CyberWire Daily - Memcrash and amplification attacks. SAML vulnerabilities. Thanatos ransomware. Petya returns (so does Marcher). Deterrence and election security.

Episode Date: February 28, 2018

In today's podcast, we hear that Memcrash threatens big DDoS events. Problems with single-sign-on solutions. Thanatos ransomware looks like its masters botched it, but that's not necessarily good news. The Marcher banking Trojan is back and bigger than ever. A new variant of Petya ransomware may be in circulation. What's the point of a false flag if no one's fooled? Dale Drew from CenturyLink on collaboration trends. Guest is Eric Cole, author of Online Danger. And the US Senate asks, how do you solve a problem like Vladimir?

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Memcrash threatens big DDoS events. There are problems with single sign-on solutions. Thanatos ransomware looks like its masters botched it, but that's not necessarily good news.
Starting point is 00:02:07 The Marcher banking trojan is back and bigger than ever. A new variant of Petya ransomware may be in circulation. What's the point of a false flag if no one's fooled? And the U.S. Senate asks, how do you solve a problem like Vladimir? I'm Dave Bittner with your CyberWire summary for Wednesday, February 28, 2018. A few new exploitable vulnerabilities are being reported, some of them being used in the wild. Cloudflare and Arbor Networks warned yesterday that the memcached open-source memory caching protocol can be abused to amplify distributed denial-of-service attacks.
Starting point is 00:02:47 The vulnerability, which Cloudflare calls Memcrashed, probably inevitably, affects memcached servers where UDP, that's the User Datagram Protocol, is enabled. US-CERT is taking the threat seriously. It's updated the UDP-Based Amplification Attacks advisory to include Memcache as a potential attack vector. US-CERT explains how UDP amplification works as follows. Quote, by design, UDP is a connectionless protocol that does not validate source Internet Protocol addresses.
Starting point is 00:03:20 Unless the application-layer protocol uses countermeasures such as session initiation in Voice over Internet Protocol, an attacker can easily forge the IP packet datagram, a basic transfer unit associated with a packet-switched network, to include an arbitrary source IP address. When many UDP packets have their source IP address forged to the victim IP address, the destination server, or amplifier, responds to the victim instead of the attacker, creating a reflected denial-of-service attack, end quote. According to US-CERT, a useful way of measuring the effect of an amplification attack is by
Starting point is 00:03:55 BAF, or bandwidth amplification factor. US-CERT offers a helpful comparison of different attack vectors by BAF. Other than a Memcache attack, a Network Time Protocol, that is an NTP, attack is the most severe in its effect, returning 556 payload bytes to answer a request for every byte in that request. Other kinds of attacks have a BAF of between 2 and 358. But a Memcache attack puts them all far, far to shame, clocking in with a BAF of between 10,000 and 58,000. Arbor Networks thinks the exploit will soon be available in commodity booter services. That is, Arbor says, the typical pattern. New exploits are hand-managed by skilled
Starting point is 00:04:40 threat actors and relatively swiftly turned into commodities that spread through the criminal-to-criminal black markets. Cloudflare urges everyone to disable UDP if they can possibly do so. Note that Memcache, by design, has no access controls, and so shouldn't be exposed to the Internet. The SANS Institute's Internet Storm Center also suggests blocking traffic from port 11211. We'll have more from the Internet Storm Center's Johannes Ullrich on tomorrow's episode of the CyberWire covering Memcache. Duo Security has found a new class of vulnerability affecting single sign-on systems
Starting point is 00:05:20 that use the SAML, that's the Security Assertion Markup Language. Exploitation could enable users with authenticated access to induce the system to authenticate as different users without needing to know the victim's passwords. This would afford attackers a ready way of pivoting from one compromised user to other accounts on a network. Remediation is possible but complicated because there are so many different single sign-on solutions in use, not all of which are equally vulnerable. Duo observes that what you should do about the SAML vulnerability, and you should certainly do something, would depend upon your
Starting point is 00:05:56 relationship with your vendor, and then sensibly recommends contacting said vendors for the right patch or mitigation. There are patches out there. Disclosure was coordinated with vendors. There's a newish strain of ransomware in circulation, too. According to MalwareHunterTeam, Thanatos ransomware makes it effectively impossible to recover files. Thanatos' masters generate a unique encryption key for each file but save none of them, which means victims pay ransom in vain. Researchers regard this as a botched process rather than an intentionally added layer of nastiness. Some believe there may be effective, if time-consuming, ways of brute-forcing
Starting point is 00:06:38 decryption. Some of the current threats are resurgent varieties of familiar ones. Researchers at security firm Lookout warn that Marcher, also known as Benka Mar Steeler, a banking trojan discovered almost five years ago, is back and bigger than ever. This month, Lookout has observed 7,700 samples in the wild, almost four times the number seen back in Marcher's 2016 heyday. And of course, you'll remember Petya, the ransomware that spawned notorious pseudo-ransomware imitators like NotPetya. A new variant of Petya called PetrWrap is rumored to be circulating in Europe and India. F-Secure told Safe Gmail that it spreads through the EternalBlue exploit
Starting point is 00:07:21 published by the Shadow Brokers. Given that you're a listener of this podcast, I'm going to go out on a limb here and guess that there's a good chance you spend a good bit of time doing tech support for your friends and family, helping to make sure they're as safe as possible online. Dr. Eric Cole is founder and CEO of Secure Anchor Consulting and the author of several books on cybersecurity. His latest work is titled Online Danger.
Starting point is 00:07:47 I've been working in security for 30 years and have written a lot of technical books. And what I find is when companies are getting breached and having problems, it's not because the technical people don't know what to do. They usually are doing a great job, have big budgets. It's everyone else in the company is making mistakes. You have executives, you have managers. Even when you look at large data breaches, you often have doctors, lawyers, parents, and teachers that have no clue what to do when it comes to cybersecurity. And I started looking for a book that I could recommend and recognize that not one single book existed that was easy to read for that audience. So I took it as a mission
Starting point is 00:08:32 to write a book to help make cyberspace safe for families, for parents, for teachers and doctors to help raise their awareness and most importantly, help them recognize that they are a target and there are actual things they can do to be protected online. Yeah, I have to say your book Online Danger is a book that those of us in the business could buy and give to our friends and relatives, our family, and it's a nice overview of the things that they could do to make themselves safer. I'm wondering, from your perspective, for those of us who are in the business, what are some of the things that we should be doing to better protect our families? Most importantly is have the conversation.
Starting point is 00:09:16 Make them aware that they are a target, because it amazes me how many people I talk to, and they go, Eric, I'm not important enough. I don't have enough money. No one's going to target me. No one's going to come after me. And they don't understand that this adversary, it's all about the numbers. They don't care who you are. They need to steal 10,000 identities a month. And if you have weak security, you're one of 10,000. Second most important thing is help them understand that most of our devices or applications, the systems we use, have security built in. That's the good news.
Starting point is 00:09:59 The bad news is it's often turned off by default. So you have to take action to turn on the security, properly lock down, properly protect. And then finally, the third thing is get rid of anything you're not using. With my kids, I look at their phone, and they have 100 to 150 apps that they just download randomly. Kids collect these things like they're the coolest thing out there. But when you go in and look under your privacy settings, my children had no idea that many of these apps were tracking their location, had access to their camera, had access to their microphone. So I helped them raise their awareness and then get rid of all those unnecessary apps that could create exposure points.
Starting point is 00:10:40 That's author Eric Cole. His most recent book is Online Danger. The U.S. intelligence community is telling Congress that deterrence has failed with respect to Russian operations in cyberspace. There just ain't no disputing that old Vlad Putin has been one busy bear. So how do you deter the bears? Classically, you come up with a countervalue strategy. You hold something the opposition values at risk. Finding that value is challenging. Perhaps that value is wealth, perhaps prestige.
Starting point is 00:11:11 It's doubtful it's human life or suffering, as the recent experiences of Russia's green men, deniable mercenaries, on the receiving end of American airstrikes and artillery in Syria would seem to indicate. The U.S. Senate has been asking Admiral Rogers what NSA and Cyber Command are doing about Russian election interference. Admiral Rogers' answer, in brief, is that his organizations lack the authorities to do much, that he can openly discuss, that is. And countering disinformation would be something new for NSA.
Starting point is 00:11:41 This seems unsurprising. The Department of Homeland Security would have general responsibility for election security, with the Department of Justice responsible for the sort of naming and shaming that so far has figured prominently in U.S. deterrent efforts. Looking back at the Olympics, it's striking how quickly suspicion of responsibility for the hacks during the opening ceremonies turned to Russia. Right, sure, security experts tended to say, there are some North Korean IP addresses,
Starting point is 00:12:10 some code reuse, some Korean language clues, but come on, straight up, it's the Russians. We're summarizing here. So, one might ask, why bother with a false flag operation when the imposter is so easily seen through? A piece this week in Wired suggests that one reason for attacking under a false flag is to induce doubt about future attributions, which is probably part of the point in Moscow's Olympic hacking maskirovka. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Starting point is 00:12:50 Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on
Starting point is 00:13:26 point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Hello, dearest listener. In the thick of the winter season, you may be in need of some joie de vivre.
Starting point is 00:14:24 Well, look no further, honey, because Sunwing's Best Value Vacays has your budget-friendly escapes, all the way to five-star luxury. Yes, you heard correctly. Budget and luxury all in one place. So instead of ice scraping and teeth chattering, choose coconut sippin' and pool splashing.
Starting point is 00:14:40 Oh, and, uh, book by February 16th with your local travel advisor or at... And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices,
Starting point is 00:15:08 home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:15:31 And joining me once again is Dale Drew. He's the chief security strategist at CenturyLink. Dale, good to have you back. I know you have been a real proponent of collaboration throughout the industry, and you've got some stuff you want to share about that today. I do. So, you know, I think I'm in the business of cybersecurity, which means I'm in the business of giving people bad news. Welcome to my world, Dale. Welcome to my world. And, you know, I think this is a great, you know, a great good story with regards
Starting point is 00:16:03 to the industry and the impact that we're having together in a very collaborative way. And so I'd say the second half of 2018, you know, after sort of the bow wave of Mirai and the impact that it had on the cybersecurity industry and the implications it could have as that sort of challenge evolved for the future, you know, a botnet that was over 1.2 million nodes large that was being rented out to a wide variety of people to launch revenue-based extortion attacks on the industry was a really big wake-up call for the security research community to start collaborating. And let me be very clear. The research community collaborates very well within their own layers. So the malware people talk to the malware people. The network people talk to the network people. But we really discovered with attacks like this that we have to be cross-ecosystem in order to effectively stop these attacks.
Starting point is 00:17:03 And so at the second half of 2017, you know, I can point to a couple of examples that we really got together as a community and stopped attacks within, one within hours, most within days, but no longer the weeks or even months of collaboration thresholds that we were dealing with before. You know, there was a recent report from PandaLabs that said that there were 18 million new malware samples captured in 2016. And so the amount of development that's happening from the bad guy perspective is not stopping. And it's dramatically increasing because they are discovering a way to commoditize revenue from these attacks.
Starting point is 00:17:48 And so the time has never been more important for the industry to collaborate. And I'm really glad to see that a number of us are getting together and sort of, you know, it does take a village to protect the Internet and that village is coming together. So I think there's no shortage of forums out there where people can share information like this. But so what separates this? What sets this apart from those sorts of things? You know, you are right. There are a number of forums available today that at different layers and even some cross layer that are intended to share information within the industry. You know, I think the issue is that the entrance criteria for a lot of those forums are set very, very high. They're intended to identify serious players, and so they have serious entrance criteria in the form of a pay-for-play sort of criteria. There's a fair
Starting point is 00:18:40 amount of fee-based entrance to get access to those cross-industry sharing collaboration forums. And we're really encouraging sort of just the community to get together and govern itself, and the community to get together and share information for the purposes of stopping threats before they become industry threats. And so we definitely want, I'm a huge fan of any information sharing on any forum. So I'm not saying that any of those other forums should stop or should be represented as a bad example. But we definitely want to encourage more cooperation and collaboration and action from the community to stop threats before they emerge as actual threats. I see. All right, Dale Drew, thanks for joining us.
Starting point is 00:19:29 All right. Thank you for having me. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. Thank you. run smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:20:39 The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
Starting point is 00:21:31 With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
