CyberWire Daily - US-Iranian tension expressed in cyberspace. OceanLotus and Ratsnif. Ransomware in Georgia, again. Going low-tech to protect the grid. Magecart update. Cryptowars and agency equities.
Episode Date: July 2, 2019

Tensions between the US and Iran are likely to find further expression in cyberspace. OceanLotus’s Ratsnif kit isn’t up to the threat actor’s normally high standards of coding, but it’s plenty good enough. Cyberattacks in the states of Florida and Georgia. Utilities are urged to go lower tech where possible. Magecart skimmer “Inter” is being hawked on the dark web. And no, they haven’t videoed you using EternalBlue: just dump that email. Johannes Ullrich from the SANS Technology Institute and the ISC Stormcast podcast on WebLogic exploits. Guest is Nick Jovanovic from Thales on cloud security in the federal space. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_02.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Tensions between the U.S. and Iran are likely to find further expression in cyberspace. OceanLotus's Ratsnif kit isn't up to the threat actor's normally high standards of coding, but it's plenty good enough. Cyber attacks in the states of Florida and Georgia. Utilities are urged to go lower tech where possible. Magecart skimmer Inter is being hawked on the dark web. We've got an update on the crypto wars. And no, they haven't videoed you using EternalBlue. Just dump that email.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 2, 2019.
The Washington Post surveyed experts and found that most thought the U.S. cyber attack against Iranian targets was the right call. It was non-lethal, properly discriminating in that it hit clearly military targets, and sensibly proportionate as a response to Iranian attacks on shipping and a U.S. surveillance drone. Reservations the experts voiced involved concerns about escalation, the semi-public way the attack was avowed, the immature state of international laws of cyber-conflict, and the possibility of attack tools escaping into the wild. An Iranian response can be expected. Tehran has already said it's exceeding uranium production limits it agreed to observe, and many security experts are advising businesses in the U.S. to look to their defenses. CISA, of course, has done the same and warns in particular about the threat of wiper attacks.
BlackBerry Cylance has published an overview of recent activity by OceanLotus, also known as APT32 or Cobalt Kitty. They're particularly interested in Ratsnif, a set of remote access tools Vietnamese cyber operators have worked with and used since 2016. Ratsnif, which offers packet sniffing, gateway and device ARP poisoning, DNS poisoning, HTTP injection, and MAC spoofing, had gone undetected for some time, probably because of its selective employment. It's not up to Cobalt Kitty's usual high standards of coding, and indeed BlackBerry Cylance finds it sloppy. But then you only have to be good enough to attain your objectives, and achieve them Ratsnif generally did.

Security firm Thales recently published a report titled The Changing Face of Data Security in the Federal Government. Nick Jovanovic leads the Thales cloud protection and licensing U.S. federal business, and he joins us to share their findings.

The government has jumped into big data environments. They've jumped into IoT, mobile payments, and multi-cloud usage is extremely high. So over 80% of agencies today are in the cloud, and they're putting a tremendous amount of data in the cloud, as well as sensitive data in there.
And what is driving that movement toward the cloud? What are the benefits that they're seeing there?

That's a great question. When I've had some sidebars with some senior executives, a lot of what's driving them to the cloud, while we initially thought it was cost savings, there is a bit of that. But simply the ability to modernize their platform and technologies is probably the largest impetus that I'm seeing for federal agencies moving to the cloud. You've got lots of legacy systems that are very complicated and very expensive to modernize on their own. And if they migrate to the cloud, they're automatically on some of the latest technology that's out there.

Yeah, that's a really interesting insight. That shift allows someone else to have responsibility for keeping everything up to date. But it also leaves a pretty big gap in terms of responsibility around security.

When you look at digital transformation, and I group cloud into digital transformation, we're looking at modernizing the environment. And it's a perfect opportunity when you're modernizing to take a look at your security best practices and make sure that when you do migrate to the cloud, you're not just putting all faith in the cloud service provider, and recognizing that your information and your data, whether it's sensitive or not, is still your own and you have a responsibility to protect that. It's a shared responsibility.

When it comes to the federal side of things, what are some of the specific challenges they face when it comes to securing these cloud infrastructures?

I think the biggest thing that people look at is what's the path of least resistance and what's easy. And many of the federal agencies, when we poll them in our data threat report, what are they seeing from their end? We're not trying to pontificate as an organization. Overwhelmingly, they come back and say, you know, some of the most effective tools to secure their data is encryption. But surprisingly, the number of people who are using encryption to protect their data is extremely low. Only 30% or less use data encryption, which is a critical technology to secure their data. So I would say that enterprise key management to control the keys for the data that goes into the cloud, and then also encrypting the data, depending on where you can encrypt, is going to be critical to securing data. Outside of that, you've got to have authentication tools to be able to make sure that the right people are accessing that data, and you're creating that zero-trust environment.
What do you suppose is behind that bit of a disconnect there, that more people aren't using things like encryption, some of those best practices?

There's a misconception around complexity with technologies like encryption. When you go back 10, 15 years, it would be very difficult to encrypt a lot of environments or use a key management technology. Technologies have shifted and changed so that there's almost no impact to the ability to process their information when you're encrypting data. And enterprise key management tools are a lot easier to use, almost simplistic to the point where you can use it between multiple technologies. So that is probably the biggest reason: there's old preconceived notions and people haven't bothered to move forward. Now, there's also been a big focus around perimeter defense in organizations. And this year in particular, what I'm seeing is that senior management within organizations is recognizing that the perimeter is extremely fuzzy, especially when we're talking cloud. They, in fact, don't have a perimeter anymore. And so at that point, we are really limited to how you're protecting the data. And, you know, it's not going to be a perimeter focus anymore. People have to actually place controls closer to their data. They have to enforce these controls that are defined by them by encrypting the data.

It really depends on what you're using in the cloud. If you're using infrastructure as a service, it's very easy to bring technologies like bring your own encryption, bring your own keys. And the closer you are to the data when you're encrypting, the stronger the protection will be in place. If we do that right, you're controlling your own keys, you're controlling access to the data, and then blinding any types of privileged users from the cloud standpoint from ever seeing the information. So it gives plausible deniability for the organization, for the cloud provider. It protects your environment. Now, if you're using technologies like platform as a service, then you have to look at technologies like tokenization or application layer encryption, which increases your security posture further because from ingest of your data all the way down to data at rest, you're going to be protected and encrypted using access controls. Now, if you're using software as a service, you get significant value. However, you have very little control over how that software platform is being managed and what you can do to protect your data. So you're relying on those software organizations to actually protect the information. What you really do want to do is control your keys at that point, have the ability to report around how those keys are being accessed by the software platforms, and the ability to remove access to those keys if you want to essentially crypto shred access to that information.

That's Nick Jovanovic from Thales. The report is titled The Changing Face of Data Security in the Federal Government, the 2019 Thales Data Threat Report.
Google has removed more than 100 apps from the Play Store after Trend Micro found 182 camera and game apps infested with adware. 111 were in Google Play. The rest were in various third-party stores.

A third Florida city, Key Biscayne, has suffered a cyber attack, but it appears to have recovered better than the first two, Riviera Beach and Lake City, according to the Miami Herald. Key Biscayne disclosed that it had experienced a data security event last Sunday. The city manager said that some systems were taken offline during the recovery, but all systems were back up by Wednesday night of last week. An investigation into the extent of the attack continues.

And there's been another ransomware attack in the U.S. state of Georgia. The administrative office of the courts was taken offline yesterday as it attempted to deal with the attack. As is the case with most ransomware, the problem is data availability and not data theft, so the office's assurance that no personal data were compromised is comforting, but a bit wayward. All GeorgiaCourts.gov sites were, the last we heard, still unavailable. One would have hoped that Atlanta's major ransomware mess in 2018 would have served as a warning shot across the state government's bow, but any such warning appears to have been insufficient. That's neither new nor unique to Georgia. Baltimore, for example, had not only its own warning shot last year, but several years of internal warning and advice that it disregarded, much to its own cost.
Lawmakers in the U.S. are encouraging the power distribution sector to take a technological step back in order to improve security. In a move designed to increase manual operations in the electric grid, the Senate has, with bipartisan support, passed the Securing Energy Infrastructure Act, or SEIA. Utility Dive explains that the bill asks the Department of Energy and other agencies to look at ways to harden the electrical grid that would replace unnecessarily high-tech systems with simpler solutions that are harder to hack.

There's a customizable payment site skimmer up for sale. Fortinet has described a new Magecart skimmer called Inter that's selling for $1,300 on dark web markets. The skimmer can be customized to fit different types of websites and payment vendors, and it has built-in templates for 18 popular payment forms. Dark Reading notes that the skimmer's sophistication, ease of use, and wide applicability mean that it will probably be seen in use by Inter's criminal customers sooner rather than later.

And finally, here are some words of comfort. You probably haven't been videoed in the process of visiting a discreditable website. Extortionists claiming to have installed a Trojan via EternalBlue-infected adult sites are lying. It's a pure scam, BleepingComputer says. Just delete the emails and go on with your life. A little sadder, maybe a little wiser. Or at least a little more careful where you wander online.
Joining me once again is Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute, and he's also the host of the ISC Stormcast podcast.
Johannes, it's always great to have you back. I wanted to touch base with you today about what we've been seeing with the WebLogic exploits. What's going on here?

Yeah, so Oracle a couple of weeks ago released yet another patch for WebLogic. And of course, these vulnerabilities are always very concerning because WebLogic is one of these big business systems. People usually keep all of their goodies kind of in this one spot, so we're a little bit concerned about, you know, what are the attackers actually doing with these exploits? We are running a number of honeypots around the internet where we are looking for exploits hitting WebLogic, and what we found surprised us a little bit. Sure, they're hit pretty hard, but most of the exploits, like more than 80% of the attacks or requests being sent to these honeypots, actually don't use the WebLogic T3 protocol. When you're running WebLogic, you have the option to either set them up responding to these T3 requests, which is WebLogic's own sort of protocol that it's using, or they can respond via HTTP. HTTP, of course, being simpler and also simpler for the attackers. So surprising, but not surprising, that attackers are sending their requests using HTTP. On the other hand, they may actually be missing a large number of targets by not supporting some of this default protocol that WebLogic is using.

Interesting. Now, in terms of available patches, where do things stand there?

Patches are available for these vulnerabilities. The problem with WebLogic is that it suffers from these ongoing deserialization vulnerabilities. What WebLogic kind of does, or how it's often used, is it receives fairly complex data objects that are then being fed back into various databases, you know, things like orders, HR requests and the like. So WebLogic had a real hard time coming up with a good solution to not allow dangerous objects to be deserialized. What they have been doing over the last couple of years is essentially building a blacklist. And we all know blacklists are sort of fundamentally flawed, that you're always going to miss yet another way to sort of send a dangerous object to WebLogic. And as a result, also writing these exploits has been very easy. And just that last vulnerability was actually found after it was already exploited in the wild.

Now, is there anything, I mean, fundamentally, that folks should be avoiding these WebLogic servers? Or is it just a matter of keeping things patched and up to date?

Patching is a good idea, but you definitely should not expose them to the Internet. And that's actually something that seems to be getting through. We don't see a ton of them being exposed on the internet. And the one blind spot we really have with our honeypots here is how are these WebLogic servers being exploited once the attacker is inside your network, because that's where you may have less defenses, where you may expose, where you really have to expose these WebLogic servers internally. And so that's where you may actually see some of the more sophisticated attacks. If you do see a crypto coin miner running on one of these WebLogic servers, by all means, make sure that you don't just remove the crypto coin miner, but be aware there may be other things that are also sitting on that WebLogic server, even if we didn't see them in our honeypots, which, of course, may easily be detected by some of the more sophisticated attackers.

All right. Well, Johannes Ullrich, thanks for joining us.

Thank you.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.