CyberWire Daily - Ransomware hits US natural gas pipeline facility. DRBControl’s espionage campaign. Firmware signing. No bill of attainder against Huawei. A mistrial in the Vault 7 case?
Episode Date: February 19, 2020. CISA reports a ransomware infestation in a US natural gas compression facility--it arrived by spearphishing and there are, CISA thinks, larger lessons to be learned. A new threat actor, possibly linked to China's government, is running an espionage campaign against gambling and betting operations in Southeast Asia. More notes on firmware signatures. Huawei loses one in US Federal Court, and the defense asks for a mistrial in the Vault 7 case. Caleb Barlow from CynergisTek on WiGLE and the impact your SSID name can have on your privacy; guest is Anita D'Amico from CodeDX on which developers and teams are more likely to write vulnerable software. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_19.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
CISA reports a ransomware infestation in a U.S. natural gas compression facility.
A new threat actor, possibly linked to China's government,
is running an espionage campaign against gambling and betting operations in Southeast Asia. More notes on
firmware signatures. Huawei loses one in U.S. federal court. Reality Winner hopes for a pardon.
And the defense asks for a mistrial in the Vault 7 case.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 19, 2020.
CISA, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency,
has responded to and reported a ransomware incident at an unnamed natural gas compression facility in the U.S.
While the facility didn't lose control of operations at any time,
it did experience a partial loss of visibility into real-time operational data.
Plant managers elected to implement a deliberate and controlled shutdown, which cost two days of lost productivity and revenue.
The attack was confined to a single facility.
It's noteworthy that the attack vector was spear phishing.
CISA outlines what happened after the spear phishing email delivered its payload.
First, inadequate segmentation between information technology and operational technology networks
allowed the attackers to pivot from the
IT to the OT side. Assets on both networks were disabled. Second, the attacker used what CISA
calls commodity ransomware against Windows assets in both networks. The ransomware affected human
machine interfaces, data historians, and polling servers. Third, the PLCs, the programmable logic controllers
used to monitor and control physical processes, were left unaffected. And finally, the facility
was able to recover by installing replacement equipment and loading last known good configurations.
CISA draws several lessons from the incident for other infrastructure operators.
They're too numerous to recount here, but in sum, most of them come down to improved planning,
more effective and realistic training, better authentication, and more network segmentation.
ZDNet suggests the possibility that the malware involved was EKANS,
but CISA is silent on this point, and so the suggestion
that the ransomware could have been EKANS remains at best speculation.
Dragos, which ZDNet properly cites as the source of research into EKANS,
itself reached out late this morning to say that EKANS wasn't a likely suspect.
Instead, Dragos thinks with high confidence that the incident CISA responded to
was the same Ryuk infestation the U.S. Coast Guard reported this past December.
They describe the infection as well-known ransomware behavior and not an ICS-specific or ICS-targeted event.
Dragos thinks the attack doesn't show even the limited process targeting observed in EKANS and some MegaCortex incidents.
Security firm Trend Micro has found what it considers a hitherto unidentified threat actor,
which they call DRBControl, working against gambling and betting operations in Southeast Asia.
DRBControl's techniques aren't entirely unfamiliar, however, as Trend Micro discerned some connections
with the Winnti and Emissary Panda APTs, both of which have been associated with the Chinese
government. The Emissary Panda link is particularly interesting. DRBControl uses the HyperBro
backdoor, which until now had been observed only in Emissary Panda operations. Trend Micro considers the campaign an espionage effort.
When I was growing up, I remember my father telling me,
Son, you never want to end up with a car that came through the assembly line late on a Friday
afternoon.
All those workers are more concerned with starting their weekend than building a quality
car.
I don't know what evidence there is to support that claim,
but the notion that the quality of a product could be affected
by the mindset of the people making it is a compelling one.
Anita D'Amico is CEO at CodeDX,
a firm that aims to address the need to discover and manage vulnerabilities
in software applications.
She's also part of a team of researchers looking into the question of whether several human factors,
developer, team, and environmental characteristics
influence whether developers will inadvertently
introduce security weaknesses into their code.
I have been interested in human factors for quite some time.
I am an experimental psychologist by education,
and I work in the area of application security.
So I was very interested in the human factors that affect secure code development.
I recently was the principal investigator of a research project funded by DARPA to study
what are the characteristics of software developers, of development teams,
and what are the work conditions that affect secure code development.
Well, let's explore that some.
That's fascinating to me because I think it's so easy,
particularly when it comes to all this technology,
to think sort of in the cold terms of ones and zeros and so on and so forth.
But what you're looking into here is the fact that those real-world,
everyday human factors that we deal with can actually find their way into the security of code.
Absolutely.
Software is written by people, and people perform differently depending on the circumstances.
So if human factors affect how well a pilot pilots an
airplane, if it affects truck drivers, if it affects medical doctors, why wouldn't human
factors affect how well a software developer develops code? And I was specifically interested
in the human factors that affect both code quality and security.
And there's been very little research done in this area.
So the first thing we did was we did a literature review.
And so we developed a way of mining open source repositories for indirect measures of human factors.
For example, we looked at the time of day that code was committed to find out
if it had an effect on code quality or code security. One of the things that I'll be talking
about at the RSA presentation is the results of that study. I'll give you a little bit of insight that code is buggier when it's committed between midnight and 7 a.m.
I have a couple of specific suggestions for anybody who is managing a software development team.
And these suggestions are based on scientific evidence.
So the first is stop coding after about 11 hours of work.
Really take a break.
And probably put it down until tomorrow.
Any code that is developed between 10 p.m. and 6 a.m. in the morning should be carefully reviewed.
I would also suggest that you keep developers focused on just a few files.
Don't spread them across many different ones, because the more you spread a developer across
a lot of different files, the more likely they are to accidentally insert quality or security issues.
That's Anita D'Amico from CodeDX. She'll be presenting on this topic next week at the RSA conference in San Francisco.
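Her group's approach was to mine open source repositories for indirect measures of human factors, such as the local time a commit was made and how many files a developer is spread across, and then relate those to whether the commit later turned out to be buggy. The script below is an added illustration of that kind of analysis, not Code Dx's or the DARPA project's code: the commit history is constructed, the "bug-introducing" label is simply given in the sample data (in a real study it comes from tracing later fix commits back to the commits they blame), and the 22:00-06:00 review window and the four-file limit are assumptions taken from her suggestions, not numbers from the study.

```python
"""Commit-metadata mining for human-factor signals (added illustration).

Sample history is constructed; a real run would parse `git log` output.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Commit:
    sha: str
    author: str
    when: datetime            # author's local commit time
    files: Tuple[str, ...]    # paths touched by the commit
    bug_introducing: bool     # label from a later fix's blame; given here


def _c(sha: str, author: str, stamp: str, files: List[str], bug: bool) -> Commit:
    return Commit(sha, author, datetime.strptime(stamp, "%Y-%m-%d %H:%M"), tuple(files), bug)


# Constructed sample history, not data from any real repository.
SAMPLE_COMMITS = (
    _c("a1", "alice", "2020-02-10 01:15", ["a.c"], True),
    _c("b2", "bob",   "2020-02-10 03:40", ["b.c", "c.c", "d.c", "e.c", "f.c"], True),
    _c("c3", "carol", "2020-02-10 05:05", ["g.c"], False),
    _c("d4", "alice", "2020-02-10 09:30", ["a.c"], False),
    _c("e5", "bob",   "2020-02-10 14:00", ["b.c", "c.c"], False),
    _c("f6", "carol", "2020-02-10 16:45", ["g.c", "h.c", "i.c", "j.c", "k.c", "l.c"], True),
    _c("g7", "alice", "2020-02-10 18:20", ["a.c"], False),
    _c("h8", "bob",   "2020-02-10 23:10", ["b.c"], False),
)


def time_bucket(when: datetime) -> str:
    """Split on the midnight-to-7am boundary she reports as the buggy window."""
    return "00-07" if when.hour < 7 else "07-24"


def defect_rate_by_bucket(commits) -> Dict[str, float]:
    """Share of bug-introducing commits per time-of-day bucket."""
    totals = defaultdict(lambda: [0, 0])  # bucket -> [bug_introducing, all]
    for c in commits:
        b = time_bucket(c.when)
        totals[b][1] += 1
        if c.bug_introducing:
            totals[b][0] += 1
    return {b: bugs / n for b, (bugs, n) in totals.items()}


def files_per_author(commits) -> Dict[str, int]:
    """How many distinct files each developer is spread across."""
    spread = defaultdict(set)
    for c in commits:
        spread[c.author].update(c.files)
    return {a: len(f) for a, f in spread.items()}


def review_reasons(c: Commit, window: Tuple[int, int] = (22, 6), max_files: int = 4) -> List[str]:
    """Why a commit deserves extra review under her two suggestions.

    window and max_files are assumed thresholds, not values from the study.
    """
    start, end = window
    reasons = []
    if c.when.hour >= start or c.when.hour < end:
        reasons.append(f"committed at {c.when:%H:%M}, inside the {start:02d}:00-{end:02d}:00 review window")
    if len(c.files) > max_files:
        reasons.append(f"touches {len(c.files)} files (limit {max_files})")
    return reasons


if __name__ == "__main__":
    print(defect_rate_by_bucket(SAMPLE_COMMITS))
    print(files_per_author(SAMPLE_COMMITS))
    for commit in SAMPLE_COMMITS:
        print(commit.sha, review_reasons(commit))
```

Note that the two rules disagree at the edges on purpose: the 23:10 commit falls in the "07-24" bucket of the finding but still inside the 22:00-06:00 review window, which is the kind of boundary a team would tune to its own data.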
Eclypsium, the security firm that yesterday reported widespread issues with unsigned firmware in peripherals,
recommends that signatures be verified every time the firmware is loaded into memory
and not just upon initial installation.
The researchers note that Apple products routinely do this,
whereas Windows and Linux systems do not.
But they also argue that verification is better treated as the device manufacturer's responsibility
and not something to be left up to the operating system.
The trade press has been hard on the industry on this one.
Wired takes a glum view that supply chain firmware has been only laxly secured for years,
and that this is generally known, but that there's been little progress made toward fixing it.
ZDNet thinks the research shows that companies have failed to learn the lessons they ought to have taken
from the Equation Group revelations of a few years ago,
and it imputes a mix of discreditable attitudes to device makers.
They say, "the reason why device manufacturers aren't doing this,"
that is, verifying signatures whenever firmware is loaded,
"is because of laziness, indifference, or because they don't feel they or their customers are under any threat."
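The difference between the two designs Eclypsium contrasts is easy to see in code: a device that checks the signature only at install time will happily run whatever is sitting in its storage later, while one that re-verifies on every load refuses an image that was swapped after install. The model below is an added illustration, not Eclypsium's code or any vendor's implementation. It uses an HMAC tag as a stand-in for a vendor signature purely so it runs with the standard library; a real device verifies an asymmetric signature against a public key held in ROM or fused into the chip, so that nothing writable on the device can produce a valid signature. The device class, the image bytes and the key are all constructed.

```python
"""Verify-at-install versus verify-at-every-load (added illustration).

HMAC stands in for an asymmetric firmware signature so this runs offline.
"""
import hashlib
import hmac

# Assumed value. On a real device only the vendor's public key is present.
VENDOR_KEY = b"vendor-signing-key-stand-in"


def sign(image: bytes) -> bytes:
    """Vendor side: the tag shipped alongside the firmware image."""
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


def verify(image: bytes, tag: bytes) -> bool:
    """Device side: constant-time comparison against a recomputed tag."""
    return hmac.compare_digest(sign(image), tag)


class Peripheral:
    """Constructed model of a device with writable firmware storage."""

    def __init__(self) -> None:
        self.storage = b""
        self.tag = b""

    def install(self, image: bytes, tag: bytes) -> None:
        # The only check an install-time-only design ever performs.
        if not verify(image, tag):
            raise ValueError("refused at install: bad signature")
        self.storage, self.tag = bytes(image), tag

    def overwrite(self, image: bytes) -> None:
        # Anything that can reach the storage after install (an update tool,
        # a malicious driver, a DMA-capable neighbour) can do this.
        self.storage = bytes(image)


def load_trusting_install(dev: Peripheral) -> bytes:
    """Install-time-only verification: whatever is in storage runs."""
    return dev.storage


def load_verifying(dev: Peripheral) -> bytes:
    """Verify on every load, on the in-memory copy that will execute,
    so nothing can change between the check and the use."""
    image = bytes(dev.storage)
    if not verify(image, dev.tag):
        raise RuntimeError("refused at load: firmware does not match its signature")
    return image


def demo() -> tuple:
    """Returns (install_only_runs_tampered_image, verify_each_load_runs_tampered_image)."""
    good = b"FW v1.0: legitimate vendor image"
    dev = Peripheral()
    dev.install(good, sign(good))
    dev.overwrite(good.replace(b"legitimate", b"modified  "))  # post-install tamper
    install_only = load_trusting_install(dev) != good
    try:
        load_verifying(dev)
        each_load = True
    except RuntimeError:
        each_load = False
    return install_only, each_load


if __name__ == "__main__":
    print(demo())
```

The point Eclypsium makes about responsibility shows up in where `verify` has to live: if the check runs in the operating system it can be skipped by any loader path the OS does not control, whereas a check in the device's own boot ROM runs regardless of which host, driver or update tool wrote the image.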
There's some news from the legal world today.
The U.S. District Court for the Eastern District of Texas has tossed out Huawei's suit against a congressional restriction on the company's products in federal programs, Reuters reports.
The National Defense Authorization Act, the court found, is not an unconstitutional bill of attainder after all, and Congress was acting within its proper authority
when it moved to exclude Huawei and ZTE from federal contracts.
And finally, attorneys for Joshua Schulte have asked for a mistrial
on grounds of a Brady violation,
claiming that the prosecution failed to disclose potentially exculpatory evidence.
Mr. Schulte is the former CIA employee
accused of having
leaked classified information about Langley's hacking tools to WikiLeaks, in what became known
as Vault 7. The evidence and the filing are classified, but there have been reports in
Cyberscoop and elsewhere of some of the testimony in the case, and the picture that testimony paints
of the CIA's day-to-day workplace life
is one of pranks, joshing insults, rearranging desks, shooting one another with Nerf guns,
and so on.
It's unlikely that this has anything to do with a Brady rule violation, of course, but
it does suggest that working at Langley has more in common with an Ivy League frat house
circa 1950 than one would have suspected.
And joining me once again is Caleb Barlow.
He's the CEO at CynergisTek.
Caleb, it's always great to have you back.
You've got some interesting information you want to share today
about some ways to go online and gather up some information here.
What do you have for us?
Okay, so it's the early part of the year.
It's time for resolutions and all that good stuff.
Maybe this year you ought to change the name of your home Wi-Fi router, Dave.
Because I don't know, is the name of your home Wi-Fi router got your actual name in it? Like a lot of people name things like Davis or Wilson Ned or Jones Family Wi-Fi.
Abraham Linksys.
Yeah.
Yeah.
Not a good idea.
And let me tell you why.
So for years, the cars that drive around and map streets aren't only gathering GPS mapping information and taking pictures of the streets,
they're also mapping out the location
of every cell phone tower
and every Wi-Fi hotspot they pass
and its exact location.
And in some cases early on,
they were even employing taxi drivers
to put antennas on the taxis and map it out.
And triangulating the available Wi-Fi signals
is really important because it turns out
it's an even more accurate
way of determining location than even GPS or GLONASS because GPS and GLONASS don't work well
when you're inside of a building. But knowing what Wi-Fi hotspots are immediately available
and their signal strength can tell you exactly where you are. So think of it this way, Dave.
This technology isn't just used for your own phone,
but let's say a retailer,
let's say you're inside of a large retailer like a Target
and somebody wants to know,
are you in front of the women's section
or are you in the Starbucks?
Literally this location technology is that accurate
to be able to tell you where you are inside of a building based on the Wi-Fi signals.
Now, to put this in the full perspective of creepy, one of the providers of this type of data was able to leverage location information of the attendees of the Super Bowl, correlate that with census and other data to determine where attendees came from, their average income, age, and education level. Now, how does this happen? Well, remember,
when your phone is looking for a Wi-Fi signal, it isn't just listening for what's available,
it's broadcasting out what it wants to see. So let's just say your home Wi-Fi network,
I don't know if it is, is BittnerNet, right? Yeah. Right. Your phone is constantly going, BittnerNet, are you out there? Hilton
Honors, are you out there? American Airlines, are you out there? It's constantly broadcasting,
looking for these signals. Well, I can actually be near you with something like a Pineapple
and actually see what you're looking for. So I say, okay, he stays at
Hilton. He travels on American Airlines. What's this BittnerNet thing? I bet you that's his home
address or his home Wi-Fi signal. Well, I can then go look it up in an open source database
and find out exactly where you live. Because with this new technology and, you know, the largest
purveyor of this is certainly Google, but this open source project called Wireless Geographic Logging Engine, or WiGLE,
will allow pretty much anyone to put in a unique SSID and find out where in the world that SSID is broadcasting.
So if you're the only person in the world with an SSID called BittnerNet,
I can find out exactly where you live within a foot or two.
Now, if your SSID is something not unique, like let's say Jackie was the name, good luck because there's going to be thousands of those that pop up all over the place.
Sure. But this becomes really problematic for people that want to keep their travel and the locations that they frequent, not just their home, but the locations they frequent private.
So, Dave, you can think of a whole variety of ways in which this could be used nefariously.
Give me some examples.
Okay.
So let's say we're talking about law enforcement, private investigator.
Maybe this is a divorce situation. I can probably
figure out where your girlfriend lives just off of what your phone is broadcasting. If you've ever
connected to her, her wifi network, I can figure out, you know, where she lives and probably also
who it is. Hmm. Okay. Now there is, there is a way, there is a way to hopefully protect yourself on this.
Let's talk about the good side.
Bring it home.
So the first thing is go out to WiGLE and have some fun and play with it.
It's pretty interesting what you can find out there.
Yeah, it's wigle.net.
There's one G in WiGLE.
That's right.
All right.
Okay, first of all, and I don't know how well this works,
but one of the things some of the providers, mapping companies like Google do, is if you append your SSID with underscore nomap (_nomap), they won't map it.
So, you know, if it's, you know, BittnerNet, change it to BittnerNet_nomap.
Now, I don't know if they all respect that, but hopefully they do.
The second thing to do is clean out all the old SSIDs on your phone,
your laptop that you're constantly broadcasting, right? Reduce it down to the ones you actually
use. I mean, if you haven't gone in there in a year or so, you probably have hundreds of SSIDs
you're broadcasting. You might as well be broadcasting your whole travel history out
everywhere you go. And then the third thing is rename your home network. Use something that's
not your name and use something that's not unique. So my strategy with this, and I'd be curious of
feedback from people on how well they think this is going to work, but I'm going to name my home
network after a car because all these cars now have, you know, like you'll see like Audi
Wi-Fi or Jane's Audi Wi-Fi driving around.
I'm going to name my home network after a car because I think that's not only is it
not unique, but cars pop up all over the place when you're doing Wi-Fi mapping.
All right.
Well, something to play with and also lose sleep over.
So thanks for both of those, Caleb.
Always great to talk to you.
Thanks for joining us.
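The attack Caleb walks through has two halves: capture the directed probe requests a phone sends for every network it remembers, then resolve each probed SSID against a wardriving database such as WiGLE. The script below is an added illustration of that pipeline, not CynergisTek's, WiGLE's or Google's code, and it makes no network calls. The probe log is constructed in a tcpdump-like shape, the geolocation database is a constructed stand-in keyed by SSID, the rule that a single database hit counts as "located" while more than one is "ambiguous" is an assumption (a real lookup returns many observations per name), and the `_nomap` handling simply refuses to resolve opted-out names rather than modelling what each mapper actually does with them.

```python
"""Probe-request SSID profiling against a wardriving database (added illustration).

Log, database and thresholds are all constructed; nothing here queries WiGLE.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed probe-request log: one line per directed probe, the client MAC
# and the SSID it asked for. An empty ssid= is a wildcard (broadcast) probe.
PROBE_LOG = """\
mac=aa:bb:cc:11:22:33 ssid=BittnerNet
mac=aa:bb:cc:11:22:33 ssid=HiltonHonors
mac=aa:bb:cc:11:22:33 ssid=
mac=aa:bb:cc:11:22:33 ssid=Jackie
mac=aa:bb:cc:11:22:33 ssid=BittnerNet
mac=de:ad:be:ef:00:01 ssid=AudiWiFi
mac=de:ad:be:ef:00:01 ssid=SmithHome_nomap
"""

# Constructed stand-in for a wardriving database: SSID -> observed positions.
GEOLOG_DB: Dict[str, List[Tuple[float, float]]] = {
    "BittnerNet":   [(39.2904, -76.6122)],
    "HiltonHonors": [(38.9, -77.0), (40.7, -74.0), (41.9, -87.6), (34.1, -118.2)],
    "Jackie":       [(39.3, -76.6), (42.4, -71.1), (30.3, -97.7)],
    "AudiWiFi":     [(39.2, -76.7), (38.9, -77.0)],
}

LINE_RE = re.compile(r"^mac=(?P<mac>[0-9a-f:]{17}) ssid=(?P<ssid>.*)$")


def parse_probes(log: str) -> Dict[str, List[str]]:
    """Group the distinct SSIDs each client asked for, dropping wildcard probes."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("ssid"):
            continue
        mac, ssid = m.group("mac"), m.group("ssid")
        if ssid not in seen[mac]:
            seen[mac].append(ssid)
    return dict(seen)


def locate_ssid(ssid: str, db: Dict[str, List[Tuple[float, float]]]) -> Tuple[str, list]:
    """Resolve one SSID. Status is one of opted_out, unknown, located, ambiguous."""
    if ssid.endswith("_nomap"):          # honoured opt-out: never looked up
        return ("opted_out", [])
    hits = db.get(ssid, [])
    if not hits:
        return ("unknown", [])
    if len(hits) == 1:                   # assumed threshold: one hit pins a place
        return ("located", hits)
    return ("ambiguous", hits)           # common name: thousands of candidates


def locate_clients(log: str, db: Dict[str, List[Tuple[float, float]]]) -> Dict[str, Dict[str, Tuple[str, list]]]:
    """Per client MAC, the resolution of every SSID it probed for."""
    return {mac: {ssid: locate_ssid(ssid, db) for ssid in ssids}
            for mac, ssids in parse_probes(log).items()}


if __name__ == "__main__":
    for mac, results in locate_clients(PROBE_LOG, GEOLOG_DB).items():
        for ssid, (status, hits) in results.items():
            print(mac, ssid, status, hits)
```

Read against his three suggestions: the `_nomap` line is what the rename-with-suffix advice buys you, the "ambiguous" results are what a common or car-like name buys you, and the number of non-wildcard SSIDs a single MAC probes for is exactly the saved-network list he suggests cleaning out.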
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.