CyberWire Daily - Warnings of Russian cyber threat to power grids. Phishing rises. Patch gets patched. SingHealth breach. Satori botnet. Bluetooth MitM. Evil maids?
Episode Date: July 24, 2018. In today's podcast, we hear that warnings of Russian prep for an attack on power grids become more pointed. Phishing and impersonation attacks continue to rise. Microsoft patches a patch. The SingHealth breach remains under investigation. The Satori botnet may be taking another run at Android devices. Bluetooth vulnerabilities render paired devices susceptible to man-in-the-middle attacks. And evil maid attacks may be less difficult than you thought. Emily Wilson from Terbium Labs shares her experience attending a conference for professionals working to fight fraud. Guest is Brian Martin from Risk Based Security with their research on vulnerabilities they discovered with the Click2Gov service. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/July/CyberWire_2018_07_24.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Warnings of Russian prep for an attack on power grids become more pointed.
Phishing and impersonation attacks continue to rise.
Microsoft patches a patch.
The SingHealth breach remains under investigation.
The Satori botnet may be taking another run at Android devices.
Bluetooth vulnerabilities render paired devices susceptible to man-in-the-middle attacks.
And evil maid attacks may be less difficult than you thought.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 24th, 2018.
Security experts continue to expect renewed Russian attention to electrical power grids in the UK and the US, the period of relative restraint coinciding with the World Cup having ended when France edged Croatia.
The World Cup hangover mood is more prevalent in the UK,
where tensions with Russia have been heightened by a death from Novichok poisoning.
The UK and essentially everyone else thinks the Novichok attack is Russian wetwork.
Russia says it was framed.
In the U.S., the concerns have a different source,
evidence that Russian operators have successfully phished various elements connected to the power grid.
The U.S. Department of Homeland Security has been warning of this for some time,
but yesterday it issued an unusually stark and direct alert.
Energetic Bear, the name this particular threat actor has come to be known by,
succeeded in compromising hundreds of victims in a long-running campaign against electrical distribution control centers.
Energetic Bear got in by targeting vendors in phishing campaigns.
It's worth noting that phishing was the Russian entry point, many believe,
in their demonstration attacks on segments of the Ukrainian power grid.
We heard from Phil Neray, VP of Industrial Cyber Security at CyberX.
He pointed out, quote,
It's dangerous and reckless to assume that Russian cyber reconnaissance can be discounted because no one has actually turned off the power yet.
It's clear that our adversaries now have direct access to hundreds or potentially thousands of systems
that monitor or control our electrical grid,
and they've vacuumed up all kinds of sensitive information
to help them plan their attacks.
Now it's only a matter of political will
and desire to test our red lines
that's holding them back from throwing the switch.
The potential consequences would be dramatic,
ranging from
human safety issues to a temporary shutdown of our entire economy. End quote.
Phishing remains a problem and not just for power grids. Mimecast's second annual report on the
state of email security, released today, indicates that phishing and impersonation attacks continue
to trend upward.
Why pursue exotic zero days when social engineering gets you what you're after?
Singapore continues to take measure of the SingHealth breach.
The attackers seemed principally interested in the Prime Minister's records,
but they scooped up millions of others, too.
The story is developing, but investigators in Singapore continue to pursue the theory that the attacker was a nation-state.
Security firm Trend Micro reports a spike in what appear to be Satori infestations
that are using open Android Debug Bridge (ADB) ports to install themselves.
Satori is a variant of the Mirai botnet,
and the code TrendLabs is observing looks like the work of the Satori botmasters.
If you're an Android user, consider turning off ADB USB debugging and apps from unknown sources.
And of course, updating your system is also a good idea, as newer versions of the Android software tend to be more resistant to this kind of attack.
Brian Martin is vice president of vulnerability intelligence at Risk Based Security, and his team recently tracked a vulnerability that seemed to be affecting governments and municipalities using a software package called Click2Gov.
Brian Martin shares what they found.
They noticed that there was a pattern where Click2Gov kept coming up either in the description
or the website URL or some aspect of the disclosure. They decided to investigate a
little further and try to figure out if they're all related, if it was a single website,
like a hosting provider that had been compromised, or if these were
multiple different organizations, or in this case, cities. And it turned out to be one piece
of software they had in common, but they were different deployments across the U.S.
So can you describe to us what exactly is Click2Gov?
It's basically a piece of software written by a company called Superion. And it basically handles a wide variety of government-related resources, everything from allowing citizens to pay bills online for things like water or trash. It can also be used to manage and allow people to look up property records, basically a wide variety of those government services. And one of the things it does is it enables credit card processing.
And that seems to be where some of the problems occurred.
Well, the credit card processing is one of the aspects that basically brought this to light, when those credit cards were compromised and cities had to notify people.
But the actual flaw is kind of underneath that.
It wasn't a flaw in the credit card processing per se, but the underlying software that Click2Gov runs on, actually.
So let's dig in here. What did you all discover? Once you had established that there was a pattern
here, how did you go about trying to discern what was going on, and what did you discover?
Right. So the first thing we did is basically click through and load a lot of these sites just to get a feel for what they were like.
The first thing that we had to identify is if this was a piece of software
that a city would download and host on their own servers,
or if this was part of a managed service or a combination.
And after quite a few sites and going through this,
we determined that the Click2Gov software is run on separate servers by these cities, but the payment processing goes through Superion. So it was kind of a blended solution.
And then once we determined that information and more, we wrote a pretty extensive blog piece covering all of it.
After that, several journalists took interest,
and they were able to get a comment from Superion,
who did not reply to us when we asked for a comment.
And that's when it came to light that the vulnerability that was being exploited
was actually in the underlying software called Oracle WebLogic,
which Click2Gov runs on. So Superion was very quick to say
that their security patches were widely deployed. Over 99% of the customers have applied them,
et cetera, et cetera. What they didn't really cover is that while their software may have
been patched, the vulnerable web server that it's running on wasn't being patched.
So in your estimation, was Superion being coy about this because they didn't want to highlight the fact that they were running on this Oracle system?
It's hard to determine. I think, based on the wording that I've read personally, that yes, they are trying to be a little coy. This is a case where the vendor, even though it's not their software, since they require it to run their software, should have been more proactive.
They should have been telling customers, hey, there's a new set of security patches for WebLogic.
You need to install these in addition to the patches that we send out and basically help drive their customers to maintain a better security posture.
That's Brian Martin from Risk Based Security. You can find a complete accounting of their research into Click2Gov along with Superion's response on the Risk Based Security website.
Microsoft's July patches include a patch of a patch: a zero-day fix made in May to a VBScript engine bug
open to exploitation via Internet Explorer
turned out not to fix things at all.
But it's fixed now, most people think.
A vulnerability found in Bluetooth secure connections pairing
and secure simple pairing can expose paired devices to man-in-the-middle attacks.
As Carnegie Mellon's CERT puts it in their vulnerability note, quote,
Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic
curve parameters used to generate public keys during a Diffie-Hellman key exchange,
which may allow a remote attacker to obtain the encryption key used by the device.
End quote.
The good news is that fixes are currently available from most vendors of Bluetooth products,
and more are to come soon.
You'll need to be within wireless range to exploit the vulnerability,
but that's possible for a war driver or even an evil maid.
Apply the updates as they're available,
and stop looking over your shoulder or in the rearview mirror,
as the case may be.
Speaking of evil maid attacks,
how about those hostile housekeepers, eh?
An evil maid attack is one in which someone with physical access to an unattended machine compromises that machine.
This kind of attack has long been known,
but there's been a tendency to treat it as a kind of interesting outlier,
a real possibility to be sure,
but maybe too complicated and time-consuming
to be something you'd worry about on a regular basis.
But if you thought that, maybe you should think again.
Security firm Eclypsium has posted a demonstration video
that shows how a firmware backdoor could be installed in a laptop in under five minutes.
Four minutes and three seconds, to be precise.
Eclypsium researcher Mickey Shkatov built a small device
that he can clip onto a chip to flash a laptop's firmware or BIOS
with a backdoor or rootkit.
He built the little wonder for the low, low price of just $285,
and he used a generic backdoor that anyone
can find for free on GitHub. You can watch the video easily at Motherboard's article on the
proof of concept. So four minutes and three seconds does it, and we can't help but notice
that he fumbled with his screwdriver a bit, so a mechanical virtuoso could no doubt achieve an
even quicker hack, and there are some physical attacks available that don't even require you to open up a computer's case.
All of these attacks would leave the evil maids plenty of time to make the bed,
empty the trash, leave a mint on your pillow, and pocket the tip.
You do tip housekeeping, don't you?
As a public service, we'd like to remind all you planning to attend Black Hat and DEF CON at the beginning of August that, yes, it's the right thing to do.
Remember housekeeping when you stay in a hotel.
Travel and Leisure magazine says that $2 to $5 per occupant per night is customary and just good manners.
Just leave a few bucks to take care of the people who take care of you.
Remember, most maids are good and not
evil. If you find that housekeeping flashed your firmware, of course, you can reflect your
displeasure in the amount you leave. Installing a rootkit would be housekeeping's equivalent of
the waitstaff sticking their thumbs in your soup. It'd be worse, I guess. A side note on human
intelligence tradecraft. When recruiting agents, the smart human officers don't necessarily want to recruit the head of the enemy's secret police.
They'd be just as happy to obtain the services of the cleaning crew employed by the head of the enemy's secret police,
especially if the head of the enemy's secret police leaves his Chromebook lying around.
Think about it, Chief, and take a look at what you're leaving behind in that hotel wastebasket before you head out to the arsenal or the business hall.
Innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
... and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Emily Wilson.
She's the Director of Analysis at Terbium Labs.
Emily, welcome back.
You recently attended a fraud conference, which is news to me, that there is such a thing. But you had some interesting conversations there.
Bring us up to date. What did you learn? Definitely. I am fresh back from Vegas and
not just a fraud conference, but the fraud conference, in fact, hosted by the Association
of Certified Fraud Examiners. And I spent a couple of days surrounded by all different kinds of fraud professionals, everything from investigators to law enforcement,
auditors, people who are working on different kinds of internal controls, risk and compliance.
I have to tell you, it was a great experience. If you have any interest in getting a better
grasp on what fraud professionals are dealing with, I would recommend this conference. It was really informative.
Now, one of the things you discovered was that the fraud folks and the InfoSec folks
may not be communicating effectively.
I did.
I use this chance as sort of, you know, I go to a lot of different kinds of security
conferences and industry events.
And so this was a chance for me to kind of be a minority
practitioner and do a little kind of impromptu survey of the audience. And I was asking people,
you know, hey, on the fraud side, are you guys discussing kind of your workflow? Are you working
with your security teams? You know, are you guys sharing tools or resources? And I was surprised
to get consistent answers. They were kind of uniform and uniformly
optimistic, I'll say. I heard from people consistently that they are not working as
fraud professionals with their security teams, but they're starting to. It's starting to get
better is how everyone phrased it. And everyone expressed a real desire to see more collaboration. They understand that
security professionals have access to data and intelligence and resources that can impact
the fraud departments. And they want to get their hands on that. They want to collaborate.
They're just not quite sure how to get there. Now, one of the other things you shared with me
is that you spoke to some folks from some large companies that had had breaches, and they found that to be a place to kind of pivot on how they deal with these things.
That's true.
I spoke with a couple of different individuals from companies who have not had the best year or last 18 months, sort of that reaction of, oh, how are things at your organization once you see the name tag?
And what they told me was that these crises, while unfortunate and really disruptive,
have actually been the catalyst for allowing fraud teams to communicate with security teams.
Now, whether because they're getting what they've always asked for,
which is more
conversation and more collaboration, or because of the changes in oversight, it's now required
that the teams work together. And so they have shared budgets and shared resources,
and they're moving people around in departments so that they're shifting perspectives to try and
figure out how to prevent these crises from happening again. And so what I'm trying to figure out,
I think we should all be trying to figure out,
is how can we get ahead of that?
We shouldn't have earth-shattering crises
to get to the point where departments are talking to one another.
What if we can get to it before that happens, and how do we get there?
Yeah, learn from the lessons that they've experienced
and get ahead of the problem.
Yes, if we can get ahead of the problem,
if we can stop this constant struggle of each department reinventing a portion of the wheel
only to find out that everyone else is working in parallel,
if we could, God forbid, all work together on solving problems that impact multiple departments,
maybe some of these crises wouldn't have happened.
Interesting insights. Emily Wilson, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is
Elliott Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.