CyberWire Daily - Breaches at AV companies? Pyongyang’s ElectricFish. Symantec’s CEO steps down. Calls to break up Facebook and regulate the pieces. US Federal indictments for leaks and breaches. Verizon DBIR reviewed.
Episode Date: May 10, 2019
Fxmsp may have breached three anti-virus companies. US-CERT and CISA warn against a new North Korean malware tool being used by Hidden Cobra: they’re calling it “ElectricFish.” A changing of the guard at Symantec. Former Facebook insiders call for breaking up the company and for more regulation. Facebook disagrees about the breakup, but says it likes the idea of regulation. Two indictments are unsealed: one for leaking classified information, the other for the Anthem breach. Johannes Ullrich shares some vulnerabilities involving tools from Google. Verizon DBIR coauthor Alex Pinto shares this year’s key findings.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
FXMSP may have breached three antivirus companies.
US-CERT and CISA warn against a new North Korean malware tool being used by Hidden Cobra.
They're calling it ElectricFish.
A changing of the guard at Symantec.
Former Facebook insiders call for breaking up the company and for more regulation.
Facebook disagrees about the breakup but says it likes the idea of regulation.
Verizon's head of security research joins us to discuss this year's DBIR.
Two indictments are unsealed, one for leaking classified information, the other for the Anthem breach.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 10th, 2019.
Reports broke late yesterday that a criminal group, FXMSP, well known for selling access to data breaches,
had successfully penetrated at least three antivirus companies.
Researchers at the firm Advanced Intelligence say that FXMSP had stolen source code for antivirus agents,
analytic code based on machine learning, and security plugins for web browsers.
Not only was the code stolen, but FXMSP also offered reviews of the quality of different vendors' security products.
AdvIntel has notified the affected companies and law enforcement authorities,
but they're keeping the identities of the firms whose code was stolen quiet.
FXMSP is an interesting group.
It's described as Russian-speaking and English-speaking,
which either says something about its members' countries of origin or about their skill with languages,
or their skill at repurposing Anglophone and Russophone code.
US-CERT and CISA have new warnings out concerning the North Korean threat actor Hidden Cobra.
Pyongyang's attack group is deploying a piece of malware US-CERT is calling ElectricFish.
ElectricFish uses a custom protocol to funnel traffic between a source and destination IP address.
A funneling session can be initiated from either side.
ElectricFish can be configured with a proxy server port and proxy username and password,
which enables it to connect to a system inside a proxy server.
This allows attackers to bypass required authentication in compromised systems.
For more details, see the report at us-cert.gov.
The prominent security company Symantec will be getting a new CEO. President, CEO, and board member Greg Clark has stepped down from all of those roles. Board member Richard Hill, former Novellus Systems chairman and CEO, will serve as interim CEO as the search for a permanent replacement begins.
Clark, formerly CEO of Blue Coat, moved into the same position at Symantec when Symantec acquired Blue Coat in 2016. His resignation was prompted by shareholder dissatisfaction, an accounting probe, and a significant earnings miss.
Facebook's co-founder, Chris Hughes, who goes way back with Mark Zuckerberg,
back to when they were undergrads at Harvard,
published an op-ed in the New York Times yesterday in which he advocated breaking up Facebook.
Mr. Zuckerberg is still a great guy, Mr. Hughes writes, but the company is too powerful.
Mr. Zuckerberg's properties, Facebook, Instagram, and WhatsApp, have billions
of users. The company is publicly traded, but with 60% of the voting shares in Mr. Zuckerberg's hands,
other voices inside Facebook, including those of the board, are merely advisory. As Hughes puts it,
quote, Mark alone can decide how to configure Facebook's algorithms to determine what people
see in their news feeds,
what privacy settings they can use, and even which messages get delivered.
He sets the rules for how to distinguish violent and incendiary speech from the merely offensive,
and he can choose to shut down a competitor by acquiring, blocking, or copying it.
It's a very long piece, but in essence Hughes argues that Facebook should be broken up under the Sherman Antitrust Act, the way Standard Oil was broken up at the turn of the 20th century, and the way AT&T was broken into the Baby Bells in January of 1984. This sort of market correction isn't all that Hughes advocates. He wants a number of other things too, including a U.S. privacy agency with the power not only to protect the privacy of individuals' data, but also to regulate their speech.
He acknowledges the First Amendment issues here,
but deals with them airily by assimilating speech
people view as hateful or harassing
to such exceptions to constitutional guarantees of free speech
as prohibitions against shouting fire in a crowded theater.
It's unlikely to be an easy case to make.
Indeed, Facebook, Google, and Twitter are already under considerable criticism
for what many perceive as ideological bias.
But in any case, Hughes wants the company broken up,
and he wants public servants and not corporations to lay down the guidelines for acceptable speech he sees as inevitable.
Hughes is not the only Facebook former insider to look upon their economic child with dismay.
Last month, one of the company's early investors, venture capitalist Roger McNamee, published
his book, Zucked, Waking Up to the Facebook Catastrophe.
McNamee, who not only provided funds but also served as a mentor to the young Mark Zuckerberg,
now feels that the social network's dependence on advertising was its original sin
and that it eventually became almost addictive,
pushing the most lurid content it could to keep users engaged and on the platform.
Facebook, needless to say, disagrees. They released a statement that reads, quote, Facebook accepts that with success comes accountability, but you don't enforce accountability by calling for the breakup of a successful American company. Accountability of tech companies can only be achieved through the painstaking introduction of new rules for the Internet. That is exactly what Mark Zuckerberg has called for, end quote.
That statement came from Nick Clegg, who you may remember from his career in British politics, and who is now Facebook's Vice President of Global Affairs and Communications.
So in essence, it seems, everybody wants more government oversight, and more government oversight everybody will no doubt get. That oversight will be international.
The French government has just announced its intention to introduce legislation that would create a duty of care for social media, with regulatory scrutiny and heavy fines for those
that permit objectionable content to cross their platforms.
For all of the attention Facebook has attracted lately, it does appear that the social network is on the right track in setting its face against what it calls inauthenticity, especially
coordinated inauthenticity, the kind of bot-herding and trolling the Russian government has so
vigorously deployed in its information operations around the world.
Those information operations are continuing in Ukraine, Kiev complains,
even though that country's elections have concluded.
Several significant legal actions have been announced.
Daniel Everett Hale, 31, of Nashville, Tennessee,
was arrested yesterday on U.S. federal charges of
obtaining and disclosing national defense information
and theft of government property. Hale worked as an intelligence analyst for the U.S. Air Force
and, after leaving the service, performed similar duties as a contractor for the National
Geospatial Agency. The government alleges that Hale provided highly classified information to
a reporter over a period of several years, beginning in 2013.
And you'll recall the very large Anthem breach of 2015, in which the health insurance company
was breached in an incident that affected the personal data of nearly 80 million people.
The U.S. Justice Department says it knows who's responsible, a highly sophisticated Chinese group.
Two Chinese nationals have been indicted,
Fujie Wang, also known as Dennis Wang,
and a John Doe who went by the names Daniel Jack, Kim Young, and Zhao Jinghong.
The indictment says they also breached three other U.S. companies.
The document calls these simply victim businesses 1, 2, and 3,
but it does identify them by sector,
respectively technology, basic materials and communications.
The defendants are of course still at large and in China, probably in Shenzhen,
and are unlikely to appear in a U.S. court unless Wanderlust takes them abroad.
We hear Vancouver's beautiful this time of year.
Come for the shopping and fishing, stay for the extradition hearing.
And joining me once again is Johannes Ullrich.
He's the Dean of Research for the SANS Institute,
and he's also the host of the ISC Stormcast podcast.
Johannes, it's great to have you back.
You've been tracking some malware that's been taking advantage of some tools from Google.
What's going on here?
Yeah, and what this malware is doing is it's written in Go or Golang.
That's a language that Google came out with.
It's a pretty neat language.
A lot of developers like it.
It's, I believe, sort of one of the top growing languages.
And what's really neat about it is it's very easy to write multi-threaded software.
It's also easy to write network connected software.
And in particular, the second part is, of course, something that malware authors like too. So we do actually see more and more malware being written in Go. And so what are the ramifications of that? Well, first of all, there aren't really a lot of tools to reverse this malware. So malware analysts are used to analyzing malware that's
sort of compiled Visual Basic.
So we have a lot of that stuff, of course, around and various C and C++ or.NET.
But so far, Go is sort of this odd language where it's really sort of hard to find good tools to reverse it.
Once you have the tools, it's actually not that difficult, not that much more difficult than other languages. But that's sort of part of it. The other consequence of it is that
this malware is actually pretty big because they have to deliver basically Go as well
as the malware. So they have to deliver a lot of additional libraries and such. But
oddly enough, that doesn't seem to hinder the distribution of this malware,
even though it's usually like several megabytes in size.
Now, what's the upside for the malware developers to be working in this environment?
For the developer, it's much easier to actually code all the different network components that you need.
And like connecting back to a command control server
or even setting up a server.
That's actually probably the biggest strength of Go
is it's very easy to write little servers.
That's also where the multi-threading comes in.
What this allows you to do is have one server
that responds to multiple connection requests
at the same time.
So if you want to write, let's say, an SSH server or a web server with a couple of lines of code, then Go is sort of the language, or the go-to language, to really use in these cases.
And so as always, I mean, in terms of folks protecting themselves here, what do you recommend?
Well, antivirus should catch up with this. Of course, they will not trigger just on Go itself, because that's a legitimate language, and you find a lot of legitimate software being coded in it as well. But, of course, as in the usual cat-and-mouse game with anti-malware, they have to get used to writing signatures for malware written in Go.
All right. Well, it's something to keep an eye on.
Johannes Ullrich, thanks for joining us.
The 12th Annual Verizon Data Breach Investigation Report
was released this week,
and my guest today is one of the report's co-authors.
Alex Pinto is head of Verizon Security Research.
So the DBIR is in its 12th year right now, right?
We're joking that it's going to be a teenager next year
and hope it doesn't give us too much trouble.
This year we're working with 73 different partners.
So take us through, what was your approach to this year's report?
The report kind of writes itself, right?
We're actually collecting the data,
and then the data will tell us what are the important subjects, what are the important
things that are happening that we should be talking about, right? And this year was no
exception. Really, most of the narrative that we can craft from this year's report has to do with
attackers going for not only what's easiest, but also what's more valuable for them, right?
So two of the most significant shifts that we saw, which in a way are headlining our key findings, are about C-level executives being more frequently breached by social attacks.
And by social attacks, I mean the biggest representative of those is phishing, because of the fact that, you know what, those individuals probably have the most valuable information, or hold the most interesting power to get whatever the evildoers want compromised, right? The BECs. We actually see things which go beyond email, which also, quote unquote, hey, can you please send me the money? And then for some reason, people just send the money, right? And yeah, I mean, it's sad, right? It speaks a lot to how much continuous vigilance is needed and how much work needs to be done on actually doing the proper security awareness work.
So it's interesting because that's kind of like bad news-ish as far as, oh, yeah, people are wiring money to strangers on request.
But on the other hand, we saw that the old practice of sending W-2s via email as well.
So people, instead of asking for money, they ask for, oh, can you give me the employee record
of such and such for tax return fraud
or things like that.
We saw it go significantly down, right?
We're not entirely sure why.
We asked all our contributors
that used to give us this data
and they said, no, no, it's really gone.
We haven't seen it anywhere.
So we're really believing that,
well, it happened a lot.
So people got smart with some policies in, right?
And it's not happening as much now.
And we can hope that by bringing awareness to the C-level and the business email account compromise,
this is also something that policy writers and security awareness folks can focus on.
What are some of the key take-homes for folks who are trying to plan out their own strategies?
What can they learn from this year's report?
So one of the other big shifts that we saw is around the use of the cloud, which again shouldn't be surprising anyone.
My take is that it looks like most of the people who haven't are starting to get the memo that they should be going to the cloud.
So there were two things that we saw a relatively sharp increase this year, right,
which is tied to cloud usage.
First of all is that we saw a three-times increase on compromises of cloud-based email accounts.
We're talking here about what we classify in the report as use of stolen credentials,
and this is a little bit of conjecture, right?
This doesn't mean that cloud-based emails are more insecure
than your traditional run-of-the-mill host them inside, right?
The on-prem solution.
But because they're always available, there's always the web option.
It just becomes easier, right?
It's a little bit more low-hanging fruit: if you have compromised some sort of credential, to try it over there, right? Most of the time the company itself is not monitoring, right? It will be the cloud provider that's monitoring, and they have to be a little bit permissive, at least if you're trying a few times. One other interesting shift in the cloud story,
this has been growing a little bit over the years, but there was another sharp increase this year on the number of records leaked through
misconfiguration of cloud-based storage. So think about your
favorite cloud-based platform as a service provider. They will have an option where you
can just post files online. Some people are leaving them open for public
consumption, right? And there's a lot we had. We tracked over
60 million different records of multiple sources, multiple organizations
that were leaked this way, just because someone failed to press the "keep this private" checkbox. This could potentially have been easily avoided, right? There was no work on anybody's part. There was no hacking, no zero-day, no nothing involved, just plain misconfiguration.
It was interesting to me reading through the report that it seemed as though cryptojacking had really fallen off the radar.
Is that accurate?
So, yes, it's important to understand the specifics around that statement, right?
Because we're specifically talking about malware, right?
So we don't have a measurement on websites hosting cryptojacking JavaScript.
We don't have a measure of, we do have, but it's not tracked there, of, oh, somebody's cloud-based
account was hijacked and somebody just spun up a bunch of servers and are mining your favorite
cryptocurrency there, right? We're specifically talking about malware whose functionality ties into crypto mining, right?
So a piece of malware is installed
and one of the things it does
is mine cryptocurrency for you, right?
And we saw that that just doesn't happen.
It's way more profitable.
It makes way more sense to just go
and put some ransomware in. It's way more profitable, so to speak.
Were there any surprises this year, things that popped up that you weren't expecting?
So the one that was most surprising was the
human resources story, right? We're not really used for things getting
in a way fixed so quickly, if you know what I mean. So the fact that
it really seems that this was a
trend and it was happening, and suddenly it's way less of a trend, right, gives us hope that
it's something that people are doing a good job. One of the other interesting ones,
not what's surprising in a good way, is some of the research that we've done with some of the
data that the FBI provided us, the FBI IC3,
which was specifically about the great work that they do on business email compromise return,
getting the money back. According to their data, over half of companies where they contacted, half of US-based organizations that contacted them,
can you assist us get the money back?
They were able to either retrieve or freeze 99% of that money for half of those companies. So it really ties into, well, something bad happened.
What should I do next?
It's really good to hear, surprising in a very good way, of how successful they have been in trying to counteract those kinds of attacks.
Well, I have to say my hat's off to you.
Not only is there a lot of interesting information in there,
it's actually a fun read, which you don't get to say about every report in this industry,
and lots of pop culture references and fun things like that throughout.
So congratulations to you and your team on a job well done.
Thank you. The team is really incredible.
The coaching that we have doing the report, some of those people have been with us since the beginning, right, for 12 years.
It's really fantastic to see.
It's a lot of work, I'm not going to lie, but it's really fantastic to see the report getting done,
how much care the team puts into making sure that not only it is a good report, right,
not only, like you said, it's fun to read, it's accessible, but that it's accurate.
And we can very clearly represent in a fair way and as correct as possible, right,
the data that those contributors have been providing us.
They're all volunteers, right?
Yeah.
And they provide us anonymized data to do this work.
If anyone who's listening, right, is interested about this, believe they have data that they could contribute, especially law enforcement, especially security vendors, please reach out to us.
We're not hard to find on Twitter.
We would love to work with you to make this report even better next year.
That is Alex Pinto.
He is one of the authors of the Verizon DBIR, the Data Breach Investigation Report for 2019.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.