CyberWire Daily - Supply chain hacking campaign looks like espionage. Airstrikes versus hackers. FTC versus Facebook. Notes from the Global Cyber Innovation Summit. What’s up with MegaCortex.
Episode Date: May 6, 2019. Tracking a group that's after the software supply chain. Israel adds airstrikes to the array of responses it's prepared to make to hackers. The US Federal Trade Commission still doesn't know how... you solve a problem like Mark. Some more notes from last week's Global Cyber Innovation Summit. Sophos has more details on MegaCortex, a new strain of ransomware. And criminal organizations organize and operate a lot like legitimate businesses. Joe Carrigan from JHU ISI with information on a remote code execution vulnerability affecting Dell systems. Guest is Blake Sobczak from E&E News on the recent electrical grid "cyber event". For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_06.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Tracking a group that's after the software supply chain,
Israel adds airstrikes to the array of responses it's prepared to make to hackers.
The U.S. Federal Trade Commission still doesn't know how you solve a problem like
Mark. Some more notes from last week's Global Cyber Innovation Summit.
Sophos has more details on MegaCortex, a new strain of ransomware.
And criminal organizations organize and operate a lot like legitimate businesses.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 6, 2019.
Researchers at a number of firms, including Kaspersky, ESET, Avast, CrowdStrike, and Alphabet's Chronicle security unit,
are tracking an increasingly aggressive and capable Chinese gang that's been hitting software supply chains.
It's a bit unclear whether it's actually a gang or a unit controlled by Chinese intelligence and security organs.
Variously called Barium, Shadowhammer, Shadowpad, or Wicked Panda,
the group has, over the last few months,
afflicted Piriform's backup tool, CCleaner,
apparently en route to its ultimate target, computer manufacturer Asus,
NetSarang's enterprise remote management tool,
and various online games.
The goal appears to be espionage,
and so speculation about attribution is trending toward a state actor,
especially as evidence of interest in credential theft seems a Johnny-come-lately and perhaps a bit of 11th-hour misdirection.
But focusing on the software supply chain in this way is troubling,
and security researchers are pointing out that NotPetya started as a supply chain attack, too.
The Jerusalem Post says a joint Shin Bet IDF operation prevented a Hamas cyber attack,
with an air attack on the Gaza headquarters of Hamas cyber operations.
Forbes calls it a significant first: kinetic retaliation for a cyber attack,
or perhaps kinetic preemption of an imminent cyber attack.
The nature of the prospective cyber attack isn't clear.
In the past, Hamas has shown mid-grade capability, some defacement and denial of service,
and somewhat more sophisticated social engineering aimed at gaining access to information
that could be developed into intelligence. An IDF spokesman is quoted in the Times of Israel
to the effect that, quote, Hamas no longer has cyber capabilities after our strike, end quote.
Shin Bet is said to have in some fashion neutralized the Hamas cyber capability, after which IDF aircraft destroyed the building that housed the operations.
But the operational reality is both more complex and more conventional.
Israel and the Palestinian Sunni Islamist militia have been engaged in active combat for the better part of a week,
with Hamas firing an estimated 600 rockets into Israel
and Israel responding with hundreds of airstrikes.
It would probably be more accurate to regard Hamas cyber headquarters
as one target in a larger air campaign,
and the combat itself as another
round in a war that's long had a cyber dimension. Cyber units will appear on target lists as other
electronic warfare units have for decades. So to see the airstrike as exclusively a response
to a cyber threat is a stretch. It was one strike in an extensive campaign. Nor is it the first, as ZDNet hints,
at least not internationally. The U.S. killed ISIS hackers with a drone strike in 2015,
as Defense Systems observed in contemporary accounts of American action against the caliphate.
The U.S. Federal Trade Commission's enforcement action against Facebook remains up in the air.
It's likely to be severe, but the New York Times reports that the form such severity will take,
especially the nature of the penalties, if any, to be directed against CEO Zuckerberg himself,
are believed to remain the subject of partisan disagreement within the commission.
There's bipartisan skepticism of big tech, but disagreement over details.
Late last week, an anonymous electric utility filed an electric disturbance report to the Department of Energy, indicating that some sort of cyber event had taken place.
Blake Sobczak is a reporter at E&E News, and he's been leading the coverage of the story.
It's still a little bit hazy because we don't actually know the utility
who initially filed this form. Obviously, that information is available to the Department of
Energy and to other federal officials. But what DOE did share, what the Department of Energy did
share was that a denial of service condition was involved. And in fact, they also mentioned that it
was not only any denial of service, but a denial of service that
exploited a particular vulnerability. And they said that there was a patch already available
for this vulnerability. And so the utility in question was able to apply that patch and get
back up on its feet fairly quickly. They also were very careful to say that no power outages
were involved, no actual disruption to power
generation happened as a result of this cyber incident. So things function the way that they
were supposed to in case of an event like this, I suppose. That's right. And the best that I was
kind of able to glean in terms of details surrounding this was that a particular type of Cisco Adaptive Security Appliance product was involved. Now, Cisco declined comment on this. They said that they
weren't aware of any reports, but of course, they're incredibly widely used, both network
security devices and just routers. So my understanding is that there was some sort of
denial of service condition instigated in these devices, likely positioned at the edge of some transmission network based on the geographic footprint that we know.
And this would have triggered the filing with DOE.
It would have been enough basically for the utility to say, oh, we're having trouble accessing these devices or peering into our own networks. So we're going to have to, you know, tip off regulators that something's wrong here.
And when they did actually dig in, they discovered that some remote hacker hackers had, you know, again, exploited this vulnerability, triggered essentially an equipment outage.
But again, no actual blackouts associated with that.
It sounds like the transmission grid and the power grid in that entire region was up and running when this happened on March 5th, and there were no service interruptions.
Can you take us through how the Department of Energy categorizes things as a cyber attack, some of the nuances there? I understand there's a wide range of things that could fall into that category. Is that accurate?
That's correct. And this was part of the tricky nature of the story was at least at first,
there was a lot of fog of war around, okay, was this really a malicious hacking episode? Or was
this something perhaps more benign, or even, even a mistaken filing, which happens from time to time,
and, you know, the utility says something and then later discovers, well, actually, maybe that wasn't a cyber event. And there's no requirement that a cyber event
actually be malicious in nature, or that it even has to come from remote hackers. So for instance,
the first time that I actually noticed a utility file one of these and classify it as an actual
cyber event, what ended up happening, this was something that affected Consumers Energy in Michigan in the
beginning of 2018. And it was an employee who had been undergoing training and inadvertently
got some escalated privileges on that particular training system and basically triggered a blackout
for about 15,000 people. And that was classified as a cyber event because it had this element of
unauthorized access. The employee wasn't supposed to get to that system and it, you know, had a real actual grid disruption tied to it.
Where do you expect this to go from here? How will, do you expect more information to
trickle out? Will there be clarity over the next days, weeks, months?
I do expect more information to come forward at some point. I filed for a Freedom of Information Act request as soon as I saw the cyber event listed.
And sometimes the Department of Energy does opt to redact some portions of these OE-417 filings because they consider it to be sensitive, critical electric infrastructure information that shouldn't get out to the public.
And I understand that, you know,
the utility here is certainly concerned that maybe if the general public knew that this particular vulnerability was able to be exploited somewhat recently, that that could invite future hackers
or future interest from hackers. And so, you know, I definitely sympathize with the position of the
federal government and certainly the utility industry that maybe it's best to keep a tight lid on some of the information surrounding these events. But on the other hand,
I do think that with some of the lack of clarity surrounding precisely what happened and how such
a wide geographic array of networks were apparently impacted, I do think that certainly the public
deserves to know a little bit more about exactly what played out here. Certainly, the North American Electric Reliability Corporation, as the main grid monitor and enforcer
of cybersecurity rules, I have to imagine that they're going to be taking a very close look at
this. And in fact, the Department of Energy disclosure that this utility in question didn't
patch this vulnerability that was available for apparently quite a long time,
that's the sort of thing that could invite regulatory scrutiny from the North American
Electric Reliability Corporation. So I expect perhaps we haven't heard the last from them.
And, you know, it wouldn't be hard to imagine regulators there pursuing some sort of fine
or enforcement action against this utility if it did emerge that this vulnerability in some presumably pretty critical grid software
just went unpatched for a long time.
That's Blake Sobczak. He's a reporter at E&E News.
We'll continue to share some notes and observations on the Global Cyber Innovation Summit
held last Wednesday and Thursday in Baltimore.
The symposium offered an overview of current and emerging threats, and of the technology
trends that both expose enterprises to such threats and offer the prospect of enhanced
defenses.
Estonia's Ambassador-at-Large for Cybersecurity, Heli Tiirmaa-Klaar, shared her country's experience
as not only one of the most thoroughly digitized societies in the world,
but as the victim of what's come to be generally regarded as the first cyber war,
Russia's 2007 attacks against the networks of the Baltic Republic.
She characterized it as the, quote, first politically motivated cyber campaign in history, end quote,
and drew the lesson that good public-private partnership and solid expertise
can work to build a society resilient enough to withstand even attacks by a highly capable
cyber power. Not all threats are the proximate work of a nation-state. During a panel discussion
on the conference's first day, Carbon Black's Mike Viscuso emphasized the sheer size of the
criminal underground at work in cyberspace.
The underground cyber economy is now larger, he emphasized, than the illicit drug trade.
In fact, it's now a better-than-trillion-dollar industry. He thinks that as defenses get better,
and they have been getting better, the criminals will cease playing the long game because the long game will no longer pay off. They'll increasingly turn to smash-and-grab attacks.
He compared the criminals to a caged lion.
They're confined and increasingly hungry, and they won't be patient.
The Cyber Wire will have further coverage of the summit later this week.
Security firm Sophos has released a report on MegaCortex,
a new strain of ransomware it found last week.
It doesn't appear to be spread by spam, but Sophos thinks it may well be spread by Trojans that themselves arrive
by email, so the usual cautions about email and backups are in order. So far, it's not known
whether the hoods are honoring ransom payments. Sophos says customers in the United States, Italy, Canada, France, the Netherlands,
and Ireland have reported incidents. The criminals have the brass to suggest that they'll throw in some security consultation if the victims pay the ransom. As they put it, quote, the software's price
will include a guarantee that your company will never be inconvenienced by us. You will also
receive a consultation on how to improve your company's cybersecurity.
This sweetening of the pot to deliver best value to the victim
is another sorry instance of criminal enterprise aping legitimate ones.
As researchers at IBM point out, they compete for talent,
they sometimes cooperate with one another,
since almost any business will need a subcontractor at some point,
they have CEOs, those CEOs hire program managers, they have goals, and they work regular hours,
taking weekends off.
That last point makes them sound more like large stable firms than like scrappy startups.
Anywho, to return to MegaCortex, researchers seeking to explain the ransom note point out
that it's likely an homage to the name of the corporation Neo worked for in the film The Matrix.
Sophos suggests the ransom note reads like something voiced by Morpheus,
to which we say,
What have I told you?
Everything you've securely backed up can be restored.
We'll be right back.
Calling all sellers. Winning with purpose and showing the world what AI was meant to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our
GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist,
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
at blackcloak.io.
And joining me once again is Joe Carrigan.
He is from the Johns Hopkins University Information Security Institute.
Also my co-host on the Hacking Humans podcast.
Joe, welcome back.
Hi, Dave.
Interesting news came from Dell about some patches that they have sent out recently.
Bring us up to date here.
What's going on?
So Dell has a product that they install on almost all their machines called the SupportAssist Client.
Okay.
Right.
And you may see this frequently.
It comes up and says, hi, I'm the SupportAssist Client.
Let me run a scan on your computer.
Let me make sure.
And it is a legitimate product from Dell.
Right.
But there is a young researcher, and by young, I mean this guy is 17 years old, named Bill Demirkapi.
And I hope I'm saying his last name correctly.
Right.
I'm probably butchering it, but I'm just going to call him Bill from now on.
Okay.
But he found a remote code execution.
Using social engineering, you can trick somebody into running code that they shouldn't run.
Let's just back up just for a real basic explanation.
What's remote code execution? So basically remote code execution means I can, as an attacker,
can run whatever I want on your machine. From somewhere else. From somewhere else. And it's
a really bad vulnerability. Right. Dell ships this product with the idea of helping their customers.
And it probably does provide some real benefit to the customer. But we as customers of Dell,
and even Dell themselves, have to realize that this increases your attack surface.
All these pre-installed applications and bloatware that you get from these computer manufacturers
increases the vulnerability surface of your computer when you get it out of the box.
Yeah.
The SupportAssist Client, I mean, one of the things it was supposed to be keeping tabs on was security.
Correct.
It was supposed to be keeping an update on security.
And it in itself is insecure.
Well, it's software, right?
Yeah.
So it can have vulnerabilities in it just as well.
I want to talk about something with Bill.
Bill is a sharp young man.
He's going to Rochester Institute of Technology next year, which is a good school.
And Bill has done a bang-up job here.
All right.
And he has done this exactly right.
The first thing he did, he discovered this vulnerability back in October.
He has a timeline on his webpage where he shares the write-up about the vulnerability.
And it takes Dell about a month to confirm the vulnerability.
Then it takes Dell about to the end of April to finally patch the vulnerability.
And Bill did not discuss the vulnerability.
He kept the vulnerability confidential until Dell had fixed it, which is great.
So thank you, Bill, for your work.
It's great.
And we assume that he had had some back and forth with Dell about this.
I'm sure that that went on.
I would like to say to Dell that five months is kind of a long time to let this vulnerability linger.
The fact that Bill found it and notified you of it is great, and you guys are lucky that happened, but you don't know who else has found this vulnerability and not disclosed it to you.
And that means that if there's a good chance that somebody else out there had it, they had it for five months, and they really didn't need to have it. I think this vulnerability should
have been fixed a lot faster than five months. Yeah. Well, and I wonder what's going on behind
the scenes. I wonder, was there any way that Dell could establish how often this was being used,
if at all, out in the wild, if there was any mechanism for that? That's a good point.
Yeah. And another good point that counters my argument about this taking so long is that Dell has
a pretty big configuration management issue with this product.
They have to push it out and make sure it works on all the devices that they're going
to deploy it to.
Right.
Right.
So there is a big issue.
And all these devices are different.
They have hundreds of model numbers.
Some of these machines are years old. How do you know if your fix is going to make it so that these
things don't work anymore? It's a difficult problem for Dell to have. So maybe I'm being
harsh on Dell. I don't know. I still think five months is a long time, though.
Yeah. Well, and so I guess the bottom line here is that if you are running a Dell system,
go in and check to see what version of this SupportAssist Client you're running.
Make sure you have the latest one.
All right. Well, Joe Carrigan, thanks for joining us.
My pleasure, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
We'll see you back here tomorrow. Thank you.
to innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.