CyberWire Daily - TSMC recovers from WannaCry infection. OpenEMR fixes 30 bugs. UK will ask Russia to extradite two GRU operators for Novichok attacks. Twitterbots flourish.
Episode Date: August 7, 2018
In today's podcast we hear that chipmaker TSMC says the virus that shut it down in Taiwan was WannaCry. It appears to have been an incidental infection enabled by inattentive installation of software.... OpenEMR fixes bugs that could have exposed millions of patient records. British authorities are said to be readying an extradition request for GRU operators they hold responsible for the Novichok attack in Salisbury—the incident has prompted Russian hacking and disinformation. Mike Benjamin from CenturyLink on DDoS attack trends. Casey Ellis from Bugcrowd with an overview of bug bounty programs. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A chipmaker says the virus that shut it down in Taiwan was WannaCry.
OpenEMR fixes bugs that could have exposed millions of patient records.
British authorities are said to be readying an extradition request for GRU operators
they hold responsible for the Novichok attack in Salisbury.
The incident has prompted Russian hacking and disinformation.
From the Black Hat Conference in Las Vegas, this is your CyberWire summary for Tuesday, August 7, 2018.
There's now some clarity about the cyber incident that struck Taiwan-based chipmaker and Apple supplier TSMC.
The company has brought its plants back online after a cyber incident that caused them to shutter operations over the weekend.
The malware in question is said to have been WannaCry, which is familiar from last year's widespread infestation.
The company said the outbreak happened during software installation of a new tool,
which then evidently carried the infection into other parts of the company's network.
TSMC added that neither data integrity nor confidential information were compromised.
The incident appears to have been due to operator carelessness, a secondary infection and not
a direct attack, as had been widely feared in Taiwan when the malware infection was first
reported.
TSMC's CEO bluntly told the press,
This is purely our negligence, so I don't think there is any hacking behavior.
TSMC attributes the infection to failure to scan software for known threats before installation,
and they say their staff won't make the same mistake again.
To review its history, WannaCry is a ransomware strain that propagates itself as a worm.
It was discovered on May 12th of 2017, and it's been associated with North Korea's Lazarus Group.
As TSMC implied, it's a known threat, with readily available detection and mitigation.
Still, a nasty piece of work the world has probably not seen the last of.
The BBC reports that Project Insecurity has found vulnerabilities in the widely used medical practice management system OpenEMR.
The researchers disclosed the bugs to OpenEMR, which worked with them to fix the system.
Some 100 million patients' records worldwide are thought to touch OpenEMR.
Many organizations have put bug bounties in place to incentivize outsiders to report vulnerabilities in their code and to keep them from going to the highest bidder on the black market.
Bugcrowd is a company that looks to crowdsource that effort.
Casey Ellis is CEO at Bugcrowd, and he notes that more and more organizations are getting on board and putting old preconceived notions aside.
There is this general perception that's been carried over the past 20 years that if you can do bad things to a computer, you're inherently a bad person.
So that's been the biggest thing, I think.
They look at the model, like when you think about the crowdsourced model, the economics are actually a perfect match to what they're trying to face on the bad guy side. Like, they've got a crowd of people that have lots of different reasons to attack and have an incentive based on results.
Bug bounties actually replicate that same resourcing and economics and make it available to defense.
So it's perfectly logical; you just have to get over that kind of initial gut fear of the person in the balaclava, so to speak.
Yeah. And do you find that organizations are, I guess, emotionally defensive to people coming and pointing out the flaws in their products?
Sometimes.
You know, what we're seeing as a sort of adjacent trend is this idea that, you know, vulnerabilities are inherent to software development.
Like people aren't perfect.
People are creatively powerful, and that's what allows us to build all these great things.
But in the process of doing that, mistakes are made because people aren't perfect.
So, you know, vulnerability existing in software isn't necessarily a point of shame.
It's something that's just a function of development itself.
That thinking is starting to grow and starting to catch on.
I still think there is, you know, a lot of instances where people don't like their baby being called ugly, so to speak.
But that is the shift that we're starting to see.
So, yeah, there is reservation sometimes, but that's changing too, which is a good thing. Well, take us through the notion of crowdsourcing this.
Rather than having individuals, what are the advantages there?
Yeah, so the basic model is that all or part of a community is invited to come in and find
vulnerabilities in a system or a set of systems or even right across a company.
And the first to find each unique issue that's within the scope of the program gets paid for that finding.
And, you know, the incentive is the more severe
or the more critical the issue you find, the more you get paid.
So what it does is it encourages breadth.
There's people, you know, the whole idea of being paid first
encourages people to go very wide and try to find as many things as possible.
But it also encourages depth of testing by incentivizing more highly those more critical results, which are often more difficult to find.
And does it instill a certain level of discipline?
You sort of put, I don't know, for lack of a better word, guardrails on the communications channels between the developers and the folks out there
finding the bugs? Yeah, I mean, what we do and what we've seen
done in other places as well is to basically start with
this assumption that hackers and companies don't really have a rich
history of understanding each other very well. So a lot of
what Bugcrowd's actually done is, through the platform, put those guardrails in that you talk about within the platform itself.
But then we've also got a fairly large team that essentially acts as translators between these two
communities. And I think that's really important because, you know, there is, you know, this is a
new thing. I think this conversation between people with a breaker mindset and people with a builder mindset, the idea of that happening at scale is something that's new to the businesses, and they actually need help making that successful.
Now, one of the things that you pointed out is that this approach can improve code velocity. What do you mean by that? What we're seeing happen is pretty much everyone is working out how to move towards a more agile approach to development.
And that's a fairly recent thing.
That's obviously been a thing that's common with companies that are 10 years old or less.
But what we're seeing now is the more traditional organizations have at least some parts of their organization that are adopting like agile or fast release methodologies because
they see the value of it, right? What you need when you do that is this continuous feedback loop
between people that are operating with a builder mindset and folks with a breaker mindset that can
catch those vulnerabilities that I mentioned before. And really what happens is if you can
incentivize the continuous coverage from that breaker community of the code that's being released, what it does is it allows code to be pushed faster because they're less concerned.
I mean, for starters, they're learning how to code more securely from the feedback they're getting, which is the primary goal.
But also, if they do release a vulnerability into their code, they know it's going to be caught quickly.
That's Casey Ellis from Bugcrowd.
British authorities are reported to be preparing extradition requests for Russian operators their investigation has concluded are responsible for the Novichok nerve agent attacks in Salisbury.
The operation claimed one life, apparently incidentally to the attack on the intended targets,
and injured four more. The
targets were Sergei Skripal and possibly his daughter Yulia Skripal. Sergei Skripal had been
a GRU double agent working against Russia for the British MI6 intelligence service. He was handed
over to the UK in a spy swap with Russia. He's lived in England for several years. Both he and his
daughter were injured and hospitalized in the attack. Wiltshire detective Sergeant Nick Bailey,
exposed to Novichok during the response to the Skripal's poisoning, was also hospitalized.
Some months later, Charlie Rowley and Dawn Sturgess were exposed through a vial of Novichok apparently left behind in England.
Rowley was injured but survived. Sturgess died in the hospital.
British authorities hold Russia's GRU military intelligence service responsible for the chemical attack.
The Crown Prosecution Service is readying a request for extradition of two Russians
who are suspected of committing the attacks, a request Russia is sure to deny.
The case has figured prominently in Russian information operations
and will no doubt continue to do so.
The Russian line has been that the attack is either a hoax or a provocation.
The provocation, by some Russian accounts, a put-up job by MI6 and the
US CIA, with an assist from Czech intelligence, whom the Russians have said could well have
provided the Soviet-era chemical agent to its co-conspirators.
They also claim the British are illegally detaining the Skripals, and have rather brassily
demanded that Russian consular officers be permitted to meet the father and daughter
to ensure that they're okay, not in any distress, and so on.
Various international investigations are in progress,
and at least one laboratory consulted about the attack,
the Spiez laboratory in Switzerland, came under a phishing attack during the last week in July.
Investigation resulted in quick attribution of the phishing campaign to Sandworm,
a lesser but still well-known relative of Fancy Bear, both of which, of course, are GRU hacking operations.
Russia's foreign ministry claimed back in April that Spiez confirmed the Novichok samples as being of non-Russian, Western origin.
Spiez, of course, said nothing of the kind.
The Novichok agent is Russian.
The entire incident shows the full convergence of the elements of hybrid warfare on the low,
but still very dangerous side of the spectrum of conflict.
It includes denial, lethal kinetic operations, an extensive information operations campaign,
and cyber attacks directed against targets involved in the response to the campaign.
Twitter botnets are said to be growing in reach and sophistication.
Experts warn of their potential for exploitation in information operations.
Duo Security is presenting research at Black Hat on the increasing effectiveness of spoof accounts,
often difficult to distinguish from genuine accounts.
Their impersonation of celebrities serves to draw followers and amplify the noise the networks emit.
There's a great deal of Russian activity in evidence, Duo notes.
We are represented this week at Black Hat in Las Vegas,
and look forward to learning more about these varieties of disinformation. Things are still getting set up for the main events that
begin tomorrow, but a couple of our stringers did notice none other than Pete Rose signing
autographs between the Luxor and the Mandalay Bay. They're sure it was Charlie Hustle himself
because they were right there in the physical space, not even looking at their phones.
how this is evolving. What can we expect in terms of the next generation of DDoS attacks?
DDoS attacks are something that have been really front of mind for us for the last couple of years.
Obviously, as a large-scale network provider, our customers are very interested in being protected from it. And so a lot of the work we've been doing and done is on the IoT DDoS botnet space. It's been a relatively low-hanging fruit for actors,
and they've been able to create some relatively powerful instances over the last couple years
with some well-publicized events. And what we've seen evolve over that time is very interesting,
is we see the lower sophistication actors move away from the more difficult malware families.
And so Mirai is a very popular DDoS malware that's utilized in order to launch attacks.
We've seen the actors use it less.
The reason for that is that ourselves and a number of other groups that focus on DDoS attacks
have been successful in breaking their botnets.
And if you're going to use something that requires standing up a few different processes,
potentially even infecting multiple computers in order to launch the botnet, that's harder
than doing a single computer in a single process and a less sophisticated code base.
So they've gone back to malware that they utilized in the past, namely the Gafgyt malware
family, in order to launch their attacks.
The other, however, is that we've seen the higher
sophistication actors branch the Mirai code base and continue to monitor, whether you want to call
it one days or whatever you want to describe, but they're looking for other published bugs
to inject into their malware. And they've been relatively successful in integrating newly
released exploits against more IoT home-router-type embedded Linux devices
in order to grow their potential pool of infected devices.
And so from our perspective, the work is really focused on looking for the infection pool,
isolating what's common about it, and then ensuring that we inform the operators of that
infrastructure that they need to be cleaning it up. And so we're constantly working to minimize the available pool
for their infections, as well as, of course, break their infrastructure when it becomes a
point at which it's a risk to the internet. So you all can actually see when these
potential DDoS botnets are staging themselves. The warning can go out that we're
not sure this is going to happen, but there's some potential here. Yeah, absolutely. So think
about the fact that in order to build a large scale botnet of infected devices, you have to
scan a large chunk of the internet in order to find that. And so by watching network traffic,
we're able to isolate either large associated pools of devices scanning for common things or for new things.
And so in the example of where they found a new exploit or a new bug to integrate into their code, we'll see an anomaly in a group of devices scanning for a new port or maybe a new URL in terms of what's going on.
And so the ports are obviously able to be gleaned from
network communication data. However, URLs, we need to be more sophisticated in how we
glean that. And so the operation of honeypots is really effective in order to collect that type
of data. And so anybody with a virtual machine running in a VPS provider, or even their home
connection, if you were to simply packet
capture things, connecting and scanning the external IP space that you have at your house, or
that one VM you have, you'll actually see a lot of this traffic on a pretty constant basis.
And so what we've been able to do is actually group it together and associate it and find the
commonality in order to understand how big the botnet has gotten, how impactful it could be to
the internet from a volume perspective. I see. No, it's interesting. All right. Well,
as always, thanks for bringing us up to date. Mike Benjamin, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.