CyberWire Daily - VPNFilter and battlespace preparation. XENOTIME may be back, and after industrial systems. GDPR updates. Following Presidential Tweets.

Episode Date: May 24, 2018

In today's podcast, we hear that VPNFilter, described by Cisco's Talos research unit, looks like battlespace preparation for Fancy Bear. The FBI may have succeeded in impeding its operation. Dragos describes XENOTIME, the threat actor behind the TRISIS industrial safety system attacks, and they say we can expect them back. GDPR is coming tomorrow, and a company has found a way of letting worried CISOs sleep at night. And your right to follow @realDonaldTrump on Twitter has now been secured by the US Federal Court for the Southern District of New York. Enjoy. Dr. Charles Clancy from the Hume Center at VA Tech discusses how cell towers track you even when you have location services disabled (and why that's a good thing). Guest is Erez Yalon from Checkmarx with their research on Amazon Echo eavesdropping vulnerabilities.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hey, everybody. Dave here.
Starting point is 00:01:22 VPNFilter, described by Cisco's Talos research unit, looks like battlespace preparation for Fancy Bear. The FBI may have succeeded in impeding its operation. Dragos describes Xenotime, the threat actor behind the Trisis industrial safety system attacks,
Starting point is 00:02:14 and they say we can expect them back. GDPR is coming tomorrow, and a company has found a way of letting worried CISOs sleep at night. And your right to follow @realDonaldTrump on Twitter has now been secured by the U.S. Federal Court for the Southern District of New York. So you got that going for you, which is nice. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 24, 2018.
Starting point is 00:02:46 Cisco's Talos Research Unit yesterday reported its discovery of VPNFilter, a modular and stealthy attack that's assembled a botnet of some 500,000 devices, mostly routers located in Ukraine. There's considerable code overlap with the BlackEnergy malware previously deployed in attacks against Ukrainian targets, and the U.S. government has attributed the VPNFilter campaign to the Sofacy threat group, also known as Fancy Bear, or Russia's GRU military intelligence service. It's believed that VPNFilter has been quietly out there for nearly two years. Its precise infection mechanisms aren't entirely clear, but consensus holds that it established itself by exploiting known vulnerabilities left unpatched
Starting point is 00:03:34 and by gaining its entree into devices by taking advantage of weak or default passwords. The malware is regarded as sophisticated. It can use any one of three redundant means of communicating with its command and control servers: through the Photobucket photo sharing site, through a hard-coded domain, toknowall.com, and finally, if all else fails, a fallback direct connection from the attackers to the compromised device itself. Cisco notes that the malware moves through a three-stage process.
Starting point is 00:04:07 In stage 1, VPNFilter installs itself in such a fashion as to survive device reboots and to discover the IP address of the stage 2 deployment server. In stage 2, it downloads malware to the affected device. That malware can collect and exfiltrate files and data as well as manage the device and execute code on it. Stage 3 involves installation of plugins. Researchers have analyzed two of them. One sniffs and collects traffic passing through the device,
Starting point is 00:04:36 and the other enables communication via the Tor network. Researchers believe it likely that VPNFilter has more stage 3 plugins that have yet to be isolated and analyzed. Thus, the malware has complex functionality and the ability to carry any number of malicious payloads. One interesting capability is destruction of infected devices, although researchers believe this is probably intended for use once VPNFilter's cover is blown. The devices affected include routers from Linksys, MikroTik, Netgear, and TP-Link. It also affects QNAP network storage devices, and researchers are looking for infestations in other devices. Ukrainian cybersecurity authorities think, and a lot of others agree with them, that Russia was gearing up a major cyber attack to coincide with a soccer league championship match
Starting point is 00:05:28 scheduled this Saturday in Kiev as part of the run-up to the World Cup. They also think it possible an attack could be timed for Ukraine's Constitution Day, June 28. The botnet is adaptable enough to serve a variety of disruptive purposes. Its BlackEnergy cousin, for example, appeared in conjunction with earlier attacks on Ukraine's power grid. Talos's Craig Williams told Wired that, quote, This actor has half a million nodes spread out over the world, and each one can be used to control completely different networks if they want.
Starting point is 00:06:02 It's basically an espionage machine that can be retooled for anything they want, end quote. VPNFilter has been under investigation by U.S. authorities since August when a Pittsburgh resident agreed to let the local FBI field office inspect her router, infected with what at the time was characterized simply as Russian malware, and to put a network tap on her router to monitor traffic passing through it. On Tuesday, the FBI obtained a warrant from a U.S. federal magistrate that enabled it to seize control of toknowall.com. Thus, the Bureau has taken over the key node that enables VPNFilter to reestablish itself after the infected device was rebooted.
Starting point is 00:06:44 U.S. authorities hope this will cripple the campaign. The Justice Department says that VPNFilter could be used for, quote, intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities, end quote. So while it's early to cry victory, bravo Cisco and bravo to the FBI, especially the Pittsburgh office. Cozy and Fancy, don't even think about snuffling through the Steel City. Since this obviously involves at least the potential for cyber war, it's worth noting that Britain's Attorney General has this week said that a massive cyber attack could constitute an act of war,
Starting point is 00:07:24 and that a nation so attacked had the right to self-defense. This is either, as the peace-loving Putinists at Sputnik suggest, a bloodthirsty provocation just shy of dropping the SAS into Red Square, or, as the lads and lasses at The Register think, a threat to give you another good talking to, only louder. We hope things quiet down in cyberspace. As we install more smart devices with cameras and microphones in our homes, offices, and vehicles, there are understandable concerns about the ability to leverage those devices for eavesdropping. ... a malicious Amazon application. An Amazon application is known as an Alexa skill.
Starting point is 00:08:23 This is something that can be either built in in the Alexa device or you can find other skills in the Amazon skills store. It was decided to use a malicious skill, and then, without you knowing, record everything you say in the room. What the researchers in Checkmarx did was to create what looks like a calculator skill. The benign skill is actually working. I mean, it actually did give us the answer for whatever calculation we gave it to run. But unlike other built-in or benign skills, it didn't stop listening when the response was given. It kept on listening to what we were saying, transcribing it, and sending it to the attackers, which were us.
Starting point is 00:09:14 So take us through, how did you get this skill to perform this task? The first thing we needed to address was that after Alexa is giving a response, the session ends. We wanted to make sure that it keeps listening. So there is a flag in Alexa. It's called shouldEndSession. You flag it when you want the session to stay alive for another cycle. We figured that if we can make Alexa still be live and listening for endless cycles, we could eavesdrop for as much time as we want. When you invoke Alexa, there's a time limit on the amount of time that the device will listen before it prompts you to speak some more. Is that how it works? Yeah, exactly. It's the time limit, and also it makes sure you said the correct thing.
Starting point is 00:10:02 We found out that we could actually create an empty reprompt, which means that the reprompt would be silent. This brought us to the point that we have endless cycles, between which the reprompt is silent, and the user cannot know that another cycle of listening just started. So is there a limit to the length of a transcription that you will get? Is it a situation where as long as someone keeps talking, you'll keep getting that transcription? No, there is absolutely no limit. We tested it. It just keeps on recording, keeps on
Starting point is 00:10:39 transcribing. We didn't hit any limit in our tests. You have worked with Amazon to close up this vulnerability. What was their response to your research? The response was amazing. And I'm saying that with my experience of disclosure, many other vendors and developers, we disclosed it to Amazon Lab 126. We worked closely with them. They were extremely proactive.
Starting point is 00:11:07 They mitigated the risk and actually went the extra mile. What they did was very interesting. They, first of all, added some criteria to identify this, what we call eavesdropping skills during certification. Every skill that goes up to the Amazon store goes through some sort of process of certification. We don't really know what that is, but as far as we know from Amazon, it didn't check these specific eavesdropping features. So now it should check them. The second thing they did was they're going to try and detect empty reprompts and take appropriate actions when they find them. This would actually be enough to mitigate what we found. But Amazon decided to go, as I said, the extra mile, very proactive.
Starting point is 00:11:58 And they decided to detect longer than usual sessions in future skills, and take the appropriate actions. This means that if a future researcher or hacker or attacker will find another way to eavesdrop, even if he doesn't use the exact mechanism we did, probably the detection of longer than usual sessions will raise a red flag. That's Erez Yalon from Checkmarx. You can learn more about their research into the Amazon Alexa on their website.
Starting point is 00:12:30 Dragos has an update on Xenotime, the threat actor behind the Trisis malware used to disable Schneider Electric Triconex safety instrumented systems. The Trisis attack last December disrupted operations at a Middle Eastern petrochemical facility. Targeting safety systems represents a dangerous escalation in attack patterns. Dragos is moderately confident that Xenotime means we should be prepared for further campaigns. Although its initial targets were located in the Middle East, there's little reason to think that the threat actor will confine its operations to that region. Dragos believes Xenotime operates worldwide and has no known connections to other threat groups. They also probably have capabilities that enable them
Starting point is 00:13:15 to work against systems other than the already targeted Schneider Triconex. Xenotime's objectives are clearly disruption, not espionage. The threat actor establishes itself in systems where it can cause future disruption or destruction. Their earlier attempt back in December wasn't fully successful. As Dragos explains, the group created a custom malware framework and tailor-made credential gathering tools, but an apparent misconfiguration prevented the attack from executing properly. As Xenotime matures, it's less likely that the group will make this mistake in the future. GDPR comes into full effect tomorrow, attended by much advice for enterprises.
Starting point is 00:13:59 A lot of people have said they're losing sleep over the data protection regulation and its hefty fines. One enterprising company in the UK has a cure for that. Calm, a firm that specializes in providing a range of soothing noises for relaxation, meditation, and sleep, has realized that the text of the General Data Protection Regulation is so stupefying that it can do you more good than counting sheep or listening to white noise. They've added Once Upon a GDPR to their soothing repertoire and engaged Peter Jefferson to read it. Mr. Jefferson is famous in the UK as the BBC's voice of the shipping forecast, a maritime weather report that became known as Britain's unofficial national lullaby.
Starting point is 00:14:43 Finally, the US Federal Court for the Southern District of New York says President Trump can't block you from his Twitter feed. It's a First Amendment issue, so your right to see and comment on @realDonaldTrump is secure. The president, of course, is under no legal compulsion to pay attention to your comments. So don't get cocky, kids.
Starting point is 00:17:42 And joining me once again is Dr. Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, welcome back. We've seen stories coming by recently about the ability to locate mobile devices and specifically some of the cellular providers selling off that data. You know, what's interesting to me was, I guess I never really thought it through, the notion that even if I have my GPS turned off, that sort of by design, these systems need to know my location. Of course. In order for you to receive an incoming phone call, the network needs to know which tower to route that call to in order to reach your phone. The networks typically don't know where you are 100% of the time. They only sort of know where you are when they need to complete a call or you need to complete a call or complete some sort of
Starting point is 00:18:21 data transaction. Whenever you initiate any sort of data service or phone call, the towers obviously have to know where you are, and they record that information in their records. And similarly, if you have an inbound call or inbound data, then they will use this system called the paging channel to try and find you, and then would record your location in their logs as part of that. Now, is there any sort of triangulation going on here? Are multiple towers sort of comparing notes to decide who will best serve you? No. In fact, the networks do not do that.
Starting point is 00:18:56 Currently, the networks only record the ID of the cell sector that you're communicating with, which, particularly in rural areas, could be a very large area, but in urban areas, it can be a very small area. The triangulation feature only kicks in if you were to, for example, dial 911 and the E911 system was to kick in and perform a more precise location of you. But right now, the carriers are only allowed to do that if you dial 911. That's interesting. So in terms of the accuracy of being able to pinpoint where someone is, what's a reasonable expectation of what these systems are capable of? So, again, in an urban environment where you have maybe a cell tower every 500 meters,
Starting point is 00:19:38 you could imagine an accuracy to within a few hundred meters, a few hundred yards perhaps. Again, in a rural area, though, you may have a cell site that's on the top of a mountain that's providing coverage to a valley below. And there it could be tens of kilometers of location uncertainty associated with those measurements. And in terms of just a policy situation here, is this another example where perhaps the policy needs to catch up with the technology? That's a great question. Certainly law enforcement uses this feature now. So if they have an ongoing case, they can serve a warrant on a cell phone company and retrieve those records
Starting point is 00:20:18 and use that as part of their case. It's important to have that information. It's also important generally for accounting purposes for the cell phone carriers. I think the real policy question is under what circumstances can they sell that information? And should the consumer have the ability to opt out of that kind of sale or not? All right. Well, we'll certainly keep an eye on it as it develops. Dr. Charles Clancy, thanks for joining us. My pleasure.
Starting point is 00:21:12 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:22:00 Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
