CyberWire Daily - North Korea officially blamed for WannaCry. US National Security Strategy and cyber. Hex Men are up to no good. Cryptocurrency crimes. Cyberespionage. Misconfigured printers. Bad passwords.

Episode Date: December 19, 2017

In today's podcast, we hear that the Five Eyes look at WannaCry and officially see Pyongyang. New US National Security Strategy emphasizes economic power and cybersecurity (and names the adversaries...). Hex Men are no superheroes. More Bitcoin theft bankrupts an alt-currency exchange. Android Monero miner can basically melt your phone, it's working so hard. Users leave Lexmark printers open to the Internet. AnubisSpy peeks at Arabic-speaking Android users. Joe Carrigan from JHU on holiday IoT devices. Guest is Chris Webber from SafeBreach, reviewing the third edition of their Hacker’s Playbook. And guess the two worst passwords of 2017.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 The Five Eyes look at WannaCry and officially see Pyongyang. The new U.S. National Security Strategy emphasizes economic power and cybersecurity and names the adversaries. Hex Men are no superheroes. More Bitcoin theft bankrupts an alt-currency exchange.
Starting point is 00:02:14 An Android Monero miner can basically melt your phone. Users leave Lexmark printers open to the Internet. AnubisSpy peeks at Arabic-speaking Android users. And can you guess the two worst passwords of 2017? I'm Dave Bittner with your CyberWire summary for Tuesday, December 19, 2017. This is perhaps unsurprising news since it's widely become the consensus, but the U.S. has publicly blamed North Korea for WannaCry. White House Homeland Security Advisor Tom Bossert said in a Wall Street Journal piece published yesterday that,
Starting point is 00:02:52 quote, the attack was widespread and cost billions, and North Korea is directly responsible, end quote. Bossert noted that the other four Five Eyes, Australia, Canada, New Zealand and the United Kingdom, see the same thing. The White House has since followed up with more official statements today. The dots are being connected through the activities of the Lazarus Group. The U.S. isn't alone in blaming North Korea. Indeed, if anything, it's late to the party, since the U.K. and others have made this attribution as early as June.
Starting point is 00:03:24 The British Foreign Office today joined again in fingering Pyongyang for WannaCry. To review the history of WannaCry, its initial outbreak took place between May 12th and 15th of this year. It infested more than 300,000 devices worldwide. Regarded as a worm because of the way it propagated itself, WannaCry scanned for vulnerable Windows machines, accessed them with the EternalBlue exploit, alleged NSA attack code released by the Shadow Brokers, and then used the DoublePulsar tool to install itself and execute.
Starting point is 00:03:58 The ransomware then encrypted data on the affected computers and demanded a ransom payable in Bitcoin. Less than $150,000 seems to have been paid, which would make an effort like this pretty much a damp squib. The relatively low return on attack has led many experts to the conclusion that WannaCry was really aimed at disruption as opposed to money, although the ease with which the attack was contained by a researcher, Marcus Hutchins, who inadvertently found and tripped a kill switch, could also be the result of simple criminal ineptitude. The Lazarus Group has always been interested in making money, and remains so today.
Starting point is 00:04:35 What does the U.S. hope to gain from the attribution? The strategy here seems to be to shame North Korea and stiffen international consensus against what Washington sees as an increasingly dangerous rogue regime. Homeland Security Advisor Bossert said today, quote, it's not about holding a country accountable. It's about simple culpability. We're going to shame them for it. I hope that they decide to stop behaving badly online. I'm not naive, end quote. No reaction from Pyongyang that we've seen so far. When one does arrive, it's unlikely to be conciliatory, still less repentant. The attribution comes on the heels of a U.S. statement of strategic policy
Starting point is 00:05:14 that identifies North Korea, Iran, China, and Russia as adversaries. North Korea and Iran get strong talk. China and Russia are more nuanced but still cold treatment. Chinese and Russian observers are quick to call the document a return to the Cold War. It's worth noting that the U.S. hasn't, for all of its strong words, characterized WannaCry as an act of war. In any case, the new national security strategy disclosed in Washington yesterday emphasizes that the way the U.S. responds to cyber challenges will, quote, determine our future prosperity and security, end quote.
Starting point is 00:05:51 Prosperity and security are indeed linked throughout the document, which features an appreciation of economic power as a key element of national power. There are, the strategy suggests, five things the U.S. will do to manage cyber risk. As summarized in Fifth Domain's account, they are identify and prioritize risk, build defensible government networks, deter and disrupt malicious cyber actors, improve information sharing and sensing, and deploy layered defenses. It also seems that the document is consistent with other moves within the U.S. Department of Defense to push cyber authorities down to lower levels of command, delegating
Starting point is 00:06:30 decisions to the field that would have formerly been held at the National Command Authority. Turning to more ordinary hacking threats, Lexmark printers are often poorly secured, and this seems entirely the fault of the operators. Researchers at NewSky Security conducted a Shodan search and found more than a thousand printers misconfigured to allow free access from the public Internet. Access doesn't even require a hack; you can just waltz right in. This is problematic because once in the printer, it's possible to pivot to other places in the printer's network. That wouldn't be a waltz, it would be a little more ambitious,
Starting point is 00:07:06 maybe a foxtrot, but it wouldn't be that hard either. Chris Webber is a security strategist at SafeBreach. They're a company that specializes in attack simulations and control validations, and every year they put together a report they call the Hacker's Playbook, based on the data they gather throughout the year. Chris Webber takes us through this year's findings. I think what we see here is a little bit of the legacy perimeter still getting that, I don't know, lion's share of the attention from enterprises, right? Trying to keep attacks out and focusing there, not so much focusing on the later stages of the kill chain with segmentation or stopping exfiltration. We also see kind of a lack of focus on some of the
Starting point is 00:07:53 newer sort of attacks. Ransomware specifically seemed pretty successful in our attacks. And then generally we see kind of a trend towards lack of optimization across controllers, basically where folks can get more from what they have. And maybe instead they're investing in, we're sort of supposing here that they're investing in a lot of different technologies instead of getting the most out of the stuff that they already have and then moving on. Now, one of the interesting things I saw in the report was the notion that people aren't watching the exits. That's exactly right. We're seeing, you know, any successful attack really isn't successful unless somebody gets data out. I mean, I guess in the case of sort of a ransomware or something where they're trying to break systems
Starting point is 00:08:36 or lock them down, sure, getting in and moving around is enough. But in a lot of the headline breaches that we've seen over the last few years, it's all about stealing data, right? Whether that's credit card data or customer records. And a lot of times we see that there's a lack of outbound scanning. In fact, we see data that shows perhaps even up to or more than 50% of the time, it's pretty easy to steal data outside or exfiltrate data out of a network via simple things like HTTP that probably could very easily be scanned or have data blocked with already existing technologies. Whatever's protecting the inbound side could probably be configured to also do some scanning and protection on the outbound. But we're able to like use, as I say, HTTP, just simple gets and posts over 50% of the time to actually get simulated data out of an organization. Was there any particular findings that were surprising to
Starting point is 00:09:31 you? I guess what's surprising to me was less any of the specific findings and more kind of what it seems to indicate. And, you know, for those of us that have been around and doing the security game here for years and years, we're all familiar with the idea of defense in depth. What it looks to me like is that defense in depth has gone away from what I thought it usually meant, you know, back in the day, which is having not redundant controls, but complementary controls at different stages, different phases of the kill chain. You know, maybe you have your network controllers doing some file level scanning with network kind of antivirus or anti-malware. And you also have
Starting point is 00:10:11 endpoints doing, endpoint controllers doing something similar to make sure that you don't just have a single point of failure if you don't catch that malicious file. What it looks like we're seeing here, judging by some of the data and the success rates, is that perhaps, for example, in the case of malware, people are leaning heavy on the endpoint side. And when we look at network controllers, we can see, you know, executables packed inside, you know, other kinds of files or encrypted, just sneaking their way right through network controls and making their way all the way down to host level to disk without being stopped, blocked, scanned, or anything that will slow down
Starting point is 00:10:52 an attacker or provide that defense in depth. So based on the information that you've gathered, what sort of advice would you have for folks? We often see a story like we wrote up here, which is that the initial deployment, the initial few attacks we run are pretty successful, right? The ability to get in, to move laterally, or to get data out is pretty high. And then with just a little bit of configuration, just a little bit of tuning, optimizing what's already there, or getting the configuration cleaned up, usually we see that those levels of success go way down. What happens is our attacks get blocked. The tools work as though they're supposed to work, as they should.
Starting point is 00:11:34 And that can take as little as a day in some cases. The highlight that we did here was three weeks to move, for example, from 30% successful attacks getting through the outer perimeter to just 9%, just with three weeks of tuning, not a dollar spent. So I think that's the first big recommendation I have is just go back to what we have. We're often so pushed by the industry, by vendors, by ourselves to just try to get another tool in, to try to fill every gap in our minds because we're worried. We're trying to protect against these attacks. But oftentimes, we already have what we need. Our next-gen firewalls, our proxies, our endpoint controls, our internal segmentation, our traditional firewalls, they can be better tuned and tweaked
Starting point is 00:12:21 to actually keep us safe rather than having to invest in the next new thing and have our teams learn that new technology and try to go from the ground up. That's Chris Webber from SafeBreach. You can find the complete Hacker's Playbook on their website. GuardiCore has published the results of its look at an organized Chinese cyber gang. The gang is operating from a coordinated infrastructure, and they're going after database servers. GuardiCore finds three attack variants, which they're calling the Hex Men: Hex, Hanako, and Taylor. They hit MS SQL Server and MySQL services, and their goals appear to be a mix of cryptocurrency mining, backdooring,
Starting point is 00:13:02 and distributed denial of service. Another Bitcoin exchange, South Korea's Youbit, has been hit with an attack that emptied its coin purse of about 17% of the exchange's total assets. Investors will be able to recover what's left, but Youbit itself is beyond help. The company has filed for bankruptcy. Security experts suggest that if you must invest in Bitcoin, you might wish to consider keeping your coin in a hardware wallet. Kaspersky Lab warns that another miner, this one interested in Monero and targeting Android devices,
Starting point is 00:13:37 will physically destroy your phone. It's called Loapi, an apparent descendant of the Podec malware that surfaced in 2015. Its mining is so busily aggressive that it will overheat a phone's components. The battery will bulge, the case will deform, and other bad stuff will happen. Loapi isn't in Google Play, but lurks rather in third-party app stores, where it presents itself as either a mobile antivirus program or an adult-themed app. Trend Micro reports that Arabic-speaking Android users are being targeted by AnubisSpy in a cyber espionage campaign.
Starting point is 00:14:18 AnubisSpy has been found both in Google Play and various third-party app stores. Trend Micro points out that what it calls persistent and furtive spyware is an underappreciated, underreported problem in the Android ecosystem. They've been working with Google to help chase AnubisSpy from the walled garden of the Play Store. As we approach the end of the year, people are running through lists of commonly used passwords. You'll never guess which are number one and number two, according to a study by SplashData. Wait for it. The second most common password is that perennial favorite. Password.
Starting point is 00:14:49 And the first is... 1-2-3-4-5-6. And like a certain brand of hot sauce, people say, I use that on everything.
Starting point is 00:17:33 And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back. Hey, Dave. So the holidays are quickly approaching here, and with that is going to come a flood of new IoT devices hitting the web. We'll probably receive some ourselves. Yes, gadgets. Gadgets, we're gadget guys. People will give us things
Starting point is 00:18:17 with best intentions. And say, here, you can use this. Yeah, and the first thing that device is going to want is your Wi-Fi password. That's right. Access to your network. Right. And it wants to go connect to some external server and start uploading data somewhere. And it also may want to create some external port. There might be some kind of camera where you now can go out and view your camera,
Starting point is 00:18:42 a security camera, for example, from the outside world. So if you're at work, you can check on your dog and your cat, watch what the nanny's doing if you have a nanny. People should be aware that when these things come, they're going to come with some default password. That's the first thing I'm going to recommend. If you get a new device that is accessible on the Internet, first off, evaluate, do you truly need this device?
Starting point is 00:19:06 Do you need that connectivity? Do you need that connectivity? Right. If you believe that you do, take the time to secure it and change the default passwords so that people aren't just, you know, logging in remotely or putting it in some botnet like the Mirai botnet. And do that, I mean, quickly, right away. You can do that in a way before it's connected to, because I've seen these reports where, you know, people will hook up a camera to the internet and it takes, I mean, it's moments before that thing is owned by outside forces. That's correct.
Starting point is 00:19:35 So if you can disconnect your internet connection and then connect the new device to the Wi-Fi network, and you can still actually connect to it from your computer, it just can't reach the internet. And then you can go ahead and change the password if that's possible. And what about the idea of basically having a guest network for all your IoT devices, separating it from the computers where you keep important information? Yeah, I would definitely recommend doing that if you have that technical capability and the hardware to do it. Yeah, that's always a good thing to do. It's segmentation. It's a basic security practice.
Starting point is 00:20:06 It's a good idea. However, that's not going to stop those things from being attacked from outside of your network. They're still going to get attacked. You're just going to have that attack be isolated. It will be less damaging. So you still need to take measures to make sure that the devices themselves are protected. All right. Good advice.
Starting point is 00:20:23 Joe Carrigan, thanks for joining us. My pleasure, Dave.
Starting point is 00:21:02 And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
