So the concern is really being able to find out what the threats do. You know, if you want to know what your adversary knows, if you want, as an organization, if I'm holding a lot of information, if I have a lot of credit card numbers that my organization relies on in order to protect and make money off of, I want to be able to see, do criminals have my credit card numbers? Are they reselling them on the underground? If I am operating a certain kind of database, if there are tools that exploit that database, that can break in and steal information from that database, I want to know about the existence of those tools and how they're being utilized. And the dark web is kind of that marketplace.
Starting point is 00:06:47 It's that black market that people can go and be able to sell those kinds of capabilities, but also sell that information and data. It's not a kind of place where you just want to go and interact and that your organization may want to have direct contact with. A lot of times you'll want to interact more with third-party organizations, experts that live and operate within the dark web day in and day out, so that you can now leverage their expertise and their knowledge to provide you that intelligence, to provide you that information of here is what we found. Instead of putting your resources and your people and technology toward going out there and trying to set up this infrastructure and collect and monitor the dark web, you can now just take the information coming from these third-party providers and be able to take a look at it and say, all right, what applies to me? What am I interested in? And so it really saves you time, efficiency,
Starting point is 00:07:39 and resources from being able to have to go out there and do it yourself. That's Jonathan Couch from Threat Quotient. The U.S. Department of Defense intends to add cybersecurity checks to the test and evaluation phases of its acquisition cycle. It intends to conduct more of its own testing and will not rely upon contractor certification that their systems are secure against cyber attack. Siemens has updated its security guidance on the Spectre and Meltdown chipset vulnerabilities, warning of new variants and promising software and firmware updates to address them.
Starting point is 00:08:21 Users of Siemens products have been asked to stay alert for coming fixes and to apply them promptly. Oracle's quarterly patch update was released yesterday. It addresses 334 vulnerabilities, which the SANS Institute calls a record. Vulnerabilities in WebLogic, Oracle Spatial, and Oracle Fusion Middleware Map Viewer are rated as particularly significant. Attacks on WebLogic servers have figured in cryptojacking campaigns over the past year, and such attacks are expected to continue against unprotected systems. At a mid-afternoon press conference yesterday, U.S. President Trump walked back remarks he made at the conclusion of his summit with Russian President Putin, which gave the impression that
Starting point is 00:09:02 he accepted Mr. Putin's word over that of U.S. intelligence services, apparently agreeing that Russia had not attempted to influence U.S. elections. Mr. Trump's remarks in Helsinki were roundly criticized from all political sides. The president said that he either misspoke or was misheard and that he believes what the U.S. intelligence community has concluded about Russian influence operations. The U.S. intelligence community, including its current leadership appointed under this president, has reiterated that it stands by its assessment. Mr. Putin did a bit of woofing about conducting a joint Russo-American investigation
Starting point is 00:09:39 into the Russian influence operations he insists didn't happen. Again, essentially nobody thinks this is a particularly promising idea. It's a familiar gambit in Russian information operations. Deny involvement, offer to cooperate in a joint investigation, and then use the veneer of legitimacy the joint investigation confers to cover over what would otherwise be a bald and unconvincing denial. Similar misdirection has been seen recently in Russian insistence on participating in an international investigation of the nerve agent attacks in the United Kingdom. There is or was a 1999 treaty under which the U.S.
Starting point is 00:10:20 and Russian Federation agreed to join investigation of certain crimes, but observers have called that agreement a dead letter. As Sean Sullivan of security firm F-Secure told the Register, quote, that sort of thing halted years ago after the FBI found that the Russians were recruiting rather than arresting and investigating the criminal leads forwarded to the FSB, end quote. So while there's undoubtedly some scope for international cooperation in cyberspace, this wouldn't appear to be one of them. Consensus is that the U.S. would have much to lose and nothing to gain. Many investigators and media outlets are reviewing the course the Russian information operations took during the last election. operations took during the last election. Spear phishing against poorly protected networks is generally thought to have been the principal means by which discreditable emails were obtained and
Starting point is 00:11:10 made public. The public leaks were generally achieved through various false personae and distributed through trolling social media accounts and similar channels. There will certainly be additional U.S. measures taken to protect elections and infrastructure from cyber attack. NSA and U.S. Cyber Command were last week directed by their head, General Paul Nakasone, to coordinate actions to counter Russian attempts to interfere with midterm elections, this lying within the organization's authorities. Other agencies, including the CIA, the Department of Homeland Security, and the FBI, are, according to the Washington Post, taking similar steps. A National Security Council spokesman told the Post, under conditions of anonymity, that, quote,
Starting point is 00:11:54 The NSC has regular and continuous meetings to coordinate a whole-of-government approach to foreign malign influence and election security. There will no doubt be more backing and filling, clarification, and so on in the days to come. For example, President Trump earlier this afternoon was asked by a pool reporter at a cabinet meeting whether Russia was still targeting the U.S. Trump's response was, no. It's been widely and promptly noted that Director of National Intelligence Coats said as recently as Friday that the warning lights were flashing red with respect to the threat of Russian cyber attack. Finally, in another clarification, Slate retracts a story about a Verizon data breach the online publication ran early this week. Their report mistook an old story for a new one, mistaking a disputed account of a third-party breach from July 2017 for a newly breaking incident.
Starting point is 00:13:00 Well, Slate said, we goofed. And no, Verizon wasn't breached. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:14:13 They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:15:03 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Joining me once again is Robert M. Lee. He's the CEO at Dragos. Robert, welcome back. You all recently published some information about Electrum. Take us through what you all found. Yeah, absolutely. So Electrum is the activity group, the threat associated
Starting point is 00:15:48 with the crash override malware that was deployed against the Ukrainian Kiev substation in 2016. So it was the first piece of malware specifically to be designed to disrupt electric power. And what was interesting to me about this case,
Starting point is 00:16:04 besides sort of the significance of it and diving into the capability and understanding all the things that did. But what was interesting is the group is so active, sort of this activity group, if you will, still going out and targeting other locations. We haven't seen any attacks to follow. We haven't seen, you know, sort of pre-positioning of crash override-like capability, but we've seen them absolutely target and breach other providers, other electric providers outside of Ukraine, including some water sites as well. And I think this is, you know, a reoccurring, continuing
Starting point is 00:16:39 lesson in the community that it is a natural tendency of defenders to think about a big report getting disclosed or a big attack happening, and the intel report comes out, and we sort of have this idea that, and we're done. Well, we know now. The report's published. We're finished. And that's not the case.
Starting point is 00:16:58 These adversaries still obviously stay active, find that report publishing is not necessarily even deterring to them, of course, but just the start of getting the message out to people to take a look for this. And what I really like about industrial control, specifically in these type of threats that we track here, is it highlights that just focusing on things like technical indicators are not going to be sufficient. The Electrum targeting of one power site versus another and the capabilities they ultimately deploy for the specific industrial controls in that site are going to be pretty specific to those sites.
Starting point is 00:17:37 It's going to make a lot of changes. If we're just tracking IP addresses and hashes and things like that, it's not going to be sufficient. But when we track this higher level analysis, like Electrum as this activity group, we instead track their behaviors and their trade craft, their methods, and the styles and patterns of infrastructure choices and styles and patterns of victims. And we move from the technical to the trade craft. That's where we can absolutely make this scalable in terms of detection and focus
Starting point is 00:18:05 and insight. And that's pretty empowering as a defender. Now, is it that tradecraft, is that one of the elements that allows you to track them, to know that you're dealing with the same group? Absolutely. So every time an adversary does something, they generally leave kind of a human fingerprint behind, you know, the way they do it, the way they configure their malware, the way they develop capabilities, the way they choose infrastructure. It's like if I were to go through and make a persona and start registering domains, maybe the way that I register the domains or the type of who is information that I put in it, maybe that would have a pattern. And I would position it likely does because humans are creatures of patterns. And effectively, you do try to follow those patterns and tradecraft and look for largely those methods
Starting point is 00:18:57 versus just the technical components that are much easier to change. Now, in terms of misdirection, when folks are intentionally trying to throw you off the path, have we reached a point where misdirection can usually be spotted? Is it obvious or is it still a tricky thing? Yeah, so misdirection and then sort of its sister discussion of like false flags, they're absolutely a tricky thing but they're they're much more tricky thing for attribution than they are defense if i really want to know who did the attack then i very much have to factor in the idea that there might be some misdirection or even a false flag nature to this if i'm trying to defend against the attack
Starting point is 00:19:41 if they use a hundred percent overlap with tradecraft, 100% overlap with methods, and do everything that would really make it seem like it's misdirection or false flag, it still doesn't matter because they still did the attack and they're still using the methods and tradecraft from tracking and still doing defense. So the how versus the who changes the difficulty of the questions we're asking. How versus the who changes the difficulty of the questions we're asking. In this case, false flag operations from a defense perspective are no different. It is only in the who that that begins to really matter.
Starting point is 00:20:15 Robert M. Lee, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:21:15 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is
Starting point is 00:21:38 Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:22:43 That's ai.domo.com.
