CyberWire Daily - Bears sniff at Bellingcat. Magecart in spoofed domains. MyDoom is still active. Shipboard malware was Emotet. Hutchins sentenced. Digital assistants have big ears. Taxes owed on alt-coin gains.

Episode Date: July 29, 2019

Bellingcat gets a look-in from the Bears. Magecart card-skimming code found in bogus domains. The MyDoom worm remains active in the wild, fifteen years after it first surfaced. Election security threats. The US Coast Guard says the malware that hit a container ship off New York earlier this year was Emotet. Marcus Hutchins gets time served. Fresh concerns about digital assistants and privacy. And yes, you do owe taxes on those alt-coins. Joe Carrigan from JHU ISI on the availability of the BlueKeep vulnerability. Guest is Tom Hegel from AT&T Cybersecurity with thoughts on integrating threat intelligence. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_29.html

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Bellingcat gets a look-in from the Bears. Magecart card-skimming code's been found in bogus domains. The MyDoom worm remains active in the wild 15 years after it first surfaced. Election security threats?
Starting point is 00:02:10 The U.S. Coast Guard says the malware that hit a container ship off New York earlier this year was Emotet. Marcus Hutchins gets time served. Fresh concerns about digital assistants and privacy? And yes, you do owe taxes on those altcoins. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 29th, 2019. Bellingcat, the investigative group that's long followed the activities of Russian security and intelligence services, says its ProtonMail accounts were subjected to a hacking attempt by Russia's military intelligence service, the GRU.
Starting point is 00:02:52 ProtonMail says it successfully blocked the attempts. An increased Russian op tempo may be expected in cyberspace, especially given recent civil unrest in Moscow. Researchers at Sucuri have found Magecart card-skimming script in faked Google domains. The skimmer supports theft on several payment gateways. Palo Alto Networks' Unit 42 reports that MyDoom, the old worm that surfaced in 2004, is still out and actively used in phishing campaigns.
Starting point is 00:03:30 Its persistence is due in part to its self-sufficiency and to its aggressive utility. Krebs on Security calls it the unsexy threat to election security. It's the prospect that election officials might have their social media or email accounts spoofed or hijacked to spread disinformation immediately before, during, and immediately after voting. A civil grand jury in San Mateo County, California, the western part of Silicon Valley, warned that hijacked or spoofed accounts could be used to suppress voting by distributing misinformation about polling or could be used to excite conflict with false reports of results. Thus argues the report rendered by the California Superior Court for the County of San Mateo, securing the email and social media accounts of election officials shouldn't be overlooked.
Starting point is 00:04:15 Secure voting machines by all means, but don't neglect the meta-electoral role that official electronic communications play. The U.S. Coast Guard last week released further details on a cyberattack that hit a merchant vessel inbound for the port of New York and New Jersey. The Wall Street Journal says the malware involved was an Emotet variant. The deep-draft container ship, U.S.-flagged, reported a pervasive infestation of its internal network. The vessel itself was probably not the target, and the opportunistic infection, the Coast Guard said, was permitted by slipshod shipboard IT
Starting point is 00:04:51 practices. Marcus Hutchins, the accidental hero of WannaCry and the deliberate villain of the Kronos banking trojan, has been sentenced to time served and a year of supervised release for charges related to developing and selling Kronos. The presiding judge cited Hutchins' youth and apparent reform when he passed sentence. Hutchins will return to the UK and will be unlikely to be permitted back into the US, at least not for some time. Hutchins himself tweeted thanks to the many who supported him and expressed his gratitude to the judge for leniency and understanding. Some are surprised by the light sentence, as Kronos was neither a prank nor a tool for victimless criminality. It was a banking trojan. Content moderation at YouTube,
Starting point is 00:05:39 Facebook, and Twitter is largely done in a very labor-intensive fashion; artificial intelligence remains, relatively speaking, in its infancy, and training AI inevitably requires extensive and detailed human curation. The pressure to moderate Internet traffic, often motivated by well-intentioned concerns about radicalization, criminal conspiracy, and abuse, will continue to drive more intense inspection of online content. Wired reports that Facebook alumnus Alex Stamos, now at the Stanford Cyber Policy Center, for example, is establishing the Stanford Internet Observatory, a SETI-like data collection and analysis platform, except that unlike SETI, it's not looking for alien life.
Starting point is 00:06:21 Instead, it's designed to ferret out the dangerous or otherwise objectionable stuff that crosses the web. The observatory seeks access to the data all the major online platforms collect. Implementing a comprehensive threat intelligence program for your organization may seem daunting, with countless information feeds available and many third-party providers offering their own customized threat intelligence products. Tom Hegel is a security researcher with AT&T Alien Labs, and he offers these insights. Threat intelligence has really kind of evolved quite a lot over the last 10, 5, 10 years at least. Things have changed quickly.
Starting point is 00:07:06 And in the private industry, information security industry, we've really kind of taken threat intelligence, the approach and methodology of that. A lot of it has come from the government side or the military side of the threat actor and adversary tracking type of world. Today, modern threat intelligence tends to be a bit of cyber threat intelligence with indicators and context and so forth. You think of threat intelligence, it really kind of comes down to indicators of compromise, tracking adversaries that are relevant to your organization, and any sort of context around that. And how does it differ for most folks when it comes to actually consuming actionable threat intelligence versus plain old feeds? Yeah, absolutely. Feeds tend to lack a lot of the context that would be considered true threat intelligence. For example, if I just give you a feed of bad file hashes or bad domains, that doesn't give you or the consumer any context to why it's bad.
Starting point is 00:08:07 Should I be concerned? Maybe the confidence or severity of that? Threat intelligence is really that context and knowledge that sits on top of it all. Comparison would be feeds up against a finished intelligence report with all the context, including that it was coming from this actor, it's relevant to these organizations, and maybe even this is how you would respond to it. So feeds are kind of what was like an early concept of threat intelligence and still today is almost an immature view at threat intelligence. Nowadays, we want to look at, you know, finished intelligence in some fashion with all that context on top of it. Now, in terms of organizations engaging with this and making sure that the
Starting point is 00:08:49 investments they're making in it are providing a good return, what advice do you have there? Yeah, you know, really kind of comes down to initially when you build the program around intaking or in some cases producing threat intelligence, you have to really know why and where to consume and how to benefit from it most. So if your provider of threat intelligence is supplying information that you are not able to even consume yet as a security program internally, you're not going to get the value that you're paying for. So you need to prepare to understand exactly how to benefit from it most. And that includes things like confirming intake capability, such as integrating with your other security platforms inside your organization, and then the ability to even respond
Starting point is 00:09:37 to threat intelligence actions placed inside your network. If you trigger one of those bad domains from some APT group out there inside your network, do you have the skill sets, the processes, or even the technical capability to respond to that? So you need to kind of get some foothold before that you start to intake threat intelligence. And there's a lot of stuff that you should be trying to knock out before you start taking in and focusing on threat intelligence on these advanced actor groups or anything like that. We should try and focus on first knocking out some of the almost baselines of information security programs that are kind of standard nowadays, such as antivirus or access control
Starting point is 00:10:21 basics and things like that before you really start to take into account threat intelligence benefits. Yeah, it seems to me like there's a potential there for folks to become overwhelmed by the information that comes at them. Oh, absolutely. And that's one of those key pieces that really is necessary for that planning process is determining what's relevant
Starting point is 00:10:44 and focus on the highest value pieces of threat intelligence, something that has the most likelihood to occur and has the greatest potential impact against your organization. You don't really want to try and intake every piece of threat intelligence out in the world just to get started. Perhaps it's a good time to first focus on things that are relevant to your industry or maybe your location in the world or the type of business you do with certain customers. That'll help focus you on certain threat adversaries that may be most likely to go after your organization. So in that case, you're producing the most value right
Starting point is 00:11:22 from the start without having to distract and take away too many resources from your program. That's Tom Hegel from AT&T Alien Labs. The Guardian reports that Apple contractors regularly hear stuff people would rather keep private. The report lists medical discussions, drug deals, and conversations, and other sounds of shared intimacy, as figuring in the material those human contract trainers, human helpers as Apple calls them, used to improve Siri's performance.
Starting point is 00:11:53 9to5Mac reports Apple's response. Cupertino explains that such material, quote, is used to help Siri and dictation understand you better and recognize what you say, end quote. And finally, it's altcoin, so no income tax, right? Has that occurred to you? Probably not, because you're conscientious, prudent, and law-abiding, always erring on the side of good citizenship. But we're pretty sure that thought has crossed more than a few minds. Among the minds are those over at the United States Internal Revenue Service.
Starting point is 00:12:34 The IRS is reminding cryptocurrency users that, yes, money they earn in the form of altcoin is indeed subject to taxation, just like regular coin. The IRS has sent out about 10,000 letters to people whose responsibility to alt-render onto Uncle Sam may have slipped their minds, CNBC reports. We expect the next wave of scam phone calls to be from the IRS police, telling us that our social security has been compromised, and offering us the chance to make the IRS whole with a credit card payment over the phone. That will be hooey and malarkey, something you say to Fetchum in Arkansas. But the taxability of cryptocurrency gains is very real. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Starting point is 00:13:28 Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:14:00 but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from BlackCloak. Did you know the easiest way for cyber criminals to
Starting point is 00:15:04 bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information
Starting point is 00:15:44 Security Institute, also my co-host over on the Hacking Humans podcast. Joe, great to have you back. It's good to be back, Dave. Article over on ZDNet. This is written by Catalin Cimpanu for Zero Day, and the title is U.S. Company Selling Weaponized BlueKeep Exploit. Describe to us what's going on here.
Starting point is 00:16:01 So last time we talked, we were talking about there's a proof-of-concept exploit out there that wasn't actually a real exploit. It's just a demonstration of the vulnerability. Since then, a couple things have happened. One, there's been a slide deck released about how you could exploit BlueKeep in the wild. Right. And additionally, just like you said earlier, Immunity is now selling an exploit. This is a penetration testing kit that contractors will use to test somebody's network and to find the vulnerabilities in it. And so by having this functional exploit in their database, that allows them to do a better job of that. Right, right.
Starting point is 00:16:40 It is only a matter of time. And when I say a matter of time, I mean weeks before this is available in the Metasploit framework for anybody to download. It's going to be out there. So we've talked about this before about how important patching is on these systems that are vulnerable to it. an unsupported operating system anymore. And the NSA has come out and said that patching this vulnerability is critical. You have to do it because these things are going to start getting exploited. And the folks at Immunity have said that their version of this tool is not self-propagating. It's not a worm. Right. I don't fault Immunity for coming out with this exploit. Your customer base are people that have very specific instructions from companies on what they can and cannot attack. I guess I can't help wondering, you know, we've seen that folks are out there scanning
Starting point is 00:17:35 the internet to look for systems that are likely vulnerable to BlueKeep. Right. They've been scanning coming out of Tor nodes. Right. So why not just do that? Why not just scan your customers? In other words, I'm the pen tester. Why not just scan for the vulnerability rather than having the actual active exploit? What is that? Is that just another level of verification? Well, in the course of a penetration test, you're trying to get network access and you might be looking for places and ways that you can elevate your privileges, right? Right.
Starting point is 00:18:08 If, as a penetration tester, I can't find any way into your network, or actually I'm going to use all the tools at my disposal, and if this gets me into your network and lets me pivot around and move, then I'm going to use it, because that's what attackers are going to do. I see. So as a penetration tester, this may be the first step or one of many steps along the way in the course of my testing all sorts of things within your network. Correct. Right. So merely a scan of whether you might be vulnerable to this, that's only part of the job you've given me as a penetration tester.
Starting point is 00:18:38 Yes. All right. So as things stand now, what are the mitigation options? The best thing to do is to patch the vulnerability. Right. Right. Right. And Microsoft has had a patch out there since May 14th. Now, that is not always possible. And I was talking just, I think, yesterday about this case, this use case.
Starting point is 00:18:58 For example, if a hospital goes out and they buy a $10 million MRI machine, right, and that MRI machine is controlled by a Windows XP computer because they bought it 20 years ago. The vendor may have said to them, do not update this machine because if you update this machine, that's an unsupported change, okay? You may not actually be able to update a machine that's vulnerable to BlueKeep, but there are other mitigations you can do. One of them is if you can enable network-level authentication for remote desktop protocol, that eliminates the vulnerability. You can also just disable remote desktop protocol and say we're not going to be able to remote desktop into these machines. We're just actually going to have to go down there and connect to them physically. Or you can make it so you can't RDP any of these machines unless you're coming in
Starting point is 00:19:48 from the network or through a VPN. In other words, keep RDP off the internet. It's generally a bad idea. I think that having RDP on the internet is just generally a bad idea. The only way you should be letting people remotely RDP into your system is if they come in through a VPN. I see. All right. So we keep beating this drum. This is a serious one. Do what you can and do not hesitate. Do not pass go. I'm going to make a prediction, Dave. In the next month or two, we're going to see a huge infestation of a worm that uses this vulnerability to propagate around the internet. Now, that's the easiest part of my job is making these kind of predictions. Yeah, okay. All right. Well,
Starting point is 00:20:30 very good. Joe Carrigan, thanks for joining us. My pleasure. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and
Starting point is 00:21:06 securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:22:11 The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe. Thanks for listening. We'll see you back here tomorrow. innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
