CyberWire Daily - Notes on a reported US cyberattack against Iran. A look at “Secondary Infektion.” And some cases of cyber stalking.
Episode Date: June 24, 2019
The US is said to have conducted cyberattacks against Iranian targets related to recent Iranian moves in the Gulf. These cyber operations are also said to have been a covert alternative to conventional military strikes. The Atlantic Council describes “Secondary Infektion,” a Russian disinformation campaign that begins obscurely, then depends upon amplification. And a case of cyber stalking in Minnesota goes to court. Joe Carrigan from JHU ISI on the escalating calls to patch the BlueKeep vulnerability. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_24.html
Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
The U.S. is said to have conducted cyberattacks against Iranian targets
related to recent Iranian moves in the Gulf.
These cyber operations are also said to have been a covert alternative to conventional military strikes.
The Atlantic Council describes Secondary Infektion,
a Russian disinformation campaign that begins obscurely, then depends upon amplification.
I dig into the details of BlueKeep with Joe Carrigan,
and a case of cyber-stalking in Minnesota goes to court.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Monday, June 24, 2019. U.S. Cyber Command is said to have conducted offensive operations against
Iranian targets
as a reprisal for Tehran's attacks on commercial shipping in the Gulf of Oman
and for the shoot-down of a U.S. Global Hawk unmanned drone.
Yahoo, which broke the story late Friday, said the attacks were directed against an Iranian intelligence unit
responsible for supporting attacks against shipping by tracking tanker traffic.
Thus, the retaliation would be tuned to the attacks on shipping.
The specific Iranian agency was unnamed, but it's said to be associated with the Revolutionary Guard.
On Saturday, the Washington Post was more specific about the alleged U.S. cyber attack,
reporting that U.S. Cyber Command had disabled Iranian rocket
and missile launch control systems in the region, which, if true, would suggest a direct
response to the Global Hawk shoot-down as opposed to the attacks on tankers.
The New York Times' sources tell it that Cyber Command hit both the intelligence unit that
supported the tanker attacks and missile launch systems, so the U.S. retaliation may have
been tuned to both the recent Iranian actions. The cyber attack was, a source says, approved by
President Trump. The reports are all sourced to at least three anonymous sources, said to be U.S.
officials who spoke on condition of anonymity because they were not authorized to comment publicly. It's worth noting that this doesn't necessarily mean they were leakers, since comment
on background might have been authorized. In any case, the story is still developing,
and all reports should be received with a degree of circumspection.
How a missile launch system or a missile control system might be susceptible to cyber attack
is by no means as obvious as the reporting seems to assume.
Some shorter-range air defense missiles and a much larger number of surface-to-surface missiles
are as difficult to hack as a rifle bullet.
But if a missile depended upon communication with a ground station for guidance,
and many medium and longer range systems do,
then it might be more vulnerable than a weapon whose guidance was self-contained.
The Iranian system may use such communication.
Iran says the system used to knock down the drone was a Khordad missile defense system
that Iran says can detect targets at ranges of 150 kilometers,
track them at 120 kilometers, and engage them at 85 kilometers.
The interceptor is a Sayyad-3 missile, thought to have been developed from the American SM-1 Standard missile,
which Iran received during the days of the Shah.
How networked and vulnerable the Khordad system might be is controversial.
Until recently, there had been doubts that the system was even a real weapon,
as opposed to a Potemkin system built for PR consumption.
But the claim that the system was interfered with in some way is at least plausible.
The RQ-4 that Iran shot down was, by the way, a U.S. Navy drone,
not an Air Force asset, as some early reports had it.
U.S. Central Command and the U.S. Navy have referred inquiries to U.S. Cyber Command, which has declined to comment
for reasons of operational security. Iran has promised a firm response to any U.S. aggression.
Tehran also claims that the U.S. did indeed attempt a cyber attack, but that the attack failed.
We stress again that this story is still developing.
Also on Saturday, the U.S. Cybersecurity and Infrastructure Security Agency, CISA, warned that Iran has increased the tempo of its cyber attacks against U.S. targets.
CISA warned in particular that Iran could be expected to engage in wiper attacks.
These gain access to target networks through familiar criminal methods, particularly phishing, password spraying, and
credential stuffing, but their aim is data destruction, not theft. The Shamoon attack
against Saudi Aramco in 2012, widely attributed to Iran, was an example of a wiper attack.
CISA has collected advice for staying safe in the face
of such threats on their website. It's good advice any time, not just during periods of
heightened alert, so it's worth a visit. The Atlantic Council's Digital Forensic
Research Laboratory, the DFRL, has a report out on a Russian disinformation campaign.
They're calling the campaign Secondary Infektion,
after the late Soviet-era Operation Infektion,
which published the disinformation that AIDS was a U.S. biowar project,
which of course it wasn't and isn't.
Secondary Infektion's goal appears to be the now customary ones
of inducing mistrust and division along various cultural fault lines.
Secondary Infektion is interesting in that it began by placing stories in obscure corners of
the Internet's hinterlands, which it then amplified through Facebook accounts and ultimately in the
state media outlet RT. The DFRL acknowledges that it doesn't have access to Facebook's back-end data,
but they attribute Secondary Infektion to Russian actors on circumstantial, contextual, and linguistic grounds.
Patching for BlueKeep seems to be up.
It appears that users of affected Microsoft products may finally be heeding the many warnings from Microsoft, CISA, NSA, and others.
A police officer in Minnesota has been awarded $585,000 in a lawsuit against the city of Minneapolis and two of her police colleagues,
who were among dozens of officers who had been improperly accessing her Department of Motor Vehicles records,
a violation of the state's Driver's Privacy Protection Act.
The snooping was apparently creepily motiveless, cyber-stalking for the lulz. Unfortunately, we end with a very sad
story. How far motiveless, indeed even anonymous, malice can go was tragically on display recently,
where a catfish working from Indiana allegedly induced a teenager in Alaska to kill
a friend and send the catfisher a report on the murder. According to reports by the Anchorage
Daily News, the alleged catfish is one Darren Schillmiller, a 21-year-old living in New Salisbury,
Indiana, who presented himself as a millionaire named Tyler from Kansas. Schillmiller is said to have cultivated an online relationship with 18-year-old Denali Bremer
and allegedly induced her to send him texts describing abuse of minors.
Authorities say he then combined blackmail with an offer of $9 million
to get Bremer to commit a murder for him.
Any murder apparently would do.
Schillmiller, remember, was out of Indiana,
had nothing but an online connection with Bremer or any of Bremer's acquaintances,
but he's nonetheless said to have guided the selection of the victim.
Bremer allegedly recruited three other teenagers to help her murder Cynthia Hoffman.
Authorities say Schillmiller told them he and Bremer
had been planning a murder for
about three weeks. Hoffman, described as a trusting young woman whose learning disabilities rendered
her developmentally younger than her 19 years, had considered Bremer her best friend. An Anchorage
grand jury indicted the six young people involved on June 14th. They're charged with murder in the
first degree, conspiracy to commit murder, and murder in the second degree. Bremer and Schillmiller
have also been charged with an additional count of solicitation to commit murder. We've said alleged
a lot in describing the story, but one thing is certain and not at all alleged. Poor Cynthia Hoffman was shot dead and
then abandoned near the Eklutna River. She wanted friends, thought her friend Bremer was cool,
and was looking forward to getting her learner's driver's permit soon. The story is unbelievably
heartbreaking, and our hearts go out to the Hoffman family. And should you see anyone sliding
into the kind of malign digital world
Bremer and Schillmiller apparently inhabited,
please do what you can to pull them out of it.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life. You'll be solving customer challenges faster with agents, winning with
purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have
continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their
families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the Hacking Humans podcast. Joe, it's great to have you back.
Hello, Dave. I was listening last week.
Yeah.
Okay. About 2001.
You're going to give me a hard time about 2001.
No, I'm not. I just think it's awesome that you had that sound on your computer that said, I'm sorry, Dave, I can't do that.
Yeah. I wish there was something as cool for guys named Joe.
Yeah. Well, there isn't.
So there you go. So I want to dig in today and talk to you about BlueKeep. It seems as though it's getting escalating attention.
Yes, as well it should be, actually.
So what do we need to know here?
So last week, the Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security, issued an alert for this.
So what is BlueKeep?
It's a vulnerability in the remote desktop protocol of older versions of the Windows operating system.
So for user OSes, it's Windows XP, Windows 2000, Vista, and 7.
Okay.
So 8 and 10 are not vulnerable.
For servers, it's Server 2003 and 2008, both the base versions and the R2 versions.
Okay.
Okay.
And RDP was used for what?
It's Remote Desktop Protocol.
So if you want to connect to a Windows machine like you're sitting at the Windows machine,
but you don't want to physically get up and go to the Windows machine, you use RDP.
So I could use this to log into my work computer from home or log into a different machine where I work
and not have
to actually be sitting in front of it.
And that's really what it's used for.
It's used for systems administrators because if you have to go down to the server room
every time you have to make a change to a server or add a user or change something,
that's a lot of time.
You get a lot of exercise.
Right, right.
So systems administrators are like programmers.
We don't like to move.
Okay.
So RDP is there to solve that problem.
Right.
This vulnerability is so severe that Microsoft saw fit to issue a patch for Windows XP,
which went end of life over five years ago.
Yeah.
Okay, but there are still people out there using it.
Don't know if that has anything to do with how easy it is to fix it and issue the patch,
but I tend to think it has more to do with the severity of this issue.
So if somebody exploits this vulnerability, they can do just about anything.
They can add accounts with full user rights.
So if there's a computer with RDP open to the internet, an attacker can just add a new account and then go in and log into that account as an administrator.
Oh, okay.
And just take full control of it.
They can also view, change, and delete data and also install programs.
So, yeah, so they own the machine.
Right. It requires no user interaction, which is why BlueKeep is considered to be "wormable." I put quotes around wormable.
Basically, what that means is it's possible to write a program that infects one system, and once it infects that system, it looks around for other systems to infect and then goes off and infects that system.
So lateral movement within a network.
Or lateral movement across the internet.
Across the internet.
I see.
That's how this is going to spread, and it is going to spread fast once one of these
worms is developed.
And that's really bad news.
This is something we've seen before, right?
The EternalBlue vulnerability allowed the same kind of thing to happen with WannaCry and NotPetya. That's how those ransomware packages spread. It was using another vulnerability called EternalBlue.
And I like the way how they're all using the word blue in them. That makes it real easy to differentiate them in your head.
I think we should come up with a better scheme for these things.
What are we talking about in terms of the timeline here?
This vulnerability was announced on May 14th, which was the same day that Microsoft released a patch for it.
So it looks like somebody found the vulnerability, disclosed it to Microsoft, and then Microsoft said, we're going to develop a patch for this.
And now that we have the patch released, go ahead and announce the vulnerability.
Right. What's interesting is later in May, we started seeing tons of scans coming out looking for RDP ports open on computers on the internet from Tor nodes.
Okay.
Right. Now, Tor is an anonymizing network.
Right.
So there's somebody operating in that network that is looking for RDP hosts. So they probably don't have an exploit ready for it yet.
Right.
Right.
But they're building up their list of places to go once they have that exploit and that
software written.
And if I were going to do this, I would make that list available to the software somehow.
I'm not going to waste time scanning for machines with RDP open.
I'm just going to go to the list that I know that these are open.
Yeah.
I've done the research, in other words.
Yeah, sure. Makes sense.
Then we start seeing some people who have proof of concept exploits. They don't have any payloads in them, but they're out there. There's even a GitHub repository that has it. And then the NSA issues an advisory on June 4th to install the patch.
Yeah. So sort of the NSA weighing in and saying, hey guys, this is serious.
Right. You know, have at it.
So the NSA comes out and says, patch this system.
The CISA comes out and says, patch this, patch your systems.
I'm going to go ahead and say, patch your system.
You're going to go out on a limb here, Joe.
That's right.
It's a real risky position.
Right.
Exactly.
Oh, boy.
Now, there are other things you can do if you can't patch the system, right?
You can update the end-of-life operating system to a new operating system, Windows 10,
or a newer version of Server, like 2012.
Yeah, but not everybody can do that, right?
You have legacy systems that run on Windows XP, and they run on Windows XP.
Right. A lot of medical devices that were bought 20 years ago, they're still viable medical
devices.
Their operating system on those computers that runs those things is Windows XP.
Yeah.
And if those things have RDP enabled, they are vulnerable to this attack.
You can disable the unnecessary services.
If you just disable RDP, then you've solved the problem.
Right?
That kind of mitigates it.
You can enable network-level authentication
because this attack only works on unauthenticated sessions.
But if you have to authenticate, it won't work.
Okay.
And the last bit of advice in the update from CISA
is blocking the port at the firewall.
Okay.
Okay?
That prevents legitimate connections to RDP, though,
and it doesn't prevent lateral movement from inside the network.
Right?
So it's not really a good solution.
Okay.
The best solution is to patch.
It is to patch or upgrade.
Yeah.
Yeah.
All right.
Well, I think it's safe to say this is one that deserves people's attention.
It absolutely deserves attention.
Joe Carrigan, thanks for joining us.
It's my pleasure.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast
of this rapidly evolving field, sign up
for CyberWire Pro. It'll save
you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast
is proudly produced in Maryland out of the
startup studios of DataTribe, where they're
co-building the next generation of cybersecurity
teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you.
...and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.