CyberWire Daily - Manchester bombing investigators look at bomber's network. EnSilo patches ESTEEMAUDIT. Cron cyber gangsters arrested. What we hear at the Cyber Investing Summit.
Episode Date: May 24, 2017. In today's podcast we hear that the Manchester bombing investigation is looking closely at the bomber's networks, with international cooperation. NSA says it's waging cyber war against ISIS. EnSilo patches ESTEEMAUDIT, one of the vulnerabilities set up for exploitation by EternalBlue. Russian police arrest members of the Cron cyber gang. Ben Read from FireEye describes recently discovered zero-days. Jonathan Katz outlines some Bitcoin vulnerabilities. And the Cyber Investing Summit opened with some demonstrations of the use and abuse of misdirection in hacking. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code N2K.
The Manchester bombing investigation is looking closely at the bombers' networks with international cooperation.
NSA says it's waging cyber war against ISIS.
FireEye gives us a rundown on some EPS zero days.
And the Cyber Investing Summit opened with some demonstrations of the use and abuse of misdirection in hacking.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Wednesday, May 24, 2017.
Investigation into the Manchester terror attack continues.
ISIS has, of course, praised the attack as an inspiration and claimed the bomber as a soldier of the caliphate.
Authorities in the UK are increasingly approaching the conclusion that the attack wasn't the work of an isolated fanatic,
but rather one carried out with some degree of encouragement, inspiration, and support from others.
Police won't say yet whom they're looking for,
but the investigation is reported to be concentrating on unraveling Abedi's network.
One of the arrests made so far occurred in Libya.
A counterterrorism task force took Abedi's father into custody during a raid in Tripoli.
France's defense minister has pledged closer intelligence cooperation with the UK,
and such an arrangement was part of President Macron's projected policies during his campaign.
U.S. President Trump has also offered solidarity and collaboration.
In testimony yesterday before the U.S. Senate, NSA Director Admiral Rogers said that the U.S. was conducting extensive cyber operations against ISIS, doing everything possible within the scope of existing law.
What those operations are, of course, remains unspecified.
Remediations for the EternalBlue exploits used by WannaCry and other campaigns continue to appear.
One notable one was announced earlier today.
Security firm EnSilo released a patch it devised for one of the more significant EternalBlue vulnerabilities.
Their work closes off ESTEEMAUDIT, which had been used to exploit Windows XP and Windows Server 2003.
So bravo, EnSilo.
Another noteworthy patch was issued yesterday by Trend Micro, who have fixed a serious vulnerability in their ServerProtect for Linux 3.0 product.
Trend Micro offered a tip of the hat to Core Security, whose researchers found and reported the bug.
Ben Read is an analyst at FireEye iSIGHT Intelligence, working on their espionage research team.
They recently discovered some zero days taking advantage of a flaw in the way Microsoft software handled EPS files.
He joins us to share their findings.
So we found a total of three vulnerabilities being exploited in the wild, sort of before patch, or as zero days.
There were two EPS vulnerabilities that allowed remote code execution, and there was one escalation of privilege vulnerability.
So one of the EPS vulnerabilities, CVE-2017-0261, was actually being used by two different groups.
One of the groups we track as Turla.
They are a Russian cyber espionage group.
They have been around for a long time, probably up to 20 years.
They're sort of one of the old ones on the block.
And so they were using this zero day to drop their signature SHIRIME malware.
And they used it against a European diplomatic target.
The second group using this vulnerability was an unidentified group we hadn't seen before.
But they were targeting Middle Eastern banks. So they were hitting both regional banks, sort of based in the Middle East, and the Middle Eastern branches of global banks.
The second set was activity by APT28, which people are hopefully familiar with. If you're interested enough to be listening to this podcast, you probably have heard of APT28.
So they're obviously associated with the hack of the DNC, longtime espionage actors, also acting in support of Russian goals.
They were targeting, again, European military entities and diplomatic entities, so things like ministries of foreign affairs, ministry of defense.
And the sample we recovered from them actually was exploiting two different zero days.
This was CVE-2017-0262 and CVE-2017-0263.
0262 was also exploiting a vulnerability in how Microsoft Office handles EPS files, the same as 0261.
Different ways they handle EPS files, so very different vulnerabilities, not linked.
And they also bundled that with an escalation of privilege vulnerability. So they were using two zero days in this one campaign. So that's a lot of firepower in one document. So likely these were targets that were of high value to them.
These are out in the wild. What are the recommendations for making sure that people are protected against them?
If you apply Microsoft's latest patch, you will be protected. We worked with Microsoft following responsible disclosure guidelines. So we let Microsoft know as soon as we found these, and they were able to patch them quickly.
And so this past Patch Tuesday, which I think was May 9th, there were patches released. So if you install those patches, you will be protected.
There are two interesting things that I think are worth pointing out. The first is about 0261.
It was used by both a nation state group and a likely financially motivated group, which tells us some interesting things about the sort of gray market in vulnerabilities.
Both exploits were implemented very similarly, where it looks like they sourced the vulnerability from the same place.
So somebody out there is selling to both the Russian government and to criminals.
So it's interesting to see both that criminals have access to sort of some of the highest caliber stuff out there, but also that this vulnerability market is fluid.
So that's one point.
And the second point is sort of to refute some of – there's been some discussion about APT28, and this is casting a little bit of a straw man.
But there's been talk about, hey, if they're this big, bad Russian group, why are they using things like credential stealing that, you know, I can stand up a website that looks like Google and tell somebody to go to it.
But this shows this group following the same patterns that we track, following sort of all the things that line up with attributing to them, using two zero days in one thing.
So they really can bring their fastball.
But they only use these valuable things and sort of expose these vulnerabilities to being patched when they need to.
If they can get in using just credential stealing or a document with a macro, they'll do that.
That's Ben Read from FireEye.
Taking a quick look at our CyberWire events calendar,
if you're going to be in Seattle on the 1st of June,
consider looking into that city's Cybersecurity Summit.
You'll get the skinny on the latest threats and solutions
from the U.S. Department of Justice, CenturyLink, root9B, IBM, and others.
Register with promo code CyberWire50 for half off your admission.
The regular price is $350, so it's a nice savings.
Another conference you might be interested in meets June 19th in Fairfax, Virginia.
CyberTech Fairfax will cover global cyber threats, solutions, innovations, and technologies.
And if you're looking to continue your professional education in cybersecurity,
did you know that the SANS Institute offers a master's degree?
They do.
Find out more in their free online session Tuesday, June 13th at noon Eastern Daylight Time, or visit sans.edu.
We spoke a minute ago of the possibility that WannaCry was misdirection for some other, possibly more serious campaign.
In cyberspace, the possibility of misdirection should never be dismissed out of hand.
We saw some of that yesterday in New York at the second annual Cyber Investing Summit.
The once notorious hacker Kevin Mitnick, now famous and much petted since turning in his black hat for a white hat and signing on with KnowBe4, gave an opening keynote in which he traced his own interest in hacking to a high school period in which he was interested in magic.
We mean, of course, conjuring, like the Amazing Randi, not real magic like you see in Harry Potter.
He showed the uses of misdirection in several live demonstrations.
We'll just say this.
If Mitnick comes within three feet of you,
he's probably remotely read the various cards you carry with you to open doors.
We'll have more on the Cyber Investing Summit in tomorrow's Cyber Wire, but until then, we've got our eye on you, Mitnick.
Finally, Russian police are said to have rolled up members of the Cron gang on a beef involving the sale of the Tiny.z Android banking trojan and the Pony Fork's Windows spyware.
The Cyber Wire heard from AlienVault security advocate Javvad Malik.
He said the Android trojan in particular is a good reminder of the growing threat to mobile security, and there are things users do that render them more vulnerable than necessary, like jailbreaking their phone, or downloading apps from unofficial third-party stores, or indiscriminately clicking links in unsolicited emails or SMS messages.
He said, quote,
users should be wary of what permissions an app is asking for
and exercise caution where excessive permissions are being sought, end quote.
Heard and noted.
So don't try any of that stuff on us, Mitnick.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge
of technology. Here,
innovation isn't a buzzword.
It's a way of life. You'll be
solving customer challenges faster
with agents, winning with purpose,
and showing the world what AI
was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist
who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel,
Night Bitch is a thought-provoking and wickedly humorous film
from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney+.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
by Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center.
I saw an article in Naked Security that was called Internet Routing Weaknesses Could Cost Bitcoin Users. What's going on here?
Well, the Bitcoin protocol fundamentally relies on the assumption that different users in the network are able to communicate with each other. So in particular, that's very important for the consensus mechanism that Bitcoin uses. It allows everyone to agree on a common view of transactions in the system. And if you can partition the network into two disconnected halves, or if you can partition a user from the network, it could have serious implications for the security of the Bitcoin protocol.
So walk me through, what exactly would that mean from a practical point of view?
Well, what they were showing here was that under certain conditions, your ISP, if they were malicious, could actually induce this kind of a disconnection in the network. So for example, they could look at things that you're trying to send if you're a Bitcoin miner, and they could refuse to forward those to the rest of the network, or they could choose to partition the network into two halves that couldn't communicate with each other. So looking at the first case, for example, right, that would mean that a Bitcoin miner that had been able to find one of these proofs of work that effectively allowed them to mine fresh Bitcoin would not be able to communicate that with the rest of the network. And that would mean they would lose out on the Bitcoin that they had mined. So basically, an ISP that really disliked or wanted to get at one particular user could, in effect, make it impossible for that user to ever mine fresh Bitcoin.
And so once a user got segregated, got forked from the main fork of Bitcoin, I suppose, is there no way to join them back together again?
So they can. I mean, I think actually this attack is pretty theoretical, and for several reasons I doubt it's very practical. I think the main point, something that you're hinting at, is that the user would certainly notice. So it might be possible for an ISP to carry out this attack, although I think it's unlikely because, you know, if they were ever caught doing that, it would really risk a lot of business for them. But anyway, it would certainly be possible, but then the user would notice, and they would then have to switch ISPs to get reconnected to the network. So it's not something that would be kind of catastrophic for the user. But until they noticed, it would certainly be very damaging.
The way Bitcoin works is that it can resolve these forks automatically when people reconnect, correct?
That's true. But let me just say that it would be pretty bad if that disconnection went on for a long time. So let's just say that this was going on undetected for, I don't know, let's say a two-week period. Well, eventually the network would restabilize and everybody would be able to re-agree again on a common set of transactions. But any transactions that have occurred in that two-week period might get undone. So even though you could eventually recover, it would certainly be bad for the network as a whole.
I see. All right. Interesting stuff. Jonathan Katz, thanks for joining us.
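The partition scenario Katz describes, as an added toy model that is not part of the podcast or of any Bitcoin implementation: three nodes follow a longest-chain rule (every constructed block has equal difficulty, so "most work" reduces to "longest"), a miner named alice is cut off from her peers, both sides keep mining, and on reconnection alice's side is reorganized onto the longer chain. The block and node classes, the node names, and the transaction ids t1..t6 are all constructed for the example; the simulation returns what a practitioner would want to check, namely which transactions were undone and whether alice's block rewards survived.

```python
"""Toy model of a Bitcoin-style network partition and the reorg that follows reconnection.
Constructed for illustration; not the protocol's real block format or peer protocol."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Block:
    height: int
    parent: Optional["Block"]
    miner: str
    txs: Tuple[str, ...]  # constructed transaction ids confirmed by this block


GENESIS = Block(0, None, "genesis", ())


def chain_of(tip: Block) -> List[Block]:
    """Walk parent pointers back to genesis; returns the chain genesis-first."""
    out: List[Block] = []
    b: Optional[Block] = tip
    while b is not None:
        out.append(b)
        b = b.parent
    return list(reversed(out))


def confirmed_txs(tip: Block) -> Set[str]:
    """Transactions a node considers confirmed are exactly those on its active chain."""
    return {tx for b in chain_of(tip) for tx in b.txs}


def block_rewards(tip: Block) -> Dict[str, int]:
    """Only blocks on the active chain pay out; orphaned blocks earn nothing."""
    rewards: Dict[str, int] = {}
    for b in chain_of(tip)[1:]:
        rewards[b.miner] = rewards.get(b.miner, 0) + 1
    return rewards


class Node:
    def __init__(self, name: str) -> None:
        self.name = name
        self.tip: Block = GENESIS
        self.peers: Set["Node"] = set()  # links the (simulated) ISP can cut

    def connect(self, other: "Node") -> None:
        self.peers.add(other)
        other.peers.add(self)
        # On (re)connection each side offers its tip; the longer chain wins.
        self.accept(other.tip)
        other.accept(self.tip)

    def disconnect(self, other: "Node") -> None:
        self.peers.discard(other)
        other.peers.discard(self)

    def accept(self, block: Block) -> None:
        # Longest-chain rule: adopt a strictly longer chain, then relay it to reachable peers.
        if block.height > self.tip.height:
            self.tip = block
            for peer in list(self.peers):
                peer.accept(block)

    def mine(self, txs: List[str]) -> Block:
        block = Block(self.tip.height + 1, self.tip, self.name, tuple(txs))
        self.accept(block)
        return block


def simulate_partition() -> Dict[str, object]:
    alice, bob, carol = Node("alice"), Node("bob"), Node("carol")
    alice.connect(bob)
    bob.connect(carol)
    alice.connect(carol)

    bob.mine(["t1"])  # whole network agrees on height 1
    # The hostile ISP stops forwarding alice's traffic: she is partitioned from everyone.
    alice.disconnect(bob)
    alice.disconnect(carol)
    alice.mine(["t2"])  # alice's proofs of work never reach the rest of the network
    alice.mine(["t3"])
    bob.mine(["t4"])    # meanwhile the rest of the network keeps extending its chain
    carol.mine(["t5"])
    bob.mine(["t6"])
    during = {
        "alice_height": alice.tip.height,
        "network_height": bob.tip.height,
        "alice_confirmed": confirmed_txs(alice.tip),
    }
    # alice notices and switches ISP: on reconnection the longer chain replaces hers.
    alice.connect(bob)
    after = confirmed_txs(alice.tip)
    return {
        "during": during,
        "alice_height_after": alice.tip.height,
        "same_tip": alice.tip is bob.tip,
        "undone_txs": during["alice_confirmed"] - after,   # confirmed only on the orphaned side
        "alice_rewards_after": block_rewards(alice.tip).get("alice", 0),
    }


if __name__ == "__main__":
    print(simulate_partition())
```

The "two-week undetected partition" case is the same mechanism with more blocks on each side: whichever side ends up shorter has its blocks orphaned, the transactions confirmed only there drop back to unconfirmed, and the rewards for those blocks vanish, which is why a miner on the cut-off side loses the coins it thought it had mined.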
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Thank you.