CyberWire Daily - VFEmail attacked, infrastructure wiped. EU considers a response to APT10. US Executive Order on AI is out. GPS jamming threat. Stryker hack. Shadow IT in the Corps.
Episode Date: February 12, 2019
In today's podcast, we hear that VFEmail has sustained a devastating, data-destroying attack. The EU considers whether it should, can, or will make a coordinated response to China's APT10. A US Executive Order outlines a strategy to maintain superiority in artificial intelligence. Norway warns, again, of the risk of GPS jamming. US Army Stryker vehicles were hacked during testing last year. And some Marines are getting ahead of themselves, downloading close air support control apps to personal tablets. Johannes Ullrich from SANS and the ISC StormCast podcast on using hardware flaws for network access. Guest is Shane Harris from the Washington Post with an update on the Paul Whelan case in Russia. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/February/CyberWire_2019_02_12.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
VFEmail sustains a devastating data-destroying attack.
The EU considers whether it should, can, or will make a coordinated response
to China's APT10. A U.S. executive order outlines a strategy to maintain superiority
in artificial intelligence. Norway warns again of the risk of GPS jamming. U.S. Army Stryker vehicles
were hacked during testing last year. And some Marines are getting ahead of themselves,
downloading close air support control apps to personal tablets.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Tuesday, February 12th, 2019.
Secure email provider VFEmail sustained an attack yesterday afternoon
that wiped its U.S. infrastructure. Someone attacked and reformatted its servers so as to
make the data they held unrecoverable. It's potentially a business killer. There's a good
chance the company will cease operations. The company tweeted, quote, every VM is lost, every file server is lost,
every backup is lost, end quote. They're working on the one file server they caught in mid-formatting,
hoping to be able to recover something from that one, but this seems a best-case scenario.
That server was in the Netherlands, and the company does appear to have been able to retrieve
some backed-up data in that country, but as far as it can tell, its U.S. customers' data are gone for good. The company
has been, as far as anyone can tell, commendably open, prompt, and transparent with its disclosures.
Others might learn something if they look at VFEmail's public response to the incident.
They might also see the attack and its effects as a
cautionary tale about the importance of secure offline backup, routinely checked and regularly
exercised. Milwaukee-based VFEmail has been around since 2001, offering a service that scans
email for potentially malicious content. It has offered both a paid and a free service,
and its free service has been used by
a number of not-for-profits, smaller charities, local churches, and the like, and these will be
particularly affected. If you're acquainted with any of those users, this would be a good time to
check in with them and offer whatever IT or security advice and help you might be able to give.
The attacker's identity is so far unknown. VFEmail says a Bulgarian IP
address turned up in the traffic it caught during the one server reformatting it caught in progress,
but that in itself means little. The attacker's motive is as unknown as the attackers themselves.
VFEmail, like other email services, has been hit by extortion attempts in the past,
weathering DDoS extortion in 2015, 2017, and 2018, but this doesn't seem to be one of them.
There was no ransom demand of the sort one would expect in a straightforward criminal attack,
nor were there any of the statements, manifestos, or communiques one would expect from hacktivists.
It's difficult to imagine a plausible reason for a state espionage service to have conducted the attack.
But based on what's known so far,
the motive may be simple malice or just the lulz,
which usually amounts effectively to the same thing.
We've been following the curious case of American security professional Paul Whelan,
who claims he was visiting Russia to attend a wedding and was handed a flash drive that the Russians say was full of
classified information, after which they promptly arrested him. Shane Harris covers intelligence and
national security at The Washington Post.
He has been sitting in the jail ever since and trying to
meet with officials from various embassies and getting ready to, it looks like, perhaps actually plead his case when it goes to trial in Moscow.
It's been kind of an uphill battle. When you're arrested, you're supposed to have access to
officials from your home country's embassy or their consulate. And in this case, Paul Whelan
actually claims citizenship in four different countries, which is quite unusual. He has
four different passports, Canada, the United States, Great Britain, and Ireland. And he has
been trying to see officials from those
countries. But as you say, the Russians have been dragging their feet. They've been throwing up
various administrative roadblocks. For instance, the State Department wants to allow him to sign
something called a privacy waiver, which would actually allow the U.S. government to talk
publicly on his behalf. And they've been able to finally get the waiver to him. But now the
Russians are saying he has to mail it to the United States. And so they keep... it's kind of
one thing after another, according to his family. And all this time, we should add,
as he's going through these various diplomatic maneuvers to try and get someone to represent him,
he has a Russian lawyer, but the government in Russia has not detailed any of the precise evidence of the case.
So he hasn't seen anything like a criminal information or an indictment, which you would see normally, for example, in a United States court.
And so what's the speculation here? What do we suppose is actually going on?
Well, it's pretty much nothing but speculation at this point.
I think one thing that seems fairly sure is Paul Whelan is not a spy for the
United States. His background is such, and we can talk more about this, that he would not at all be
a likely candidate as being an intelligence operative, say, for the CIA or the FBI,
somebody spying for the government. In Russia, the legal definition of espionage is quite broad. So when they say he
has committed espionage, it may not be in the way that we traditionally think about it.
But some experts believe that this was perhaps some kind of a setup, that maybe he was tricked
or lured into taking some information that he shouldn't have. And now that the Russians have
him in custody, they might be using him as some kind of a bargaining chip, possibly to get concessions from the United States.
Or some former U.S. officials have speculated a potential trade for a woman named Maria Butina, who right now has pleaded guilty to acting as an unregistered agent of Russia in the United States and is awaiting sentencing from an American court.
But really, we haven't even seen that much attention to this coming from the State Department.
We've heard Secretary of State Mike Pompeo has spoken briefly a couple of times about
Whelan's case. You're not really seeing a concerted effort by the Trump administration,
publicly anyway, to pressure Russia or to demand that
it disclose more information about what they think Whelan actually did.
Yeah, that was actually going to be my next question to you. I mean, with this,
obviously, peculiar relationship that President Trump has with Putin and the Russians in general,
you know, is that affecting the negotiations here and what the State
Department wants to do or is able to do? You know, I think in some ways it has to be affecting them.
We know this is an administration that on the one hand, it has undertaken some policies like
sanctions and the expulsion of Russian diplomats from the United States that are certainly tough
on Russia and are pushing back at it for a number of its different transgressions as the U.S. sees them, including interference in the 2016 election and the
attempted murder of a former Russian agent in Great Britain. But as you said, the president
himself has this very peculiar relationship, I think, to put it mildly, with Vladimir Putin.
And you don't see him certainly coming out and pleading on behalf
of Paul Whelan, which is a bit strange, I think, because the president has actually made a big show
in other cases where other countries have been holding Americans either, you know,
against their will in some cases or under dubious circumstances. The president has come out
and made a point of talking about their cases. And we haven't seen that with Whelan. So I think it's left a lot of people, particularly members
of his family, wondering why they're not making more of a public case about this. I mean, it could
be that the U.S. government is just waiting to see if Paul Whelan was involved in something maybe
that was nefarious or inappropriate. But even in cases like that,
usually you see a bit more of a kind of sticking up for the American, frankly,
more of a willingness to, if not necessarily defend that person, to certainly demand that
the government holding him show their cards and say, OK, what do you think it is that this person
actually did? And the Russians haven't done that, and the Americans haven't publicly demanded that. That's Shane Harris. He covers intelligence and
national security for The Washington Post. The EU deliberates a coordinated response to
APT10's recent activity. The deliberations are believed, according to reports in Bloomberg,
to have been prompted by British briefings to its counterparts on January 28th, during which the British presented evidence of APT10's
infiltration of networks in Europe and elsewhere. The meetings were not public, but the British
presentation is believed to have fairly closely tracked the recent U.S. indictments of certain
members of APT10. Unanimity is required for the EU to take action, and that unanimity
will be tough to achieve. Not every member sees the same things, or at least wishes to see the
same things. The EU is working on a policy for coordinated response to cyber attacks generally
considered. The APT10 affair is expected to be raised during high-level Sino-European talks scheduled for April.
President Trump yesterday signed an executive order designed to maintain American leadership
in artificial intelligence against determined, effective Chinese competition. It enunciates
determination and some principles, and it directs agencies to make AI funding a priority
when they plan their budgets.
But actual resources for research and development will have to come from Congress.
Three incidents of military concern have come up this week.
Norwegian intelligence services are warning NATO partners again of the risk posed by GPS jamming.
Such jamming occurred during exercises NATO conducted along its northern tier late last year. It was widely attributed to Russia at the time, and there's been no particular reason beyond
rather routine Russian denials to doubt that attribution. The jamming is particularly worrisome
not so much because it's a nuisance during military exercises, but because of the threat
it poses to civil aviation, whose navigation systems were also affected.
The other two reports come from the U.S.
The Drive reports that U.S. Army Stryker combat vehicles,
specifically the up-gunned Stryker Infantry Carrier Vehicle Dragoon, have been hacked.
The publication says it's unclear whether the hacking was a test or a live cyber attack by an actual adversary,
but a look at the report from the U.S. Defense Department's Office of Test and Evaluation
suggests that the hacking was conducted during early user testing the Army conducted last year in Germany.
As the Pentagon report says, quote, adversaries demonstrated the ability to degrade select capabilities of the ICVD when operating in a contested cyber environment. In most cases, the exploited vulnerabilities predate
the integration of the lethality upgrades, end quote. And a report by the Department of the Navy
Inspector General finds that the Marine Corps appears to have a problem with shadow IT.
It's the sort of issue that surfaces wherever clever and motivated people in an organization look for easier ways of
doing their job. In this case, the job is coordination of close air support, something
the Marines would like to push down to platoon level, moving away from the centralized system
exemplified by, for example, ANGLICO teams.
According to the IG, Marines have been downloading two apps,
KILSWITCH and APASS, onto their personal devices.
KILSWITCH and APASS were both designed by the Naval Air Warfare Center Weapons Division.
There is authority to operate them, and the Marines have been using them for their intended purpose.
The problem is the personal devices.
They should only be used on the arguably more secure service-issued tablets,
not the ones they might have bought for themselves at a Black Friday doorbuster sale from, say, Best Buy in Jacksonville or Oceanside.
The concern is that the personal devices might be hackable,
as the Russians are said to have hacked the Ukrainian fire direction app Popr-D30 a couple of years ago.
So, a friendly reminder, use the proper tool for the proper job, Terminal Lance.
And joining me once again is Johannes Ullrich. He's the Dean of Research for the SANS Institute,
and he's also the host of the ISC StormCast podcast. Johannes, welcome back. We wanted
to touch today on the ability for folks to sort of get a foothold in a network via flaws with
hardware. What are we talking about here?
Well, there are sort of really two issues here.
One is sort of your good old, you know, things
and these devices being exploited
and then being used. But then you also have systems
that are parts of larger systems, like
very famously these baseboard management controllers
that you have in many systems, in particular
in servers that almost act like their own little computer
within that larger server.
And they, if exploited, can be used then to attack the network again.
So they're then sort of a little beachhead that an attacker could build
in order to attack the network and not necessarily attack more of the systems
they're already on.
And how does this play out in a real-world environment? Can you give us an example?
So, for example, with these baseboard management controllers,
now, they themselves are sometimes considered a vulnerability,
but what happens here is that an attacker gets a foothold on a server,
gets administrator access on that server, but then uses that administrator access to actually upload new firmware, for example, into the baseboard management controller, or just gain access to the baseboard management controller using standard tools that are typically installed with the operating system.
From the baseboard management controller, they're actually
connected to an administrative network. And that's standard
best practice. You want to isolate the control of these
devices from the rest of the network. But now the attacker
can actually use the controller on the server that the attacker
compromised to attack other servers using that administrative network,
which often is, well, more open in the sense that it has access to all of these administrative functionalities
that the normal network wouldn't have access to.
So what's to be done here? How can folks protect themselves against this sort of thing?
Well, I would start by removing these tools if you can.
That's not a perfect solution.
An attacker can easily upload them,
but then you may be able to detect uploading of these tools to the system.
Secondly, of course,
monitor your management networks.
What I often see is that
people have all kinds of logging set up
for people logging into systems the normal way,
either via SSH or via various remote control methods.
But they often overlook logging of access via these administrative networks,
for example, to serial consoles and things like that.
So that's something that you really have to worry about and something you have to
be careful about, that you have the visibility here that you need.
All right. Well, it's an interesting one to look out for. As always,
Johannes Ullrich, thanks for joining us.
Thank you.
Listen for us on your Alexa smart speaker too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe. Thanks for listening.
We'll see you back here tomorrow.