CyberWire Daily - Bears sniff at Bellingcat. Magecart in spoofed domains. MyDoom is still active. Shipboard malware was Emotet. Hutchins sentenced. Digital assistants have big ears. Taxes owed on alt-coin gains.
Episode Date: July 29, 2019

Bellingcat gets a look-in from the Bears. Magecart card-skimming code found in bogus domains. The MyDoom worm remains active in the wild, fifteen years after it first surfaced. Election security threats. The US Coast Guard says the malware that hit a container ship off New York earlier this year was Emotet. Marcus Hutchins gets time served. Fresh concerns about digital assistants and privacy. And yes, you do owe taxes on those alt-coins. Joe Carrigan from JHU ISI on the availability of the BlueKeep vulnerability. Guest is Tom Hegel from AT&T Cybersecurity with thoughts on integrating threat intelligence. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_29.html Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Bellingcat gets a look-in from the bears.
Magecart card skimming code's been found in bogus domains.
The MyDoom worm remains active in the wild 15 years after it first surfaced.
Election security threats.
The U.S. Coast Guard says the malware that hit a container ship off New York earlier this year was Emotet.
Marcus Hutchins gets time served.
Fresh concerns about digital assistants and privacy.
And yes, you do owe taxes on those altcoins.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 29th, 2019.
Bellingcat, the investigative group that's long followed the activities of Russian security and intelligence services,
says its ProtonMail accounts were subjected to a hacking attempt by Russia's military intelligence service, the GRU.
ProtonMail says it successfully blocked the attempts.
An increased Russian op tempo may be expected in cyberspace,
especially given recent civil unrest in Moscow.
Researchers at Sucuri have found Magecart card-skimming script in faked Google domains.
The skimmer supports theft on several payment gateways.
Palo Alto Networks' Unit 42 reports that MyDoom, the old worm that surfaced in 2004,
is still out and actively used in phishing campaigns.
Its persistence is due in part to its self-sufficiency and to its aggressive utility.
Krebs on Security calls it the unsexy threat to election security.
It's the prospect that election officials might have their social media or email accounts spoofed or hijacked to spread disinformation immediately before,
during, and immediately after voting. A civil grand jury in San Mateo County, California,
the western part of Silicon Valley, warned that hijacked or spoofed accounts could be used to
suppress voting by distributing misinformation about polling or could be used to excite conflict
with false reports of results. Thus, argues the report, rendered by the California Superior Court for the County of San Mateo,
securing the email and social media accounts of election officials shouldn't be overlooked.
Secure voting machines by all means,
but don't neglect the meta-electoral role that official electronic communications play.
The U.S. Coast Guard last week released
further details on a cyberattack that hit a merchant vessel inbound for the port of New
York and New Jersey. The Wall Street Journal says the malware involved was an Emotet variant.
The deep-draft container ship, U.S.-flagged, reported a pervasive infestation of its internal
network. The vessel itself was probably not the target,
and the opportunistic infection, the Coast Guard said, was permitted by slipshod shipboard IT
practices. Marcus Hutchins, the accidental hero of WannaCry and the deliberate villain of the
Kronos banking trojan, has been sentenced to time served and a year of supervised release
for charges related to developing and
selling Kronos. The presiding judge cited Hutchins' youth and apparent reform when he passed sentence.
Hutchins will return to the UK and will be unlikely to be permitted back into the US,
at least not for some time. Hutchins himself tweeted thanks to the many who supported him
and expressed his gratitude to the judge for leniency and understanding. Some are surprised by the light sentence, as Kronos was neither a prank
nor a tool for victimless criminality. It was a banking trojan. Content moderation at YouTube,
Facebook, and Twitter is largely done in a very labor-intensive fashion, artificial intelligence remains, relatively speaking, in its infancy,
and training AI inevitably requires extensive and detailed human curation.
The pressure to moderate Internet traffic,
often motivated by well-intentioned concerns about radicalization,
criminal conspiracy, and abuse,
will continue to drive more intense inspection of online content.
Wired reports that Facebook alumnus Alex Stamos, now at the Stanford Cyber Policy Center, for example, is establishing the Stanford Internet Observatory, a SETI-like data collection and
analysis platform, except that unlike SETI, it's not looking for alien life.
Instead, it's designed to ferret out the dangerous or otherwise objectionable
stuff that crosses the web. The observatory seeks access to the data all the major online
platforms collect. Implementing a comprehensive threat intelligence program for your organization
may seem daunting, with countless information feeds available and many third-party providers
offering their own customized threat intelligence products.
Tom Hegel is a security researcher with AT&T Alien Labs, and he offers these insights.
Threat intelligence has really kind of evolved quite a lot over the last 10, 5, 10 years at least.
Things have changed quickly. And in the private industry, information security industry, we've really kind of taken threat intelligence, the approach and methodology of that.
A lot of it has come from the government side or the military side of the threat actor and
adversary tracking type of world. Today, modern threat intelligence tends to be a bit of cyber threat intelligence with indicators and context and so forth.
You think of threat intelligence, it really kind of comes down to indicators of compromise, tracking adversaries that are relevant to your organization, and any sort of context around that.
And how does it differ for most folks when it comes to actually consuming actionable threat
intelligence versus plain old feeds? Yeah, absolutely. Feeds tend to lack a lot of the
context that would be considered true threat intelligence. For example, if I just give you
a feed of bad file hashes or bad domains, that doesn't give you or the consumer any context to why it's bad.
Should I be concerned? Maybe the confidence or severity of that? Threat intelligence is really
that context and knowledge that sits on top of it all. Comparison would be feeds up against a
finished intelligence report with all the context, including that it was coming from this actor,
it's relevant to these organizations, and maybe even this is how you would respond to it.
So feeds are kind of what was like an early concept of threat intelligence and still today
is almost an immature view at threat intelligence. Nowadays, we want to look at, you know,
finished intelligence in some fashion with all that context on top of it.
Now, in terms of organizations engaging with this and making sure that the
investments they're making in it are providing a good return, what advice do you have there?
Yeah, you know, really kind of comes down to initially when you build the program around
intaking or in some cases producing threat intelligence, you have to really know why and
where to consume and how to benefit from it most. So if your provider of threat intelligence is
supplying information that you are not able to even consume yet as a security program internally,
you're not going to get the value that you're paying for. So you need to prepare to understand exactly how to benefit
from it most. And that includes things like confirming intake capability, such as integrating
with your other security platforms inside your organization, and then the ability to even respond
to threat intelligence actions placed inside your network. If you trigger one of those bad domains
from some APT group out there inside your network, do you have the skill sets, the processes, or even the technical
capability to respond to that? So you need to kind of get some foothold before that you start to
intake threat intelligence. And there's a lot of stuff that you should be trying to knock out before
you start taking in and focusing on threat intelligence on these advanced actor groups or anything like that.
We should try and focus on first knocking out some of the almost baselines of information
security programs that are kind of standard nowadays, such as antivirus or access control
basics and things like that before you really start to take into account
threat intelligence benefits.
Yeah, it seems to me like there's a potential there
for folks to become overwhelmed by the information
that comes at them.
Oh, absolutely.
And that's one of those key pieces that really is necessary
for that planning process is determining what's relevant
and focus on the highest value pieces
of threat intelligence, something that has the most likelihood to occur and has the greatest
potential impact against your organization. You don't really want to try and intake every piece
of threat intelligence out in the world just to get started. Perhaps it's a good time to first focus on things
that are relevant to your industry or maybe your location in the world or the type of business you
do with certain customers. That'll help focus you on certain threat adversaries that may be
most likely to go after your organization. So in that case, you're producing the most value right
from the start without having to distract and take away too many resources from your program.
That's Tom Hegel from AT&T Alien Labs.
The Guardian reports that Apple contractors regularly hear stuff people would rather keep private.
The report lists medical discussions, drug deals, and conversations,
and other sounds of shared intimacy,
as figuring in the material those human contract trainers,
human helpers as Apple calls them,
used to improve Siri's performance.
9to5Mac reports Apple's response.
Cupertino explains that such material, quote,
is used to help Siri and dictation understand you better and recognize what you say, end quote.
And finally, it's altcoin, so no income tax, right?
Has that occurred to you?
Probably not, because you're conscientious, prudent, and law-abiding,
always erring on the side of good citizenship.
But we're pretty sure that thought has crossed more than a few minds.
Among the minds are those over at the United States Internal Revenue Service.
The IRS is reminding cryptocurrency users that, yes, money they earn in the form of altcoin is indeed subject to taxation, just like regular coin.
The IRS has sent out about 10,000 letters to people whose responsibility to alt-render onto Uncle Sam may have slipped their minds,
CNBC reports. We expect the next wave of scam phone calls to be from the IRS police, telling us
that our social security has been compromised, and offering us the chance to make the IRS whole with a credit card payment over the phone.
That will be hooey and malarkey, something you say to Fetchum in Arkansas.
But the taxability of cryptocurrency gains is very real.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their
controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access
reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's
defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute,
also my co-host over on the Hacking Humans podcast.
Joe, great to have you back.
It's good to be back, Dave.
Article over on ZDNet.
This is written by Catalin Cimpanu for Zero Day,
and the title is U.S. Company Selling Weaponized BlueKeep Exploit.
Describe to us what's going on here.
So last time we talked, we were talking about there's a proof-of-concept exploit out there that wasn't actually a real exploit.
It's just a demonstration of the vulnerability.
Since then, a couple things have happened.
One, there's been a slide deck released about how you could exploit BlueKeep in the wild.
Right.
And additionally, just like you said earlier, Immunity is now selling an exploit. This is a penetration testing kit that contractors will use to test somebody's network and to find the vulnerabilities in it.
And so by having this functional exploit in their database, that allows them to do a better job of that.
Right, right.
It is only a matter of time.
And when I say a matter of time, I mean weeks before this is available in the Metasploit framework for anybody to download. It's going to be out there. So we've talked about this before about how important patching is on these systems that are vulnerable to it.
an unsupported operating system anymore. And the NSA has come out and said that patching this vulnerability is critical. You have to do it because these things are going to start getting
exploited. And the folks at Immunity have said that their version of this tool is not self-propagating.
It's not a worm. Right. I don't fault Immunity for coming out with this exploit. Your customer
base are people that have very
specific instructions from companies on what they can and cannot attack.
I guess I can't help wondering, you know, we've seen that folks are out there scanning
the internet to look for systems that are likely vulnerable to BlueKeep.
Right. They've been scanning coming out of Tor nodes.
Right. So why not just do that? Why not
just scan your customers? In other words, I'm the pen tester. Why not just scan for the
vulnerability rather than having the actual active exploit? What is that? Is that just another level
of verification? Well, in the course of a penetration test, you're trying to get network
access and you might be looking for places and ways that you can elevate your privileges, right?
Right.
If, as a penetration tester, I can't find any way into your network, or actually I'm
going to use all the tools at my disposal, and if this gets me into your network and
lets me pivot around and move, then I'm going to use it, because that's what attackers are
going to do.
I see.
So as a penetration tester, this may be the first step or one of many steps along the way in the course of my testing all sorts of things within your network.
Correct.
Right. So merely a scan of whether you might be vulnerable to this, that's only part of the job you've given me as a penetration tester.
Yes.
All right. So as things stand now, what are the mitigation options?
The best thing to do is to patch the vulnerability.
Right. Right.
Right.
And Microsoft has had a patch out there since May 14th.
Now, that is not always possible.
And I was talking just, I think, yesterday about this case, this use case.
For example, if a hospital goes out and they buy a $10 million MRI machine, right,
and that MRI machine is controlled by a
Windows XP computer because they bought it 20 years ago. The vendor may have said to them,
do not update this machine because if you update this machine, that's an unsupported change,
okay? You may not actually be able to update a machine that's vulnerable to BlueKeep, but there are other mitigations you can do.
One of them is if you can enable network-level authentication for remote desktop protocol, that eliminates the vulnerability.
You can also just disable remote desktop protocol and say we're not going to be able to remote desktop into these machines.
We're just actually going to have to go down there and connect to them physically. Or you can make it so you can't RDP any of these machines unless you're coming in
from the network or through a VPN. In other words, keep RDP off the internet. It's generally a bad
idea. I think that having RDP on the internet is just generally a bad idea. The only way you
should be letting people remotely RDP into your system is if they come in
through a VPN. I see. All right. So we keep beating this drum. This is a serious one. Do what you can
and do not hesitate. Do not pass go. I'm going to make a prediction, Dave. In the next month or two,
we're going to see a huge infestation of a worm that uses this vulnerability to propagate around
the internet. Now, that's the
easiest part of my job is making these kind of predictions. Yeah, okay. All right. Well,
very good. Joe Carrigan, thanks for joining us. My pleasure.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and
securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe
and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe. Thanks for listening.
We'll see you back here tomorrow.
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.