In the film “Ocean’s 11,” Danny Ocean and his team of expert cybercriminals execute a daring casino heist in glitzy Las Vegas.
This past summer at the Black Hat and DEF CON conferences in Sin City, the editorial staff at SC Media attempted to pull off a less ambitious – and decidedly more legal – caper of its own. With far less success.
The job: Complete a full series of video interviews with leading cyber experts, all while riding the world’s largest ferris wheel.
As a bonus, we even invited a pair of wireless researchers from the DEF CON Wireless Village to accompany us on the ride and use their equipment to sniff out whatever devices and signals they could detect along our 360-degree journey.
Our crew was set: one reporter + one cameraman + two wireless researchers + five experts + two PR associates for logistical support = SC’s 11.
As it turned out, Ocean’s 11 would have a much easier time of it.
The first challenge was getting on the ride in the first place, without breaking any rules. Ferris wheel policy didn’t allow professional video cameras, so we steered clear of this problem by filming only with an iPhone. Meanwhile, wireless researchers Rick Farina and Rick Mellendick inquired in advance to make sure nothing they would bring on board was forbidden and were given a thumbs up that all was well.
Still, it was tempting fate when, for dramatic effect, Mellendick decided to handcuff himself to the protective case carrying his equipment. Surely, even in Vegas, this odd sight would cause a scene once we reached security, wouldn’t it? But after a few curious questions from the guards at the metal detectors, we were sent on our way.
The next phase of the plan was to perform four interviews with our five experts (two were a duo who were interviewed together) in 30 minutes of ride time, before we quite literally came full circle. Mission accomplished there – just barely – as we finished our final interview right as it was time to disembark. Feeling victorious, we hurriedly gathered our belongings and stepped out of the cabin.
That’s when we ran into a woman in charge of security. And she was not happy.
The security manager began interrogating our group, insisting that we should never have been allowed to board the ferris wheel while carrying electronic equipment – especially during DEF CON week. But since we didn’t actually bring any officially prohibited items, she let us pass. But not before making an ominous statement along these lines: “Excuse me, I have to go fire some people.” (We certainly hope no one was actually fired when it appears everyone had followed the rules.)
Whew. That was a close one. But at least we got our footage, right? Well, not exactly. The next morning, we discovered that the audio did not record correctly. Nothing but static. It was the equivalent of the Ocean’s 11 crew escaping the casino with bags of loot, only to find they were filled with Monopoly money.
But we weren’t about to let that stop us. So, nearly three months later, SC Media is finally pleased to present a photo essay of our Las Vegas (mis)adventure, featuring Q&A commentary from our guests, who were kind enough to recreate some of their talking points from the ride.
Who would have thought that a slow, scenic trip on a ferris wheel would turn into such a roller coaster ride?
See our interviews, below:
Our first guest passenger was Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.
SC: Sherrod, during our ferris wheel interview you described some of the recent activity of the cybercriminal threat group TA505, which historically has been associated with the Dridex banking trojan and Locky ransomware. What are the latest developments with this actor?
SD: This summer, we observed TA505 introduce a new downloader malware, AndroMut, which has some similarities in code and behavior to Andromeda, a long-established malware family. Our researchers identified two distinct campaigns by TA505 that used AndroMut to download [the remote access trojan] FlawedAmmyy. These attacks appeared to be targeted carefully by geography and somewhat targeted by industry, especially in Singapore and the UAE, where attacks were dramatically skewed towards financial services organizations.
Our research has followed TA505’s evolution over the last few years from an extremely high-volume actor dealing in global ransomware and banking Trojan campaigns to a targeted actor focused on regional campaigns and malware ranging from downloaders to sophisticated remote access trojans. This group is both adaptable and adept at following the money. They tend to set trends across the malware landscape, so, at this point, it appears that they are adapting to changing conditions based on regional and vertical targeting, as well as the types of malware they are distributing. Some of these conditions may relate to cryptocurrency volatility and adaptations of defenders to previous malware strains they distributed en masse.
SC: During the interview, we noted that you are from Georgia, which has been hit repeatedly by ransomware attacks on a local and city level. Please explain why municipalities have become such an appealing target. Also, you mentioned that you may have even been indirectly affected by the SamSam ransomware attack on Atlanta. Please explain.
SD: Threat actors recognize that municipalities typically have outdated information security protections and lack the resources necessary to recover quickly from an attack. These factors, along with their broad swath of responsibilities and relatively deep pockets, have made them more attractive targets in recent years. Additionally, ransomware actors look for the best, highest payout potential and focus their efforts there. A municipality has access to funds in excess of what consumer users or most small or medium businesses would have available that they can relatively easily divert to regain access to their systems, making them a lucrative target.
I was actually pulled over by a police officer in Atlanta during the city’s SamSam ransomware attack. Because the police department’s systems were down, I was let go without a ticket.
SC: You also mentioned the most paranoid thing you’ve seen someone do to keep secure at Black Hat and DEF CON. Is there such a thing as being too paranoid?
SD: I don’t think there is such a thing as too paranoid. Everyone should take every possible precaution to protect themselves and their digital identities. However, I have seen extreme acts taken at Black Hat/DEF CON that don’t have any impact on security, like tinfoil-wrapping an entire hotel room. That’s probably more for fun than actual security. I’ve seen people handcuff their tech to their wrist. That’s pretty paranoid, but also important if you’re forgetful.
As we climbed toward the apex of our ascent, we were joined by a duo from Webroot: Tyler Moffitt, senior threat research analyst, and Jason Davison, advanced threat research analyst.
SC: Last year, the big ransomware threat was GandCrab. That changed following the developers’ supposed retirement. Now there’s a new threat, Sodinokibi, which also uses a ransomware-as-a-service model. Based on your observations, what makes this threat unique and dangerous? And what has led experts to conclude that Sodinokibi was created by GandCrab’s developers?
TM and JD: GandCrab was one of the most successful RaaS (Ransomware as a Service) operations we’ve seen to date. Due to their success, they [GandCrab’s developers] received attention from researchers and the media alike. It’s not uncommon for successful threat actors who receive a lot of attention to try and start new projects in an attempt to remain successful. There are extremely strong ties between GandCrab and Sodinokibi. We even found an early decryptor binary listed as “gc6” (assumed to be GandCrab 6, since the last known distributed version of GandCrab was version 5.2) in the PDB path.
SC: You’ve also been following several DNS hijacking campaigns in which malicious actors, perhaps government-sponsored, are altering internet records to reroute website visitors to attacker-controlled sites. Explain how this scheme works and why it is such a serious threat to the integrity of the internet’s infrastructure.
TM and JD: DNS is an older, fundamental part of networking that didn’t really account for security too much when it was initially designed. Attacks have been reported targeting mainly government and military organizations in the Middle East and North Africa regions. At a high level, the attack is to manipulate DNS name records to then redirect to hacker-controlled servers. This is critical because attackers are leveraging the trust placed on DNS systems to successfully attack users.
SC: We also talked about DEF CON being famous for hackers trying to hack into everything – elevators, hotel rooms, ATMs, etc. What’s the most unusual device/system hack you’ve researched or witnessed, at DEF CON or elsewhere?
TM and JD: I haven’t seen anything too crazy with my own eyes other than construction signs hacked to say “ZOMBIES AHEAD.” Also, all the speakers at the Bellagio casino were once hijacked to play Rick Astley’s “Never Gonna Give You Up.”
Halfway home! Our next guest was Dr. Richard Gold, director of security engineering at Digital Shadows.
SC: Over the summer, the Senate Intel Committee released volume one of a report detailing Russian interference in the 2016 U.S. elections. You have followed reputed Russian APT actor APT 28/Fancy Bear closely. What were your reactions to the report?
RG: The report really lays out how the Russian intrusion groups took an “offense in depth” approach to their activities; that is, they conducted a very broad campaign against a number of targets using a wide variety of methods. The report goes into detail on the activity around the election infrastructure in a number of states. This is all in addition to the intrusions into the DNC [Democratic National Committee] and the DCCC [Democratic Congressional Campaign Committee] and the misinformation campaigns that have also been attributed to Russian groups. With the 2020 election looming large, the report clearly indicates the need for shoring up the security of any systems around elections and political campaigns.
SC: How great is your concern that Fancy Bear is willing and able to take more extreme measures next year and actually alter voter information (to cause chaos or disqualify certain voters) and/or change vote tallies?
RG: It is certainly possible. However, they had this access in 2016 and they did not use it, indicating that they didn’t need to use this access in order to achieve their goals. That does not mean that they will not use this access in 2020 as the target environment for these groups has changed in the last four years. There is more awareness of the threat posed by foreign interference than there was in 2016 so it may require hostile groups to go further in order to achieve their goals.
SC: You also have closely followed Hidden Cobra/Lazarus Group. During Black Hat, news broke that the reputed North Korean APT group has collected $2 billion in illegal funds. What has made Lazarus Group so effective and lucrative over the years?
RG: Lazarus/Hidden Cobra is adept at “following the money,” to use a well-known phrase. They have consistently targeted organizations that handle large sums of money but do not necessarily have the same level of security as some more mature organizations. They have targeted cryptocurrency exchanges and financial institutions where the attackers had uncovered security weaknesses. This increased the likelihood that their intrusions would be successful, that they would be able to steal substantial amounts of money, and would be unlikely to be detected.
Our final on-board guest was Ben Seri, vice president of research at Armis. Ben took us through the Armis team’s discovery of URGENT/11, a series of vulnerabilities found in the real-time operating system (RTOS) VxWorks. More than 2 billion devices operate on VxWorks, about 200 million of which were judged to be affected by the flaws.
SC: Ben, please summarize your URGENT/11 presentation at Black Hat, and the nature of the vulnerabilities you discovered.
BS: At Black Hat, we presented our findings, and did a deep dive on some of the most interesting of the discovered vulnerabilities. Many of the discovered vulnerabilities were found in esoteric features of the TCP and IP protocols that are rarely used but nevertheless implemented, even in modern TCP/IP stacks. These esoteric features tend to be overlooked by both developers and pen testers, and therefore might end up containing very critical vulnerabilities.
SC: We talked about how vulnerability researchers have largely overlooked real-time operating systems. Why is this the case?
BS: There are a couple of reasons researchers overlook real-time operating systems. First of all, researching RTOSs is challenging – many of these operating systems are closed-source, and not easily debuggable. So to start hunting for vulnerabilities in such systems, a researcher would first need to invest significant time in preparing tools. Other reasons might be the competitive nature of researchers, who are mainly focused on the security of their personal devices – PCs and mobile phones. In addition, researchers have a much greater incentive to search for vulnerabilities in devices of companies that have bug bounty programs, for instance.
SC: I understand that since we last spoke in Vegas, it was determined that other RTOSs are similarly affected by the vulnerabilities because they share the flawed TCP/IP stack component known as IPnet. Please elaborate.
BS: The IPnet TCP/IP stack was indeed a standalone product that was licensed to users of various RTOSs in the past. Armis actually discovered this through the BD Alaris infusion pump, a widely used infusion pump that was detected as running the IPnet stack in a hospital environment where the Armis solution is used. The surprising factor was that this device is not based on VxWorks. That fact led us to further investigate the reach of these URGENT/11 [vulnerabilities]. It is surprisingly difficult to determine the OS used by medical devices, and embedded devices in general, let alone the TCP/IP stack that powers the network connectivity function of these devices. A vulnerability in a widespread component, such as the IPnet stack, is a case of a software supply chain vulnerability that unfortunately affects any device or operating system that uses it.
With our feet firmly planted back on earth, we finally turned to our wireless detectives Rick Mellendick, chief security officer at PI Achievers, and Rick Farina, senior product manager with Aruba, a Hewlett Packard Company. The two Ricks ran this year’s DEF CON Wireless Village, and so we had asked them to bring some special equipment aboard the ride to passively – and legally – monitor the local environment for notable device activity. (You might remember them from our 2019 Trolley Talk segment at the RSA conference.)
SC: Explain your point of view of what happened at the end of the ride with ferris wheel security.
RF: The most likely explanation? The manager saw what appeared to be an interview and accosted the people who looked like they were carrying camera equipment. When she realized we didn’t have professional camera equipment, she claimed DEF CON attendees aren’t allowed to bring any electronics, which seems reductio ad absurdum. In truth, their physical security was about what would be expected at most places. We had a briefcase full of stuff, we showed them inside, it wasn’t dangerous or otherwise prohibited, so they let us through (despite the silliness with the handcuffs). Once we were past main security, and we powered up the kit, I am a bit surprised no one cared that Rick and I were tethered together. Again, all of our stuff was already checked, but I would say we behaved sufficiently atypically in a manner that would have easily justified additional scrutiny.
SC: Describe the equipment you brought with you for this particular mission, and what you were looking for.
RF: We brought a hard case full of wireless monitoring equipment; specifically, a small Intel Compute Stick, four general-purpose software-defined radios for looking at different types of standard sensors and wireless remotes, one ADS-B-specific SDR (Software Defined Radio) for tracking airplanes, three Wi-Fi cards for monitoring Wi-Fi traffic, one Bluetooth dongle for monitoring Bluetooth and Bluetooth Smart, two 802.15.4 (Zigbee) dongles for monitoring 802.15.4 in 900 MHz and 2.4 GHz, and two Crazyradio PA dongles for monitoring wireless keyboards and mice. Basically, our goal was to see everything we could easily see passively, specifically using a free open-source tool called Kismet.
SC: Did the height of the ferris wheel present any unique opportunities to capture data? Also, did the ferris wheel present any unique challenges or obstacles that hindered data collection?
RF: The overall design of a ferris wheel does obviously lend a great opportunity for gaining some altitude, which removes the lower height obstructions like buildings and lets us pick up signals from farther away. Being Vegas, however, the pods of the ferris wheel likely use nice expensive low-e glass, which works as a shielding against much of the electromagnetic spectrum, as it is specifically designed to block out things such as infrared light. While these two things balanced out quite a bit, being in an enclosed space that was moving around (a ferris wheel in our case, but it could be a subway or a train or a bus) gave us the unique opportunity to really “get to know” everyone around us. We profiled how many phones we saw, and based on signal strength and duration seen it was obvious who was in the pod with us and who was not. While we only acted passively, there was more than enough time to consider a targeted attack against our fellow ride enthusiasts, which remained purely theoretical. The same thing could easily happen every day on the yellow or blue metro lines in Washington DC, or anywhere else where it may be interesting to profile people via their electronics.
SC: Ultimately, what did you find? Give us some specific examples of interesting observations, and then share with us your total statistics!
RM: We saw seven wireless mice and keyboards, as well as hundreds of active Bluetooth radios (both associated and probing). We saw a typical amount of Wi-Fi, and many other associated signals.
* 1,496 Bluetooth devices
* 1,286 Wi-Fi devices including both clients and access points
* two temperature sensors
* seven wireless mice and/or keyboards
* 65 aircraft
RF: So here’s how I broke it down and my assumptions: Wireless keyboards and mice have a fairly short range. The low-e glass also limits our range. As such, it’s extremely likely that the wireless keyboards and mice were in use on the [cocktail] bar-equipped ferris wheel cars.
The temperature sensors are also pretty short range typically. We saw one that was an appropriate temperature for a refrigerator, and one that was the current outside temperature. Range is a bit further on these things, but I wouldn’t be surprised to learn that one was in a refrigerator and one was monitoring outdoor temperature for some monitor system or a sign with the temperature.
SC: Finally, a question for Rick M.: Explain why you handcuffed yourself to the equipment and, since you didn’t have a key, how long did it take to pick yourself out of it?
RF: I’m not Rick M, but I’m going to go out on a limb and say “because it was funny.” It does prevent security from attempting to confiscate things if they don’t like something, but we did unlock the case and show them everything inside before gaining entry. As for the picking, I think it was about 20 seconds for the first cuff and 10 for the second. Don’t let him convince you he did both cuffs in 10 seconds.
RM: The handcuffs were just for show, and to be different. It forced questions, and allowed for us to possibly have some teaching moments. If we just had backpacks, no one would have asked much of anything. And I think Rick’s estimation of the time to get out is a bit high, but it was very quick and during a discussion, while talking to a colleague.
* Q&A responses were minimally edited for content and clarity.