CyberWire Daily - Ransomware and a zero-day. A newly discovered espionage platform. FIN7’s new tricks. Beijing speaks and Apple listens. A visit to NSA’s Cybersecurity Directorate.
Episode Date: October 11, 2019
BitPaymer ransomware is exploiting an Apple zero-day. “Attor” isn’t your ordinary malign faerie: it’s also an espionage platform that’s been carefully deployed against Russian and Eastern European targets. FIN7 upgrades its toolkit. Apple does what the Chinese government asks it to do, blocking a mapping and a news app from users in China. And a look inside the black box, as we visit NSA’s Cybersecurity Directorate. Awais Rashid from Bristol University on the need for real-world experimentation. Guest is Kumar Saurabh from LogicHub on the importance of making breach forensics public. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_11.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
BitPaymer ransomware is exploiting an Apple zero-day.
Attor isn't your ordinary malign faerie.
It's also an espionage platform that's been carefully deployed against Russian and Eastern European targets.
FIN7 upgrades its toolkit.
Apple does what the Chinese government asks it to do, blocking a mapping and a news app from users in China.
And a look inside the black box as we visit NSA's Cybersecurity Directorate.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, October 11, 2019.
Researchers at security firm Morphisec have found BitPaymer ransomware exploiting an Apple zero-day, an unquoted path vulnerability in an Apple software update component that comes bundled with iTunes for Windows.
Thus, the ransomware evades security tools by effectively presenting itself as a legitimate software update.
Earlier reports said the vulnerability was associated with Apple's Bonjour updater, but Morphisec has concluded that's not the case. It's an unrelated updater.
Note that only Windows users are affected.
Mac users, once they update to macOS Catalina this week, will be untroubled.
Apple is sunsetting iTunes for Mac with this update.
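The vulnerability class named in this story, an executable path that is unquoted and contains spaces, is something defenders can audit for on their own Windows fleet. The following script is an added example written for this page; it is not Morphisec's research code or any Apple component. The service names and ImagePath values are constructed, and on a real host the same values would be read from each service's registry key or from the Service Control Manager.

```python
import re

# Constructed sample service entries in the shape of Windows "ImagePath" values.
# They are not taken from any real host or from the iTunes component discussed above.
SAMPLE_SERVICES = {
    "ExampleUpdater": r"C:\Program Files\Example Vendor\Updater\svc.exe -run",
    "QuotedService": r'"C:\Program Files\Quoted Vendor\svc.exe" -run',
    "NoSpaceService": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "DriverService": r"\SystemRoot\System32\drivers\example.sys",
}

_EXE_RE = re.compile(r"\.exe\b", re.IGNORECASE)


def split_unquoted(image_path):
    """Split an unquoted command line into (executable, arguments).

    Windows tries each space-delimited prefix of an unquoted command line in
    turn until one names an existing file, which is why a writable directory
    along the way is dangerous. For an audit we approximate the intended
    executable as everything up to and including the first ".exe".
    """
    text = image_path.strip()
    match = _EXE_RE.search(text)
    if not match:
        return text, ""
    return text[: match.end()], text[match.end():].strip()


def is_unquoted_with_spaces(image_path):
    """True when the executable path is unquoted and contains a space."""
    text = image_path.strip()
    if text.startswith('"'):
        return False
    exe, _ = split_unquoted(text)
    return " " in exe


def quote_image_path(image_path):
    """Return the remediated value: the executable wrapped in double quotes."""
    exe, args = split_unquoted(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")


def audit(services):
    """Map each flagged service name to its suggested corrected ImagePath."""
    return {
        name: quote_image_path(path)
        for name, path in services.items()
        if is_unquoted_with_spaces(path)
    }


if __name__ == "__main__":
    for name, fixed in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; suggested ImagePath: {fixed}")
```

Run against the constructed entries, only ExampleUpdater is flagged; the quoted and space-free entries pass. The ".exe" heuristic is a reasonable audit approximation, but the remediation should still be confirmed against the vendor's installer, since the fix belongs in the installer that registers the service.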
ESET reports the discovery of Attor, a modular espionage platform that has been deployed mostly against select individuals in Russia, many of whom have shown an interest in using privacy-focused services. The malware has also been used against a smaller number of diplomatic and government targets in Eastern Europe, notably in Ukraine, Slovakia, Lithuania, and Turkey. Attor has been in use since 2013 at least, and ESET describes it as professionally written.
Its plug-in architecture enables its controllers to customize Attor's functionality to specific targets.
In general, the malware uses an unusual device fingerprinting technique, automated data collection, and Tor-enabled exfiltration.
ESET does not know what Attor's infection vectors have been, and the researchers think it's probable that the malware has still-undiscovered plugins. Attor itself is named after a malign faerie in the book A Court of Thorns and Roses. The book has lots of fans, and lots of fanfiction, too.
FireEye researchers have caught FIN7, known for the Carbanak financial crimes, using new tools.
FIN7, that is, would be the one using the new tools, not FireEye.
FIN7's new kit has two items, which FireEye calls BOOSTWRITE and RDFSNIFFER.
BOOSTWRITE is an in-memory-only dropper that's carrying both Carbanak and a second payload, which is RDFSNIFFER.
RDFSNIFFER has a range of malicious functionality. Among other things, it's able to intercept SSL connections, delete data, and run commands on remote systems. The payload affects NCR Aloha Command Center client sessions. The Aloha Command Center is widely used in the hospitality industry to manage hardware and software at remote locations.
At the request of Chinese authorities, Apple has removed both a U.S. news app and a mapping app from its Chinese service.
The Telegraph notes that the optics aren't good for Cupertino,
which some see as having joined the National Basketball Association in a kind of shadow extension of China's social credit program into the West.
Verge says the app is Quartz's, blocked for content not legal in China.
The Quartz news service is both widely read and not typically seen as extreme,
and so its illegality would appear to be publication of stories not to the liking of Beijing.
The mapping app HKMap.live was allegedly used to target police and commit crimes where police weren't present.
Apple had this latter information from the Hong Kong Cybersecurity and Technology Crime Bureau.
The opposing point of view holds that the protesters in Hong Kong were using HK Map Live to avoid the police,
and that the crime they were interested in committing was, generally speaking, assembling to protest.
That, and graffiti, sure, but graffiti wouldn't alone seem serious enough to warrant that kind of pressure on Apple.
Anyway, Apple has taken the authorities' line all the way to the bank.
Quartz is understandably on the other side of this dispute.
The company's CEO, Zach Seward, told The Verge,
We abhor this kind of government censorship of the Internet and have great coverage of how to get around such bans around the world.
He suggested that people read Quartz coverage of VPNs
as means of evading government crackdowns on content.
It's perhaps worth noting that officials in three Western nations recently addressed VPNs too,
but they had a decidedly different take on them. U.S., Canadian, and British intelligence and
security services have over the past week published warnings that unspecified threat
actors were actively exploiting vulnerabilities in widely used virtual private networks.
One of the U.S. agencies that issued its own warning on the matter was NSA's new Cybersecurity Directorate. Their public warning was noteworthy in that it offered some brief
advice on how to use VPNs with more assurance they'd work as advertised. The Directorate's
five pieces of advice were as follows and seem easy enough for the ordinary user to do.
1. Immediately upgrade your VPN to the latest version.
2. Reset credentials before reconnecting the upgraded devices to an external network.
3. Review your network accounts to ensure adversaries did not create new accounts.
4. Update VPN user, administrator, and service account credentials.
5. Revoke and create new VPN server keys and certificates.
We were at Fort Meade yesterday for the NSA Cybersecurity Directorate's first media roundtable.
The directorate's leaders, Director Ann Neuberger and Technical Director Neil Ziering,
said that Monday's announcement concerning VPN vulnerabilities and remediations was the first in what they expect to be a continuing line of such warnings and advice.
As nation-states increasingly hit targets that aren't themselves opposing nation-states,
they said it's important to open the black box and provide individuals,
businesses, not-for-profits and local governments
actionable intelligence and the context necessary to use it.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of
technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Awais Rashid. He's a professor of cybersecurity at University of
Bristol. Welcome back, Awais. We want to talk today about the importance of real-world
experimentation, getting out of the lab and with your research and practice. What do you have to
share with us about that today? I think the challenge we are going to face is that within
the next few years, the number of devices connected to each other and the internet will
outnumber humans by, depending on whose estimate you believe, something like five to one.
And, you know, these systems of connected devices will underpin everything from healthcare to transport to energy and finance.
And, you know, the way we communicate and share information with each other will change.
So we are really talking about, you know, really large scale hyperconnected systems.
So as a result, you know, we need to ensure that what we develop in the lab actually works in the real world.
As a result, the way to test any kind of security solutions and architectures has to be to deploy them in the wild and understand what the implications of that are.
But we can't deploy prototypical solutions on production environments because, of course, they may not necessarily be fit for purpose or scale very well. So we really do need large-scale experimental
infrastructures that are close enough to the real world to be able to do that. And that's a big
challenge. Yeah, well, there's that old saying from warfare that no battle plan survives contact with the enemy.
It seems like that could apply here as well.
Absolutely, and that's exactly the reason.
Normally what happens is we develop things, they are developed with rigor and with all good intentions by researchers and practitioners,
but usually we test them on small-scale things in the lab or in an experimental setting. And then when they are deployed in real world infrastructures,
they don't always scale. I'm not saying that they never scale, they don't always scale.
And that's why we need to think about as to how we might be able to do this.
There are a number of academic and industry organizations that run testbeds. And I think
there is a good argument for us to try and link some of these
testbed infrastructures together so that we do have economies of scale, but also that really
large scale environment that would represent the realistic setting in which security takes place
in the real world. I'm thinking of the rigorous testing that takes place when it comes to pharmaceuticals, is that not a good example?
Is it simply too expensive to do something at that scale?
I think it's not a case of expense.
It's how you may deploy and test something. The pharmaceutical case is a good example, because the trials only move on to large-scale clinical trials once they've gone
through smaller-scale testing, and then increasing level of confidence is built up. And I think we do
need to be able to do something very, very similar. But the question is, how do we test in the wild?
For example, would you be willing to deploy an experimental security solution on, say, a power grid or a nuclear power plant or
transportation system. And I think you would have to have a lot of confidence and then a lot of
fail-safes built into it. And I think we need to develop those kind of protocols. Other disciplines
have developed those protocols. And I think we are a little bit further from that at this point in
time. Awais Rashid, thanks for joining us.
security solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed
to give you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.
My guest today is Kumar Saurabh, co-founder and CEO of LogicHub, a security automation company.
Our conversation centers on his notion that security organizations need to do a better job sharing information about breaches and
security lapses, and that in the long run, we'll all be safer for it. Many times when you hear
about breaches, right, many times when you look at that, it takes a long while to even piece together,
you know, what actually happened at a hundred thousand foot level. And if you actually want
to get deeper into it and you want to figure out
really what happened, have data about it, and kind of you want to get to a place where you can figure
out as a defensive team, as a blue team, what could you have done, what could have the team done
to prevent or detect and respond to these attacks faster, that kind of data is simply unavailable to many people, especially, you know, for
practitioners to learn from, you know, that data is virtually impossible to get your hands on.
And that's why I think, you know, we as an industry could probably do a much better job,
you know, breaches are going to happen, right? But the key part of it is how well are we learning from those?
You know, I do look at aviation industry as a very good example of that, right? And there is a lot of
talk about, you know, quote unquote, black box thinking and trying to get to black box. I think
in security and in cyber ops and sec ops, you know, people are still quite hesitant to share data more broadly
so that people can learn from it. That's a really interesting analogy there. I mean,
do you suppose that we need a cyber equivalent of the FAA?
Absolutely. And I used to run a DevOps team. Running a 100-engineer DevOps team, you have to keep the site up and running. And the reality is, the sites go down, sites have issues. One of the biggest things that made a difference is every time it went down, we looked at the data very, very closely, and we tried to figure out why did it go down. There is a culture of, like, blameless postmortems
or retrospectives, if you will,
to try to learn from that and establish the root cause.
There are things like root cause analysis,
the five whys, asking the why, why, why question
to get to the root cause,
because unless and until you can find the root cause,
you can't actually apply a fix
that you know will fix the
problem for good. So that culture of openly discussing the why some kind of a failure
happened without assigning blame was a big, big, big step towards improving the site reliability
and resiliency. And I think something similar
could very well happen on the security operational side of things. But it's a mentality,
it's a mindset that has to be there. There has to be a learning mindset. And I do understand a lot
of hesitation in admitting to the failures and kind of being open and candid about it. It's easy for me to say;
I do acknowledge that's a really hard thing to do and put in practice. But I think if we want
to get really good at making our security much, much, much better, I think being able to share
such data and such learnings will go a long, long way towards that.
So you're making the case that there's a strong public interest in having this information
distributed broadly and quickly?
Absolutely.
And also for the longer term, definitely quickly.
I would say much more so in terms of broadly, right? Like if this kind of information is only present
and available to three-letter agencies
and law enforcement only,
there are many private sector companies
that could actually benefit
and build much better defensive technologies
and it can come into all sorts of places.
Academia could probably benefit
from this quite a lot as well.
So I can imagine that a lot of like expanding how different people can benefit from this data. Again,
the goal is not to assign a blame, right? It's not a news story if you're preventing a breach
for like 10 years in a row, but the one day that you slip up, right, it's a major headline.
So it's very asymmetrical. It's a hard problem.
But in spite of that, there is a very, very valuable learning opportunity that we are not capitalizing on right now.
And so in your mind, how would something like this play out from a practical point of view?
How would we execute a plan like this? If you had looked 10 years back, right, there was virtually very
little sharing of Intel data, right. And if you look at threat
Intel as a space, especially in financial sector, there are
organizations that focus around sharing of data. And I was
just at a conference yesterday, and one of the big things about,
you know, sharing of data between government agencies.
So I could imagine that there is a place where there is an organization.
You have to be members of that organization.
So there is a little bit of trust built in, and you have known quantities around the table.
But again, the goal there is to foster sharing of this data
and sharing the learnings. And it becomes something that we learn from and the knowledge
and the data is available to a broader audience. I would not go as far as saying, you know, hey,
let's put everything on the web, right? And I can understand why some people might be hesitant
to do that. But the sweet spot might be somewhere in between the two. But certainly where we are
today seems far too restrictive, far too narrow. And when people push back against this idea,
where are they usually coming from? I think I've been in those shoes,
right? I've been in those shoes.
If your site has gone down, right?
If something didn't work as you expected it to do, it's hard to admit that, right?
And the spotlight that it brings along with it is painful.
I find it completely natural to resist that.
Another thing that I quite often hear is that, hey, adversaries will learn from it. You know what? Adversaries are already sharing techniques and data among themselves on the dark web, on other places, forums, and all of that, right?
So if the adversaries are sharing, I think the net-net of it is, by not sharing, we are probably saving a little, but we're losing a lot.
So in my personal opinion, the net-net of getting over the hurdle, that yes, it puts
a spotlight on you, and yes, that the spotlight is very painful to be under.
And yet, and this is where I think, you know, some kind of government regulation
can come into play. Like if you went back five, 10 years ago, nobody wants to advertise or even
acknowledge or broadcast a breach. But over the years, you know, there have been laws and
regulations in place and their customers that are asking their vendors and their suppliers to notify them
in case of a breach within a certain amount of time, right? So those kinds of things are becoming
more and more normal. And so I think that is the right thing to do. Is it the convenient thing to
do? Is it an easy thing to do? Probably not. But is it a right thing to do? Is it going to be for the
greater good in the long run? Absolutely. That's Kumar Saurabh from LogicHub.
And that's the Cyber Wire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders
who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.