The CyberWire Daily Podcast 9.14.17
Ep 434 | 9.14.17

Binding Operational Directive 17-01 hits Kaspersky. Point-of-sale malware found in some ElastiSearch servers. BlueBorne proves widespread. Equifax breach updates, industry notes, a look at the Billington Summit.

Transcript

Dave Bittner: [00:00:01:05] A special thanks to all of our Patreon supporters at patreon.com/thecyberwire. If The CyberWire is a valuable part of your day and helps you do the work you do, we hope you'll become a supporter, check it at out patreon.com/thecyberwire. Every little bit helps, thanks.

Dave Bittner: [00:00:19:23] DHS tells the US Executive branch to stop using Kaspersky security software. Kromtech finds Elasticsearch search servers hosting point-of-sale malware. BlueBorne bugs buzz billions of boxes. Equifax says that its breach was accomplished via the Apache Struts flaw patched in April. Industry notes including both venture funding and acquisition news. We take a quick look back at the Billington CyberSecurity Summit and, in a scene soon to be ripped from the headlines, counselor watch yourself, I may not hold you in contempt but, if you continue, I'll cycle power and reboot you.

Dave Bittner: [00:00:59:24] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future, is the real-time threat intelligence company who's patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At The CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely, because that's what you want, actionable intelligence. Sign up for The Cyber Daily email and, every day, you'll receive the top trending indicators Recorded Future captures crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:09:05] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, September 14th, 2017.

Dave Bittner: [00:02:19:11] Yesterday the US Department of Homeland Security issued Binding Operational Directive 17-01, directing that all US Government Executive Branch agencies stop using Kaspersky security software within 90 days. Acting Homeland Security Secretary, Elaine Duke, issued the order, which, as the DHS public statement says, "Calls on departments and agencies to identify any use or presence of Kaspersky products on their information systems in the next 30 days, to develop detailed plans to remove and discontinue present and future use of the products in the next 60 days, and at 90 days, from the date of this directive, unless directed otherwise by DHS based on new information, to begin to implement the agency plans to discontinue use and remove the products from information systems."

Dave Bittner: [00:03:07:20] The directive is based on an assessment of risk, and DHS has not presented evidence publicly of any Kaspersky wrongdoing. It has, however, explained the risk as follows, "Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems. The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security."

Dave Bittner: [00:04:06:23] As White House cybersecurity director, Robert Joyce, commented yesterday at the Billington CyberSecurity Summit, the assessment of risk is based on requirements in Russian law that companies cooperate with the FSB intelligence agency. Joyce agreed with the directive. "It was a risk-based decision and the right call. It's unacceptable that a company could move data to Russia, where law requires it to cooperate with the FSB."

Dave Bittner: [00:04:33:19] The Binding Operational Directive is perhaps not so final as it might appear. DHS says, at the end of its statement, that it's providing Kaspersky with the opportunity to submit a written response addressing or mitigating security concerns. Anyone else who has an interest in the matter will also be afforded the opportunity to comment. Watch the Federal Register for Notices affecting Binding Operational Directive 17-01.

Dave Bittner: [00:05:00:15] We've got an interesting cyber security story from Brazil to share today, Renato Marinho, is chief research officer at, Morphus Labs. A friend of his called about an interesting incident involving some social engineering. Someone with a good bit of specific knowledge about the friend's company called an employee and their finance department and told them that he was from their bank, and that unless they updated their system with some specific software they would lose access to their online banking system, which, of course, was important for their day-to-day operations. Mr. Marinho picks up the story from there.

Renato Marinho: [00:05:32:19] Their call was recorded, fortunately the employee didn't follow the instructions and ended the call. He suspected that it was a scam and talked to the person in charge of information security inside of the company, that was my friend. When he sent me the audio recording of that call, I became very impressed about how it was done. It was done in a very professional way, it seems that the attacker was calling from a Rio call center, because of the background noise. I received the URL that the guy was enticing the victim to access, and that was the moment that I perceived that the URL was pointing to the Google Chrome app store. I knew it was a very different way of attack and started to analyze the DeX Station code.

Dave Bittner: [00:06:28:11] And so what did you find?

Renato Marinho: [00:06:29:17] When I started to analyze the source code it was not difficult to reverse engineer it because it was written in JavaScript. The first thing I note was the extension was waiting for the user to access a specific banking URL, was waiting for the user to type their credentials and the website. It was prepared to capture the credentials and send to a remote server. The server, of course, was an attacker host and it was receiving the credentials the user was typing.

Dave Bittner: [00:07:06:00] What was the name of the Chrome extension? What was it disguising itself as?

Renato Marinho: [00:07:11:13] The name is very strange, it's Interface Online, it's nothing to see about the banking name. It was also strange that there was no screenshot. Another interesting point is that the Chrome extension, virus total hit was zero. It's interesting to note that it was not identified by the anti-virus solutions, it was installed by at least 30 victims.

Dave Bittner: [00:07:40:11] Is the extension still on the Google Chrome store? Has it been pulled?

Renato Marinho: [00:07:45:01] No, it isn't online anymore. After we reported to Google about the incident they removed the extension from their app store. After one day, we note that the extension came back with another name. We report to Google again and they removed the extension for the second time.

Dave Bittner: [00:08:06:07] What is your advice for organizations looking to protect themselves against this sort of thing?

Renato Marinho: [00:08:12:02] I think that it’s very difficult for a regular employee to detect this kind of attack because we are talking about extensions hosted at Google Chrome official store and we usually put much trust into these big companies. For example, user may suspect about the number of downloads of that extension, the extension name, there was no screen shot or information about the bank itself into the extension. The extension asking for much permissions aside of the browser; it asked you to read and to write any field inside any website. I think that at that point, Google could improve their security when an extension ask for read some field including sensitive information like passwords. The user should be alerted or could be asking for additional permission to do that.

Dave Bittner: [00:09:15:18] That's Renato Marinho, from Morphus Labs.

Dave Bittner: [00:09:20:05] Kromtech Security says it's found more than 4000 Elasticsearch servers hosting files related to Alina POS and Jack POS, both strains of point-of-sale malware. Both of the affected Elasticsearch servers are to be found in Amazon Web Services. Alina POS and Jack POS use the servers to collect, encrypt and transfer credit card information scraped from point-of-sale terminals or infected Windows machines.

Dave Bittner: [00:09:49:06] The BlueBorne vulnerability in Bluetooth, whose discovery Armis Lab announced Tuesday, may have been addressed by both Microsoft and Google in their most recent patches, but the estimated rates of susceptibility to attack through this vector are astonishingly high. More than five billion devices worldwide are thought to be vulnerable. As usual, patching them all will amount to another labor of Hercules. Until you're sure you're patched and up-to-date, experts are advising people to turn off Bluetooth when it's not in use.

Dave Bittner: [00:10:20:21] Equifax has cleared up the confusion over which vulnerability attackers used in their massive theft of the credit bureau's data. It was the earlier Apache Struts vulnerability, CVE 2017-5638, which was patched in April, some two months before Equifax sustained its attack. The credit bureau had earlier suggested that it was the victim of an attack that used either a much more recently patched Apache Struts vulnerability or some hitherto unknown zero-day. But no, it's the old bug after all.

Dave Bittner: [00:10:53:08] There's some piling on, okay, a lot of piling on. Rival credit bureau, Experian, complains that Equifax's clumsy disclosures have impeded Experian's ability to ensure the security of the data it holds. Tom's Guide reports that other credit bureau systems in India may have been vulnerable to the same Apache Struts bug that affected Equifax, although there are no reports of other data breaches similar to those Equifax sustained. And there's been unseemly schadenfreude over Equifax's choice of passwords for admin accounts in its Argentinian operations, username "admin", password "admin", which would seem easy enough to remember

Dave Bittner: [00:11:36:18] In industry news, AppGuard announces that it's closed a $30M round of Series B funding. Silent Circle is buying Kesala, and Thales announced its purchase of Guavus. Brocade's acquisition by Broadcom is proving rocky for employees, reports indicate, with several executives departing early over uncertainties as to when the deal will actually close.

Dave Bittner: [00:12:00:21] The annual Billington CyberSecurity Summit was held in Washington, and the industry and government leaders who spoke agreed that proliferation of the internet-of-things, designed for the most part with inadequate attention to security, has vastly increased the attack surface US critical infrastructure presents to adversaries. There was a great deal of clarity on the part of the Director of National Intelligence and others as to who those adversaries in cyberspace are: Russia, front and center, of course, and out to erode public trust; China, interested mostly in economic advantage; Iran, a dangerous, regional, junior version of Russia; North Korea, determined to secure survival of Mr. Kim by whatever means it deems necessary, and violent extremist groups, a euphemism for ISIS and competing jihadist organizations. These last have negligible hacking capability, at least so far, but they've excelled at information operations. We have further accounts of the Summit on our website, with more coming.

Dave Bittner: [00:13:02:05] And, to return to the Equifax breach, the US Federal Trade Commission has opened an investigation into the incident, and the US Senate is making noises about conducting its own inquiries. Even the robots are piling on. Most legal practice has yet to be automated, but there's an undercurrent of suspicion that the profession may be as ripe for disruption by robots as the long-haul trucking industry seems to be.

Dave Bittner: [00:13:25:23] DoNotPay, a robo-lawyer best known for helping drivers appeal and beat parking tickets, has apparently joined the plaintiff's bar. DoNotPay will provide aggrieved victims of the breach with the documents they need to sue Equifax in small claims court. You can apparently do this for damages of up to $25,000. And, if you don't like how your lawyer's dealing with you, just reboot.

Dave Bittner: [00:13:54:16] Time to share some information from our sponsor, Cylance. We've been following WannaCry, Petya, NotPetya and other forms of destructive ransomware for weeks. Cylance would like you to know that they can prevent Petya-like ransomware from executing in your system, and they'd also like you to know that they've been doing that since October of 2015. How's that for getting ahead of the threat? Their success against NotPetya demonstrates the benefits of their temporal predictive advantage. Cylance Protect stops both file and fileless malware, it runs silently in the background and, best of all, it doesn't suffer from the blindspots in legacy defenses that NotPetya exploited to such devastating effect. If you don't have Cylance Protect, and if you'd like to learn more about how it can defend your enterprise, contact them at cylance.com and find out how their AI driven solution can predict and prevent the unknown unknowns from troubling you, and we thank Cylance for sponsoring our show.

Dave Bittner: [00:14:56:01] Joining me once again is, Johannes Ullrich, he's from the SANS Technology Institute and also the ISC Stormcast Podcast. Johannes, welcome back, you wanted to give us an update today on the Mirai botnet. What do we need to know?

Johannes Ullrich: [00:15:09:10] Yes, the Mirai botnet really started to emerge about a year ago. That's when we saw the first wave of attacks that used this magic password that these security camera DVRs are vulnerable for. Now, what we really see is that it hasn't really let up. There are still probably 100,000 or more infected systems out there. They are constantly scanning the internet. I connected one of these DVR's to my standard small business cable modem connection and within two minutes, repeatedly it got infected with various versions of this matter. So, essentially, as an end-user, you have not a chance to download a patch or apply security settings if you're connecting a system like this to an open-ended connection these days.

Dave Bittner: [00:16:06:02] With these cameras, is there any way of using them safely or is it better just to avoid them altogether?

Johannes Ullrich: [00:16:12:07] The best thing it to avoid them altogether, there is no simple patch for them. Some of them supposedly have firmware updates but they're very difficult to find and to apply. You may be able to put them behind a firewall but then again, you're losing some functionality because now you're no longer able to remote access your security footage, which is one of the features people install them for.

Dave Bittner: [00:16:37:19] Is there a master database where, if you're in the market for a security camera, you can check to make sure it's not vulnerable to this?

Johannes Ullrich: [00:16:44:05] That's a real tricky part. There are some databases like this but the problem is that these cameras, or a lot of these DVR's that these cameras connect to, they are being sold under a large number of different brand names. There were only three, four different manufacturers but they're being sold under dozens of different brand names. For the end-user, it's very difficult to figure out if they're receiving a vulnerable model or not.

Dave Bittner: [00:17:10:15] All right, good information as always. Johannes Ullrich, thank you for joining us.

Dave Bittner: [00:17:17:03] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence visit, cylance.com.

Dave Bittner: [00:17:34:20] Thanks to all of our supporters on Patreon and, if supporting us on Patreon is just beyond your means, well, we understand but we hope you'll take the time to leave us a review on iTunes, it's another way you can help support the show and it really does help people find us.

Dave Bittner: [00:17:48:05] The CyberWire podcast is produced by Pratt Street Media, our editor is John Petrik. Social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.