CyberWire Daily - Unpatched Apache Struts installations being exploited in the wild. Windows local privilege escalation flaw. Similarities among spyware. Stalkerware hack. Criminal threats to the grid. Breaches.
Episode Date: August 29, 2018

In today's podcast we hear that the Apache Struts vulnerability, patched last week, is being actively exploited by cryptojackers. Microsoft works on a fix for a local privilege escalation flaw in Windows. Trend Micro sees similarities among Urpage, Confucius, Patchwork, and Bahamut campaigns. Air Canada suffers a breach. Criminal threats to power grids. And searching for search engine optimization in all the wrong places. Jonathan Katz from UMD on flaws in Intel processors' secure enclave. Guest is Fred Kneip from CyberGRX on third party risk. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_29.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
An Apache Struts vulnerability patched last week is being actively exploited by cryptojackers. Microsoft works on a fix for local privilege escalation flaws in Windows. Trend Micro sees similarities among Urpage, Confucius, Patchwork, and Bahamut campaigns. Air Canada suffers a breach. Criminal threats to power grids. And searching for search engine optimization in all the wrong places.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 29th, 2018.
The Apache Struts vulnerability discovered by Semmle and patched last week by Apache is now undergoing active exploitation in the wild. The security firm Volexity reports that it's being used to run a cryptojacking campaign against unpatched systems. The researchers have detected extensive automated scans looking for vulnerable installations, and they found that subsequent attacks can install versions of the CNRig miner, a cryptojacker that runs on Linux distributions. Attacks can also plant a script that downloads other malicious code. Thus, while the current threat is cryptojacking, other forms of exploitation are entirely possible. In the current cases, the scans seem to be originating from Russian and French IP addresses. The actors appear to be criminal.

As we've mentioned, this is a known and patched vulnerability. Many will recall that last year's notorious and damaging Equifax data breach was enabled by an unpatched vulnerability in Apache Struts. To avoid a repetition, by all means, patch. The Apache Software Foundation has got the fix out. It's time to apply it.
A previously unknown Microsoft Windows local privilege escalation zero-day was announced on Twitter late Monday by SandboxEscaper, whose Twitter account displayed some misgivings about the disclosure shortly thereafter. CERT/CC quickly verified that the zero-day was real and that it worked against a fully patched 64-bit Windows 10 system. The vulnerability exists in Windows Task Scheduler and has been given a CVSS score of 6.4 to 6.8. There are no known workarounds, but Microsoft has also confirmed the issue and is believed to be working on a patch.
The complexity of attribution and the correspondingly complicated connections among threat groups are on display in a Trend Micro account of Urpage, whose activities are interestingly similar to those of Confucius, Patchwork, and Bahamut. Urpage targets InPage, a word processor designed for Urdu and Arabic. Trend Micro notes that Urpage uses a Delphi backdoor like Confucius and Patchwork, and its malware payload resembles the espionage tools found in Bahamut.
TheTruthSpy, which Motherboard and others call a stalkerware vendor, was hacked, losing logins, audio, images, text messages, and other data. The hacker, whose work the magazine has verified, told Motherboard that, quote, I control victims all over the world. I have admin access to the servers, end quote. It's consumer spyware, designed for keeping tabs on a spouse or significant other the customer thinks may be stepping out. Cheaper than a private eye, but not nearly as engaging as Philip Marlowe would have been. Oh wait, Marlowe always said he didn't do divorce work.
There's a concerted effort among many organizations to try to get a better handle on their third-party risk, the vulnerabilities of your suppliers and contractors that may have an effect on your business should they be exploited. It's complicated. CyberGRX is a company that's trying to streamline the process with a third-party cyber risk information exchange. Fred Kneip is CEO at CyberGRX.

I think as people started to focus on cybersecurity, the first area people focused on was securing their own environments. And so the last decade or so, you've really seen an increase in focus on cybersecurity, but it's very much around how do I ensure my environment, my controls, my processes, procedures in place. What is happening in parallel is companies are becoming more and more reliant upon an ecosystem of third parties to deliver their business. People no longer have all in-house counsel or in-house payroll or things of that sort. It's, you know, use ADP, use outside counsel, you use Salesforce, et cetera. And it's kind of an interconnected web. What's happened is, as people have built security for their own environment, hackers have said, OK, let's move a different direction, follow the path of least resistance, and let's go through third parties as a channel in. I think Target was probably the biggest wake-up call for everyone. An HVAC provider was the original point of access to get the credit card information. People have not been focusing on that space. And the effort and attention on third parties today has really been below what is necessary. And thus, you see, I think it's anywhere between 50 to 60 percent of breaches today originate from a third party.

Yeah, it seems to me like it's a hard problem to even wrap your head around when I think about the number of organizations that any business would interact with, and the potential is sort of an exponential web of risk there.

You're absolutely right. I think one measure or one important approach to manage that is to recognize that while a typical Fortune 500 company has between 5,000 and 10,000 third parties that they work with, only a fraction of those are really the ones that create that highest exposure to risk. Do they have network access? Do they have login credentials? Do they come on site, et cetera? So one of the first things that we've helped companies do is work through what we'll call an inherent risk mapping to understand who should I even be focused on. So instead of trying to go out and determine the risk around a thousand companies, they can first focus in on that top 10, top 100, or whatever it might be, as the first step in the process.

Now, how do you manage some sort of, I guess for lack of a better word, standardization for how you deal with your third-party providers? I would think it would be impractical to deal with each one as a one-off situation.

That's exactly right. And it's remarkable what happens today. So in some of the regulated industries, such as financial services, healthcare, or even retail, because of the PCI, personal confidential information, you have seen some level of third-party management. But what that typically is, is a very paper-based sending an Excel file saying, tell me about your password policy, tell me about your phishing program, et cetera. That, if you repeat over a thousand or so companies, it's almost impossible to manage through that. People have teams dedicated to just processing that data. And on the other side of it, there are companies who are being assessed. One of my favorite examples is the payroll company, ADP. They've been assessed in excess of 4,000 times per year. And so that's a team dedicated just responding to questionnaires. You're all asking roughly the same questions. Of those 4,000 for ADP, the vast majority are basically the same. Some will ask for a different format. They'll be in Word files, they'll be in Excel files, whatever it is, but it's the same type of information. And so let's standardize that in a comprehensive set of information and allow it to be assessed once and used multiple times. The analogy that I use for that is, you know, if you rewind, call it 100 years or so, you're trying to raise money in the financial markets, you have to go to each bank and they do their own due diligence. And now if you're trying to raise capital, you know, you get an S&P or a Moody's credit rating. And that gives you all that depth of information that you would need to kind of make that risk-based decision. We're trying to do the same thing for cybersecurity.

That's Fred Kneip from CyberGRX.
Air Canada has disclosed that its mobile app sustained a data breach last week. It's thought to affect some 20,000 people whose basic profile data were exposed. That information includes names, email addresses, and phone numbers. It may also include more sensitive optional information users might have added to their profiles.
As operational technology experts at Applied Control Solutions continue to warn of potential security issues with power plants' process sensors, researchers at security firm Cybereason point out that criminals also pose a threat to the grid. Unlike nation-states, cybercriminals may not mean to turn the power off, but they might do so inadvertently. Cybereason concluded an experiment last week in which they set up a dummy utility network and observed what happened as cybercriminals attempted to hack into it. Attempt they did, and not just a few of them succeeded. In Cybereason's assessment, the attackers exhibited some advanced skills, but they were also sloppy in many respects. Cybereason told the Washington Post, quote, they're not looking to throw the switch, but they might throw the switch by accident, end quote.

Most concerns about power grid attacks have focused on the threat of state espionage services, especially those of Russia, deliberately seeking to get into an adversary's electrical distribution system and gain the ability to shut it down. This is a form of warfare, or at the very least a form of very aggressive statecraft. But, Cybereason argues, the criminal threat can't be overlooked either. Their motives are doubtless different. They might, for example, seek to hold utilities up for ransom, or they might be interested in simply penetrating business networks for the usual reasons of credential theft, financial fraud, and so on. But it's worth noting that at least two incidents that disrupted industrial control systems appear to have been inadvertent, incidental to the attacker's presumed primary purposes. These are the 2014 attack on a German steel mill that damaged a blast furnace. The attack prevented the furnace from being properly shut down. And last year's incident in Saudi Arabia, where Trisis malware caused, again probably unintentionally, systems at an oil and gas production facility to enter their fail-safe shutdown mode. So, Cybereason points out, hackers make mistakes too, and when those mistakes touch operational control systems, the results could be very damaging indeed.
Reuters reports that an Iranian influence campaign that major social media platforms have struggled with is bigger than initially believed. One indication of its size is the effort's linguistic reach. Reuters counts Iranian information operations in 11 languages.

Finally, you've heard of search engine optimization, of course. There's a newish form of unwelcome SEO out there, the promise of bot-driven negative reviews coming to dominate the online image of a company or organization. There's currently an active gang of extortionists out there seeking to do exactly that. They call themselves, cluelessly, the STD Corporation, and they're trying to shake down airfare comparison site CheapAir for over $10,000 in cryptocurrency, of course, to make sure CheapAir's reputation doesn't get blasted by a wave of bad reviews, all amplified by botnets. CheapAir says it's not paying, to which we say, bravo, and use reviews with caution. Bots wouldn't recognize good customer service if it bit them in the bytes.
And I'm pleased to be joined once again by Jonathan Katz. He's a professor of computer science at the University of Maryland. He's also director of the Maryland Cybersecurity Center. Jonathan, welcome back. We had a story come by. This was in Wired, and this was about some flaws in some Intel processors, particularly dealing with the secure enclave. What do we have going on here?

Well, I'm sure a lot of your listeners remember the attacks from early on this year, Spectre and Meltdown, that were used by some researchers to basically expose secret information from code execution. And what those same researchers then did actually was they applied those techniques to the Intel SGX, which is supposed to be a secure enclave that Intel produces. And they showed that using extensions of those attacks, they were able to, number one, get secret information from within the enclave, which is something that you're not supposed to be able to do. And even worse, they were able to actually extract the secret keys put in there by Intel from those secure enclaves.

Now, is this secret key, does every instance of the processor get its own secret key, or is this some sort of a master key?

So it's a little bit of both, actually. So every instance of the enclave does get its own secret key, but because of the way the protocol is designed, it's using what's called a group signature scheme, which essentially means that every enclave has the ability to sign, but a verifier can't tell, actually, which enclave generated the signature. They can only tell that it was a legitimate Intel SGX platform generating that signature. So once you're able to get one key out, it means you can impersonate a legitimate Intel SGX enclave and then fraudulently sign whatever you like. So just getting a single key is already bad enough to basically impact security of the entire system.

And is this patchable? Is this something Intel is on top of? Or is this a deeper flaw than that?

Well, it's patchable in the sense that Intel, as far as I know, is currently working on the designs of next generation enclaves that would be resistant to these attacks. But it's not patchable in the sense that the ones that are already deployed, the hardware that you already might have running on your machine, is not going to be fixed and it's not going to be able to be resilient to these attacks, unfortunately.

Now what about the bigger picture with this? I've heard some folks being critical of Intel and other processor designers saying that, you know, this is a result of their inability to keep making processors that are faster. So in exchange for that, they've come up with these, you know, these speculative processing techniques. And then that's what led to these vulnerabilities.

Well, there is some truth to that. It certainly was the case that by trying to improve efficiency, they left themselves open to these attacks. On the other hand, I don't think it's really fair to blame Intel because the idea of speculative execution goes back decades, and it wasn't until recently that people were able to exploit it. So, you know, it's not like Intel understood that these were going to be vulnerable or that they were going to cause vulnerabilities. They were doing the best they could to make the most efficient processors. And it's only the researchers who have been able to get better and better at exploiting what Intel has done.

Yeah. So it's not like folks haven't had time to look at these sorts of things and see if it was potentially going to be a problem.

Yeah, exactly. And I think the research was actually quite clever. I want to say that nobody really saw this coming. Being able to exploit, like I said, speculative execution has been around for decades, and nobody had noticed that it was a problem before. And so the work that was done to leverage that and then extract secret information was technically quite advanced and really, like I said, quite clever.

All right. Well, as always, Jonathan Katz, thanks for joining us.

Thank you.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.