CyberWire Daily - Actionable intelligence, and the difficulty of cutting through noise. Extortion hits Johannesburg. Criminal-to-criminal markets. Who’s more vulnerable to phishing, the old or the young?
Episode Date: October 28, 2019
Actionable intelligence, culling signal from noise, and the online resilience of threat groups. Ransomware hits a legal case management system. The city of Johannesburg continues its recovery from an online extortion attempt. The Raccoon information stealer looks like a disruptive product in the criminal-to-criminal market: not the best, but good enough, and cheaper than the high-end alternatives. And who's more vulnerable to scams: seniors or young adults? It's complicated. Joe Carrigan from JHU ISI on Metasploit as a tool for good or bad. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_28.html
Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Actionable intelligence, culling signal from noise, and the online resilience of threat groups.
Ransomware hits a legal case management system.
The city of Johannesburg continues its recovery from an online extortion attempt.
The Raccoon information stealer looks like a disruptive product in the criminal-to-criminal market.
Not the best, but good enough and cheaper than the high-end alternatives.
And who's more vulnerable to scams, seniors or young adults?
It's complicated.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 28, 2019.
ISIS leader Abu Bakr al-Baghdadi died Saturday in Syria's Idlib province,
killing himself and, sadly, three of his children,
as U.S. special operations forces cornered the terrorist leader in a tunnel.
According to the Voice of America, U.S. Defense Secretary Esper said, quote, late-breaking actionable intelligence developed that morning enabled the attack to be executed within hours.
Reuters says al-Baghdadi was located with the assistance of captured ISIS leaders.
Whatever its accuracy, this report and others like it
will probably erode the terrorist group's relationships of trust.
One of al-Baghdadi's principal lieutenants, spokesman Abu Hassan al-Muhajir,
was killed in a U.S. airstrike hours after the Idlib raid,
the Times reports.
A Bloomberg op-ed argues that terrorist groups like ISIS have proven resilient to leaders' deaths.
Expect any regrouping to be foreshadowed by information operations.
What sort of late-breaking actionable intelligence Defense Secretary Esper referred to
is of course, and quite properly, left unclear.
But developing target indicators into targets can be a difficult process, and indicators are often missed.
One such set of indicators seems to have surrounded one of the last high-profile massacres al-Baghdadi claimed for ISIS, the Easter massacres in Sri Lanka this April.
A parliamentary select committee convened to review the attack concluded that Sri Lanka's intelligence leaders missed reports that should have alerted them to an imminent attack.
Those reports began arriving as early as April 4th, 17 days before the April 21st attack.
Apart from direct observation of online terrorist chatter,
which can be notoriously noisy,
the security forces are said to have failed to act on domestic police warnings and alerts fed
to them by Indian intelligence services. Missing signal is an old problem. The U.S. certainly did
the same during the run-up to 9-11. This weekend, as the Diwali celebrations arrived, authorities in India raised the alert level in several cities as the Pakistan-based terror group Jaish-e-Mohammed threatened attacks against those celebrating the Hindu Festival of Lights.
Those attacks seem not to have materialized, and that's another instance of chatter being disruptive noise.
A ransomware attack against TrialWorks, a widely used legal case management system, has caused disruption of trials and schedules as TrialWorks recovers and as the law firms that use the product look for workarounds and alternatives.
Bleeping Computer says the ransomware strain involved is so far unknown, but the attack resembles in some respects August incidents that involved GandCrab's successor REvil, Sodinokibi.
TrialWorks says it's decrypting the affected files,
which has led to speculation that they went ahead and paid the ransom.
The city of Johannesburg sustained a breach Thursday that led it to suspend most online services.
The group claiming responsibility, the Shadow Kill Hackers, has said they'll publicly dump all the stolen data if they weren't paid four Bitcoin by 5pm Johannesburg time today.
That was 11am US Eastern time, so the deadline has come and gone.
We don't have any word yet on whether the Shadow Kill Hackers have done what they threatened to do, or whether Johannesburg has paid up.
Here's what Johannesburg City staffers told SC Magazine was in the note they received.
Quote, Hello, Joburg City. Here are Shadowkill hackers speaking.
All of your servers and data have been hacked.
We have dozens of backdoors inside your city.
We have control of everything in your city.
We can shut off everything with a button. We also compromised all passwords and sensitive data, such as finance and personal population information. End quote.
We note in passing that their style is like a somewhat less over-the-top version of Shadow Brokers-ese, a scriptwriter's conception of broken English we confess we continue to miss.
The attack was initially described as ransomware, but that may be misleading.
There does indeed appear to be an extortion demand, but the disruption to city services appears to have been largely a precautionary measure taken by the city government itself, which tweeted that interruptions of services were consequences of the investigation.
The city said that customers will not be able to transact on e-services or log queries via the city's call center or customer service centers.
Most services were restored over the weekend. The Shadow Kill Hackers made two threats.
In addition to dumping the information online and telling everyone how they got it,
they also threatened to delete all the data permanently.
If that's more than an empty threat, it suggests they dropped a wiper into Johannesburg's network.
Researchers at security firm Cybereason have offered their take on the Raccoon information stealer
that's gaining black market share in the criminal-to-criminal markets.
It's not sophisticated, but it's relatively cheap and easy to use,
which makes it a classic example of a disruptive product.
Raccoon is available for $175 to $200,
and it's usually delivered via the Fallout or RIG exploit kits.
Raccoon's native home seems to be the Russian criminal underground.
It began as a password stealer, but has expanded into other forms of data theft.
And finally, who's most gullible with respect to online scams? Specifically, which age cohort is likeliest to take the phish bait, and who's more predisposed to spit the hook?
Well, the U.S. Federal Trade Commission has reached what will be for many a surprising, counterintuitive conclusion on the matter.
You may think that the proverbial grandpa and grandma are likelier to fall victim to phishing scams than others.
But no. Actually, people over 60 are less likely to take the phish bait than are younger adults, particularly millennials.
The FTC's recent report on protecting older consumers reached that conclusion. There is a downside, however.
While older adults are less likely to fall for scams than are the young adults,
when seniors do bite on the fraud, their losses tend to be higher. Those over 80 seem to take
the biggest hit per scam. So everyone, young or old, click with caution
and read with appropriate open-minded skepticism,
which is good advice at any age.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to
salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365
with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the Hacking Humans podcast.
Joe, it's great to have you back.
It's good to be back, Dave.
Before we dig into today's story, you have a little bit of follow-up for us.
I have a correction.
Last week, I made the comment that I was considering not giving future healthcare providers my
actual birth date, and someone hit me up on Twitter, Franklin, thank you for pointing
this out, that if you do that, then your claims may not be paid
because that piece of PII is used to identify you with the insurance company.
So if the insurance company gets a different birth date, they're going to say this isn't the right Joe Carrigan
and they're not going to pay my claim.
And I have to give them the correct birth date because I need to give my employer my correct birth date
who then gives it to my insurance company, who then asks my doctor for it.
I see.
So you could be shooting yourself in the foot.
Yep.
So don't do that.
If you've already done it, go out and correct it.
Okay.
Sorry.
Fair enough.
Fair enough.
Well, this week we're talking about a story that came by from Threat Post.
This is from Tom Spring, and it's titled, 15 Years Later, Metasploit Still Manages to Be a Menace.
A menace. I don't like that term.
And a useful tool for penetration testers.
Yeah, well, before we dig in here, just a quick overview on what is Metasploit
for folks who may not be familiar with it.
Metasploit is a framework. I'm not intimately familiar with it,
but it is a tool that you can use to penetrate networks.
It comes pre-bundled with a bunch of known exploits,
and if you discover an exploit or a vulnerability, then you can write your own exploits in Metasploit
and have them run, and you can distribute them as well so that other penetration testers can
use it as well. But just like any other tool, it can be misused and frequently is misused.
When you hear the term script kiddie, these are generally people who are learning to use Metasploit and running very simple attacks against other targets that may not be protected against it.
And there is even a graphic user interface called Armitage for the Metasploit framework.
I see.
So it makes hacking very easy, but that was the intent of the tool. It was designed by a guy who was a network administrator and had to do all this other stuff along with testing the security of his network. So he automated the process of testing the security of his network. He built a tool to make his own job easier and shared it with the community. And of course, any tool can be used for good or bad.
So what are they getting at here with the notion that it could be a menace?
They're talking about a particular technique that Metasploit presents called Shikata Ga Nai, which is Japanese for nothing can be done.
And what it does is it makes your exploit polymorphic, so it's very difficult to see it when it's coming in through your network.
So detection systems are less likely to find it.
And the exploit is more likely to be successful.
So it's doing some encryption, some scrambling of what your software would be looking for.
It uses something called XOR encryption.
It's a very basic type of encryption.
It is good, and actually,
it's technically unbreakable if you have a long enough random key. But those keys are one-time
use keys. It's effectively a one-time pad cipher. So XOR is a bitwise operator, which means that if
you go through a string of bits one at a time, you can encode them with a key. But the great thing about it is that you can
decode them with the same operation and the same key. So if I have a key that's exactly as long
as the message that has enough randomness, it imparts all of that randomness to the message.
And then that randomness is easily deciphered with the same key. But it pretty much requires
pre-shared keys or some way to share that key.
And those keys can only be used once.
If you use them multiple times,
it's very easy to break the encryption.
I see.
So that's a high-level look at XOR encryption.
And so as that applies to Metasploit here,
it's just a matter of making the scripts harder to detect?
Right.
What they're doing is they're using XOR to make the payloads harder to detect because they essentially look like random strings of bits.
And then once the payload is in the target system, it's trivial to decrypt it if the software has the key.
All right.
So, I mean, overall, Metasploit, valuable tool.
But just like any other tool, it's going to have bad uses and people that are very good at using it. And there are people out there that are remarkably good at using this tool. A lot of them are on the good guy side, but a lot of them are also on the bad guy side.
Yeah. All right. Well, Joe Carrigan, thanks for joining us.
My pleasure.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. ... to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. Thanks for listening.
We'll see you back here tomorrow.
... comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.