CyberWire Daily - Big healthcare data breach. False civil defense alerts. Davos will take up cyber next week (among other topics). Exobot on the block. Satori in your wallet? Ponzi scheme or pump-and-dump?
Episode Date: January 18, 2018
In today's podcast we hear that Norway's Southern and Eastern Regional Health Authority has suffered a breach. False civil defense alerts are mistakes, not hacks, but they're worth some attention. Davos will take up international conflict and cybersecurity next week. Banking Trojan Exobot holds a going-out-of-business sale. Satori botnet rifles cryptocurrency wallets. Emily Wilson from Terbium Labs, looking at the upcoming Olympics and midterm elections. Guest is Nadav Avital from Imperva on web application vulnerabilities. And was Bitconnect's collapse a Ponzi scheme, a pump and dump, or something else?
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Norway's Southern and Eastern Regional Health Authority suffers a breach.
False civil defense alerts are mistakes, not hacks, but they're worth attention.
Davos will take up international conflict and cybersecurity next week.
Banking Trojan Exobot holds a going-out-of-business sale.
The Satori botnet rifles cryptocurrency wallets.
And was BitConnect's collapse a Ponzi scheme, a pump-and-dump, or something else?
I'm Dave Bittner with your CyberWire summary for Thursday, January 18, 2018.
The odd and apparently unrelated series of attacks against medical facilities and systems continues.
Norway's Southern and Eastern Regional Health Authority is reported to have been breached, apparently by hackers after personal information.
Data on about 3 million Norwegians are believed to have been exposed.
Japan joined Hawaii with a false missile launch alert as North Korean nuclear saber-rattling continues to put local civil defense teeth on edge.
Broadcaster NHK mistakenly issued, then quickly retracted, a missile warning on Tuesday.
Both the Hawaiian and Japanese cases are being put down credibly to operator error and not a cyber attack.
But as is normally the case with accidents and glitches,
people are now thinking about the possibility and implications of emergency warning system hacks.
Who would do such a thing and why, you may ask?
Popular Mechanics has a speculative piece up that lays out several motives.
There's no obvious ordinary criminal angle to this, criminal in the sense of people executing this kind of hack for financial gain, but there are other kinds of crimes too.
Symantec mentions joyriding as one.
Instead of stealing a car and racing to destruction before you abandon it, cyber joyriders hack a system in ways that will disrupt people's lives or frighten them, and they're doing it just for the lulz.
A disgruntled insider might hack an alert system, or a hacktivist might think doing so would give them a big, big megaphone.
Or a nation-state could do it because they want to sow chaos and mistrust, or, in what would be a more sinister ploy, do it as battle-space preparation so people would ignore warnings of actual attacks.
In any case, may operators of emergency alert networks look to their systems, and particularly their user interfaces.
Davos convenes next week, and discussion of global conflict and cyber risk is expected to figure prominently in the meetings of what the Shadow Brokers would call the wealthy elite.
And where, we ask in passing, are the Brokers these days?
Someone take away their deep-scanning security software?
At any rate, the World Economic Forum has issued a resiliency playbook for general consideration.
It comes in two parts,
a reference architecture for public-private collaboration and cyber policy models.
The playbook takes up 14 policy topics
and analyzes them in terms of their impact on five areas,
security, privacy, economic value, accountability, and fairness.
It's intended to be an approach any nation could adapt
to its own particular values.
Web application firewall provider Imperva recently published a report,
The State of Web Application Vulnerabilities in 2017.
Joining us to review their findings is Nadav Avital,
who leads the application vulnerability research team at Imperva.
2017 was a record year in terms of volume, of capacity. There were many more vulnerabilities published during 2017 than in recent years. Looking at the numbers, you see a big spike.
And so what were some of the specific trends that you saw?
First of all, cross-site scripting is a well-known vulnerability. It has a big increase in terms of numbers. The thing is that cross-site scripting is one of the most basic security vulnerabilities in web applications, and it's very easy to test and to find. Most of the cross-site scripting vulnerabilities were found in open source products, which of course makes it easier to dig inside the code and find these kinds of vulnerabilities. So this is a potential explanation for what we saw.
And you also saw issues with IoT devices as well as WordPress and PHP. Can you take us through those?
Last year was a huge year in terms of IoT vulnerabilities. I'm talking about the Mirai botnet. So we wanted to know, or to look into, IoT vulnerabilities. And what we saw is that there's also a growing trend of vulnerabilities published in the IoT landscape. Most of them are coming from the family of authentication bypass, using default credentials or easy-to-guess credentials in order to log into devices and take over devices. And this is actually kind of what happened with the Mirai botnet.
So as we head into 2018, 2018 being here, what are your recommendations for folks to protect themselves?
The key finding is that vulnerabilities, web application vulnerabilities, are always on the rise, and it's very difficult for organizations to keep up with that. Most of the organizations don't have a dedicated person or team to stay on top of this. It's very hard to patch your systems or to deploy, to upgrade your systems, especially in a production environment where you don't have any downtime or maintenance windows. So essentially, the best way to deal with this flood of vulnerabilities is to deploy external security solutions that can solve the problem for you without any need for a change in your systems. This is actually what a web application firewall can do for you if you decide to use it.
That's Nadav Avital from Imperva. You can read their report, The State of Web Application Vulnerabilities in 2017, on their website.
Say, friend, interested in a banking trojan?
There's a going-out-of-business sale in the black market souks.
Yeah, step right up. Terms are available.
The Exobot Android Banking Trojan.
For the last few years, a popular rental in the criminal-to-criminal space can now be yours.
Divestments, sell-offs, spin-outs, and so on happen in criminal as well as legitimate markets.
In this case, it's not that the boss is on vacation and they've all gone crazy, just
that the authors feel they've made enough of a pile and are going to get out while the
getting's good.
Thus, the author of the Exobot Android Banking Trojan, initially called Marcher by some researchers,
has decided to cash out and exit the market by offering the source code for sale.
The trojan, which is generally regarded as a particularly successful one,
has hitherto been leased to other criminals on a monthly basis.
This isn't particularly good news.
We can expect a fair bit of sloppy criminal activity
until Exobot finally sputters out.
Campaigns are expected to spike as the source code moves from a criminal-to-criminal to a wholesale market.
We know the Satori botnet as one derived from Mirai,
and we know that Mirai was initially used for distributed denial-of-service attacks.
Satori is now being used for more directly gainful crime.
A Satori botnet is actively and successfully stealing from cryptocurrency wallets.
But wait, friend, you say you want to be a Bitcoin billionaire?
Well, have you considered one of the other altcoins out there?
You, madam, do you want a better, more comfortable life?
You, sir, are you looking for a way out of the rat race?
Why, then, irresponsible speculation and dodgy cryptocurrency schemes may be just the thing
for you.
Here, take some brochures to read at that Jersey Shore timeshare you've invested in.
They're profusely illustrated.
But not so fast.
Actually, one of those opportunities for irresponsible speculation, BitConnect, the cryptocurrency
exchange widely derided as a Ponzi scheme,
has, as we know, closed.
And there's more.
People have looked back at what the Federal Reserve used to call
irrational exuberance in cryptocurrency markets last month,
and they're now wondering whether a certain YouTube star,
one Crypto Nick, might have made a significant contribution
to the speculative bubble.
Crypto Nick says he's a 17-year-old crypto millionaire,
and he's been flacking BitConnect for some time.
A lot of disgruntled YouTube watchers are now wondering
whether Mr. Nick was engaged in a pump-and-dump scheme.
In any case, he's as bummed as anyone.
Here's what he said after BitConnect imploded Tuesday.
Quote,
I honestly can't believe this happened, guys.
Like I said, it's been a great platform,
and it's officially coming to an end.
No more BitConnect to anyone
who's always hated on the platform.
I'm still shocked.
I'm still trying to take this all in.
I really don't have much to say.
End quote.
We think the best advice on this and related matters was the disclaimer that accompanied Crypto Nick's performances.
Quote, I am not a financial advisor, nor am I giving financial advice.
I am sharing my biased opinion based off speculation.
You should not take my opinion as financial advice.
You should always do your research before making any investment.
End quote.
Tell it, brother.
So there you have it, friends.
Act now.
Everyone's a winner.
Actual results may vary.
Nigerian Prince is not included.
You are unlikely to be invited to Davos.
Offer not valid in Alaska, Hawaii, and Fort Meade, Maryland.
And I'm pleased to be joined once again by Emily Wilson.
She's the Director of Analysis at Terbium Labs.
Emily, a couple of events on the horizon that are on your radar.
We've got the Korean Olympics coming up, and we've also got the midterm elections.
What is in common between these two things, and why do you have your eye on them?
Well, it is the beginning of the year, and we're all thinking about kind of what's going to happen. I think we're going to see some cyber. I think we're going to see some security, and I'm not sure yet what the ratio is going to be between those two. But I think these two events give us a chance to compare to similar events we saw a couple of years ago. Right. Back in 2016, we had the Rio Olympics and we obviously had a pretty big presidential election here in the U.S. So on the Olympic side, I think this is an interesting kind of regional comparison with Brazil. We saw a lot of personal information being leaked, both from citizens and from government employees. And that came out of a lot of new actors popping up, a lot of economic unrest in Brazil leading up to the Olympics. This was a big six-month campaign with a lot of information being leaked every day. Korea, very different situation. We're seeing different kinds of threats. We're seeing different kinds of actors involved, right? This is a lot less on personal information leaking and a lot more at the nation state level.
Oh, interesting. I remember also with Brazil, we saw lots of warnings about carrying your personal devices, you know, getting your credit cards skimmed and things like that.
Yeah. And I think we've seen in a lot of reports and also just in some of the work that we do, right, there's a growing community in South America for these kinds of concerns, whether it's fraud or some of these more vandalism-style attacks. I think we're just seeing different interests and different calculations in East Asia.
And how about the election?
The election is an interesting one because it is a midterm election. So we're probably not going to see leaked information from delegates, for example, like we saw during the presidential election. You know, some of these factors have been removed. But I'm curious to see kind of as we get into these campaigns, especially some of the more contested seats, are we going to see information being leaked about candidates and their families? Are we going to see people leaking information about parties or maybe specific voters? We've heard a lot in the past couple of years about voter databases being compromised. You know, recently, just in the past month or so, we heard about another database in California. I'm curious to see how all of this plays out and what we see kind of happening openly and what we see behind the scenes.
So what about this notion that when we talk about the Russians interfering with the last presidential cycle, this notion that it really doesn't matter so much what they're doing as the fact that they're doing it creates chaos and uncertainty.
I think there's a lot to be said for compromising trust in a system, whether that is the integrity of elections, whether that is the integrity of communications, the integrity of media sources. I think it's not necessarily, to your point, what kind of chaos you create so much as that you create chaos. I think all of us, regardless of politics, are going into this midterm election with a few different things in mind, maybe a few different expectations, a few different biases, and I think that changes the way these games are played.
Yeah, interesting times for sure.
All right, Emily Wilson, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Thanks for listening. We'll see you back here tomorrow.