CyberWire Daily - Recruiting spies at university? GoldBrute botnet and RDP vulnerabilities. MuddyWater update. RIG delivers Buran. Achilles claims to sell access. NRC’s IG reports on cyber. Antitrust for Big Tech.

Episode Date: June 7, 2019

The Australian National University hack and data loss look to many observers like the work of Chinese intelligence services. The GoldBrute botnet is scanning vulnerable RDP servers. MuddyWater is back, undeterred by leaks and learning from the best. The RIG exploit kit is delivering Buran ransomware. Achilles says he’s got the goods. The Nuclear Regulatory Commission IG looks at cyber inspections. And Big Tech prepares for big antitrust. Robert M. Lee from Dragos on natural gas infrastructure security. Guest is Frank Downs from ISACA on the challenges educators face preparing the cyber security workforce.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The Australian National University hack and data loss looked to many observers like the work of Chinese intelligence services. The GoldBrute botnet is scanning vulnerable RDP servers. MuddyWater is back, undeterred by leaks and learning from the best. The RIG exploit kit is delivering Buran ransomware.
Starting point is 00:02:16 Achilles says he's got the goods. The Nuclear Regulatory Commission IG looks at cyber inspections. And Big Tech prepares for big antitrust. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 7, 2019. As investigators continue to look into the cyber incident at the Australian National University, signs point to Chinese intelligence services as the operators behind the recent hack. It's consistent with other Chinese operations, which have aimed either at the cultivation of sources or the acquisition of intellectual property. In this case, the ANU hackers appear to have been engaged in recruitment. The attackers exfiltrated some two decades' worth of personal data
Starting point is 00:03:06 that the Sydney Morning Herald says includes bank account numbers, tax information and academic records of both students and staff. Investigators believe one of the campaign's principal objectives was to groom Australian students headed into civil service careers for recruitment as agents. ANU graduates are heavily represented in public service. The evidence pointing to China is circumstantial. First, only a small number of countries have the technical wherewithal to execute an attack of this kind.
Starting point is 00:03:38 Second, an even smaller subset of those would be interested in doing so. And third, the attack seems to fit the pattern displayed in other Chinese cyber espionage campaigns. Why would an intelligence service be interested in financial and academic records? For any number of reasons. The more one knows about prospective agents, the easier it is to get your hooks into them. You might wish to develop the sort of rapport that might be useful in recruitment. You studied Li Bai's poetry? What a coincidence. Me too. I always found "Quiet Night Thought" particularly moving. Or maybe, you wouldn't believe the trouble I had with the credit department at Regional... What? You too? Let's talk.
Starting point is 00:04:18 Or you could accustom them to doing small innocent favors that lead to less innocent favors that lead to quite guilty favors. I've completely lost touch with Chloe. You remember her from ANU? You wouldn't happen to have a copy of a staff directory you could give me. I'd so love to get back in touch. And who wouldn't want to help out Chloe? And the next staff directory might be from an Australian Signals Directorate contractor. And then maybe an internal memo would be much appreciated because that nice person is interested in investments. Eventually, you get the point where you feel you have to refuse,
Starting point is 00:04:52 but by then you may have given away things that the nice person points out well, people just wouldn't understand. Better for you if you keep playing ball. And rougher still, it's also possible to turn up material that might be useful in compromising a target. I notice you wrote an honors essay on Li Bai's Waking from Drunkenness on a Spring Day. Did your drinking problems at Canberra lead you to that particular poem?
Starting point is 00:05:18 Or perhaps, worst of all, something like this. It would be a shame if your second cousin in Shenzhen lost his job. Actually, losing his job might be the least bad thing that could happen. Chinese operators have been behind this kind of hack before, and it fits well into traditional espionage craft. The risks of Remote Desktop Protocol vulnerabilities are coming into sharper focus. Morphus Labs warns that a botnet, GoldBrute, is scanning and brute-forcing about a million and a half RDP servers. There are several known RDP vulnerabilities out there, and there are patches available, including patches for BlueKeep, which Microsoft and NSA and their sisters and cousins and their aunts are really urging everyone to patch.
Starting point is 00:06:05 Iran's hacking group MuddyWater, also known as Seedworm, might have seen more of its tools leaked online, but that hasn't made it pull in its horns. ClearSky warns that the threat group is actively impersonating government accounts and using at least two new techniques: Microsoft documents carrying malicious macros, and exploitation of CVE-2017-0199, that is, the Microsoft Office WordPad remote execution vulnerability with Windows API. These, of course, aren't new attack tactics, but they're new for MuddyWater and represent Iranian intelligence and security services' long-standing determination to learn lessons and improve their game.
Starting point is 00:06:46 It doesn't have to be novel, and it doesn't have to be innovative. It just has to be well executed, and it just has to work. These work, especially against unprepared victims. The RIG exploit kit is now being used to deliver Buran ransomware. Buran looks like gangland for profit work, although of course there's often a degree of penetration and control of the Russian mob by organs of the Russian state. The best defense against this Russian strain of ransomware are updated security software, since Buran arrives via exploit kits, sound offline backup,
Starting point is 00:07:22 and properly suspicious users. That, of course, is good advice at any time. Our linguistic desk helpfully points out that Buran means blizzard. Researchers at security firm Advanced Intelligence are calling out another criminal active in dark web markets. He goes by the name Achilles, speaks English, and is suspected of being Iranian. He's selling, he claims, credentials that would give the buyer access to security companies, charities, and at least one international organization, UNICEF.
Starting point is 00:07:58 There's no confirmation yet that Achilles can deliver the goods he's offering, but he enjoys a good reputation in this very bad neighborhood. His criminal clients consistently give him strong reviews, so maybe there's something there. In any case, Achilles bears watching. Cryptocurrency firms are under attack, as usual. GitHub users lost some $9.7 million, and blockchain startup Komodo, not to be confused with security firm Comodo,
Starting point is 00:08:24 hastily patched a vulnerability in its wallet. The U.S. Nuclear Regulatory Commission is short on cyber workers. A report by the commission's inspector general found that the NRC's cybersecurity inspections, quote, generally provide reasonable assurance that nuclear power plant licensees adequately protect digital computers, communication systems, and much as it trains current staff to conduct cyber inspections, still finds itself facing a familiar problem. Good cyber talent is in high demand and not that easy to hire, especially into the government. The IG also found that the current cyber inspection program is risk-informed but not fully performance-based.
Starting point is 00:09:13 The report urges the Commission to work on appropriate performance measures. And finally, as the antitrust sharks circle Big Tech, Big Tech is putting K Street shark repellent into the Beltway waters, hiring lobbyists to fend off the regulatory predators. And Facebook is reported to have begun bringing in more defense talent to its legal team. The administration seems to be serious about the feedings,
Starting point is 00:09:38 which for now are divided between justice and the Federal Trade Commission. Congress is also taking an interest. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
Starting point is 00:10:01 You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:10:53 They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:11:43 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Robert M. Lee. He's the CEO at Dragos. Robert, welcome back. You know, I thought we could run through some of the ICS environments that you all deal with. And why don't we start with natural gas? Give us an idea here in the United States. What is the lay of the land with our natural gas system?
Starting point is 00:12:28 How is it controlled? And what are the threats? Yeah, absolutely. So when it comes to natural gas, it's an interesting changing point for the industry. For years, although it was still critical and important, there wasn't as much national attention on it because it wasn't as critical to the bulk electric system. As we have moved away from coal and moved more towards renewable sources, we still need a quick way to be able to generate power, which is natural gas. And so natural gas is starting to feed the electric grid much more so, even a lot of larger energy companies buying up natural gas companies,
Starting point is 00:13:01 which means that that national focus has definitely increased. There are threats that have targeted natural gas already, and we've heard about these over the years. We've never seen destruction or disruption as a result of an intentional attack. But of course, it's still something that weighs very heavily on the focus of minds, especially when we start seeing the criticality of the industry increase. What they're sort of up against today is a variety of risk that they're trying to mitigate. One of the factors for them is they do have sort of that traditional SCADA approach, meaning very long distances, right? A lot of pipelines, very large landscape that they have to cover, as well as very boutique kind of systems. You know, gas compressor station along the side of a pipeline is not really normal knowledge for a lot of those, even in the industrial control security community.
Starting point is 00:13:50 And so for them, they're trying to reduce that risk, not only the physical threats and the things they have to deal with, like crazies along the pipelines, but also in the fact that their threats can get out to those locations. And it's not some easily tapped infrastructure. It's not like they could drive to every single gas compressor station and every single aspect of the pipeline and storage wells and all that and throw a managed switch on there and start tapping that traffic. It's not really achievable in that way. So they're much more around ingress and egress filtering and understanding if they can identify threats from the control center down or back up again from those sites. And at the same time, they're
Starting point is 00:14:24 just dealing with the nature of the politics. So we've got some good organizations like the Downstream Natural Gas ISAC, who's trying to do a lot of advocacy and outreach in that sector. But I expect this will be a very turbulent next couple years for them as they try to figure out how to articulate what the real risk is while minimizing it without letting, as you noted, the hysteria get taken away as congressional members and others start asking questions on, oh, no, what is the threat to this new industry? It was not really new, but this industry that's new in its criticality to the electric grid. So fantastic opportunity for them, definite challenges.
Starting point is 00:14:57 But as always, we've got some fantastic people taking on that challenge. And what would be the impact of an interruption of natural gas service? It could be significant. It depends on a lot of factors. But one of the factors to consider is other generation sources of power in that region, as well as time of the year. So as an example of a particularly bad scenario, if we're talking about the dark sort of months of the year, we're not getting as much in terms of like solar and move towards solar more in the grid. And we also combine that with it being winter in places like the northeast or northwest, you know, a significant outage could actually have loss of life impact when it comes to
Starting point is 00:15:38 people in that region. Now, we're not talking about everybody in the region dying, but nobody should take any loss of life lightly. So we're talking a number that is uncomfortable mostly just because we're talking about people's lives there. So I think there's a realistic scenario where an attacker can make planned and coordinated strikes against pipelines that have real repercussions, but it still is much more difficult and nuanced than people make it out to be. But the complexity of a natural gas pipeline is not the same as the complexity of the overall grid, which means to take down a giant portion of the grid for any significant portion of time is a very complex
Starting point is 00:16:16 problem. It's not as complex in gas pipelines, but it is still not trivial by any stretch of imagination. Robert M. Lee, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:17:03 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Association for IT Auditors and Cybersecurity Professionals. Our conversation today focuses on his experience as an adjunct professor in cybersecurity and the challenges he sees the community facing when it comes to educating the next generation of cybersecurity pros. There's kind of a two-pronged problem here with getting everybody, actually there's more like a three-pronged problem here when we're talking about getting everybody up to snuff for cybersecurity. First and foremost, we have this continually growing gap of a great quote that was told to me by one of our members was, every time someone buys a new iPad or iPhone or computer or laptop, the Internet gets a little bit bigger, right? And we, uh, with the pace of new devices coming online every day, we're not making cybersecurity professionals or site or training cybersecurity individuals
Starting point is 00:18:11 fast enough. Um, so the gap keeps growing. If you take a look at our state of cyber report, every year we put out, uh, the gap is still there and it's still concerning. Uh, the second thing is, uh, when it comes to training these professionals is that you're using more traditional, primarily more traditional methodologies such as passive learning for the individuals, for the students. That means think of when you were in college, right? You would sit in these big halls and you would have people sit and they would all learn math from one person who would put it up on the chalkboard. And then it was your job to take it all in and then regurgitate it when it came
Starting point is 00:18:45 exam time. That doesn't really work for cybersecurity. That doesn't really work for cybersecurity at all. You can't just, you know, sit down, have a passive death by PowerPoint experience, go in, sit down, take a multiple choice exam, and then all of a sudden be good at cyber, right? It just doesn't work that way. And so we have to change more thoroughly the method of learning across the board, not just in academia. And thirdly, there needs to be greater awareness, in my opinion. There was a study that was put out last year where nine out of 10 students, nine out of 10 millennials graduating, said that they didn't even consider cybersecurity as a career path. Not like they thought about it and then said no, as in it just never even
Starting point is 00:19:33 crossed their mind as an option, which means there's lack of awareness. And they took a look at that one out of 10. And one of the things that they really had in common was that they had somebody who worked in the field directly or had told them about it in school. So that lack of awareness that's even an option is also concerning. So it's a three-pronged approach, three-pronged problem, if you will, that we are working with and trying to remedy. Yeah, I mean, it's a really interesting insight. And I wonder, I mean, what you described there of, you know, that that's literally old school technique of a professor at the front of a big lecture hall, which I certainly experienced, you know, way back in the day. Do I imagine neither you nor I want to talk about how back in the day that was, right? That's right. I think you might be on to something there.
Starting point is 00:20:29 But I don't want to overgeneralize, right? Because right now there seems to be this strong push of college is bad, trade school is good, right? Everything seems to be flipped on its ear. And that's not necessarily the case, right? Trade school is good and college is good. But I think we need to look at something on a more basic base level, right? A more basic level of how do we train these individuals, whether it is in some type of
Starting point is 00:20:53 trade school or whether it is in college, right? Because what we've seen is individuals who do best in the field have some type of experience. I'll give you a great example. I've had several students over the last several years who have come to me and have said, I want to get a job in this field, but I don't even know how to do this. And I'm really concerned about it. Right now, these are my graduate students and that I would teach at night and I teach them cybersecurity. And they were really concerned, right? Because most of these students come in and their big
Starting point is 00:21:23 thing is we would like to get a job. Meanwhile, I talked to all these different professionals in the field, many of these executives, and they go, we need more people for these jobs. There's clearly a miscommunication there, right? And I told the student, I said, you really shouldn't be concerned. You've done so much practical hands-on stuff here that when you go to this interview compared to X, Y, or Z individual or applicant, you're going to blow them out of the water. That, and you actually know what the NIST
Starting point is 00:21:49 policies are. I can't make you comfortable, but I can encourage you that things will go well. And I'll tell you what, she was one of my best students. She came back and said, you're 100% correct. They said the majority of the people who are applying to this have no actual hands-on experience, haven't actually worked with malware, haven't actually worked with packet analysis and so forth. So when they knew that I could do these things and I even showed them, that combined with the misunderstanding of the NIST policies, well, they gave me a job. So I think, and that was in a college environment, right? That was in a grad school environment. Now, can this be replicated in a trade-like experience? Yes. And as a matter of fact, it is on a regular basis. There are several different things that ISACA is working with
Starting point is 00:22:33 partners on having more of a trade school environment and wherein individuals can come, can sit down and don't have to go, don't necessarily experience this more formal education path and are able to re-skill into the field of cybersecurity. So I think it's an issue that is both impactful for trade schools and for traditional academia as well. So the institutions that are doing it right, those colleges and universities, even down to the community college level, the ones who are, who in your estimation are setting up the proper mix of things here, what do they have in common? What are they doing that sets them apart? There's two things that I've seen in a lot of successful
Starting point is 00:23:18 academic institutions and schools and programs. One is they're ensuring that the students are getting real experience, whether that takes the form of a range, right? Or whether that takes the form of a lab that they do in class, they're actually working with real malware. They're working with real denial of service attacks. They're stopping these things. They're responding to incidents and, and people are living then, right? Because there's no substitute for experience that there's no substitute for being saying, sitting down and saying, oh yes, I've dealt with Spectre, right? I've dealt with Meltdown. We can work with these things. The other thing that they're doing is they have partnerships and or programs that help these individuals get lined up with a job
Starting point is 00:24:01 and can point them or at least prepare them to be competitive in the job market. I think that some institutions who aren't doing as well have this consistent mentality of, well, you got your degree, didn't you? Go ahead and get that job. That's not me. When you're starting to see some schools actually take a step back. And what's really, really interesting is you're seeing some schools do this with certain liberal arts majors, for example, right? It's no longer, speaking as a liberal arts major, getting an English degree doesn't necessarily equate to getting a job. And you're seeing a lot of these more successful schools say, okay, well done. You got the English degree.
Starting point is 00:24:39 Good job. You may notice that's a little hard to get a job. We have this program that is a either cybersecurity or IT or technical or engineering program that we can put you through and give you these additional skills that can make you more attractive, which I'll be perfectly honest with you. Speaking from experience, it wasn't always my English degree that got me my job. In fact, it pretty much never was my English degree that got me the job. Now I could write and that did help at the job and I could communicate. And as you probably know, in the field of IT or cyber or any other field, someone who can do the job and communicate it
Starting point is 00:25:13 effectively, that's really valuable. So in the long term, they're setting these students up, but not all of these programs and these institutions are doing that, which makes it a lot more difficult for these students to then succeed. People need to know that this is an option. So I think we're finally getting a good beachhead established in trade schools and academia and re-skilling programs for adults. However, I think there needs to be, I think we won't really have a good long-term solution until as a field we've successfully infiltrated, say, that high school and middle school level of learning and understanding. We're going to need to actually come together and build a more consistent and capable workforce through having a consistent
Starting point is 00:25:57 training mechanism and methodology. When I start seeing these classes offered in high schools and it's a curriculum they can pick, then I'll be a little more encouraged. And I think we are going in that direction. It's just going to take some more time. It's really because, like I said, we're fighting this fight on multiple fronts. That's Frank Downs. He's the Director of Cybersecurity Practices at ISACA. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:26:45 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions. Thank you. and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:27:58 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
