Following up on security scrambles in Sweden and Ukraine. #LeakTheAnalyst. Blu Product phones booted by Amazon. BitCoin's hard fork. The Internet of Things Cybersecurity Improvement Act of 2017.

Dave Bittner: [00:00:01:02] A heartfelt thanks to all of our Patreon supporters for helping us do what we do here everyday. If you're not yet a supporter, we hope you'll check it out at patreon.com/thecyberwire.

Dave Bittner: [00:00:13:13] We've got some midweek follow up: the latest on Operation #LeakTheAnalyst, firmware spyware in down-market phones, Sweden's big breach, and Ukraine's new cyber friends. BrickerBot is back, offering Indian routers and modems unwelcome help. The US Senate considers IoT security legislation, and the US Justice Department issues a framework with guidelines for bug-hunting programs. Bitcoin's hard fork occurred yesterday. And why do people care about the HBO hack? It's not just because winter is coming.

Dave Bittner: [00:00:47:13] Now I want to share some notes from our sponsor Cylance. We've been following WannaCry, Petya, NotPetya and other forms of destructive ransomware for weeks. Cylance would like you to know that they can prevent Petya like ransomware from executing in your system. They'd also like you to know that they've been doing that since October of 2015. How's that for getting ahead of the threat? Their success against NotPetya demonstrates the benefit of their temporal predictive advantage. Cylance protects, stops both file and fileless malware. It runs silently in the background, and best of all, it doesn't suffer from the blind spots in legacy defenses that NotPetya exploited to such devastating effect. If you don't have Cylance Protect, and if you'd like to learn more about how it can defend your enterprise, contact them at cylance.com and find out how their AI driven solution can predict and prevent the unknown unknowns from troubling you. That's cylance.com. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:53:06] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, August 2nd, 2017.

Dave Bittner: [00:02:03:03] Today we follow up on stories that have been developing over the past few days. FireEye confirms, again, that its own systems weren't penetrated by Hacker Group 31337 in Operation #LeakTheAnalyst. But the company has disclosed that information about two customers was exposed in the successful hack of a Mandiant analyst's own accounts. The company is working with the affected customers.

Dave Bittner: [00:02:27:12] Amazon is stopping sales of low-cost Android phones produced by Blu Products, citing researchers' discovery of spyware in the phones' firmware.

Dave Bittner: [00:02:37:07] Observers worry that the HBO hack (involving Game of Thrones among other properties) will prove a bellwether: a cheap way for a hacking group to gain publicity. Another note on pirated shows, they're usually obtained from BitTorrent, which in recent months has become, as ESET points out, a notoriously malware-laden way of getting content. Resist the urge to go there just to find out early what's happening in Game of Thrones. We can assure you of one thing: winter is coming.

Dave Bittner: [00:03:06:04] Sweden's government continues to scramble to lock down sensitive data in the wake of a longstanding and botched outsourcing of transport ministry information. Two members of the government have been forced out (they held the interior and infrastructure portfolios) and more may follow. The investigation of the incident has now spread to six state agencies, and remediation is not expected to be complete until some time next month. Several members of the cabinet are also said to have been aware of the problem but kept the prime minister in the dark for eighteen months. Expert opinion tends to see the episode as indicating government officials' gross naiveté with respect to information security.

Dave Bittner: [00:03:45:24] Ukraine, facing continued Russian pressure in cyberspace and a guttering hybrid war on the ground, is also beefing up its defenses, probably with a significant degree of Western help and help from countries in the Near Abroad, especially Moldova, in which Ukraine has developed a close and valued cyber intelligence-sharing relationship. From the West, help is arriving mostly from the UK and the US, with forensic and cyber law enforcement expertise among the first support to arrive. Russia isn't pleased with such cozying up to its adversaries, and relations with the US in particular have become frosty. US Secretary of State Tillerson recently warned Moscow that US-Russian relations "Could get worse. And they just did."

Dave Bittner: [00:04:30:01] There's that famous quote attributed to bank robber Willie Sutton, when asked "Why do you rob banks?" He replied: "That's where the money is." And these days, the same could be said for financial institutions and cyber attacks. David Murray is Chief Business Development Officer at CorVel, providers of streaming real time analytics, and he provides us with some insights on the challenges facing financial institutions.

David Murray: [00:04:52:23] First of all, you have criminal activity. That's a big driver of ransomware. Data is important. There's a tremendous amount of financial data held by financial organizations, and therefore about individuals, and so if you're able to access that information it provides attackers a treasure trove of information that they can use for other attacks. You'll see that, you know, obviously wherever there are banks and money, there's libel to be agreed somewhere nearby and there's certainly a fair number of hacktivists, who get involved and take a righteous approach that they may be able to embarrass a bank or look at huge disparities in pay between senior executives and employees at banks and what not. You have, in some cases, espionage, as a risk to bank, both in terms of key deals that the bank may be working. So for merger and acquisition or investment banking activity, that would be extremely valuable, as well as just understanding key accounts and key targets. And then you've got nation state attackers. So banks are very much a critical infrastructure of any nation and so, if you're able to disrupt the banks, then you're able to ultimately trigger a result, an outcome that may be deemed successful.

Dave Bittner: [00:06:15:10] And, you know, as you say, we certainly hear about the high profile stories. We hear when millions of dollars get stolen and so forth, but I guess, as with many things, we don't hear the stories about the success defense, about the theft that is thwarted. Can you give us some perspective on that. How do the financial services do overall?

David Murray: [00:06:35:10] I think they're among the most sophisticated security teams in the industry. I mean they have to be, because they are such a target. And so, your point is a good one, there are countless, countless critical saves that are accomplished by financial services security teams. You know, it's not unusual for it to be very cyclical with security, while there is a constant stream of attacks and threats across, whether it's through credit card fraud, or market disruption drivers, or someone stealing credentials to log into a brokerage account. And then there is just the constant bombardment of attacks against overall financial services infrastructure. The financial services community has done a pretty good job in the past of being able to pool as a community and at least share information about common attacks that are hitting them at a given period of time. The access and the cost of launching a successful cyber attack is only dropping over time, and that's certainly driving an increase in supply. The same technologies that allow cyber security professionals to look, manage more data and be able to try to identify anomalies are the same technologies that are being used, or the same core technology capability that bad actors are using to attack. And they have a surface which is far more variable, which is social engineering and working through individuals, so that will continue, and they'll continue to use machine learning to test different models and approaches for compromise.

Dave Bittner: [00:08:17:05] That's David Murray from CorVil.

Dave Bittner: [00:08:20:21] BrickerBot is back, its author claiming responsibility for an attack on modems and routers in India. BrickerBot sees itself as a positive, vigilante operation, hitting poorly secured Internet-of-things devices and, as its name implies, bricking them, rendering them inoperable, before they can be roped into a larger, dangerous botnets. BrickerBot's victims have not generally welcomed its ministrations, so it's difficult to count BrickerBot among the good guys, whatever its intentions may be.

Dave Bittner: [00:08:50:11] A better approach to IoT security may be embodied in a bipartisan bill introduced this week in the US Senate. The Internet of Things Cybersecurity Improvement Act of 2017 seeks to incentivize good security by requiring vendors to meet certain baseline IoT security standards before they can sell to the US Government. The principal sponsors are Senators Mark Warner of Virginia and Cory Gardner of Colorado, the co-chairs of the Senate Cybersecurity Caucus, joined by Senators Ron Wyden of Oregon and Steve Daines of Montana. The legislation's core provisions would require vendors to ensure their devices can be patched, that they use industry-standard protocols, and that they contain neither hard-coded passwords nor known vulnerabilities. The bill's provisions include protections for legitimate security researchers, something other legislation is often thought to have overlooked. Supporters see it as an improvement over what Senator Wyden calls the "overly broad" legislation currently in effect, notably the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act. Under the new legislation, White hats would be specifically protected from prosecution under those two laws.

Dave Bittner: [00:10:01:00] Concern about exposure to prosecution also motivated the US Department of Justice to issue a framework with guidelines for setting up vulnerability disclosure programs, including bug bounties. The goal, Justice says, is to substantially reduce "the likelihood that such described activities," that is, vulnerability research and responsible disclosure, "will result in a civil or criminal violation of law under the Computer Fraud and Abuse Act.”

Dave Bittner: [00:10:28:19] Bitcoin's hard fork occurred yesterday as expected, splitting into Bitcoin and Bitcoin cash. If the latter, smaller currency is successful, observers see positive competition. They also see jockeying for the legacy of legendary Bitcoin creator Satoshi Nakamoto, wherever Nakamoto-san may be. Satoshi? Give us a call.

Dave Bittner: [00:10:55:13] A quick note about some research from our sponsor, Cylance. The hoods at Shell Crew, an organized cyber crime gang, are using and improving a family of malware Cylance calls StreamX. Unfortunately, StreamX flies below the radar of conventional signature based antivirus solutions, and when it gets in, all kinds of bad things follow. Shell Crew can modify your file system or registry, create system services, enumerate your resources, scan for security tools, change browser settings and, of course, execute remote commands. StreamX is being served up by some legitimate websites, mostly Korean. It's a nasty rat you want nothing to do with. To get the information on StreamX, go to cylance.com/blog and check out the paper on Shell Crew. That's cylance.com/blog. And while you're there, find out how to defend yourself from this and other threats with Cylance Protect. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:11:54:00] And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Robert, we were talking, of course, with you about ICS attacks, and I thought we'd address some basics here. How do ICS attacks happen, particularly here in the United States?

Robert M. Lee: [00:12:08:15] Yeah, a great question. So, when the industry, and sort of what I’ll call the larger IT security industry, has historically evaluated intrusions. One of the models that a lot of people use is the Cyber Kill Chain. And this idea of stepping through the steps an adversary can take, and it's not really about predicting every possible step they're going to do. It's really about clumping things together in a structured schema, you know, data into buckets that people can analyze and draw knowledge from. And in an IT, a lot of what we hear as called “cyberattacks,” are really just intrusions or espionage or theft. Right, I break into a bank and I steal a lot of credit cards. Well that's not really an attack. You didn't lose availability of your systems, and you didn't have destruction, you know, take place, but obviously it's very personal and companies call it attacks.

Robert M. Lee: [00:12:57:11] In industrial control systems, though, the type of systems that run our power grids and water facilities and oil and gas companies, there's nuance there about what an attack actually means. And to be an attack in an ICS, it really needs to manipulate or disrupt or potentially destroy the industrial process or its equipment, and we've seen Stuxnet in 2010 physically destroy centrifuges. We saw, in 2015 and in 2016, a cyber attack disrupt the electric grid in Ukraine. So there's nuance in what that means, and when we look at how it happens in industrial environments, we usually refer to the ICS cyber kill chain, and it goes to show that the IT kill chain that most use is just the first stage of an attack. The second stage is where the adversaries have to develop specific knowledge or tradecraft or capabilities, like malware, test it out, redeliver it into the industrial environment and actually execute that specific attack. One piece of malware developed for a petrochemical process is not really going to be able to disrupt in a high confidence way a nuclear emission process. We have very, very specific environments.

Robert M. Lee: [00:14:13:01] So I would say that what we generally see in the media and what we generally hear about, is that first stage. And the question is always in our mind of, is it going to go to that second stage? The adversary is gathering the type of data in stage one, that they would actually move to stage two. So, to give you two examples, in the United States, we heard a while ago about the breaches into the energy sector, and we heard about spearphishing emails being delivered to a nuclear site as well as a couple of power companies, about 14 in total. That is very interesting, but it's not an attack, and it didn't need all the alarmism that we saw. Nobody was at risk. No industry control systems were compromised. It was the business networks, the IT networks of those facilities. The question is what were they stealing? If it was, you know, normal espionage inside those business networks, there's no indication they could go to a stage two. But on the converse, we see discussions in the UK and Ireland about maybe a similar, if not the same group, targeting energy sites there, but also targeting engineering firms, these third party data source holders, where they have the physical layouts in the industrial environment, the engineering documentation, integration documents, and stealing those off. That's the type of stage one activity that gives us pause, because that's the type of stage one espionage that you would need to facilitate a stage two. Not saying that it is going to happen, but that's what we look for when we're looking for that nuance of when do we really care about a stage one impact? And when do we think that a stage two is even possible? And that nuance is hard to capture sometimes, but that is at a high level, a simple breakdown of really how ICS cyber attacks occur.

Dave Bittner: [00:15:47:10] All right, Robert M. Lee, thanks for joining us.

Dave Bittner: [00:15:52:06] And that's the CyberWire. Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance and how they can help protect you using artificial intelligence, visit cylance.com. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.