CyberWire Daily - Malicious misdirection. Found on the subway. A summary of file exposure. Turla’s back, and as clever as ever. ICRC proposes rules of cyberwar. Baltimore ransomware update.
Episode Date: May 31, 2019. Malicious misdirection served up from unpatched WordPress sites. A big, big set of dating site records has been found exposed online--it's in China, but the records seem to belong to anglophones. Many other files are exposed elsewhere, too, so it's not a single problem. Turla's back, and still after diplomats. The International Red Cross proposes rules for cyber conflict. And Baltimore City calculates the cost of not patching. It's a lot higher than the cost of patching. Craig Williams from Cisco Talos with his take on a critical Microsoft vulnerability, CVE-2019-0708. Guest is Matt Aldridge from Webroot on the San Francisco facial recognition ban. Justin Harvey from Accenture on the dramatic increase in targeted ransomware. Guest is NSA's Diane M. Janosek, celebrating the 20th year of their Centers of Academic Excellence in Cybersecurity program.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hidden Wasp backdoors Linux systems and aims at more than the usual coin mining or DDoS.
Thousands of Huawei and ZTE devices remain in U.S. federal networks.
It takes time to fully implement a ban.
China considers retaliation for the U.S. entity list
as the U.S. works to bring its allies on board.
Baltimore may have been warned about its vulnerable servers
as long as five years ago.
NSA celebrates 20 years of their Centers of Academic Excellence in Cybersecurity,
and Netscout sees signs of a coming IoT hacking campaign.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday,
May 31, 2019. Security firm Intezer described Wednesday the operations of Hidden Wasp,
a campaign that installs a backdoor into Linux systems.
Most Linux-focused malware has tended to concentrate on coin mining
or distributed denial of service,
and it's also tended to be, relatively speaking,
observers say, heavy-footed and noisy.
Hidden Wasp, in contrast, is not only relatively stealthy,
but also has as its aim the control of infected devices by the attacker,
and many who've commented on the backdoor see this as a new and disturbing development.
Hidden Wasp borrows freely: components of Mirai, the ChinaZ Elknot implant, the Azazel rootkit, and the Linux version of Winnti have all been seen in its code.
Attribution remains unclear, but some think it looks like an operation with Chinese origins, either with criminal organizations or intelligence services.
AT&T Cybersecurity's Alien Labs, for one, tells SC Magazine that they've concluded, with high confidence, that Hidden Wasp falls under the Winnti umbrella, a set of groups associated with China.
Intezer says that Hidden Wasp's infrastructure bears some similarities to some of the recent Winnti Linux variants researchers at Alphabet's security unit Chronicle have been discussing. It's got a user-mode rootkit, a trojan, and an initial deployment script
that bear a family resemblance to those Winnti strains.
Intezer also sees other signs of connection to China.
They say that files were uploaded to VirusTotal
using a path that contains the name of a China-based forensics outfit,
Shen Zhou Wang Yun Information Technology.
The malware implants, Intezer thinks,
may be hosted in servers from a Hong Kong hosting company,
ThinkDream.
It's worth noting that Hidden Wasp
seems to have escaped detection by most antivirus software.
This will doubtless change
as the defenders adapt to the new malware.
Forescout tells NextGov that some 4,000 Huawei and ZTE devices
remain on U.S. federal networks.
The security company reasonably notes that purging networks of all the devices
in a given category is often harder than just issuing a simple make-it-so.
You can't just rip them out, a representative of the firm said.
TechCrunch reports that Huawei is, on an interim basis at least,
trying to limit the damage of U.S. measures by limiting contact between its U.S. and Chinese workers.
This response to placement on the U.S. entity list seems to be a bit of a scramble
as the company works its way through the consequences of U.S. action.
The Chinese government itself
has announced that it's compiling an evidently retaliatory blacklist of what it calls unreliable
U.S. companies. It's already indicated an intention to stop using Windows on the grounds that, for
all Beijing knows, Windows could be exploited by the U.S. for espionage purposes. China is also
considering a halt to exports of
rare earth metals, which are vital to the solid-state electronics industry.
The U.S., however, shows few signs of relaxing the pressure on Huawei. President Trump is widely
expected to make British action of some kind against the Chinese device manufacturer
a condition of the continuing and very close Anglo-American
intelligence sharing arrangements. It's unlikely in the extreme that Five Eyes' collaboration would
be completely dismantled, but an impasse over Huawei would have unfortunate effects on the
special relationship. Turning to what is, for us, local news, Baltimore's IT office seems to have played Cassandra to the city's King
Priam and Queen Hecuba. It warned in an undated risk assessment memorandum that seems on internal
evidence to have been prepared between August 2016 and September 2017 that servers running
unsupported versions of Windows posed a clear risk. The memo, according to the Baltimore Sun,
specifically called out the likelihood of ransomware attacks
and observed that the two critical servers in question
were also not being regularly backed up.
So there appears to have been a trifecta of questionable decisions,
continuing to use outdated software,
failure to patch when that software was given an upgrade,
and neglecting to back up critical systems.
And like Cassandra, the authors of the risk assessment were fated to be disbelieved,
or at least ignored. Baltimore's mayor and city council have sought, with some support from parts
of Maryland's congressional delegation, notably Representative Ruppersberger and Senator Van
Hollen, to shift blame for the mess over to the federal government.
Specifically, they've pointed the fingers at Charm City's hometown intelligence agency, NSA.
But this line of self-exculpation may not have legs for much longer.
The RobbinHood ransomware, first of all, wasn't an NSA tool,
whatever casual reporting may have led one to believe.
The initial infection was probably through a commonplace phishing attack,
nothing that required the dark arts of Fort Meade.
But the ransomware did appear to exploit the EternalBlue vulnerability
that NSA is widely believed to have discovered and then held back for operational use.
Still, the Shadow Brokers blew the gaff in 2017 when they dumped EternalBlue onto the web,
and warnings and patches have been available for a good two years.
NextGov reports that NSA's Rob Joyce said yesterday that,
while everyone feels bad for Baltimore, the city did, after all, have two years in which to patch.
Chris Tonjes, a former Baltimore City CIO who resigned in 2014,
said he tried to get the city to upgrade the servers back then, but without success.
He put it more brutally than NSA did. He told the Baltimore Sun, "They rolled the dice and they lost. I really have no sympathy."
Researchers at security firm Netscout warned this morning that people should expect an upswing in IoT hacking campaigns.
Since the end of April, their honeypots have been collecting a surge in exploit attempts
directed against routers affected by a vulnerability in the Realtek software development kit.
The vulnerability, CVE-2014-8361, is being used to deliver and install a version of the
Hakai DDoS bot malware.
Hakai is most often used in distributed denial-of-service campaigns.
Who's conducting the campaign and why remains unclear,
but it's known that most of the attack traffic originates in Egypt
and that it seems most interested in routers located in South Africa.
The Long War Journal reports that ISIS, now in its diaspora phase, was quick to go online to claim responsibility for a suicide bombing at Afghanistan's Marshal Fahim National Defense University in Kabul.
Inspiration and franchising appear to be the caliphate's post-territorial approach.
And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture.
Justin, it's always great to have you back. We wanted to focus today on ransomware,
some of the things that you all are tracking when it comes to that. What can you share with us?
Well, Dave, what I can share with you is there's been a dramatic trend increase in targeted
ransomware. Targeted ransomware is a lot different than your normal commodity ransomware.
When you think about ransomware, you think about random emails
showing up that have been blasted out to millions of people.
Someone clicks a link and boom, their hard drive or their documents
have all been encrypted with an automatically generated link
that says click here, deposit a Bitcoin into this wallet,
and we'll email you the key. There has been a dramatic turn into something a little bit more
nefarious. Now, cyber criminals, instead of penetrating an organization and finding the
high value assets and taking them out of the enterprise, they're just simply encrypting them
in place because they've realized that when you steal
data, you have to monetize that. You run the risk of dealing with law enforcement.
You've got to deal with the dark web and finding a buyer and registering in underground forums.
Listen, from a criminal's perspective, I'm sure it's pretty onerous to go through all of those
processes when in fact, you can just go where the data isn't encrypted, sometimes using the victim's own tools.
You can encrypt the file, you can encrypt the disk, and then of course you send an anonymous email back to the victim and say, hey, I need this many Bitcoins in order to return the data to you.
also seeing a startling trend where in order to cover their tracks or to create quite more of an impact or impetus for the victim to pay, they're also compromising domain admin credentials and
pushing the ransomware out to the entire enterprise using very valid and normally used tools that
administrators are using to push normal software updates out. Now, help me understand this. I've
heard folks say that if you find yourself falling
victim to ransomware, one of the things you should do is make a copy of all that encrypted data so
that, you know, if the bad guys come back and try to wipe that data or if your attempt at decrypting
it is unsuccessful, even though it's still encrypted, you'll have a copy of that encrypted
data. Is that on the money? I think that that's a very valid strategy, but I think that that breaks down when you start to
look at the scale at which some of these incidents are happening. We're talking about organizations
at 5, 10, 15, 50,000 endpoints in an enterprise, and there's simply no way to copy all that data.
Clearly, if you have some
high-value assets like your customer database, credit card database, something that is more
centralized, absolutely, 100%, copy that encrypted data. But I would say that for the most part,
you're not going to be able to handle an incident of that size just by copying that data.
And what's the advice that you're sharing with your clients these days when it comes to whether or not to pay the ransom? Great question. I'm a
hardliner, Dave. I say under no, actually under one circumstance should an organization consider
paying. And that would be if there is a material impact to loss of life or damage to the environment.
For instance, is an entire oil refinery going to blow
up and affect the quality of life for an environment or for a city? Or is it a hospital?
Can they still get care to their patients? And if all of that is at risk, I think you should
definitely consider it and consider working with your local law enforcement office before making
that sort of decision.
But if you do go down that route, and believe me, Dave, there's a lot of cons to paying these criminals. And one of them is thinking about the regulatory filing aspect of this,
because if you don't acknowledge it within your quarterly or yearly filings, and if it was a
sizable payment, then if it does come out,
you could be nailed for not notifying shareholders. The other thing is you may not even know who
you're paying. So if you are paying an entity and it turns out that later on that was a sanctioned
entity, perhaps a country or a terrorist organization, that will also have to come
out in your filings, which could have a material impact in stockholder value. Yeah. So keep those backups current and make
sure you test that they're actually working, right? Yeah. I can't say enough about both hot,
warm, and cold backups. So definitely keep some of your backups around in the cloud, on-prem,
keep them around so that you can quickly roll back. But in some cases, those backups themselves have also been encrypted. So what
you're going to need is definitely some longer-term storage. There are some organizations out there,
some businesses that store them in big, cooled warehouses for you. But a little trick here, make sure that you keep your manifest of backups
out of harm's way
because you don't want to be in a circumstance
where you're like, well, we need to restore this server,
but the manifest for which backups to pull from
are on this encrypted file server over here.
So you want to think through
having an all-out disaster recovery scenario, which is a little bit different than having to restore a data center.
Because most organizations today, they think, okay, I've got four data centers and I have the cloud.
So as long as I don't lose everything at once, I'm okay.
I always have a hot spare.
Well, in the event of some of these crippling cyber attacks we've been working, everything is down.
Voice over IP,
email, calendar, contacts, legal, file systems. So you have to think to yourself, how are you going to communicate and work that incident if everything that you normally rely upon is down?
Well, Justin Harvey, thanks for joining us.
Thank you, Dave.
My guest today is Diane M. Janosek.
She's Commandant of the National Cryptologic School at the National Security Agency.
She joined us recently in our studios to recognize 20 years of NSA's Centers of Academic Excellence in Cybersecurity program.
The program brings together colleges and universities along with industry
to help bridge the cybersecurity skills gap,
establish rigorous standards for academic programs in cybersecurity,
and to provide a pipeline for cybersecurity professionals.
We started our conversation with a look back at the program's inception.
At the time, there were more cyber attacks occurring,
more with the military and the defense areas. And we were recognizing that the need to secure
information networks was tremendous. And what the need was, is as you probably would guess,
there were no textbooks back then. You really didn't even have academic professors. You wouldn't
have professors that could teach cybersecurity at the collegiate level, let alone even at the high school level.
So from going from nothing to a full on-ramp in terms of now having programs at the college level, at the community college level, through the Ph.D. level in cybersecurity has really been tremendous for the country.
Take me through some of the ways that the program has evolved over the years.
What changes have you seen?
Well, we're recognizing now that we have to focus more on what's on the horizon.
So we've now established a designation for CAE-research.
So you can be a research institution
so that you can take a look at what technology is on the horizon,
what innovation is occurring in the area of technology
that we might have vulnerabilities that we're not thinking of.
We all see what's going on with respect to internet of things and social media and all the
vulnerabilities that may occur there with respect to all the connections that we have in everyday
lives and everything that we do. So recognizing that, we partnered with the schools. We now have
rigorous standards in the area of research. We have standards now at the advanced levels with the master's and PhD level.
And so we're just trying to really say, what do we need to do as a country to come together and
say, what are our adversaries, whether they be foreign adversaries or even within our own country,
what are adversaries doing to address and attack our networks? And what do we need to do to come
together to respond to those.
So we've really embraced the two-year programs with the community colleges.
We also really embraced older workers or more seasoned workers
that want to cross-train.
So if you're right now working maybe in the health care sector,
but you also want to branch out a little bit
and do maybe the work on the cybersecurity side of health care,
which is really important, you can now do that as well through the cross-training efforts
that we have with these academic institutions, these 272 schools across the country.
Yeah, one of the things that really impresses me about the program is the breadth
of it.
One of my partners on the Cyber Wire, his name's Joe Carrigan, and he works at Johns
Hopkins, and of course you all partner with them. But then also here locally, you work with Howard Community College.
And so there really is opportunities from elite schools to institutions that are available to everyone and beyond.
Thank you for raising that.
We absolutely agree with you.
It is for the best, really high-end institutions as well as the local community colleges.
What Howard County Community College is offering is tremendous,
as well as Prince George's Community College and Arundel Community College.
They're so diverse.
And what the goodness about the program is, is that once you join the CAE program,
you belong to a community.
They actually have an institution, a legal entity that they've created,
called the CAE Cybersecurity Community.
They come together, they share resources, they'll share curriculum, they'll share cyber
labs, they'll share training resources so you don't have to recreate material from scratch.
They share information, they share opportunities for students to then go from a two-year program
to a four-year program to a master's program.
The cybersecurity community is very, very innovative.
What they recognize now is they had to come together to give students an opportunity to get hands-on experience.
They've created opportunities where there's partnerships with over 50 businesses where they can recruit from virtual career fairs for these students.
So the CAEs, through the program over the course of 20 years, the CAE schools have come together, really leveraged each other, shared resources, and really have made this country a
better place. And so it really is reaching beyond those college-level institutions. You're going
down to the high school level, the middle school level, really building that pipeline, getting them
while they're young,
sparking that interest in them. Absolutely. The CAE program, through its 20-year history,
has created a sense of community. So not only do they have a community with the colleges and the federal government across all the different states, they've established a
community right where they are, right in their local area. What can you tell us about what the colleges get out of it? Is this a feather in their cap that they can then go talk about and say,
hey, we're a part of this? Absolutely. Our schools that are CAE-certified, you will see that
designation prominently on their websites. They absolutely say we have met the standards that are
being expected of us for rigorous curriculum. Not only is the curriculum held to a high standard, but the professors, the faculty are also well credentialed.
They are skilled in the area that they're teaching. They're not just teaching something
they don't have familiarity with. So you know when you go to a CAE school that you will get
faculty that understands the discipline for which they're teaching. In addition to that,
they also have an opportunity to have scholarships for their students
while they're attending the schools. The neat thing in the Department of Defense
is that they're recognizing now that we need to have something akin to a cyber
ROTC program. It's called the DoD Cyber Scholarship Program and it essentially is
recruiting high schoolers to go to one of the CAE schools, attend one of the CAE schools on
scholarship, and then do a couple of years with the federal government in a particular area and
serve back. And it really is the cyber ROTC program is really the first of its kind. And that is
definitely a feather in the cap for those institutions that are getting those students.
So through the programs like the CAE program, what NSA is really committed to doing
is increasing the pipeline of cybersecurity professionals.
We are especially committed also to increasing the pipeline
with more female and minority involvement.
The diversity part of cybersecurity is so important.
As we know now,
and we're all experiencing this with cybersecurity,
it's multidisciplinary.
It's not just the technology side.
You have to understand multifacets, the diversity that's out there
with respect to having different viewpoints on a team is really important.
Making sure that there's a team effort, that all team players feel that it's safe to share information,
that they're included in that response.
So diversity and inclusion is really important,
and we're hoping to achieve that as well in the area of STEM and cyber through the CAE program. One last thing I wanted to
mention is that NSA can't do this alone. We do this through our partnerships with other federal
agencies. We do this with the state involvement as well, with industry involvement. Through the
federal government, through grants, through the grants process, NSA has invested over $100 million annually in support
of academic partner programs, through educational grants, through research, through recruitment
efforts. We recognize that this whole country can benefit from a rigorous academic program such as
these, through the sharing that occurs as a result of it, through the community that's created.
And it's very, very powerful. And we really appreciate
the CAE schools rising to the occasion, agreeing that there's a need to raise the bar,
agreeing that our whole country benefits from cybersecurity professionals,
and we just value the partnerships that we have. Our thanks to Diane M. Janosek from NSA for
joining us. If you want to learn more about the Centers of Academic Excellence in Cybersecurity,
visit the NSA website. It's in the resources section.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.