CyberWire Daily - Sri Lanka bombing investigation updates. Cryptojacking targets enterprises in East Asia. Oracle web server zero-day. The criminal-to-criminal credential-stuffing market. Who talked about Huawei in UK?
Episode Date: April 26, 2019
Investigation of the Easter massacres in Sri Lanka continues. For all the concern about online inspiration, some of the coordination seems to have been face-to-face. Symantec describes a cryptojacking campaign, Beapy, that propagates using EternalBlue. An Oracle web server zero-day is reported. Recorded Future describes the commodified black market for credential-stuffing. And there's a cabinet dust-up in the UK over a leak about the government's plans for Huawei. Johannes Ullrich from SANS and the ISC Stormcast podcast on the increase in DHCP client vulnerabilities he's been tracking. Guest is Anura Fernando from UL on the technological and regulatory challenges of medical devices and wearables. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_26.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Investigation of the Easter massacres in Sri Lanka continues.
For all the concern about online inspiration,
some of the coordination seems to have been face-to-face. Symantec describes a crypto-jacking campaign, Beapy, that propagates
using EternalBlue. An Oracle web server zero-day is reported. Recorded Future describes the
commodified black market for credential stuffing. And there's a cabinet dust-up in the UK over a
leak about the government's plans for Huawei.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday,
April 26, 2019. Investigation into the Easter massacres in Sri Lanka has identified at least eight of the nine suicide bombers.
Three were members of one of the country's wealthiest families.
The family patriarch is among those who've been arrested.
The family's fortune is said to have been made trading spices.
One of those believed to have been a leader of the closely coordinated attacks was among the bombers.
Zahran Hashim, the imam notorious for online sermons urging the extermination of unbelievers, died when he detonated his bomb at the Shangri-La Hotel in
Colombo. Some are now retrospectively connecting Hashim to the defacement last year of Buddhist
shrines in Mawanella, an earlier jihadist action that some now, again retrospectively, see as a forerunner of the Easter massacres.
He apparently rented a house in Mawanella for a few months; he had made himself unwelcome at the local mosque,
and from there he concentrated on face-to-face indoctrination of local youth, so not all of his business was conducted online.
Controversy persists over how clear warnings of an imminent attack could have gone
so generally overlooked. This isn't a matter of missing subtle clues, but of police on the ground
apparently not paying attention to an alert passed through official channels. Foreign intelligence
services, notably India's, are also said to have warned Sri Lanka that jihadist violence was in
the works. And there's more intelligence chatter sufficient to warn tourists that further attacks may be in
the offing, even with the extensive police sweeps being conducted throughout the country.
The death toll in the attacks is proving, as is often the case, to be difficult to arrive at.
The authorities are now suggesting that the final count of losses may be closer to the earlier figure of 250 than the more recently cited 300.
Whatever the final toll, it's tragic by any estimation.
President Sirisena has vowed to search every house, if necessary, to bring an end to the violence.
Protection is being extended to mosques, lest there be a backlash to the bombings.
Researchers at security firm Symantec are tracking a crypto-jacking campaign that for now at least is concentrating on businesses in China, although a minority of the infections,
about 20%, have hit South Korea, Japan and Vietnam.
They're calling the campaign Beapy, and the worm involved appears to be using the EternalBlue
exploit to spread. So far, Beapy has left individual users largely alone. It shows a distinct preference
for enterprises. The initial infection vector has generally been a phishing email carrying its
payload in an attached Excel file. It uses unpatched machines to establish a beachhead
in a targeted network, and then spreads from there.
EternalBlue is the most common means of propagation,
but Beapy has also been observed using the credential theft tool Hacktool.Mimikatz.
Beapy is a file-based, as opposed to a browser-based, coin miner,
and so it works faster than competitors that operate from the browser.
This can translate to much greater gains for the cryptojackers.
As Symantec points out,
a 100,000-strong browser-based botnet could pull in about $30,000 in 30 days.
A file-based competitor of the same size would net $750,000.
So do the math.
Symantec offers some advice on protecting yourself from cryptojacking.
As always, be aware
of phishing and on your guard when opening emails, and especially when following links or opening
attachments. And watch for spikes in battery usage. If you see your battery draining faster
than it ought, scan the device for the presence of coin mining malware.
KnownSec 404 has discovered a zero-day in Oracle web servers.
Two WebLogic components, WLS9Async and WLSWSAT, are susceptible to remote code execution.
There's no patch yet, and KnownSec 404 recommends either removing the two problematic components and restarting the servers, or firewalling the paths an attack might exploit.
A Recorded Future study indicates the degree to which credential stuffing tools have become
widely available criminal commodities. It's possible to mount a credential stuffing campaign
for as little as $550. That investment is often repaid 20-fold. It's a criminal-to-criminal market;
the money's made in reselling stolen credentials. Recorded Future says there are six major toolkits available,
with dozens of also-rans being hawked in dark web markets. As always, multi-factor authentication,
and especially getting into the habit of not reusing passwords, are good ideas.
A cabinet dust-up over who talked out of school about a pending decision by Her Majesty's
government to allow Huawei participation in the UK's 5G build-out, at least in non-core
technologies like antennas, may give rise to a criminal investigation, The Telegraph
reports.
But senior cabinet members are all saying the same thing.
I don't know nothing.
I didn't do nothing.
Leave those capers to the wide boys, Sunshine.
And joining me once again is Johannes Ullrich.
He is Dean of Research for the SANS Institute, and he's also host of the ISC Stormcast podcast.
Johannes, it's great to have you back.
You have been tracking some increases in DHCP client vulnerabilities. What are you seeing here?
Yes, there has been really sort of a rash of these vulnerabilities, in particular in Windows at the beginning of the
year. I think there are a total of five different vulnerabilities that were sort of spread through
the January and the March patch set.
And the problem with these vulnerabilities is
there hasn't really been a public exploit for it yet,
but they're really very dangerous,
in particular for users that have to connect
sort of to these open wireless access points.
Hmm. So give us an example of what would be the problem here.
So you're at a hotel, and we all know hotel networks are often compromised, in particular to target visitors to the hotel.
And you're getting an IP address from the hotel's wireless network.
DHCP has to be working. There's really no other good way of doing this.
If the DHCP server of the hotel is now compromised and is sending you a crafted response, the attacker could actually be executing arbitrary code on your system.
Now what about, are you going to get any help with firewalls, or if you're using a VPN?
Not really, because all of this really happens before, in particular, VPN matters.
And even the firewall, the firewall has to allow these DHCP responses back in.
There's really no good way sort of to whitelist anything; maybe there's a chance for sort of some
intrusion protection system or so to closer inspect the payload of these DHCP responses. But haven't we seen anything
good in particular when it comes to these DHCP exploits? So what do you recommend here? How can
folks protect themselves? Well, the bad thing is there isn't really much you can do other than
being careful, watching for odd behavior, trying to avoid these wireless networks, of course.
But realistically, if you're traveling a lot, there's much you can do to avoid them. You could use your cell phone,
for example. That's, of course, always a better option. Use some kind of LTE connectivity or so
versus the hotel network. But then again, you may find yourself in a hotel with bad reception,
has happened to me, where you really have to rely on the hotel network or whatever the open
wireless access point or network is that you're using.
Should we be waiting for some patches here? What's the ultimate resolution going to be?
Yeah, actually, the best thing you can do is apply patches. And Microsoft came out with patches.
Like I said, right now, there is at least no public exploit available for this particular vulnerability.
The last one that we have seen sort of widely exploited like this was back the Shellshock vulnerability.
That one was exploitable against Linux DHCP clients.
But here, of course, with Windows being affected,
you have a much larger population that's potentially vulnerable.
All right.
Johannes Ullrich, thanks for joining us.
My guest today is Anura Fernando.
He's Chief Innovation Architect for Medical Systems Interoperability and Security at UL,
Underwriters Laboratories.
UL has been a key player in the development of standards covering the testing and certification for the cybersecurity of connected medical devices. In fact, the FDA recently
recognized UL Standard 2900-2-1, which addresses those concerns. Medical device cybersecurity is
a growing area that's being addressed in terms of critical infrastructure protection.
It was really one of three domains that was initially identified by the federal
government here in the U.S. when breaches really started to peak a few years ago. The other two
are industrial control and consumer security products and building products and so forth.
What you all tried to do is to develop some standards to try to address some of
the core outstanding issues around cybersecurity. There are currently a number of different
standards that are out there to address product-level cybersecurity, and there are even
some that deal with secure development processes
and so forth for healthcare technologies, medical devices, and other types of technologies
used to provide healthcare.
What we found to be lacking at the time, and this was in the 2015 timeframe, was repeatable
and reproducible testing that provides objective evidence of a particular product
cybersecurity posture. And so these standards that provide that type of testing were established for
the healthcare vertical, the industrial control vertical, and the building security vertical.
So within the world of medical systems,
what are some of the specific challenges that you all faced?
Some of the unique issues in the medical device industry
really have to do with the fact that the medical industry is
somewhat unique in how it develops products.
In most other product areas, you don't want to develop products that
could harm somebody. In the medical industry, you sometimes do have to create products that will
allow for harm. However, the end goal is to save the person's life. A good example of this is radiation therapy. If you look at
a therapeutic linear accelerator, for example, the purpose of that is to apply radiation
in a way that destroys human tissue, in this case, pathological tissue. But it also can cause other bodily injury that has to be sustained and recovered from,
with the end goal being to preserve the person's life.
And so when you connect devices like that to a network, and if that network is not protected,
now there are unknown individuals, some call them bad actors or threat actors out there,
who may access that network or find that device just through internet searches and so forth
and be able to access that device and cause harm when the purpose of that device is to cause healing instead.
And I suppose there's a natural tension there where doctors don't want to
have any security protocols that would get in the way of them being able to provide the medical care
that they need to provide. Absolutely. You know, as device manufacturers struggled with how to
improve security of products, we found things like, you know, ideas to have fingerprint readers on medical devices, for instance.
And that's all well and good unless that medical device happens to be in an operating room in a sterile environment where the clinicians have to have gloves on and the device drops its network connection and they need to re-authenticate.
Then they have to break the sterile field in order to re-authenticate, and that's not acceptable. So, you know, clinicians certainly have very valid
concerns in terms of cybersecurity. And in healthcare in particular, you really have to
balance the need for security as opposed to the accessibility of the device for clinical care,
especially if you're talking about something
like a defibrillator or a ventilator or something that may be needed urgently in an acute care
setting like an emergency room or something like that. Saving the patient's life typically trumps
the need for security. And so security overrides are an important facet of what the healthcare industry
has been looking for and something that's been accounted for in the UL 2900 standards
that I mentioned before.
And what this allows for is carefully managed security override of products when it comes
to the issue of things like saving patients' lives.
Now what about, I've heard folks say, coming at this from the other side,
that when you have a standard like this established,
well, that just gives the bad guys a roadmap.
Certainly, that's one way to look at it.
And so it's well recognized that standards are always lagging technology by and large.
That's one of the reasons that the
medical device industry had to really move from prescriptive standards to risk-based standards.
And what that allows for in the world of cybersecurity now, as opposed to basic safety
and essential performance, is that we have tools in the standards world that allow for manufacturers to establish a baseline of
cybersecurity hygiene using the requirements of the standard, but then go well beyond that baseline
as appropriate for managing the risks of their product. And so while the basics are in the
standard, the provisions to go beyond that are also in the standard, but the details of how you achieve all of the necessary protections aren't outlined in the
standard. And so that's one of the mechanisms to prevent standards from serving as sort of a
roadmap. There's a lot of intellectual property regarding the assets of a product and the security controls that protect that product
that are part of the certification process. They're not exposed in publicly available
certificates and things like that. They are managed under NDA and contracts between the
certifier and the manufacturer. And so they prevent the bad guys from having access to the
kinds of details that might allow for them to successfully exploit a product.
Now how do you see things playing out as we go forward? Where do you see the
evolution of this space as medical devices continue to evolve and also
the need to secure them grows as well? Yeah, I see this much like how UL has historically seen the adoption of electricity across society.
Back in the late 1890s, when UL started up, electricity was first being used by consumers.
And people wanted light bulbs and washing machines
and cooking equipment and all the things that
make our lives easier and our tasks more convenient
than they used to be prior to the introduction
of electricity.
We're seeing that same kind of paradigm
now where data is important to everybody. Our memories are all
in social media. Our interactions are very frequently electronic and not direct and
personal to a large extent anymore. And so we are, as human beings, very, very dependent on data and the exchange of data for how we exist and survive in the world.
And so as we developed mechanisms to allow for society to trust in the use of electricity
without worrying about buildings burning down and people getting electrocuted as they did in
the early days of electricity, now as we look at electricity in the form of data
and data that's being exchanged on networks,
much like electricity is transmitted
and propagated for power,
using those same kinds of trust building techniques
through standards, through certifications,
through trust models that involve compliance and so forth,
it seems that there should come a day
that much like when we plug an appliance into the wall, we don't get overly concerned or observe it
for a while to see if the wall catches on fire, the appliance catches on fire. We don't worry
about touching it because we're concerned about getting an electric shock. I'm really hoping that
as we continue to evolve this baseline of cybersecurity
hygiene and raise the bar and raise the bar, working with stakeholders all across the industry
like security researchers, like manufacturers, like regulators, that the continual evolution
of that bar of cybersecurity hygiene will allow us to eventually trust our connections of devices and our exchange
of data the same way that we do on the use of electricity for power. It's important to understand
that in healthcare, and maybe more so in healthcare than in some other sectors,
cybersecurity is a shared responsibility. And so there are a lot of stakeholders that have a role in this,
ranging from manufacturers of products to the vendors of components that go into those products,
to the system integrators who put those products together in healthcare environments,
to the people who provide healthcare in hospitals and other settings. And so sharing information in a very, very proactive
way and engaging across that whole value chain is really an important aspect of being able to
continuously evolve that baseline of cybersecurity hygiene, as we talked about. And so
raising awareness, using tools, coming out of efforts of various groups.
For example, I'm involved in the Healthcare Sector Coordinating Council.
They're putting out some great documents like the Joint Security Plan that helps even
manufacturers, for example, who aren't very familiar with cybersecurity yet to understand
how to adopt practices into their organization and build and scale those
practices over time. These are all important tools that are integral and necessary to the growth of
that whole value chain and achieving and then evolving a baseline of cybersecurity hygiene.
That's Anura Fernando. He's Chief Innovation Architect for Medical Systems Interoperability
and Security at UL, Underwriters Laboratories.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.