CyberWire Daily - More on ASUS supply chain backdoor. FEMA data mishandling. LockerGoga ransomware. Mueller report responses.

Episode Date: March 26, 2019

In today’s podcast we hear about supply chain attacks and Operation ShadowHammer’s ASUS backdoor. LockerGoga ransomware may be slow and sloppy, but its masters are determined and willing to play for high stakes. What will happen with FEMA over its data mishandling incident? Responses to the Mueller Report’s conclusions. Venezuela says it was hacked again--the rhetorical technique is implausible insistence. And what do PewDiePie fans call themselves? The Nine Year Olds, the Bro Army. Fans of Mr. Pie’s girlfriend are the Marzipans. Joe Carrigan from JHU ISI with thoughts on recent revelations that Facebook was making unencrypted passwords accessible to thousands of employees. Guest is Greg Jensen from Oracle on their 2019 Cloud Threat Report. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_26.html

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Supply chain attacks and Operation ShadowHammer's ASUS backdoor. LockerGoga ransomware may be slow and sloppy, but its masters are determined and willing to play for high stakes.
Starting point is 00:02:08 What will happen with FEMA over its data mishandling incident? Responses to the Mueller report's conclusions. Venezuela says it was hacked again. The rhetorical technique is implausible insistence. And what do PewDiePie fans call themselves? The nine-year-olds?
Starting point is 00:02:24 The bro army? Fans of Mr. Pie's girlfriend are the marzipans. Thought you'd like to know. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 26, 2019. The ASUS backdoor security researchers at Kaspersky Lab disclosed recently has been independently confirmed by security firm Symantec, which thinks the campaign ran from June through October of last year. Kaspersky calls the backdoor Operation ShadowHammer.
Starting point is 00:03:03 It spreads through the ASUS Live Update utility and gave attackers access to and control over infected machines. The trojanized utility was hosted on ASUS's site and signed with an ASUS certificate, which, Kaspersky says, no doubt helped it evade detection. Motherboard broke the story yesterday, and reporter Kim Zetter notes that it took ASUS some time to respond, and registers disapproval that their response didn't acknowledge Kaspersky's role
Starting point is 00:03:31 in finding the compromised utility. But give Kaspersky full credit for sounding the alarm on this. Symantec does. 57,000 has been widely quoted as the number of users hit, but that's a significant understatement, low by at least a couple of orders of magnitude. 57,000 represents the number of Kaspersky installations the company says detected ShadowHammer. Symantec thinks around 500,000 systems were affected. Kaspersky guesses that tally of infected machines is probably at least on the order of a million.
Starting point is 00:04:05 That's give or take a couple of baker's dozen. There's no attribution yet, beyond calling the attackers an APT, which usually means that it's a nation state. Who that nation state might be is unknown, as are the attackers' objectives. ShadowHammer's known geographical distribution offers no particular clues. The U.S. leads in the number of infections, but that's just with 13% of them, barely nosing out Australia's 12% and Italy's 11%. It's worth noting that this is a supply chain attack. The attack compromises a third-party device or service as a means of hitting its ultimate target. Software updating utilities have
Starting point is 00:04:45 been among the more attractive vehicles of such attacks. NotPetya, for example, transmitted itself via compromised updates to an otherwise innocent Ukrainian tax preparation software package. Problems with the ASUS supply chain have been suspected for some time. As ITWire points out, Duo Security flagged issues with the ASUS OEM updater utility back in 2016. They did so in the context of what they colorfully called shovelware, crapware, bloatware, and they did warn that such unnecessary and unwanted software posed a security threat. They ironically called it value-added, although value-subtracted might be better, if less ironic. But ShadowHammer is a different, more serious matter, evidently deliberately installed for attack purposes. The story is continuing to develop.
Starting point is 00:05:37 Security firm Alert Logic has told ZDNet they found a bug in the LockerGoga ransomware that could enable potential victims to, as they put it, inoculate their systems against infection, crashing the malware as it attempts to execute and before it encrypts files. KnowBe4 has an interesting take on LockerGoga. The security firm says on its blog, quote, technically LockerGoga is just another ransomware strain and not even a very good one. It's got bugs and it's slow. However, the gang behind it represents a dangerous The attackers are thought likely to patch the bug soon, so enterprises would be well advised to follow sound practices with respect to regular secure backup. Norsk Hydro appears to have done that and have been able to recover without paying the
Starting point is 00:06:28 ransom demanded. The two U.S. chemical companies affected over the past few days are continuing to work on their recovery. One of those, Momentive, is said by Motherboard to have ordered new computers to replace its infected inventory. The folks at Oracle and KPMG recently published their cloud threat report for 2019. Greg Jensen is senior principal and director of cloud security at Oracle. Organizations by and large, they're simply just not prepared right now. And it points
Starting point is 00:06:58 back to this challenge around shared responsibility, which is what's my role as a customer? What's my role versus my cloud provider in securing that data that's now in the cloud? A lot of respondents really feel confused by that. They don't know where their role ends and the cloud provider picks up. We also see a lot of interesting anecdotes that come out tied to visibility, how organizations simply are just flying down the highway with their most precious cargo in tow, but they can't even see out the windshield right now. And this is really resulting in the fact that only one out of every 10
Starting point is 00:07:37 organizations are able to analyze at least 75% of their security events that are transpiring within their environment. And so that means we're really working with blinders on right now. We can't see the attack coming. How much of this do you suppose is a matter of folks perhaps looking for the advantages of the cloud and all the things that it brings, but maybe turning a blind eye to some of the additional work that comes with it? Yeah. What happens in a lot of organizations is because cloud has really become very, it's very easy to deploy a cloud solution today. It's in many cases as simple as spooling up an instance. And that type of ability has given
Starting point is 00:08:27 the line of business. If you take, for example, a legal department, if they know they can spool up some type of new service within an hour and start getting real value out of it, they potentially might, and in many cases they do. Now, what's the risk there? Well, quite often in that hour or in those weeks, they have not engaged or don't fully engage the security team. And what is the security team's role? Well, you need to have the security team involved. You need to have compliance involved. You need to have all these groups involved to look at these new applications and determine, are there any risks? Is it an insecure platform? Will that new service
Starting point is 00:09:06 meet our regulatory compliance like GDPR or California Privacy Acts? So all of these things sometimes get skipped. And it's not until the service is rolled out that someone finally will realize there's a new enterprise app that's being used by our employees, and we didn't know about it. Now we have to go in and try to put controls around it and that takes more time and leaves the organization and customers exposed. So based on the information you collected here, what are your recommendations? What should organizations do to get a better handle on this? You know, it starts with, really this is a people process technology type of thing, right?
Starting point is 00:09:50 It's not go acquire a new service that's going to take care of all your problems. There is no silver bullet. But it's multiple things. It's starting with having all the advanced training for your people and do it on a reoccurring basis. And make sure your users and your cyber teams are fully trained and up to spec. The other part is processes. Make sure all the processes that you're incorporating within the security or IT organization are completely in line with closing all these areas of risk. In other words, if you aren't sure if your cloud service provider is going to cover maybe cloud-based penetration testing, well, don't go on the assumption that that's
Starting point is 00:10:32 just going to happen. Ask, look into the contracts, understand for every single service provider that you have, what are they doing, what do I need to do, and then make sure that you have a program wrapped around that. And then, of course, the technology is a very important step because with the amount of events and alerts taking place today, advanced technologies that help create a means of automation to close the loop, that's so important now. That's Greg Jensen from Oracle. The report is the Oracle and KPMG cloud threat report for 2019. FEMA's data mishandling incident seems likely, the Washington Post says, to serve as a test case for the U.S. administration's stated determination to hold agencies responsible for this sort of misstep.
Starting point is 00:11:18 The Department of Homeland Security Inspector General called the episode a direct violation of applicable data handling rules and FEMA called it a major privacy incident. Both the Senate and House Homeland Security Committees are considering investigating. It's worth noting that the FEMA incident wasn't a hack and the data themselves don't appear to have gotten into anyone's hands other than those of the still unnamed contractor who was hired to place disaster victims in hotels and other temporary quarters. So in this respect, the FEMA incident is not like, for example, the famous OPM breach of 2014 when Chinese espionage services romped through the U.S. government security clearance files. But many are looking at the FEMA incident as something that
Starting point is 00:12:02 ought to serve as a wake-up call, at least, and maybe an occasion for the sort of action against federal managers that would encourage the others to do better in the future. President Trump has done a lot of probably understandable crowing over the announced results of Special Counsel Robert Mueller's investigation, as reported by Attorney General Barr, even as the president's detractors glom noisily onto the special counsel's non-call with respect to obstruction. The president woofed a bit about the treason involved in seeing collusion where the special counsel found no real evidence, but it's best to read traitor in this context as meaning something more like jerk or even really bad jerk who ought to get fired,
Starting point is 00:12:45 and not the Constitution's more formal definition in Article 3, which goes something like this. Treason against the United States shall consist only in levying war against them or in adhering to their enemies, giving them aid and comfort. In any case, the likeliest near-term result of the report are further congressional hearings and expressions of determination to do something about security in future elections. Russian response to the Mueller report is generally being characterized as muted. Less muted is Russia's response to Venezuela's power outages. In a gesture of friendship and solidarity, Moscow has dispatched military aircraft and some military personnel to help Caracas recover from cyberattacks and sabotage the Chavista regime says it suffered over the past month.
Starting point is 00:13:36 Electricity went out again yesterday, but Venezuela's current de facto leaders say they've mostly restored power. They blame a cyber attack. Again, and few, but probably not even most, of the Chavistas believe this. Venezuela's power grid has been failing under neglect and mismanagement for some time. And finally, bravo Emsisoft, which has just released a decryptor for the recent round of the PewDiePie-boosting ransomware PewCrypt. The ransomware campaign was mounted by the YouTube star's fans in an attempt to boost
Starting point is 00:14:11 their hero's profile over the rival stars of T-Series, best known as a producer of Bollywood music. Here's a sample of the PewDiePie adherents' persuasive prose, courtesy of SC Magazine, quote, The private key will be deleted and U-files gone forever, end quote, should T-Series have more followers than Mr. Pie, and should Mr. Pie fail to reach 100 million followers. Emsisoft says there's not a pandemic of PewCrypt infections out there, but there's definitely a thin sprinkling of victims across cyberspace.
Starting point is 00:14:45 So good work, Emsisoft. And we hope the nine-year-olds of the bro army and their marzipan inamoratas can move on to other things. Travel, divert yourself, try a laxative, get a GED. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword, it's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now?
Starting point is 00:15:38 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
Starting point is 00:16:04 like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:17:01 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. He's also my co-host on the Hacking Humans podcast, which you should definitely check out. Joe, great to have you back. Dave, I'm very pleased to be here.
Starting point is 00:17:40 So we are going to talk today about Facebook. Yay. Facebook is in the news again. Yes, again. They seem to have a hard time getting out of the news. They cannot. Can't get out of their own way. They can't get out of their own way. I mean, it's like they have so many holes in their feet from the bullets they keep putting through them and they're going, why does this keep happening? Yeah. Yeah. So this time it is the storage of many, many passwords. In plain text. In plain text.
Starting point is 00:18:06 So walk us through how does something like this happen? So Facebook released a statement that said that when they store your password, they salt and hash the password. And then they go through an additional step where they use a cryptographic key to encrypt it so that even if their password database was stolen, their user database was stolen or broken into, somebody would not be able to crack the hashes because they don't have the cryptographic key. Okay.
Starting point is 00:18:33 This all sounds good to me so far. That's great. That's great. But that's in their database for the users. This is something from their developers that when they were developing applications, they would log user credentials in plain text. So before they sent the data off to be processed in this secure process, while it was still in the plain text that the user entered it, they would store that data in a log file somewhere. This seems to me like a policy problem. It is a policy problem. This story is replete with policy problems.
Starting point is 00:19:08 In the Krebs on Security article, Brian Krebs quotes a software developer, Scott Renfro, and he says, in this situation, what we found is these passwords were inadvertently logged and that there was no actual risk that's come from this. We want to make sure that we're reserving those steps and only force password changes in cases where there's definitely been signs of abuse. So in other words, what this developer is saying is, after the horse has left the barn, then we're going to close the door. Right?
Starting point is 00:19:39 Yeah. Just because you don't have evidence of abuse is not... Absence of evidence is not evidence of absence. Correct. That's what I'm trying to stammer through here. Right. This is not the right thing to do. You need to force users to change their passwords because their passwords have been compromised
Starting point is 00:19:55 and stored in plain text somewhere. Don't just recommend that they change their passwords. I think you should force a password change. Well, and I think that speaks to a fundamental issue here, right? Which is that these companies ask us to place our trust in them, that they're going to securely store our passwords. And here is a case where clearly they have not. They've not done that. And so they say that these passwords were not compromised. I suppose I could make the argument that the very fact that they mishandled them is a compromise.
Starting point is 00:20:26 I would agree. I would agree with that. These passwords have been compromised because they've been exposed and available to 20,000 Facebook employees. Dating back to 2012. Right. Now, they say that only 2,000 of those people have accessed the data. That's a lot of people. What if one-tenth of 1% of those people are bad actors?
Starting point is 00:20:44 Right. You've got two people that have had access to those passwords in unencrypted form. Where do we go from here? I guess the recommendation is... First thing I tell everybody is change your passwords on Facebook. Change them now. But why not? Why not? If you're using a password manager, it's no sweat. You just go in, change your password, you have a new complex 20-character password, and you're done. All right. Well, everybody beware. Go, just, I mean, why not? Just go change that Facebook password. There's no reason not to. Yep. Yeah. All right. Joe Carrigan, thanks for joining us. My pleasure, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:21:28 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. And that's the CyberWire podcast. Thank you. Sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:22:32 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:23:25 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
