CyberWire Daily - AMCA breach extends to LabCorp. Still no EternalBlue in Baltimore ransomware attack. Frankenstein malware. Real hacking isn’t like the movies. Huawei’s no-spy deal. US Data Strategy. Patch BlueKeep.
Episode Date: June 5, 2019

Another medical testing firm is hit by the third-party breach at AMCA. More officials say there's no EternalBlue involved in Baltimore's ransomware attack. (And that attack may have involved some doxing, too. Investigation is underway.) Real hacking isn't like the movies. It's alive: Frankenstein malware, that is. Huawei offers a no-spy agreement. The draft US Data Strategy is out. Really, you should patch for BlueKeep. A university's donor list is exposed online. Ben Yelin from UMD CHHS on secret tracking pixels in emails to the Navy Times in a controversial legal case. Tamika Smith speaks with Ariana Mirian from UC San Diego on research on the hacker-for-hire market. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_05.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Another medical testing firm is hit by the third-party breach at AMCA. More officials say there's no EternalBlue involved in Baltimore's ransomware attack. Real hacking isn't like the movies. It's alive: Frankenstein malware, that is. Huawei offers a no-spy agreement. The draft U.S. data strategy is out. Really, you should patch for BlueKeep. Researchers from UC San Diego team up with Google to explore the hacker-for-hire marketplace. And a university's donor list has been exposed online.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 5th, 2019.

Medical testing firm LabCorp has disclosed that
it too was affected by the breach at third-party collection services provider American Medical Collection Agency. At the beginning of the week, Quest Diagnostics said that about 12 million people were affected by data AMCA held that were accessed by some unknown, unauthorized party. LabCorp puts the tally of those affected in its part of the incident at 7.7 million.

A second member of Congress, Maryland Senator Van Hollen, has joined his House colleague, Representative Ruppersberger, to announce that the government is confident EternalBlue wasn't involved in the Baltimore ransomware attack. Baltimore's systems remain a mess, but the city thinks it will have things more or less 90% cleaned up by the end of the weekend. Investigators are trying to make sense of various tweets and social media comments that suggest the attackers might have done at least some doxing in addition to the encryption they inflicted on those poorly protected servers. The projected cost to the city is estimated at more than $18 million, but the night is still young.

Different victims of ransomware show different results in their recovery. In contrast with the ongoing Baltimore horror show, Norsk Hydro was fairly well prepared and quick to respond to its own ransomware incident. The company reported its first quarter results today, and underlying profits are down 82%. That sounds bad, but it's actually good. The hit from the ransomware turned out to be bad, but not nearly as bad as it might have been.
We've all seen the Hollywood hack, right? The hacker, properly pierced and tattooed and behoodied, taps vigorously on the keyboard and snarls, "I'm in." And then, sure as shootin', the hacker's in, as you can see when they cut to a kernel panic on the victim's screen as the victim's boss screams, "Huh? What? No!" Like that, right? Well, no, not right.
That's ZDNet's take on the results of a Bitdefender study of how the Carbanak gang works, anyway. They take months of preparation before they hit a bank, so it's more Ocean's Eleven than it is WarGames.

Cisco's Talos Group describes a threat campaign they're calling Frankenstein because the hoods behind it stitched their effort together from a bunch of disparate open-source tools. Active between January and April of this year, Frankenstein's operators gained entrance into their targets by phishing with Trojanized documents. The attack they've sewn together uses at least these open-source items: first, a component that detects if the sample's being run in a virtual machine; a project from GitHub that leverages MSBuild to execute a PowerShell command; another component from the GitHub project FruityC2 for building a stager; and yet another GitHub project, PowerShell Empire, for its agents. They may be derivative, but they are by no means stumblebums. Talos calls them moderately sophisticated and highly resourceful, and thinks that more threat actors will do likewise in the future.
Suppose you want to do some cybercrime, but your own technical skills aren't quite up to the task.
There's a growing market for hackers for hire who would be more than willing to assist you,
for a price. The Cyber Wire's Tamika Smith has the story.
Google and the University of California, San Diego conducted a study analyzing and testing out the hacker-for-hire market. They created honeypot Gmail accounts, created buyer personas, and started their search to solicit hackers. Here to talk more about this is Ariana Mirian. She's a PhD student at UC San Diego, where her research is on security and systems, and she served as the first author and lead researcher on this team.
Thanks for joining the conversation, Ariana.
Thanks for having me, Tamika.
I'm glad to be here.
So let's get into this study.
How was it set up?
We were interested in looking at the hack for hire market,
and so that required us to go and find these underground advertisements and somehow solicit their service.
And so what that essentially means is we needed to act as both the buyer and the victim.
So we created fake online personas because we wanted to make sure that no researchers were harmed in the making of this study in order to solicit this research.
So as the buyer, I created an online persona,
which consisted of a Gmail address. And so we communicated with the services as the buyer,
either by emailing them or submitting an online form. Really, it was however the service advertised
we should reach them. And then we created a victim persona. So the person who we wanted to
hack into, or whose Gmail account we wanted to hack into. And so the victim
persona, it was a bit more intricate because we didn't know what these attackers would do. We
didn't know what pieces of information they would use. And I have an online footprint. Most people
who use the internet have an online footprint. And so we wanted to create this online footprint
for these fake victims.
We created a Gmail address for them, but we also created a website, for example,
that they purported to own or work at where we linked the Gmail address. On the website,
we also linked an additional Gmail address of an associate, which was another fake persona,
because we didn't know if the attackers would use the associate to get to the victim.
And then we also created a Facebook profile for the victim where everything was private except the About Me section. And on the About Me section, we linked the website of the victim persona.
And so we engaged with them as the buyer. And then at UCSD, we had set up some monitoring on each of the Gmail accounts
to record any changes. And also our Google colleague was able to see from the Google
monitoring that they have what was happening in the Gmail accounts.
So this is very interesting. You guys set out to catfish the hackers.
Basically, yeah. We really wanted to characterize this market and the best way to do that was to engage with them.
So to see not only what attacks they would deploy on the victims, but also how do they engage with the buyers?
Is this a legitimate business or would they just take our money and run?
So let's talk a little bit about how you engaged with them.
You set out and created personas, but one thing I thought was very interesting, you did so in various languages.

It turns out a lot of those underground markets are not solely in English. And so actually
a lot of the advertisements that we found were in Russian. So we had 27 services that we ended
up contacting. I believe three of them were English advertisements. One was a Chinese
advertisement and the rest were Russian. In order to engage with them, we wanted to make sure that our messages seemed realistic.
And so we essentially asked folks in our community who were native speakers of that language,
so a native Russian speaker, to help us craft emails in response to whatever they were telling us.
So let's talk a little bit more about the technical side.
How did you set it up, set up the honeypot accounts so that you would be able to track what was going on and that they couldn't detect that they were being tracked?

Yeah, so for each Gmail account that we created, we essentially added this entity called a Google Apps Script. Whenever there was a change in the Gmail accounts, it would trigger a notification to a server that we controlled at UCSD. The thing about these Google Apps Scripts is that in order to create them, you actually open up a Google Doc, essentially, that's associated with the Google Drive that is part of the Gmail account. And then on one of the dropdowns, there is this little script button, and then that takes you to a pop-up where you can put in this script, and it's JavaScript. So it's a language that a lot of folks know and can program in, or at least learn.

Is this market viable in any way?

Yeah, that's a great question. This is a market that is accessible to a lot of, you know, average folks. The contracts that we hired were anywhere from the $100 to $400 range. Since the end of our study, actually, some of those prices have increased, but they are still viable for someone who really wants to get into the Gmail account of whoever they target. However, since these are targeted attacks, these don't necessarily scale as well. They don't scale as much, I should say, as other attacks. I don't think it's a large-scale threat. It is definitely a threat to some users out there. But it's not a large-scale threat yet.
There is definitely the possibility,
and this is all hypothesis, that the attacks could change.
So right now, the main attack vector that we saw was phishing,
really well-crafted emails that would then
capture our password and our two-factor code.
And Gmail has introduced some additional defenses
to try and prevent against this sort of targeted attack. But it's possible that in the future,
these markets will change to adapt to the new defenses. So instead of phishing,
maybe they'll deploy more malware. Thank you again, Ariana, for joining the conversation.
Thank you, Tamika. I really appreciate it. That's Ariana Mirian. She's a PhD student at
UC San Diego, where she's researching security and systems.
And on this specific research team, she serves as the first author and lead researcher.
That's the Cyber Wire's Tamika Smith.
Huawei's chairman, Liang Hua, accused the U.S. of acting inappropriately toward his company, NPR reports, but then proffered a dove with an olive branch: the same kind of no-spy deal Shenzhen has dangled before Germany and the UK. This dove seems unlikely to fly in Washington, given Huawei's reputation with respect to non-disclosure agreements and partners' IP.
Don't believe Microsoft about the importance of patching legacy versions of Windows against the BlueKeep RDP vulnerability?
Well, maybe you'll believe NSA's Central Security Service.
They think you should patch too.
The U.S. government has released its draft data strategy.
Federal agencies have until July 5th to submit comments.
The strategy emphasizes three overarching principles,
ethical governance, conscious design, and a learning culture.
The strategy seems concerned to identify relevant data
and ensure their accuracy, integrity, and availability.
Transparency and an effort to restrain agencies
from collecting information without a need to do so
appear to be important points of emphasis.
University of Chicago Medicine has apparently left data
of almost 1.7 million donors and prospective donors exposed online,
Security Discovery says.
The university secured the database and thanked the discoverers for the tip.
And we close on a serious note.
America has lost another of the Navajo code talkers
who served in the Pacific during the Second World War.
William Tully Brown passed away Monday in Winslow, Arizona at the age of 96.
Our condolences to his family and friends.
As he's laid to rest tomorrow, we'll join the Marine Corps in its farewell. Semper Fidelis, Marine.
Joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's great to have you back.
We had an article come by. This is from Military Times. It's titled, Secret Tracking Device Found in Navy Email to Navy Times Amid Leak Investigation Raises Legal and Ethical Questions.
There's a lot to unpack here.
Help us understand what's going on.
So there's been this high-profile court-martial case about a Navy SEAL being accused of potential war crimes arising out of an incident that took place in 2017, I believe.
The profile of this case has risen significantly because the President of the
United States has weighed in on this case publicly. What this article uncovered is that one of the
prosecutors working for the United States Navy sent an email to the Navy Times, which has readership among members of the Navy and
other members of the military branches.
And this is journalism.
Right, right.
So to a journalism outfit.
Right.
And that email was embedded with a secret digital tracking device.
So it's unclear.
It doesn't seem like this device was any sort of type of malware.
It didn't reveal any personal information that was on the computers of the journalists who work for the Navy Times.
But it did try or at least attempted to collect metadata from those devices.
It was attempting to identify potential leaks arising out of this case.
And to do so, it was trying to identify the IP addresses being used by Navy Times accounts.
It was transmitting that information to a Navy database in California.
This causes a lot of potential legal problems from my perspective.
requires generally either a warrant or some sort of legal subpoena to use any type of device, electronic or otherwise, that would reveal metadata from a private individual's account. Again, these people are not members of our, when we're talking about journalists, they're not members of the Armed Forces. They are private individuals subject to our constitutional rights. Now, because this is the
military, it's being conducted from the Navy prosecutor's office. We're not privy to a lot
of the information that's gone into this investigation. And from what they're saying,
the prosecutor has complied with all laws and statutes regarding electronic communications
and privacy. This, at least to my eye, you know,
it's not something that you could prove one way or the other without additional information.
And there's always the risk, I'm not sure how this would play out in military court,
that the conviction of this individual accused of war crimes could be jeopardized if some of the information used in a potential trial or in the prosecution was obtained through illegal means. That evidence
could potentially be suppressed. And then, as we see in millions of other criminal cases,
that could be the factor that causes the acquittal of that criminal suspect. So engaging in these
techniques presents really a dangerous risk for
the general public and for the prosecutors who are trying to secure the conviction.
When this was brought to their attention, to the folks who had installed this email tracker,
what was their response?

So the prosecutor himself, through his office, declined to comment, but the Navy, through its spokesman, said quite vociferously that all investigations coming from this prosecutor's office are conducted, quote, in accordance with applicable laws, properly coordinated, and executed with appropriate oversight. The Navy is saying that they're complying with all laws and regulations, even though the prosecutor's office itself, which is the one that sent emails with these tracking devices, and they not only sent them to media sources, but also to members of the defense's legal team, that prosecutor has declined to comment.

Yeah, it seems like an unfortunate distraction as we have this serious case that could be taken off the rails potentially by this issue.

Right. We're talking about something that's literally life and death,
and the defense has already filed motions to have the entire case dismissed based on this
unlawful surveillance, which would be an absolute disaster from the perspective of the Navy
prosecutor. The reason we have the exclusionary rule in place in our
court system is to prevent law enforcement, to give them a disincentive to break laws and how
they conduct investigations and surveillance. So if they haven't dotted the I's and crossed the T's
in terms of making sure that these techniques are legal, and there are certainly questions
as to whether they've done that, then they're not only jeopardizing this particular prosecution,
but the reputation itself of this prosecutor's office.
And that could have very damaging effects down the line.
All right. Well, Ben Yelin, thanks for joining us.
Thank you.
A quick update. Since Ben and I recorded this segment, a military judge removed that lead prosecutor from the case. The defense
had asked the judge to dismiss the case or remove the prosecutors because of the email tracking,
and the judge had the prosecutor removed.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
Thanks for listening. We'll see you back here tomorrow.