CyberWire Daily - Warnings about Emotet and BlueKeep. Crooks test their stolen cards before the holiday shopping season. Amazon fixes Ring. Chinese security gear allegedly sold as made-in-USA.
Episode Date: November 8, 2019
Warnings and advice about Emotet and BlueKeep, both being actively used or exploited in the wild. Two new carding bots are in circulation against e-commerce sites. Expect more of this as criminals test stolen credentials in advance of the holiday shopping season. Amazon fixes a security flaw in its Ring doorbell. A Long Island company is charged with selling bad Chinese security systems as good made-in-USA articles. Michael Sechrist from BAH on preventing supply chain attacks. Guest is Andy Greenberg, senior writer at Wired and author of the book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/November/CyberWire_2019_11_08.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Warnings and advice about Emotet and BlueKeep,
both being actively used or exploited in the wild.
Two new carding bots are in circulation against e-commerce sites.
Expect more of this as criminals test stolen credentials
in advance of the holiday shopping season.
Amazon fixes a security flaw in its Ring doorbell.
My conversation with Wired senior writer Andy Greenberg
on his new book, Sandworm.
And a Long Island company is charged with selling bad Chinese security systems as good made-in-the-USA articles.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 8, 2019.
The Australian Signals Directorate is urging enterprises to look to their defenses against Emotet and BlueKeep, which are showing renewed levels of attention by threat actors in the wild. Emotet is the widely deployed malware that emerged in 2017 when a criminal group, TA542, also known as Mummy Spider, used it as a banking trojan. It went into temporary eclipse earlier this year, but resurfaced on August 22nd, and by September had resurfaced with a bang as a multi-purpose trojan. Proofpoint says in its third quarter threat report that Emotet alone accounted for 12% of the malicious email samples they looked over that quarter. It's fallen off a bit this week, but it remains an active threat. And so the ASD's Australian Cyber Security Centre and its state and territorial partners are advising everyone to be on the lookout for Emotet. They recommend blocking Microsoft macros from all but the most trusted sources, backing up systems daily, scanning email contents, and segmenting networks.
The Australian Cyber Security Centre, if you're unfamiliar with it, fills a role analogous to the one GCHQ's National Cyber Security Centre has in the UK and to those filled in the U.S. by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency and NSA's Cybersecurity Directorate.
The other warning ASD issued pertained to BlueKeep, which has given people the willies since the discovery that it's being exploited in the wild. To be sure, it's only been confirmed to have been exploited to spread a crypto-jacker, but that's been startling enough for many. The BlueKeep vulnerability affects Microsoft's Remote Desktop Protocol. It's been patched for months, yet as Bleeping Computer points out, the enterprise patching rate for this particular vulnerability is about 83 percent, a big majority, but on the other hand, surprisingly low. Home users have probably patched at far lower rates and are probably proportionally more vulnerable to exploitation.
Microsoft is again reminding people to patch. So why so much fuss over a crypto-jacker? Well, for one thing, crypto-jacking is an irritant in its own right, a resource hog and just an untidy mess. But BlueKeep worries people most because it's wormable, and because they remember the widespread and costly damage the WannaCry pandemic wreaked against a sister vulnerability, EternalBlue.
Bitdefender, while acknowledging the potential risk,
has posted some notes they call debunking,
but that might, with equal justice, be called reassuring.
Their point is that this risk is manageable.
They suggest three steps.
One, patch.
Two, mitigate the risks of remote desktop protocol,
perhaps by configuring remote desktop service with network-level authentication.
And three, maintain strong network attack defenses.
As the holiday season approaches, new attacks on retail and e-commerce begin to take shape.
Security firm PerimeterX has found two new carding bots, CanaryBot, which exploits major e-commerce platforms,
and ShortcutCardingBot, which exploits card payment vendor APIs bypassing e-commerce websites.
This form of carding, PerimeterX notes, aims at validating cards by making small purchases. CanaryBot is interesting for the way it mimics user behavior, filling a shopping cart and heading for the online checkout. Yes, we know the holidays do seem to creep up. Some of our
retail stringers say they see Halloween stuff on the shelves as early as August, and that includes
candy, which, well, just doesn't seem
right. But this kind of holiday creep is understandable, at least from the criminal's
point of view. While the traditional start of spend-it-like-a-sergeant-on-payday holiday
shopping in the United States is the ill-omened Black Friday, the day after Thanksgiving,
forward-thinking hoods like to be prepared, as if they're Boy Scouts from the Upside Down or some other malign dimension.
Anywho, they're leaning forward in their foxholes and getting ready for the holiday crime rush.
Arkose Labs is seeing some of the same things that have come up in PerimeterX's research.
Arkose's own third quarter report shows a 70% increase in bot-driven account registration fraud
as the gangs test their stolen credentials in advance of the Christmas rush.
Bitdefender reports finding a flaw in the Amazon Ring doorbell security system that
could expose users' Wi-Fi credentials. They disclosed it responsibly to Amazon,
and Amazon has pushed an automatic security update that fixes the problem.
So Ring users should be out of the woods.
The U.S. attorney for the Eastern District of New York has filed charges against Long Island-based Aventura Technologies Limited. The government alleges that the company sold Chinese-made security and surveillance equipment falsely marked as made in the USA. The charges cover fraud, money laundering, and illegal importation of equipment manufactured in China. In effect, this amounts to a hardware supply chain problem. The systems Aventura sold may not have been, strictly speaking, counterfeits, but if the government is right, their origins were misrepresented.
The agencies cooperating in the investigation suggest the scope of the alleged fraud: the FBI, U.S. Customs and Border Protection, the Internal Revenue Service, the U.S. Air Force Office of Special Investigations, the Naval Criminal Investigative Service, the Defense Criminal Investigative Service, the Inspector General of the General Services Administration, the Treasury Inspector General for Tax Administration, and the Inspector General, U.S. Department of Energy.
Whew.
An update to the case of alleged infiltration of Twitter
by persons working on behalf of Saudi Arabia
saw a new development overnight.
One of the men charged, the Telegraph reports, worked at Amazon for three years after leaving Twitter. Ahmad Abouammo, the one defendant in custody, moved to Amazon from Twitter in 2015. There's no word on whether he or his alleged confederates were up to anything at Amazon, but Mr. Abouammo's work history suggests the difficulty of detecting malicious insiders.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of
technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews,
and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures
their personal devices, home networks,
and connected lives. Because
when executives are compromised at home,
your company is at risk.
In fact, over one-third
of new members discover they've already
been breached. Protect your executives
and their families 24-7,
365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Michael Sechrist.
He's chief technologist at Booz Allen Hamilton,
and he also leads their managed threat services intelligence team.
Michael, it's always great to have you back.
I wanted to touch today on supply chain attacks. You had some information that you wanted to share about preventing those kinds of attacks. What do you have for us?
Sure. Yeah. Thanks again for having me on. One of the things that we're seeing is sort of third party and fourth party risks being a significant concern for enterprises. There is a growing number within the ecosystem and IT environments of vendors, and vendor management has become a top concern for security professionals. One of the aspects of that that falls on is how do you secure your ecosystem when you're dealing with so many significant parties that have access to potentially critical data, critical assets within your enterprise. One of the things we're working on with those clients is to work to profile the client's enterprise and identify sort of where are those critical nodes and links for the enterprise with those vendors and providers. And so we do that by doing sort of baseline profiling, assessments, sort of risk prioritization and mitigation strategies. And we implement those with the clients in order to build up their program awareness and their visibility into their entire ecosystem.
How do you recommend that organizations go about sort of dialing in how far down that chain to go?
It goes pretty far. I don't think it's the ability to kind of just be reliant on a questionnaire or a survey is going to satisfy concerns or kind of the security risks that are present today. It's going to take actual baseline profiling of, you know, which IP addresses potential vendors are using in order to relay or have some sort of communications with your IT environment. It's going to be the exact sort of software that has to be downloaded, the versions that are being used, how software packages get updated. Those type of details are very important today in order to identify anomalous activity.
What are your recommendations for people getting started with this, kind of starting that journey of trying to get a handle on what's going on with their supply chain?
Top priority is understanding your critical risks and where your critical data and assets lie. Without knowing that, it's going to be very difficult when you're looking at your vendor ecosystem, so to speak, and identifying which ones or which vendors you want to make sure you have a very strong profiling of. Without that sort of internal linkage, you're going to kind of maybe have to boil the ocean, which is going to drain resources and be kind of inefficient over the long term.
All right. Well, Michael Sechrist, thanks for joining us.
Thank you very much.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and
securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant. My guest today is Andy Greenberg.
He's a senior writer at Wired and author of the 2012 book, This Machine Kills Secrets, which was a New York Times editor's choice. His latest book is titled Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. In it, he tells the story of the Olympic Destroyer malware and how security researchers traced it so far they could attribute it to Russia's FSB. It's that rare combination of meticulous history lesson and thrilling page-turner.
That's part of the story of the book is that the world did not really react to this series of attacks that just got more and more aggressive and indiscriminate. The West, including the US, really just watched these attacks unfold in Ukraine and treated it as somebody else's problem. You know, this is Russia's sphere of influence. We've sanctioned them for their illegal war. We don't need to say anything. You know, it seemed to be the attitude about these unprecedented attacks. I mean, you would think that the first time in history that hackers actually turn off the power to civilians, that the US government would want to say something about that, like, hey, that's a red line that maybe you shouldn't cross. Or, you know, this is a reckless act of indiscriminate aggression against civilians and will not be tolerated, no matter who the victim is. Ukraine is not a part of NATO. But nonetheless, it seemed to me that this was the sort of red line that we want to establish in cyber war. And yet nobody said anything, not after the first blackout and nor after the second. It seemed to me that this was what allowed these hackers, Sandworm, to escalate with impunity until they released what became the worst cyber attack in history.
to many times on the CyberWire.
And it's sort of a running theme through the book that Rob shares his frustration with our response,
or I suppose you could say our lack of it.
Yeah, Rob was one of the kind of Cassandras,
not quite a whistleblower,
but some sort of like one of the researchers
who spotted what was going on early
and tried to sound the
alarm. I think that John Hultquist at FireEye is another. And then the Ukrainians, of course,
were trying to tell the world too, that something dangerous was happening here. And I think, you
know, they did even say to me that what happened in Ukraine seems to be bound to spill out to the
rest of the world, that what Russia was doing to them in Ukraine,
Russia would sooner or later do to the West as well. And there was a kind of precedent for that because Russia had hacked the Ukrainian election, tried to spoof the results, actually, and just
barely kind of failed. The Ukrainian Central Election Commission caught the fake results just
in time before they were posted on their website. And then Russia meddled in the US presidential election. At this point, we were seeing Russia mess with Ukraine's power grid.
And the kind of logical conclusion was that maybe they would try that against targets further
abroad as well, just as they had kind of tested out election hacking in Ukraine. I initially wrote
a story for Wired that kind of made that prediction. It came true far more quickly than I expected in the form of NotPetya.
We published this story, the cover story in Wired, that essentially said that what happened to Ukraine should not be ignored because it would eventually spill out to the rest of the world.
was the day that NotPetya hit, a Russian attack on Ukraine that within hours spilled out to the rest of the world and became the worst, most expensive, devastating cyber attack ever.
Well, let's dig into NotPetya.
You mentioned earlier this notion that people were saying that these attacks would spill out into the rest of the world.
And that is what happened with NotPetya.
NotPetya was, of course,
this worm that looked like ransomware, but wasn't. It was just a destructive wiper that seemed to be
targeted at Ukraine, but was entirely reckless in its scope. It spread initially by this Ukrainian
accounting software, but that accounting software, MEDOC, was used by really anybody who filed taxes
or did business
or had partnerships in Ukraine.
As I'm sure everybody who listens to the show knows, it first hit Ukraine.
It really carpet bombed the networks there, but it immediately spread beyond Ukraine and
hit a long list of multinational companies like Merck and Maersk and FedEx and Mondelez.
And these are massive multinationals. And in
each case, it did hundreds of millions of dollars in damage, kinds of numbers that we'd never seen
anywhere before, totaling to $10 billion in total damages, according to a White House assessment,
which is more than we'd seen, you know, even in WannaCry the month before.
And again, the global reaction in terms of additional sanctions or punishment or any sorts of actions against Russia were what? Well, initially nothing, and that was so vexing to not just me, but I had been speaking to people like John Hultquist and Rob Lee who had been warning about this group, and the Ukrainians. Now, I felt like I was part of
this weird club of Cassandras who were saying, watch out, this group is dangerous and its attacks
are escalating and will hit us sooner or later. But then they did hit us in the West. I mean,
Merck eventually lost $870 million to NotPetya and they're in New Jersey. This is an American
company. And yet in the wake of NotPetya,
it took eight months for anyone to call out Russia as the aggressor. That includes like
all of these companies who were simply totally unwilling to name Russia as the source of this
attack that had devastated their balance sheets. I thought I was going crazy. I followed this group
for a year at that point. I could understand in this kind of
cruel logic why the West would ignore these attacks on Ukraine. You can make this kind of
realist argument that that's Ukraine's problem. It's not our problem. But once NotPetya spilled out and it hit all of these Western targets as well, that of course was our problem. And yet nobody was saying anything. The US government didn't say anything until February of 2018, eight months later. None of the companies said anything. I just couldn't understand this, the silence around what was starting to become clear to be the biggest cyber attack in history.
So what are your conclusions there? I mean, why the... was the silence coordinated? I mean, obviously, President Trump has a peculiar affection for Russian leaders.
Was it at all related to that?
I never really got to the bottom of why it took so long to attribute NotPetya. Because after all, ESET, the Slovakian cybersecurity firm, they found forensic connections between NotPetya and the BlackEnergy attacks, which they called TeleBots, but everybody else calls Sandworm. Within days of NotPetya, they could kind of show this sort of interlinked series of components used in those early attacks that evolved into NotPetya. It was very clear that this was Russia, to me, from the beginning.
And of course, who else is going to be targeting Ukraine?
I mean, it's confusing because NotPetya spilled out to Russia too.
And that, I think, speaks to the fact that the damage done to the West was probably collateral
damage, like the damage done to Russia.
But it was totally avoidable collateral damage.
It would have been easy for NotPetya's creators to filter its
infections using the actual tax ID numbers that were available in the MEDOC software that they
hijacked. They could have made sure that the attack only hit Ukraine, and they didn't.
But yeah, I don't know why the US government was so slow to do this. I think maybe the attribution
took a long time. It could be also a factor that nobody wanted to go into the Oval Office and talk to President Trump, of all people, about Russian hacking.
That that was just a kind of uncomfortable subject and one that you were not rewarded for bringing up in an intelligence briefing.
I ultimately couldn't kind of get the palace entry in the White House to
understand why it took so long. But eventually, I did hear the story from, you know, Tom Bossert of
the decision to finally call out Russia eight months later. You know, I don't want to take
credit away from the White House for eventually acting and calling out Russia, imposing sanctions.
In fact, coordinating this attribution that all Five Eyes carried out together, Canada, Australia, the UK, New Zealand, all together named NotPetya as a Russian act. It took a long time to do it. The real mistake, in my eyes, is that we
waited until it hit us to make that call. When everyone knew that this highly dangerous group of hackers was escalating
its attacks on Ukraine and doing things that should not have been acceptable in the first
place. We waited for it to bite us before we took action.
That's author Andy Greenberg. We were discussing his book, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. We'll be publishing an extended version of this interview in the next few days. Watch for it in your CyberWire podcast feed.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.