CyberWire Daily - New Mirai variant forming. Meltdown and Spectre remediation updates. Notes on Russian hacking. Charges in swatting death.

Episode Date: January 16, 2018

In today's podcast, we hear that a new Mirai variant, Okiru, is forming botnets of ARC-based IoT devices. Meltdown and Spectre remediation continues. CIA is said to have confirmed that NotPetya was a GRU operation. Suspicions rise that the Shadow Brokers used security tools to scan for classified documents. US and Canadian officials raise alarms about election influence operations. Wichita swatter charged with involuntary manslaughter. Malicious Chrome extensions spotted. Robert M. Lee from Dragos on the security of petroleum ICS. Guest is Lance Cottrell from Ntrepid on the importance of net neutrality for security. And USB drives contain the darndest things.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A new Mirai variant, Okiru, is forming botnets of ARC-based IoT devices. Meltdown and Spectre remediation continues. The CIA is said to have confirmed that NotPetya was a GRU operation. Suspicions rise that the Shadow Brokers used security tools to scan for classified documents.
Starting point is 00:02:14 U.S. and Canadian officials raise alarms about election influence operations. The Wichita Swatter's been charged with involuntary manslaughter. Malicious Chrome extensions have been spotted. And USB drives contain the darndest things. I'm Dave Bittner with your CyberWire summary for Tuesday, January 16, 2018. A Mirai variant, Mirai Okiru, is active in the wild. The DDoS botnet is said to be capable of targeting widely used ARC-based Internet of Things devices.
Starting point is 00:02:50 Its signatures diverge significantly from earlier Mirai strains, which will impede detection and blocking. ARC CPUs are found in a very wide variety of products, prominently including automotive, mobile, televisions, cameras, and so on. Researchers at the Malware Must Die team are credited with spotting Okiru. Reports say that about a billion IoT devices ship with ARC CPUs annually, so the potential for very large botnets capable of strong distributed denial-of-service attacks is very high. Note that many of the affected devices, as is so often the case with the Internet of Things, will be difficult, if not effectively impossible, to patch.
Starting point is 00:03:31 The response to Meltdown and Spectre proceeds with performance penalties that, while smaller than initially feared, remain real concerns. Enterprises receive divided counsel on whether to apply patches or adopt other approaches to defense. Mobile devices seem particularly affected.
Starting point is 00:03:49 U.S. sources, seconded by retired American and British officials, are saying that the Central Intelligence Agency has concluded that Ukraine was right. NotPetya attacks on the former Soviet Republic indeed were the work of Russian military intelligence service GRU, specifically GTsST, the GRU's main center for special technology. You'll recognize the GRU under one of its several familiar nicknames. Call them Fancy Bear and let it go at that. The method is being described as a watering hole attack. The extortion requests were so much misdirection to make it appear that the campaign was criminal and not a state-directed move in hybrid warfare. It was a destructive attack. Files were being eliminated, not held for ransom. The CIA has declined to make any official public comment. The U.S. Senate believes it's seeing signs of
Starting point is 00:04:42 Russian influence operations directed against midterm congressional elections. There are reports of phishing expeditions against political targets, which is believed to be the method used to compromise the Democratic National Committee during the last election cycle. Canadian authorities are also bracing for an expected wave of election influence operations, which they too see as emanating largely from Russia. Russia continues to deny any meddling in the elections. Essentially, everyone else thinks they're trying to finagle.
Starting point is 00:05:12 There may also be an approaching consensus that two mysteries are converging. What, if anything, did hackers use Kaspersky security software to accomplish, and where did the Shadow Brokers get the material they've leaked? Sources close to the U.S. intelligence community are saying it looks as if the Shadow Brokers obtained the material they leaked via scans conducted by Kaspersky security tools. Kaspersky Lab has consistently denied allegations of involvement in espionage or improper collusion with Russian intelligence services. The identity of the Shadow Brokers has long been controversial and obscure,
Starting point is 00:05:48 with the three most commonly entertained theories being that they're a Russian intelligence organ, that they're a small crew of disgruntled U.S. intelligence community insiders, or that they're a very high-end and unusually capable set of Anonymous-style hacktivists. Right now, signs are pointing strongly toward door number one, one of the Bear Sisters. The debate over net neutrality continues, with many unhappy that the FCC recently rolled back Obama-era rules for Internet service providers.
Starting point is 00:06:17 Lance Cottrell is chief scientist at Ntrepid Corporation, and he weighs in on the debate. So at this point, we've gone back from the net neutrality laws, which placed ISPs as being common carriers and therefore required to follow net neutrality principles. The FCC has rolled back those rules, but they've not yet taken effect. But when they do, the ISPs will then be treated as content creators. They won't have those same requirements to treat all of the traffic the same. And then that will probably have a whole range of consequences, mostly not immediately. There'll certainly be a time delay as the ISPs decide what they want to do and start changing
Starting point is 00:07:03 their policies. And is there any sense for how that might roll out, what we might see? Are we expecting them to nibble around the edges to see how people react to changes? I think that's exactly what we're going to see. It would be a tactical mistake to make radical changes quickly. I think the odds of a major backlash would be significant. So we're going to see more of a slow progression of these behaviors, probably starting with things like privileging the price of certain services. So ISPs preferred video streaming service will become free with your subscription or, you know, certain other traffic will be accelerated. I think the biggest problem is that it sends a very strong signal to the ISPs that the government wants to take a hands-off approach to this
Starting point is 00:07:52 regulatory environment. They're saying, in general, we don't want to be trying to get in the way of what you do. And I think that's where the real danger is, because ISPs have a long history of pretty questionable behaviors, including actively monitoring and modifying user content to insert, for example, advertising to provide tracking to advertisers to put in alerts. They'll actually write JavaScript into some third party's website as it comes across the wire. And I think those are the sort of behaviors that we'll also see accelerating, even though they're not directly a part of the net neutrality legislation. And in terms of any implications from the security point of view, what do you see coming there? I think the biggest problem from a security point of view is exactly that
Starting point is 00:08:39 interception and modification of content by the ISPs, the more they feel empowered to engage in that sort of activity, the more risk that imposes for end users. So that every time you're going in and changing things, it obviously has the possibility of breaking the web page, but it's also a fantastic lever point for a hacker. And if that interception and modification system was ever to be subverted, that would be a gigantic opportunity for an attacker to insert malware and phishing links and disable other kinds of security right there. And so I think the most important thing for people to do is start adopting encrypted connections, VPNs, secure webpages, that sort of thing, just to ensure the integrity of that end
Starting point is 00:09:25 to end connection. One of my perspectives on this is as an entrepreneur. I started a company back in the mid 90s, and the Internet was at that time absolutely flat, and I was able to go in and compete with anyone else. I was able to stand up services. The big players didn't have any meaningful systematic advantage over me, and it allowed me to get in and establish myself and be successful. And I think one of the things we're going to see here is not so much as an information security risk, but as a systemic risk that when net neutrality ends, the ability of new players to come in and compete gets significantly reduced because the people who will be able to pay to play will be the major players. And so I
Starting point is 00:10:11 think it has the potential to really reduce the diversity of offerings and new technologies and new platforms that we'll see rolling out over time. That's Lance Cottrell from Ntrepid. Canadian authorities are hearing two cyber-related cases. In one, the Mounties again get their man, Jordan Evan Bloom, former proprietor of now-defunct LeakedSource, the site that compiled and sold access to public data breaches. Mr. Bloom is appearing to answer charges that include trafficking in identity information, unauthorized use of a computer, mischief to data, and possession of property obtained by crime. In the other case, streaming service Twitch is bringing a case against a British Columbia resident, Brandon Lucas Apple, who's alleged to have clogged the service with hateful spam.
Starting point is 00:11:01 The criminal charge is mischief related to computer data. Mr. Apple is also under a civil injunction to stop doing what he's been doing. Motherboard points out that Twitch users are often bothered by stream sniping, that is, in-game distraction, or the much more serious swatting. A sad and tragic swatting case in the U.S. is proceeding as Tyler Raj Barris, age 25, is charged with involuntary manslaughter. If convicted, he faces up to 11 years in prison. Barris is said by police to have made a swatting call in connection with some online game chest-beating that resulted in Wichita, Kansas police shooting dead a completely innocent and uninvolved man.
Starting point is 00:11:43 The victim's address was apparently picked at random. Barris, in a jailhouse interview with Kansas TV station KWCH, said he felt a little remorse for what happened. He added, I never intended for anyone to get shot and killed. I don't think during any attempted swatting anyone's intentions are for someone to get shot and killed. If Barris is convicted and gets the max, he'll be getting off lightly,
Starting point is 00:12:08 whether he intended for his lurid call to police to kill an unarmed father of two or not. Barris also faces charges in Canada, where police in Calgary, Alberta, suspect him of other swatting calls. Researchers at Iceberg, that's Iceberg but spelled I-C-E-B-R-G, have identified a large number of malicious Chrome extensions. They say they've observed the extensions used for browser proxying in the course of what looks like a click fraud campaign. Finally, would you plug in a USB drive you found on the street?
Starting point is 00:12:41 No? Good. How about one you were given by the national police for acing a quiz about cybersecurity? Maybe? Well, us too. But it didn't work out so well during a national InfoSec event in Taiwan, where the Criminal Investigation Bureau, known as the CBI, last month handed out USB drives as prizes during a data security exposition hosted by the country's presidential office. The CBI was celebrating a recent crackdown on cybercrime. Unfortunately, they had a contractor scan the drives to verify that they held 8 gigs. And in the process, an old strain of criminal spyware was uploaded from said contractor's infected machine.
Starting point is 00:13:22 It's embarrassing and a lesson to all who give away promotional swag. Stick to low-risk items. Even some of those can cause trouble. One of our stringers once worked for a company that gave away coffee mugs as promotional items. Unfortunately, they went with a low-cost supplier, and when you microwaved the mugs, they exploded. faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.
Starting point is 00:14:12 Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:14:42 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:15:36 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Robert M. Lee. He's the CEO at Dragos.
Starting point is 00:16:10 Robert, welcome back. You and I have been working our way through some of these ICS categories, going through some of the risks and complexities. And today I wanted to touch on oil. What do we need to know about the security of those systems? I think oil is another one that does get a lot of attention, especially being a major energy player in any national economy. And so there have been investments in that space over the year, but there's very unique challenges that they have, of course, as well. So when we talk
Starting point is 00:16:37 about the oil industry, we usually divide it up into upstream, midstream and downstream oil. So where are we getting it? What are we doing with it? How are we getting it there kind of aspects, whether it's you're going to your gas station and pumping gas or we're drilling it out of the ocean, right? Like what is this process of oil? Each one of those is a different sort of challenge in and of itself. How do you protect the oil refinery? Is that going to be different than the drilling wells? Well, yes. Well, what about the pipelines? Okay. What about shipping? Well, we'd probably leave shipping out from them when we just put that in the classification of like shipping for maybe next time transportation. The risk at the gas station level is not so significant. An adversary doing just damage or disruption of one gas station, not too significant.
Starting point is 00:17:39 But if we are using homogeneous devices and the gas pumps are all the same and we start connecting those to the Internet and they're all like embedded devices and maybe they have some default passwords on or something like that, that can actually be an issue. Because in most places, just having a default password on like a SCADA environment is not going to let you take down a power. If you're talking about end devices, if your scenario is just to annoy the heck out of the populace there, shutting off gas stations would be disruptive. Maybe even an activist issue for them. If you're now talking more of really hurting a country, you're talking about the midstream operations or maybe even the upstream
Starting point is 00:18:05 operations. Like, could you do something that's potentially environmentally unsound when you're talking about actually drilling for the oil or maybe even in the oil refinery itself? So long story short, there's a lot of different things that come into scope for them. They each have different risk scenarios, but almost, I wouldn't say uniquely, but in a way kind of is for the oil industry is also the activist threat where the electric transmission substation is not truly concerned about protesters at the electric substation that a remote adversary that it takes advantage of or inadvertently is with sort of combined threat scenarios, even if it's accidental, that is a consideration definitely for the oil industry, as that is always a hot topic for them.
Starting point is 00:18:51 So they have to think of a lot of different threat models. When it comes to the cyber-specific one of like a true cyber threat model, there historically have been a lot of different threats that we've been aware of, plenty of them active actually the past year, going after oil sites around the world. And it's not so much where an electric substation that gets compromised in Ukraine may not really scare the heck out of everybody in the U.S. It actually kind of did. But it isn't the worst thing in terms of, oh, my gosh, it's happening here now. It's bad for our community neighbors, of course. But those oil companies often operate in a global and interconnected way. What happens to oil production in Algeria might actually affect how we're importing it into Louisiana and processing it. Right. So it is a very global, interconnected community as well. So the security for them, I would say, is very globally important on the interconnection of the community.
Starting point is 00:19:47 And they have a much wider variety of types of threat landscapes that they have to deal with. And I think for that reason, more so than many industries, they need to take a very intelligence-driven approach of understanding and specifically understand the threats they're up against and how they're actually reducing risk according to those. It can't just be every single possible thing to occur, but they've really got to consider how am I going to protect an oil refinery different than the pipeline? How am I going to recover from an outage or disruption in my ecosystem or supply chain that is a continent away? So they definitely have to think about these things. Robert M. Lee, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:20:47 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed.
Starting point is 00:21:34 Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI
Starting point is 00:22:26 and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
