CyberWire Daily - Some fix fast, others not at all. Ransomware campaign's demands are non-negotiable (for most victims—Russians get a hometown discount). Content filtering. Jamming in Syria.
Episode Date: April 26, 2018. In today's podcast we hear about another exposed database, trouble with routers, issues with surveillance cameras, and problems with storage devices. Some have been promptly fixed, but others are offering users Hobson's choice: take it or leave it. An apparent ransomware campaign says payment demands are "non-negotiable," unless, of course, you happen to be Russian, in which case, let's talk. Citizen Lab complains about certain kinds of content filtering in South Asia. What's up with Compass Call in Syria? Jonathan Katz from UMD on mathematical backdoors. Guest is Paul Burbage from Flashpoint on the compromised Magento sites.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
More exposed databases, trouble with routers,
issues with surveillance cameras, and problems with storage devices.
Some have been promptly fixed, but others are offering users Hobson's choice: take it or leave it.
An apparent ransomware campaign says payment demands are non-negotiable,
unless, of course, you happen to be Russian, in which case, let's talk.
Citizen Lab complains about certain kinds of content filtering in South Asia.
And what's up with Compass Call in Syria?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 26, 2018.
Kromtech Security says an exposed MongoDB database has leaked information on roughly
25,000 individuals who had invested, or were considering investing, in the widely promoted Bezop cryptocurrency:
full names, street addresses, email addresses, encrypted passwords, and wallet information, along with links to scanned passports, driver's licenses, and other IDs.
Hyperoptic's H298N broadband home routers have a hard-coded root account
and suffer from a DNS rebinding vulnerability.
The problems affect personal data security.
They also offer the prospect of widespread surveillance or distributed denial-of-service campaigns.
Hyperoptic is a British ISP,
but the vulnerable routers are made by ZTE,
which will no doubt harden U.S. government resolve
against lightening up on recent sanctions
against the Chinese device manufacturer.
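A note on the rebinding bug mentioned above: a DNS rebinding attack has the attacker's domain resolve first to the attacker's own server and then, once the victim's browser has loaded a page from it, to the router's LAN address, so the browser's same-origin policy now lets that page talk to the router's web UI as if it were the attacker's site. Two independent checks defeat it: a resolver that refuses to hand back internal addresses for external names (what dnsmasq's --stop-dns-rebind option does), and a device web UI that rejects requests whose Host header is not its own address or hostname. The Python below is an added example, not code from the episode or from Hyperoptic or ZTE; it implements both checks over a constructed attacker.example rebinding sequence, and the blocked ranges, the router address 192.168.1.1 and the allowlist name router.lan are assumptions.

```python
"""DNS rebinding defences: resolver-side answer filtering and device-side Host checking.
Added example; the network list, names and addresses are assumptions, not from the episode."""
import ipaddress

# Ranges an Internet name has no business resolving to: RFC 1918, loopback,
# link-local, CGNAT, "this host", plus the IPv6 equivalents.
REBIND_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_rebinding_target(addr: str) -> bool:
    """True if addr points inside the LAN/loopback space a rebinding attack aims at."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:192.168.1.1 is still 192.168.1.1
    if mapped is not None:
        ip = mapped
    return any(ip in net for net in REBIND_BLOCKED)

def filter_answers(qname: str, answers, allowlist=()):
    """Resolver-side check (what dnsmasq's --stop-dns-rebind does): drop internal
    addresses from answers for external names. Names in allowlist (the local
    equivalent of rebind-domain-ok) keep their internal answers. Returns (kept, dropped)."""
    name = qname.rstrip(".").lower()
    if name in {a.rstrip(".").lower() for a in allowlist}:
        return list(answers), []
    kept, dropped = [], []
    for a in answers:
        (dropped if is_rebinding_target(a) else kept).append(a)
    return kept, dropped

def host_header_ok(host_header: str, own_names) -> bool:
    """Device-side check: a rebound request arrives with the attacker's domain in
    Host:, so the router's web UI should serve only its own address or hostname."""
    h = host_header.strip().lower()
    if h.startswith("["):                      # IPv6 literal, e.g. [fe80::1]:80
        h = h[1:h.index("]")] if "]" in h else h[1:]
    else:
        h = h.split(":", 1)[0]                 # strip :port
    return h in {n.lower() for n in own_names}

# Constructed rebinding sequence: the attacker's authoritative server answers a
# short-TTL A record with its own address first, then with the router's LAN address.
REBIND_SEQUENCE = [
    ("attacker.example", ["203.0.113.10"]),   # first lookup: page loads from the attacker
    ("attacker.example", ["192.168.1.1"]),    # re-lookup after TTL expiry: now the router
]

def run_sequence(sequence, allowlist=()):
    """Apply the resolver check to each lookup; returns what the client would get."""
    return [(qname, filter_answers(qname, answers, allowlist)[0]) for qname, answers in sequence]

if __name__ == "__main__":
    for qname, kept in run_sequence(REBIND_SEQUENCE):
        print(qname, "->", kept or "REFUSED (rebinding target)")
    own = ["192.168.1.1", "router.lan"]
    for host in ("192.168.1.1", "attacker.example", "router.lan:8080"):
        print("Host:", host, "accepted" if host_header_ok(host, own) else "rejected")
```

The second lookup in the sequence is the one that matters: with the resolver check in place the client gets an empty answer instead of the router's address, and even without it, the rebound request still carries Host: attacker.example, which the device-side check rejects. A hard-coded root account is a separate problem that neither check addresses; the only fix for that is a firmware update that removes the account.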
HPE iLO 4 remote management interfaces are reported to have been hit with ransomware.
Also known as HPE Integrated Lights Out, iLO 4 is a management processor in some HP servers that enables administrators to remotely administer the servers.
It's not yet clear if the threatened hard drives are actually being encrypted,
but the ransom screens say the crooks want two bitcoins to release affected files,
adding reassuringly, if implausibly, that the crooks need the money for a good cause.
The ransom demand is composed in clumsy, non-native English.
The note says firmly that the two-bitcoin price is non-negotiable.
Non-negotiable, that is, unless you, the victim, are from Russia,
in which case they're willing to talk.
That reservation is a common one among Russian underground actors,
who have no wish to consign themselves to the ministrations
of their country's police and security services.
This story is still developing.
We'll see how extensive the campaign is,
and whether it's true ransomware, a wiper,
or simply misdirection to cover some other caper.
Trustwave says that Western Digital My Cloud EX2 devices are insecure,
exposing users' data to anyone with an interest in obtaining it.
The problem lies in the default settings that enable DLNA,
that's Digital Living Network Alliance, streaming from a storage device.
Instead of fixing the issue, Trustwave complains,
Western Digital simply recommends turning off DLNA if you don't want to use this feature.
Hikvision has patched a vulnerability that exposes its cameras to remote control.
It was an authentication problem that essentially made it possible to reach any camera through the Hik-Connect service.
The researchers found it possible to see live video and playback from vulnerable devices,
lock users out of their devices, take control of users' Hikvision accounts,
or add themselves as a shared user so the legitimate user would be unaware someone else
was watching.
Hikvision seems to have been commendably quick to respond to the bug disclosure.
The vulnerability report was filed Saturday, and Hikvision had a fix out on Tuesday.
We recently reported on compromised Magento content management systems,
with at least 1,000 admin panels having been affected.
Paul Burbage is a senior malware researcher at Flashpoint,
where they've been researching the problem.
Magento is a content management system built for e-commerce websites, and it powers everything from several large stores to small mom-and-pop style stores on the internet. You would want these websites to be secure, especially when people are conducting financial transactions as they purchase goods for sale on websites built with Magento. I was shocked to find out that these Magento website administrators are choosing poor passwords for the security of these sensitive websites where financial transactions are occurring.
And part of the issue here is that people are sticking with default passwords. Is that the case?
Yes, either that or really poor passwords that are not unique across other compromised data sets. But right, the initial passwords that they're setting are also weak, not very complex passwords, or they're just utilizing the default password that comes with the initial installation.
And so the adversaries were brute-forcing these sites?
Yes, that's correct.
So once they have control of the Magento admin panel, what happens next?
You know, with any type of CMS website, be it WordPress, Joomla, Magento, or even Drupal, once you have administrative access, you can upload files to that website, other PHP server-side code that then runs on that web server. So once admin access is granted, it pretty much allows full control over that website to execute arbitrary code. In this particular campaign, we saw two attack vectors. The first one was a JavaScript redirect that sent victims to CoinHive to mine Monero cryptocurrency within the browser, and the other was a JavaScript redirect that presented users with a fake Adobe Flash Player upgrade notice.
Tell me about this AZORult. Is that how it's pronounced?
I believe it's pronounced AZORult.
AZORult, okay. Yeah.
So with the AZORult infostealer, the visitors are presented with an Adobe Flash Player upgrade notice. Once they click on that "update now" button, the AZORult infostealer malware is downloaded and executed on the victim's machine. Now, the AZORult infostealer can harvest credentials on the system, everything from email clients to saved browser credentials, and it's also used as an initial loader itself. So one thing that the threat actors behind the AZORult infostealer command and control can do is load additional malware on top of that. In this particular campaign they were loading the Rarog crypto miner, which was another crypto miner hidden within Windows systems that also mined Monero.
And in this case, the attackers were also taking some steps to avoid detection.
As far as detection is concerned, with most Monero miner crypto malware, you're going to have an element of being able to detect whether or not the system is churning out a great amount of resources. But with this particular attack, the Rarog crypto miner is meant to just kind of hide in the background and mine crypto coins unbeknownst to the victim.
And in terms of who they were targeting, did it seem like there were any particular groups that they went after?
There have been some industry verticals as far as the initial Magento compromised websites are concerned, such as the healthcare and education sectors. This was really just the luck of the draw as far as whomever was visiting those compromised websites. So it really wasn't any type of, you know, directly targeted watering hole attack.
That's Paul Burbage from Flashpoint. You can learn more about their research on compromised Magento sites on their website. It's in the blog section.
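The brute forcing Burbage describes leaves a recognisable trace in the web server's access log: many POSTs to the admin login path from one IP in a short window, followed, if a weak or default password was found, by a redirect into the dashboard. The Python below is an added example, not Flashpoint's code or Magento's; it runs that detection over a few constructed combined-format log lines. It assumes the admin base URL is /admin (Magento's default, which many shops rename) and that a failed admin login re-renders the form with HTTP 200 while a successful one redirects with HTTP 302; both assumptions should be adjusted to the site being monitored.

```python
"""Detecting Magento admin-panel credential brute forcing in web server access logs.
Added example; log lines below are constructed, and the admin path and status
codes used to classify logins are assumptions to be adjusted per site."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed: Magento's default admin base URL is /admin; many shops rename it.
ADMIN_LOGIN_PATHS = {"/admin", "/index.php/admin"}

def parse_line(line):
    """Parse one combined-format line; returns None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0].rstrip("/") or "/",
        "status": int(m["status"]),
    }

def login_outcome(rec):
    """Classify a request as 'fail', 'success' or None (not a login attempt).
    Assumption: a failed Magento admin login re-renders the form (HTTP 200),
    a successful one redirects into the dashboard (HTTP 302)."""
    if rec["method"] != "POST" or rec["path"] not in ADMIN_LOGIN_PATHS:
        return None
    if rec["status"] == 200:
        return "fail"
    if rec["status"] == 302:
        return "success"
    return None

def find_bruteforce(lines, threshold=5, window_s=60):
    """Flag IPs with >= threshold failed admin logins inside a sliding window_s-second
    window. A success from a flagged IP while its failure burst is still inside the
    window is marked separately: that is the case to treat as a probable compromise."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        outcome = login_outcome(rec)
        if outcome is None:
            continue
        q = failures[rec["ip"]]
        while q and (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()             # drop failures that fell out of the window
        if outcome == "fail":
            q.append(rec["ts"])
            if rec["ip"] in flagged:
                flagged[rec["ip"]]["failures"] += 1
            elif len(q) >= threshold:
                flagged[rec["ip"]] = {"first_flagged": rec["ts"], "failures": len(q),
                                      "success_after_burst": False}
        elif rec["ip"] in flagged and q:
            flagged[rec["ip"]]["success_after_burst"] = True
    return flagged

# Constructed sample: one IP hammers the login form and then gets in; another
# logs in normally after a single typo.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Apr/2018:10:00:01 +0000] "GET /admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Apr/2018:10:00:02 +0000] "POST /admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Apr/2018:10:00:04 +0000] "POST /admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Apr/2018:10:00:05 +0000] "POST /admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Apr/2018:10:00:06 +0000] "POST /admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Apr/2018:10:00:07 +0000] "POST /admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Apr/2018:10:00:09 +0000] "POST /admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Apr/2018:10:00:11 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Apr/2018:10:05:00 +0000] "POST /admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The detection is deliberately status-code based rather than content based, because a reverse proxy or CDN log is usually all a responder has. A burst with no subsequent 302 is an attack that failed; a burst followed by a 302 is the case that warrants pulling the admin user list, checking for newly uploaded PHP files and looking for the injected JavaScript redirects Burbage describes.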
Check Point and CyberInt say they've found a new phishing tackle for sale on the dark web.
The new kit, compiled and offered by a criminal whose nom de hack is Apache, enables users to craft convincing emails and redirect sites that closely mimic branding elements of well-known firms. The kit seems to cater to Spanish-speaking criminal clients.
The University of Toronto's Citizen Lab reports that Netsweeper technology is enjoying widespread use for online censorship in South and Southwest Asia.
Governments of Afghanistan, Bahrain, India, Kuwait, Pakistan, Qatar, Somalia, Sudan, the United Arab Emirates, and Yemen are said to be using the technology to block content they find objectionable.
According to Radio Canada International, Citizen Lab and Ontario-based Netsweeper have been at loggerheads before, with at least one lawsuit filed against Citizen Lab and subsequently withdrawn.
Citizen Lab's objection to the filtering doesn't appear to be content neutral, but is instead based upon its conclusion that the regimes it says are misusing the technology are doing so to block content that appears to be protected under various international agreements.
A Chinese think tank mulls a Sino-Russian condominium in cyberspace and likes what it thinks it sees.
The director of the Center for Security and Development of Eurasia, China Institute for International Studies,
said at a conference in Shanghai that it would be good if Russia and China
got together to cooperate on security and stability in cyberspace,
which could help avert cyber war.
Moscow and Beijing probably do have similar views on what would constitute security and stability,
but such a meeting of the minds might not commend itself to other parts of the world.
Speaking of cyber warfare, U.S. EC-130 Compass Call electronic warfare aircraft
are said to be encountering disabling Russian electronic warfare,
presumably jamming, as they operate over Syria.
Breaking Defense quotes General Raymond Thomas, head of U.S. Special Operations
Command, as having made remarks to this effect at the GEOINT conference. The U.S. Air Force describes
Compass Call as, quote, an airborne tactical weapon system using a heavily modified version
of the C-130 Hercules airframe. The system disrupts enemy command and control communications
and limits adversary coordination essential for enemy force management.
The Compass Call system employs offensive counter-information and electronic attack capabilities.
Our military desk remembers Compass Call as a big, powerful flying jammer,
a kind of electronic Bigfoot stumping around noisily over the battle space,
clobbering frequencies left, right, and center.
When Compass Call was up and operating,
Army units on the ground tended to shrug their shoulders and give up on tactical FM radio.
Forget it, Jake. It's Compass Call.
Our military desk trusts Compass Call has evolved into a more discriminating system.
There's some dispute over whether the General said EC-130
or AC-130. The EC-130 is the dedicated electronic warfare ship. The AC-130 is a gunship, called
variously Spectre, Spooky, Ghost Rider, and so on, depending on model and local custom. Armament on
the later models includes a 30mm Gatling gun, a 105mm howitzer,
and various other launch systems and hardpoints. It's a night-flying truck hunter that's seen a
lot of use in the relatively benign airspace one usually encounters in counterinsurgency
and counterterror operations. While it isn't an EW platform, the AC-130 does sometimes carry an
electronic warfare operator as part
of the crew, and it's possible the general may have meant Spooky and not Compass Call.
Whatever's being jammed, the Russians have long had a reputation for capable electronic warfare,
and it wouldn't be surprising if the ether over Syria is a tough place to work.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose,
and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Jonathan Katz.
He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center.
Jonathan, welcome back.
We had a story come by from the Register, and they were talking about mathematical backdoors in encryption algorithms. This is a topic that comes up over and over again with privacy. What were they getting at here?
Well, in this talk, what they were basically showing was that these researchers were able to design an algorithm that, you know, for all intents and purposes looked secure, but actually had a particular mathematical backdoor embedded in it that would then allow the researchers to break it. And this was meant to just be a demonstration of what could potentially go wrong with standardized cryptosystems, or any other cryptosystem that a researcher developed, that may look perfectly secure to an outsider but may have some secret backdoor embedded in it that would allow the researcher to then completely break security when it was actually used.
To a researcher who is trying to determine whether or not there was a backdoor, it wouldn't have been readily obvious that there was one in there.
Exactly. So number one, it wouldn't have been obvious that there was a backdoor at all. And so from the point of view of everybody else evaluating it, they would see nothing wrong with the proposal, and they might even consider adopting it. And even if they suspected somehow that there was a backdoor, they wouldn't be able to figure out what that backdoor was, and so wouldn't be able to break it themselves.
Now, is this the sort of thing that we've seen out in the real world, where these sorts of things have been discovered?
So it's unclear. I mean, there were some suggestions by people a few years ago claiming that there was a backdoor in a pseudorandom number generator that had been standardized by the U.S. government. It definitely, you know, was the case that there could have been a backdoor there; whether there was or wasn't is kind of up for debate. But I think really they're just demonstrating the potential for these backdoors to be present. Now, one of the things I will say is that very often the U.S. government nowadays develops standards by public consensus or even by public competition. So, for example, the AES block cipher was designed by a public worldwide competition where, like, you know, anybody from all over the world could submit their algorithms, and these were studied and vetted by researchers, again, all over the world. And so while it's possible that one or more of the submitted algorithms had one of these backdoors present, it seems unlikely, exactly because these submissions were coming from all over the world. Actually, the eventual winner was a European submission, not an American one.
And one of the things the article points out is that you can't prove a negative.
Yeah, that's exactly right. It's very difficult. It's impossible, really, without some kind of external evidence. Unless you had, you know, emails or some other evidence that this was going on, it would be very difficult to prove anything. On the other hand, you know, I think the hope would be that somebody who studied an algorithm for long enough would be able to tell whether or not there was a backdoor, or there are other techniques that people can use to try to indicate that there's no backdoor present. So, for example, what some people do, if they're picking constants to seed their algorithm, they might choose them as the digits of pi. And the idea there is that, well, if you're choosing them as the digits of pi, then you clearly didn't have any influence on what those numbers were. So people are still thinking about ways to prove to others that they didn't do anything fishy in the design of an algorithm, but I guess there's always a back and forth there, and that always leaves open the possibility that something did actually go wrong.
Yeah, that's interesting.
All right, Jonathan Katz, thanks for joining us.
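Katz's "digits of pi" point is about verifiable derivation: if a designer publishes the rule that produced a constant, anyone can recompute it and confirm the designer had no room to choose. SHA-256 is the standard example, and FIPS 180-4 states the rule: its eight initial hash values are the first 32 fractional bits of the square roots of the first eight primes, and its 64 round constants are the first 32 fractional bits of the cube roots of the first 64 primes. The Python below is an added example, not code from the interview; it recomputes both sets with exact integer arithmetic (so no floating-point rounding can mislead the check) and compares them against the published values.

```python
"""Recomputing SHA-256's published 'nothing up my sleeve' constants.
Added example, not from the interview. Derivation rule as stated in FIPS 180-4."""
from math import isqrt

def first_primes(n):
    """The first n primes by trial division (n is small here: at most 64)."""
    primes, cand = [], 2
    while len(primes) < n:
        if all(cand % p for p in primes if p * p <= cand):
            primes.append(cand)
        cand += 1
    return primes

def icbrt(n):
    """Integer cube root: the largest x with x**3 <= n, by exact binary search."""
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)   # hi is safely above cbrt(n)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def frac_bits_sqrt(p, bits=32):
    """First `bits` bits after the binary point of sqrt(p):
    floor(sqrt(p) * 2**bits) mod 2**bits, computed exactly with isqrt."""
    return isqrt(p << (2 * bits)) & ((1 << bits) - 1)

def frac_bits_cbrt(p, bits=32):
    """Same for the cube root, using the exact integer cube root."""
    return icbrt(p << (3 * bits)) & ((1 << bits) - 1)

def sha256_iv():
    """H(0): fractional parts of the square roots of the first 8 primes."""
    return [frac_bits_sqrt(p) for p in first_primes(8)]

def sha256_round_constants():
    """K[0..63]: fractional parts of the cube roots of the first 64 primes."""
    return [frac_bits_cbrt(p) for p in first_primes(64)]

# Values as printed in FIPS 180-4; the first and last four of K are enough to pin the rule.
PUBLISHED_IV = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
                0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]
PUBLISHED_K_HEAD = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5]
PUBLISHED_K_TAIL = [0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2]

def verify_against_fips():
    """True iff the recomputed constants match the published ones."""
    k = sha256_round_constants()
    return (sha256_iv() == PUBLISHED_IV
            and k[:4] == PUBLISHED_K_HEAD
            and k[-4:] == PUBLISHED_K_TAIL)

if __name__ == "__main__":
    print("IV:", [hex(h) for h in sha256_iv()])
    print("K[0..3]:", [hex(k) for k in sha256_round_constants()[:4]])
    print("matches FIPS 180-4:", verify_against_fips())
```

The caveat Katz alludes to is that this check only pins the constants given the rule; the designer still picked the rule (primes rather than pi, cube roots rather than square roots, which 32 bits), and a large enough menu of innocent-looking rules leaves room to pick one whose output happens to be convenient. What to evaluate is therefore how rigid the derivation is and how early it was committed to, not merely whether it is public.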
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.