CyberWire Daily - Andromeda takedown (with an arrest in Belarus). Mirai is back; Reaper still threatens. PayPal phishing. Tech support scam evolves. Cryptowars notes. SEC goes after an ICO.
Episode Date: December 5, 2017. In today's podcast, we hear how an international police operation took down Andromeda, and possibly the criminal mastermind known as Ar3s. Mirai is back, and so are warnings about Reaper. There's a PayPal phishing expedition in progress (don't let yourself be a wild-caught sucker). A new variant of the familiar tech support scam features a bogus blue screen of death. Germany's Interior Minister considers backdooring the IoT. The US Securities and Exchange Commission is going after dodgy ICOs. Justin Harvey from Accenture on cyber ranges. Adam Meyers from CrowdStrike on supply chain attacks. And we're not going to talk about the Internet of Those Kinds of Things. (Don't act so innocent—you know who you are.) Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
An international police operation takes down Andromeda,
and possibly the criminal mastermind known as Ares.
Mirai's back, and so are warnings about Reaper.
There's a PayPal phishing expedition in progress.
A new variant of the familiar tech support scam features a bogus blue screen of death.
Germany's interior minister considers backdooring the IoT.
The U.S. Securities and Exchange Commission is going after dodgy ICOs.
And we're not going to talk about the Internet of those kinds of things,
so don't act so innocent.
You know who you are.
I'm Dave Bittner with your Cyber Wire summary for Tuesday, December 5th, 2017.
An international police operation has taken down the Andromeda botnet.
Police in Belarus working with the FBI, Europol's European Cybercrime Center,
Joint Cybercrime Action Task Force, which is JCAT,
and the Lüneburg Central Criminal Investigation Inspectorate in Germany
have dismantled the long-running Andromeda malware ring.
Authorities worked closely with both Microsoft and security firm ESET in executing the takedown.
Traded freely in the dark web souks, Andromeda, also known as Gamarue, Avalanche, and Wauchos,
disseminated malware through a widespread set of botnets. Andromeda has been active for about
six years, and it was a troublesome criminal operation. As with most such takedowns,
it's always possible that the botnets could resurface
at some future time in a revenant form,
but for now at least, they're out of commission.
So good work, officers.
There's been one fairly high-profile arrest in the case.
The investigative committee of the Republic of Belarus
said it's charged one man and taken him into preventative detention,
where he's said to be cooperating with investigators.
They don't give his name, but they do say he was a resident of Gomel.
Recorded Future's researchers indicate that the gentleman is a very big fish in the cybercrime pond,
a criminal mastermind whose nom de hack was Ares, spelled with the E represented by a numeral 3.
Ares developed the Andromeda bot software in 2011,
but he's thought to have been a serious player in the underworld since about 2004.
He was fingered in an FBI sting.
Undercover operators bought crimeware from him,
made the identification, and then dimed him out to their Belarusian colleagues.
An interesting side note on Andromeda,
the malware was designed to determine during reconnaissance whether a prospective target machine's keyboard linguistic settings were for Russia, Belarus,
Ukraine, or Kazakhstan.
If they were, then the malware wouldn't install.
This is suggestive in the light of recent FBI warnings that cybercriminals are increasingly
operating with the connivance of
host governments. It's not dispositive, of course, but it is suggestive. The Mirai botnet has
resurfaced. Attacks were reported over the weekend in North Africa and South America,
with Argentina particularly affected. Reaper, the evolved botnet based on Mirai code, has yet to
live up to its much feared potential,
but researchers at CenturyLink and reports at Cybrary warn that Reaper is a loaded and cocked weapon,
ready to fire at large swaths of the internet.
One hopes, of course, that Reaper will continue to over-promise and under-deliver for its botmasters,
but prudence dictates keeping an eye on it.
It's an ongoing game of cat and mouse between attackers and defenders.
As tools and techniques develop to defend against a particular type of attack,
attackers move on and find another way in.
Lately, we've been seeing more incidents of attacks
on the software supply chain.
Adam Meyers is VP of Intelligence at CrowdStrike,
and he explains.
They started looking for software packages
that companies and enterprises
that the attackers were interested in
were reliant on.
And there's a whole kind of slew
that we've published in a blog post recently
where the attacker identified
either an open source or a closed source software package,
and they backdoored that package
and used that to then deploy
their remote access toolkit or whatever tool they would like to deploy against the targeted victim.
Really notable case of this recently that everybody kind of tracked was NotPetya.
We saw NotPetya being deployed via a software update mechanism in a particular Ukrainian
software product.
And so I think for most people, when they think about supply chains, you know, in the physical
world, they think, well, how would someone, you know, sneak in something into my manufacturing
process? But on the software side, it's a bit different.
Right, exactly. So as you say, you know, you think about a complex supply chain attack,
it's somebody putting a backdoor in a piece of hardware that you're going to install on a sensitive network or something like that.
In the case of these more recent attacks, they're finding software packages that people are reliant on for lots of different things.
There was a pretty well-known case that was dubbed ShadowPad by security researchers. And that was focused on
a software package by NetSarang. And it was a whole host of different enterprise tools that
various enterprises would be using. We've seen this targeting Windows. We've seen this targeting
Mac as well. There were two incidents where ProtonRat was deployed via a supply chain attack
against various multimedia related tools. So help me understand and forgive me for the simplicity
of this question, but in a world where we have things like checksums, how can someone monkey
with some software without it being noticed? That is a great question. What they're actually
doing is they're getting into the software build process at the vendor. They're not just backdooring the already built
tool. They're backdooring inside of the build process, which is something that if these vendors
are not very focused on trying to detect, they're not going to be able to identify that there's a
backdoor in the product that they then compile and then distribute. I see. All right. So it gets in before the
checksumming would even take place. That's right.
So what's to be done here? How can people protect themselves against these things?
Well, I think, you know, the first step is identifying that you have a problem. You know,
I think raising these issues and getting some of the IT security
personnel and the compliance people and the CISO and the CIO to understand the risk and the threat
from some of these software packages is step one. Step two is identifying what software packages
you're dependent on as an organization. Lots of companies that we talk to, if we ask them,
what software do you have running? What versions are running? They don't really have a good answer
for that. In many cases, they don't even tell you how many systems are on their enterprise.
So having that kind of visibility into what systems and software you're using across the
enterprise are critical as well. And then from there, you know, that's where you
have to start doing some risk based decisions around those software packages and understanding
what kind of testing goes into it, understanding that vendor's development process and do they
adhere to various standards or are they just kind of building software and shipping it whenever they
get the chance? And then, you know, really identifying critical assets on the enterprise and ensuring that they've been walled off so that, you know,
if it is a critical system that's running some software package that you have maybe no understanding of or a low degree of trust in,
then making sure that it doesn't need to talk to other systems or even necessarily to the internet in many cases. So
that's kind of where you have to really start looking at each product and coming up with a
risk analysis around each individual product. That's Adam Meyers from CrowdStrike.
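To illustrate the checksum point made in the interview above, here is an added example that is not from the podcast, CrowdStrike, or any vendor mentioned: a toy build pipeline in Python in which the backdoor is inserted before the compile step, so the vendor's published hash still matches the backdoored artifact, while an independent reproducible rebuild from the audited source is what exposes the mismatch. The "compiler", the source tree and the backdoor string are all constructed stand-ins, not real code.

```python
import hashlib

# Constructed stand-in for a vendor's source tree (not a real product).
SOURCE = b"int main(void) { return run_app(); }\n"


def build(source):
    """Deterministic stand-in for a compiler: the same source always
    yields the same artifact bytes, which is what makes an independent
    rebuild comparable with the vendor's output."""
    return b"ELF\x7f" + hashlib.blake2b(source, digest_size=16).digest()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def compromised_vendor_release(source):
    """Vendor pipeline with the attacker sitting before the compile step.
    The backdoor goes into what the compiler sees, so the checksum the
    vendor publishes is computed over the already-backdoored artifact."""
    tampered = source + b"/* constructed backdoor marker: beacon_out(); */\n"
    artifact = build(tampered)
    return artifact, sha256_hex(artifact)  # shipped together; both "valid"


def clean_vendor_release(source):
    """Untampered pipeline, for comparison."""
    artifact = build(source)
    return artifact, sha256_hex(artifact)


def checksum_matches(artifact, published_hash):
    """The check most download pages ask for. It only proves the bytes you
    received are the bytes the vendor produced; it says nothing about
    whether the vendor's own build was tampered with."""
    return sha256_hex(artifact) == published_hash


def reproducible_build_matches(audited_source, published_hash):
    """Defender-side check: rebuild from the source the vendor claims to
    have shipped and compare with the published hash. A mismatch shows the
    vendor's artifact does not correspond to that source."""
    return sha256_hex(build(audited_source)) == published_hash


if __name__ == "__main__":
    artifact, published = compromised_vendor_release(SOURCE)
    print("checksum passes on backdoored build:",
          checksum_matches(artifact, published))
    print("independent rebuild matches vendor hash:",
          reproducible_build_matches(SOURCE, published))
```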
PayPal users are receiving phishing emails warning them that their payments aren't going through.
Those who swallow the bait will be directed to a page that asks them to enter their PayPal credentials and user information.
A variant of the familiar Microsoft tech support scam displays a phony blue screen of death
and then offers to sell you a cut-rate security product that won't solve your problem because
you really don't have a problem in the first place.
Google is working to clamp down on applications and websites that ask for too much information.
At the end of January, Mountain View will warn proprietors of apps and sites that violate
Google's privacy-related terms of service.
How violators will be punished beyond this good talking to remains unclear.
A volley in the crypto wars comes from Berlin, where Germany's interior minister,
Thomas de Maizière, wants essentially all IoT devices backdoored so government investigators
could access them at need. He's also mulling asking that kill switches be installed in certain
devices to yank them from the internet, also at need. While one can imagine investigatory and
incident response use cases for
both proposals, it's difficult to see them attracting much favor from the backdoor skeptic
tech sector. Cryptocurrencies have for some time now been regarded as the wild west,
and called that by headline writers who like to write stuff they've read before.
We're not hating when we say this, brothers and sisters. Hey, we've been there before.
Well, partner, there's now some law west of the Pecos.
It's not wearing a badge, not exactly,
because the feds, like the federales, don't need no stinking badges.
And it's also not wearing a hog leg, neither,
because this law doesn't need to carry a six-shooter.
We're not talking about Tom Destry Jr., either.
This law is the U.S. Securities and Exchange Commission.
The SEC is cracking down on fraudulent initial coin offerings, or ICOs.
It's been moving cautiously in this direction since early summer,
and yesterday it opened a complaint in a New York federal court against one Dominic LaCroix.
The SEC calls Mr. LaCroix a recidivist securities law violator,
and they consider his offering, PlexCoin, to be just a scam,
a fast-moving initial coin offering fraud that raised up to $15 million from thousands of investors since August
by falsely promising 13-fold profit in less than a month.
PlexCoin says it will do lots of things for you if you invest,
including giving you a place where you can invest for, quote, guaranteed returns, end quote. And in fairness, who's to say they're not
right? Our financial desk points out that you could guarantee zero return or even a negative
return, right? Most ICOs don't share this appearance of alleged fraudulence, but all
investors should take heed. And if they're the desperado kind,
just keep moving west until you run out of frontier. We've heard California's pretty wide open.
And finally, some of you have written in to ask why we haven't been talking about a vulnerable app that interfaces an Android phone with a Bluetooth-connected small electromechanical
device. After all, it's said to be potentially leaky across the network,
and leaky in an unusually personal way. And the warning came from NIST itself, the National Vulnerability Database.
We aren't talking about this because we're a family show
and don't have much to say about the IOTKOT,
the internet of those kinds of things.
And CERT, NIST, MITRE, we're surprised at you. Especially that whole awaiting
analysis part. Yeah, you're not blinding anyone with science just by writing CVE-2017-14487.
Look it up.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist
who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel,
Night Bitch is a thought-provoking and wickedly humorous film
from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney+.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform. Protect your executives and their families 24/7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture.
Justin, welcome back. We wanted to talk today about cyber ranges. Why don't you start at the beginning here? Tell us, what are we talking about? Well, the cyber range is a platform that is designed to essentially contain threats in a
simulated environment. The trouble that a lot of security operations centers and incident response
teams are running up against is that they don't have a means to practice the craft.
They only have to essentially respond to threats in real time in order to know if they have
what it takes in order to defeat the adversary or to remediate or respond or what have you.
And what a cyber range does is it's typically a virtualized system that mimics the existing environment that you have
today in a contained and enclosed area with all the same tools that you use with Active Directory,
with Exchange. And by utilizing the cyber range, your team or your incident response team,
your security operations team can essentially drill their skills and test out their processes
and procedures on these cyber ranges. So is this kind of, to use a sports analogy,
is this kind of a, you know, you practice like you play scenario?
Exactly. And imagine if you needed to practice like you play and you don't have a batting cage
or you don't have the ability to scrimmage. So that's really what the design of the Cyber Range has.
Now, is this an expensive thing to spin up?
Like many technologies and platforms in the industry today,
there's the bare-bones systems that are relatively easy to kind of cook on your own and get them up and running.
And the prices can go up higher, depending on the complexity, depending on the campaigns or the types of threats that you want
to simulate, as well as how realistic do you want your cyber range or reflective of the enterprise
you want it to be. So if someone's looking to explore this, what's the best way for someone
to get started? Well, the best way to get started is to have your incident response teams and your security
operations centers doing what they do best, having their processes and procedures and
their technology down to a science, and then getting started by interfacing with numerous
vendors out there that have cyber range products for sale.
Justin Harvey, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of to see how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI
and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.