CyberWire Daily - APT10's Operation TradeSecret. BrickerBot may be vigilante PDoS. Amnesia and Sathurbot exploit known vulnerabilities in, respectively, DVRs and WordPress. Ransomware, surveillance, and info ops updates.

Episode Date: April 7, 2017

In today's podcast, we hear about how Operation TradeSecret collected intelligence on US trade policy during the run-up to the Sino-American summit at Mar a Lago. BrickerBot is out, a PDoS campaign that looks like nasty vigilante work, so close your Telnet ports and change your IoT device default passwords. The Amnesia campaign is after unpatched DVRs. Sathurbot exploits unpatched WordPress instances and infects Torrent users. Lancaster University's Awais Rashid has concerns over IoT devices' limited interfaces. Endgame's Andrea Little Limbago shares her story from the Women in Cybersecurity Conference. Surveillance and influence operations allegations in the last US Presidential campaign have their counterparts in the current French one.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Operation Trade Secret looks for intelligence on U.S. trade policy during the run-up to the Sino-American summit at Mar-a-Lago. BrickerBot is out, a PDoS campaign that looks like nasty vigilante work. The Amnesia campaign is after unpatched DVRs.
Starting point is 00:02:11 Sathurbot exploits unpatched WordPress instances and infects torrent users. Surveillance and influence operations allegations in the last U.S. presidential campaign have their counterparts in the current French one. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, April 7, 2017. This week, Fidelis Cybersecurity released a timely report on APT10, a Chinese cyberespionage threat actor that's been active for some time. Fidelis is calling the campaign they've unearthed Operation Trade Secret. Like Operation Cloud Hopper, another related APT10 action being tracked by BAE and PwC, Operation Trade Secret works its way to the targets by getting through cloud and managed
Starting point is 00:03:01 service providers. While most of the targets being prospected in CloudHopper are European, for the most part UK businesses, TradeSecret is going after US organizations. The goals of both campaigns appear to be intellectual property and other economic intelligence. TradeSecret, however, seems to be taking a particularly close look at emerging US trade policy, collecting against US.S. trade
Starting point is 00:03:25 lobbying shops like the National Foreign Trade Council. This, of course, is timely, given the Sino-American summit now underway at Mar-a-Lago. Presidents Trump and Xi will be discussing such matters of mutual urgency as North Korean nuclear and long-range missile programs, for which U.S. patience has reached an announced end. U.S. observers and policy analysts hope they take up cooperation and confidence-building in cyberspace. President Xi is said to be anxious to avert a trade war between the two large trading partners, which would explain APT10's interest in industry groups and lobbyists. There are concerns expressed by NSA officials to Defense One
Starting point is 00:04:06 that the PLA could be at work weaponizing a supercomputer for use in espionage campaigns. President Trump has so far struck an optimistic note in his remarks about the meetings, as has President Xi, but it will be worth watching whether bilateral relations in cyberspace prove amenable to diplomatic confidence-building. There are signs they have in the past. A strange campaign in the wild that's being called Brickerbot is looking for insecure IoT devices
Starting point is 00:04:34 and then bricking them, that is rendering them incapable of operation. Discovered by security firm Radware when the malware began hitting honeypots on March 20th, Brickerbot is baffling because its motive is unclear. It doesn't appear to serve any obvious criminal, hacktivist, or nation-state purposes. Many observers suspect that Brickerbot is a vigilante action conducted by a gray-hat hacker who's trying to kill IoT devices before they can be herded into a botnet. As usual, vigilante action, particularly destructive action, doesn't draw rave reviews. Brickerbot is being called a PDoS as opposed to a DDoS attack,
Starting point is 00:05:12 permanent denial of service, which suggests the seriousness of its effects. Two strains of Brickerbot have been observed, and both appear bent on punishing users whose IoT installations are insecure. Two other recent campaigns are worth mentioning. Palo Alto's Unit 42 reports on what they're calling Amnesia, a campaign to exploit vulnerable DVRs as bots. Amnesia is a variant of the Tsunami IoT Linux botnet reported in March of 2016. It affects unpatched DVRs manufactured by TVT Digital and related products
Starting point is 00:05:47 sold by more than 70 other vendors. Its effects could be serious. Palo Alto thinks the coder behind Amnesia was trying to defeat malware analysis sandboxes, and that in some cases the malware could infect Linux servers in ways that wiped the server. Obviously, Palo Alto adds, that could be catastrophic if backups were not available. The other botnet of current interest has been around for a while, but it's becoming troublesome as it continues to find and compromise insecure WordPress sites. It's called Satherbot, and it uses torrents, those favorites of cheapskates who wish to get software without paying for it, as its vector. The criminals
Starting point is 00:06:25 behind it appear to be establishing an infrastructure that could be used to sell services to other criminals on the black market. Sotherbot currently contains some 20,000 devices. Security firm ESET, which is tracking and working against the campaign, advises users to protect themselves by not running executables downloaded from sources other than respected developers. ESET also warns against downloading files from sites not primarily in the legitimate file-sharing business. Taking a quick look at our CyberWire event calendar, on Wednesday, April 19th, the Cybersecurity Association of Maryland, which you may know by their acronym CHEMI, has organized a program on cyber warrior women
Starting point is 00:07:06 blazing the trail. It will meet at the Community College of Baltimore County's Center for the Arts in Catonsville, Maryland. Join them in person or online from 9.30 a.m. to noon for stories of triumph and tribulation, advice and inspiration from some of Maryland's diverse and dynamic female
Starting point is 00:07:22 cybersecurity professionals. To register, you can click on the linked banner at our site, thecyberwire.com slash events. Cami notes with gratitude, by the way, the support of Exelon in making the event possible. Concerns about influence operations and allegedly improper surveillance persist in both the U.S. and now France. U.S. congressional investigations, now on hiatus during the two-week recess, which begins at close of business today, are looking into both allegations of improper surveillance and allegations of collusion with Russian influence operations.
Starting point is 00:07:56 France's presidential election is being roiled a bit by both as well. The candidate of the center-right Republican Party, François Fillon, alleges that President Haaland has used police to dig up discreditable information on him, information the truth of which Fio denies. It is perhaps noteworthy that RT, also known as Russia Today, has given the allegations prominent coverage in its French language service. News needn't be fake to be influential, or so we've heard.
Starting point is 00:08:31 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:08:50 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:09:26 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
Starting point is 00:10:18 But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:11:06 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Joining me once again is Professor Avas Rashid. He heads up the Academic Center of Excellence in Cybersecurity Research at Lancaster University. Professor, you maintain that one of the issues we have with IoT devices is not just their vulnerability, but the fact that their actual interfaces are in many cases extremely limited. Absolutely. This is a big challenge. Securing regular systems is hard as it is. And we do quite a lot of work as a wide community on that. However, users already find it very difficult to make sense of the security controls or features that are available to them on regular devices like laptops and computers where they can have a lot of information. They also find it very hard to make sense of that information.
Starting point is 00:12:06 And in the case of IoT, the problem is much harder because you do not have those traditional screen-based dissemination mechanisms that can provide additional information. A lot of the users' interaction with IoT tends to be implicit, which leads us to really interesting challenges as to how do we convey information about security to be implicit, and which leads us to really interesting challenges as to how do we convey information about security to the users, but on the other hand, how can we make it easier for them to, for example, configure these kind of IoT devices for security purposes?
Starting point is 00:12:36 So what kind of approach should we be taking? I think there are multiple ways that this can be tackled. One issue is that of how IoT devices are designed, and they should probably be designed to be secured by default. So one of the issues that we saw in the Mirai botnet attack, which was made up of a lot of IoT devices, or at least used a lot of IoT devices, amongst others, was that people hadn't changed, for example, default passwords or these kind of default settings were available. And on the one hand, it's quite easy to blame the users that they didn't change these passwords
Starting point is 00:13:12 or these default settings. But equally, perhaps we can be hardening these devices before they are actually shipped. The big challenge there, of course, is this balance between usability and security. And really, I think we need more of a shift in our approach. We need to stop thinking about it in terms of usability in a traditional human-computer interaction sense because the computers are no longer these screen-based devices that we used to use or still use quite a lot. I think we need to move from usability to a notion of some kind of security ergonomics,
Starting point is 00:13:45 which basically makes it easier for the user to understand and make sense of what goes on within an IoT device and its interaction with other devices. And there are really very fundamental challenges here in terms of how we design these devices, how we convey information, but also how easy it is for a regular person in the world to configure security and manage their security and privacy in these kind of devices. Avas Rashid, thanks for joining us. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:14:37 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. All this week, we've been hearing from some of the people we met at the 2017 Women in Cybersecurity Conference. My guest today is Andrea Little-Limbago. She's Chief Social Scientist at Endgame. I do a lot of research into the geopolitics of cybersecurity,
Starting point is 00:15:18 which over the last year, as everyone knows, has been on everyone's radar much more so than it was before. So that has evolved a lot as far as the interest in it. And then I also work a lot with our data scientists, our malware researchers, our vulnerability experts, and bring together their research into something that's consumable for a larger audience. What do you think people should know when it comes to the geopolitical world of cybersecurity at this point in time? One is not to look at it as its own stovepipe.
Starting point is 00:15:46 It's integrated into foreign policy, national security. So we need to stop looking at it as just within the cybersecurity realm. It's integrated into all of the aspects of foreign policy at this point. And so we need to really look at it from that larger, more holistic view. As far as how it integrates with other military operations, we've seen that over the last year integrate into certain countries' military operations. We've seen it as part of diplomatic operations. It's impacting economics.
Starting point is 00:16:11 So really it crosses the board in that area, and so that's what we're really starting to see that. And it's only going to become more and more integrated across the entire spectrum. Is it fair to say that a certain amount of chaos has been injected into things lately? I think the chaos has been there. I think it's becoming more visible, and it's also becoming, it's escalating, is the other thing that we're seeing. We just recently wrote about some of the wiper malware going on, and so you see between Iran and Saudi Arabia, for instance,
Starting point is 00:16:37 and so those tensions have been there. Those are regional rivalries that have been going on decades, if not centuries. But what we're seeing now is more of a, some of it behind the scenes, some of it very overt as far as the destructive aspects of their interstate relationship. And so we're seeing that in addition to some of the other aspects of their rivalry. And so it's escalating a bit more in that area. I think certain countries are becoming more adventurous in what they're doing, and they're pushing the envelope a bit more to see what can be done in this realm. At the same time, other countries are also cooperating. So we're seeing
Starting point is 00:17:09 sort of this double movement of conflict in one area, but also countries moving towards cooperation and looking for ways to maintain privacy and security at the international level. So does cyber give countries the opportunity to engage and yet still not have to drop bombs, not have to send missiles, not have to send soldiers. Right. And that is what's going on right now, and that's some of the debate that's going on in the legal and more diplomatic global area. And so they're falling short of what the law of armed conflict.
Starting point is 00:17:38 So certain behavior so far is falling short of that. But at the end of the day, it's going to be up for each country to actually define where that red line is. And so especially if it becomes integrated with other aspects, it does become actual parts of war. And so when we look at some countries actually moving their military forces into a country, they're also incorporating some cyber aspects to it, shutting out cities and so forth. And so it hasn't happened much.
Starting point is 00:18:00 We've got only one or two instances of that. But it's one of those things, now that Genie's out of the bottle, and it's going to be hard to put back. And so we do see more and more countries creating their versions of cyber commands and looking at information operations policies and strategies and so forth. And so it is something that is growing. It's not just something for the major powers anymore. If you were looking back,
Starting point is 00:18:23 what would the advice that you would give a younger version of yourself, knowing what you know now, what would you tell a younger version of yourself who's just starting out? Yeah, that's interesting. Part of the reason why I come to this conference is I talk to a lot of the younger women here
Starting point is 00:18:37 and help encourage them because we do need women to keep pursuing this field and want to stay in it. Because the mission's essential. I mean, you're getting back to the geopolitical aspect of it. This is one of the most challenging fields of our time and impactful. So the thing that probably, you know, own your experience and own your expertise. I think that women especially, even if they've gone through however many years of education,
Starting point is 00:19:00 will still portray it like other people may know more in the room. And so own your expertise. Be more vocal about some of those aspects of it. Do all those things. You sit at the table. It's some of the basic things that we hear. But also you reach out and network more and don't be afraid to do that. That's especially hard for introverts, which a lot of us in this field are.
Starting point is 00:19:17 It's not natural for us to just naturally go up and talk. But networking is almost underrated. Everyone talks about networking and the importance of that. I feel like they think about it that way more from, I guess, sales or something like that. But networking is really important for just building a community so that when you do struggle or when you hit some roadblocks, you've got that community to actually help build you up and help keep you within the field. And so for me now, over the last year, one of the things I've been focusing on is expanding out and building up my network of both men and women that I know who work in various domains, industry, academics, government,
Starting point is 00:19:51 so that when any of us do actually start, hit one of the challenges that we're all going to hit, and we heard that in the keynote, you have a community there to support you. And so that's really, really important. But we need to be more vocal. I wish I'd started going out speaking and writing a lot sooner. Too often, the women's cybersecurity issue becomes something that is a problem for women to solve. It's also a problem for men to solve. Especially in this field, most of the executives are men. We need men at all levels to be allies, which doesn't mean just saying,
Starting point is 00:20:20 okay, of course, we support diversity, we support women, and kind of stopping there. You need to actually do more than that. And being an ally can be anything from, you know, on social media, like if you're retweeting something that someone else does as far as helping show their expertise in that area. So being a sponsor of them. If you're in meetings, you know, all the data shows that, you know, when women have an idea, usually it tends to be taken over by someone else and they get the credit for it. Instead of that, if you see that happening, step in and say, well, you know, that idea that Lindsay said, you know, she's the one who actually, you know, and be vocal in that area and helping sponsor and promote the women. And that it doesn't mean
Starting point is 00:20:52 you're not lowering the bar. We're not expecting to be treated differently, but just help be a much more explicit sponsor in that area. And it really, it's amazing. Just those little aspects like that can really go a long way to help elevate and amplify the voice of the women. And that's really what we need. Because again, we're only 10% of the workforce. We can't do it alone. We need that 90% to also help advocate. And I think that's in many places where we've been lacking so far. And there are a lot of male allies, a lot of great male advocates. We need more. That's Andrea Little-Limbago from Endgame. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. and adaptable. That's where Domo's AI and data products platform comes in. With Domo,
Starting point is 00:22:06 you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
