CyberWire Daily - Brokerages in Taiwan face DDoS extortion. Polish banks hit in watering hole attack. Cyber vigilantes. Information operations. ShadowBrokers update?
Episode Date: February 7, 2017. In today's podcast, we hear about brokerages in Taiwan being extorted with threats of DDoS. Polish banks compromised in a watering hole campaign. Criminals turn from JavaScript to less obviously suspicious kinds of files. Cyber vigilantes poke at unsecured printers and dark web hosting. China ratchets up its efforts to control its Internet. The US shares classified intelligence on Russian influence operations with European allies, and works on its own information operations capability. Dale Drew from Level 3 Communications takes note of the increase in ransomware. Rami Essaid from Distil Networks describes efforts to combat ticket scalping bots. And a former NSA contractor will probably face espionage charges related to the ShadowBrokers. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
Brokerages in Taiwan threatened with DDoS.
Polish banks compromised in watering hole campaign.
Cyber vigilantes poke at unsecured printers and dark web hosting.
China ratchets up its effort to control its Internet.
The U.S. shares classified intelligence on Russian influence operations with European allies
and works on its own information operations capability.
And a former NSA contractor will probably face espionage charges related to the Shadow Brokers.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, February 7, 2017.
Authorities in Taiwan are investigating extortion threats made against five brokerages.
The extortionists, who claim to represent the Armada Collective, a group that's been active elsewhere, say they'll subject the brokerages to distributed denial-of-service attacks if they're not paid some $9,700. The brokerages haven't paid.
The Armada Collective has been observed intermittently at least since October 2015, with much of the research on the criminal group being done by DDoS protection shops Cloudflare and Akamai. Many of their earlier attacks have been largely bluffs, and the group has never come close to mounting the one terabyte per second attack traffic they claimed.
Whether this group is the familiar Armada Collective or not, the Taiwanese shops are wise to have refused payment. Other earlier victims have been too easily spooked. Payments totaling more than $100,000 have been observed headed for the Armada Collective.
Several Polish banks suffered a malicious JavaScript infestation after employees innocently visited the Financial Supervisory Authority, a Polish government regulatory agency.
The infection could lead to installation of a remote-access Trojan.
Polish media are generally attributing the incident to a foreign intelligence service,
read, of course, Russia,
but many observers aren't so sure
and believe this could have been the work of a criminal gang instead.
Sometimes it's difficult to make the distinction.
It doesn't appear that any depositors' accounts were looted.
We heard from High-Tech Bridge's CEO Ilia Kolochenko,
who tells us that this is another example of hackers finding creative ways
to compromise financial institutions, and not just in Poland either.
Quote,
We should expect that cybercriminals will find more creative and reliable ways
to compromise their victims.
Trustworthy websites, such as governmental ones,
represent great value for cybercriminals,
even if they don't host any sensitive or confidential data.
In this case, we note the compromised government website
was useful as a watering hole to infect visitors.
The use of JavaScript in the Polish attacks is becoming something of an outlier. It's not that JavaScript has become noticeably more secure, but rather that criminals are turning to file types less likely to arouse suspicion. Researchers at Microsoft and Intel Security find attacks increasingly based on LNK and SVG attachments.
Cyber vigilantes have been at work recently.
One of them, who goes by the nom-de-hack Stackoverflowin,
has caused vulnerable networked printers to push out old-style ASCII art
and what looks like a picture of Frankenstein's monster,
and the warning that the printer had been roped into a botnet.
Stackoverflowin, who claims to be a secondary school student in the UK,
has said, according to CSO Magazine, that there really isn't a botnet; he's just trying to raise awareness of vulnerabilities.
Young master Stackoverflowin, we think, is skating on thin legal ice.
On Friday, another vigilante, this one unnamed, compromised, doxed, and defaced Freedom Hosting 2.
Freedom Hosting 2 is a dark web service that caters to people who wish to have an anonymously hosted site
accessible through Tor, but who lack the know-how to set one up.
The hacker claimed to have found large quantities
of illicit information in Freedom Hosting 2.
Does this sound familiar?
Your favorite band announces tour dates,
and you sit by your computer ready to buy tickets
the moment they become available online. And in what seems like nanoseconds after they go on sale, boom, they're
sold out. Or at best, you may be able to get a seat in the nosebleed section. Well, those tickets
were probably scooped up by bots. And recently, Congress tried to crack down on ticket buying bots.
We spoke with Rami Asad from Distill Networks for the details.
The Bots Act is a new piece of legislation that was introduced in Congress and passed through both chambers and was signed. And the point of it was to eliminate ticket scalping online. People like Lin-Manuel, who is the of Hamilton and, you know, a lot of different artists were getting tired of ticket scalpers making more money on their shows than they were. And at the same time, consumers felt like they couldn't afford to go to shows anymore, whether it's a concert like Taylor Swift or a play. The ticket industry, there was so much demand that middlemen were coming in, buying up tickets and marking them up significantly. So Congress got involved to pass a law that said it was illegal to buy tickets using bots.
Ticket scalping has been a thing forever, right, before we even had the Internet.
But when you had one person that was going to go manually and buy the tickets and then manually stand outside and sell them, it was manageable.
Now that you have bots and you buy and sell these tickets online, the scale at which these scalpers are operating made it really hard to manage and made it improbable that real users and fans are going to get the tickets at a fair price.
And so the Bots Act said we can fine you up to an X amount per ticket that you buy if you use bots.
In New York, there was state legislation that said we can even send you to jail for it.
And so is the act in effect and is it having any success?
It is in effect. It is not having any success that we've seen.
They have not prosecuted anybody under this act.
Now, the New York Act, the state attorney has prosecuted some people under that.
So there was some significance there.
But I think it was like whack-a-mole.
One company gets squashed down and another one springs up.
We haven't seen it really make a big difference in online ticket sales and resales and scalping.
We're seeing it be just as prevalent as ever before.
How can they protect themselves against these kinds of attacks?
Well, there's companies like us, and I don't mean to just pitch us,
there's several companies out there that have realized that this needs to be a purpose-built solution
and offer a product or a service to help companies mitigate bots.
This problem has gotten enough awareness that there are competing solutions out there
to help companies solve this problem.
And without giving away too much of your secret sauce,
what are the things that you look for to identify that something is indeed a bot?
Well, we have a multi-layered approach. We fingerprint every connection coming in, any device coming in, and based off of tracking every device, we look at the behavior and we say, we profile a website using machine learning and identify what normal user behavior looks like and find anomalies to that. At the end of the day, the bad guys, what they're doing is spoofing each of these different signals, and we've layered in dozens and dozens of signals to hopefully find one that they have not spoofed, which allows us to then identify them as potentially malicious.
That's Rami Essaid from Distil Networks.
China continues its long march toward exerting national control over its internet,
establishing an interdepartmental authority that will check and vet internet hardware and services.
Foreign observers see this as both a means of social control and, arguably more importantly,
an anti-competitive regime designed to freeze foreign businesses out of the Chinese market.
Chinese authorities say no, the latest measures are designed to remedy the disordered development they say the country's Internet services have exhibited.
As fears of election hacking and influence operations rise in Europe,
the United States moves to share intelligence developed during the last election cycle
with officials in France, Germany, the Netherlands and Norway.
The intelligence being shared includes the classified version of the U.S.
intelligence community's investigation of Russia's information operations.
The U.S. is also said to be preparing its own information operations capability to be
wielded by the State Department's Global Engagement Center.
Yesterday, the U.S. House of Representatives passed by voice vote email privacy legislation
that would restrict law enforcement access to stored emails.
And finally, Hal Martin, the former NSA contractor arrested when investigators allegedly found very large troves of highly classified material at his Glen Burnie, Maryland home, will probably be charged with espionage.
Martin's lawyers have portrayed him as a zealous patriot who took material home to study so he could do a better job at the agency.
But prosecutors are said to be seeing a significant overlap between what Martin is alleged to have taken and the NSA tools purveyed by the Shadow Brokers.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch 24, only on Disney+.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and compliant.
Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications.
Dale, you all are seeing a big uptick in ransomware, yes?
We are seeing an explosion in ransomware. Ransomware is becoming probably one of the more popular mechanisms of bad guys getting quick cash as well as wreaking havoc against their victims.
And is this the old adage of why do you rob banks? That's where the money is?
That's exactly right. And it's loading malware on your machine that will record your keystrokes to get access to your bank password or your credit card numbers.
But ransomware is probably the most express way for bad guys to get access to quick money right now is because not only do they load malware the same way that they load malware traditionally.
You get an email, you click on it, and that malware is loaded on your system,
but they encrypt critical files relatively rapidly,
and then they ask you for a ransom to unencrypt it.
And once a user pays, we've seen situations where the bad guy will then ask for another ransom
because now he knows what your tolerance levels are.
And then when the bad guy gets as much money as he possibly can, in a lot of cases, the bad guy does not provide the password to unencrypt.
And, you know, we see conflicting stories about that.
I see reports where many people are paying the ransomware.
Some of them do get their files back.
And yet law enforcement is pretty much in agreement that you shouldn't pay the ransom.
Yeah, and I'd say it's twofold.
I'd say we see a lot of password recovery happening on the consumer side more than we're seeing it on the business side.
But more importantly, the primary reason that you hear from law enforcement and from industry not to pay ransom is because when you pay ransom, you're also placed on a list of people who will pay ransom. And that's the same thing for people who pay ransomware for DDoS. Once a particular bad guy has realized all of the money that he'll be able to make on you from a ransomware perspective, he's able to sell your name to a list of people who pay ransom for other bad guys to find out what your tolerance level is for future ransom.
So keep those backups up to date.
Yeah, the most effective measure in protecting against ransomware is to back up your systems. Patch your systems so you cannot be susceptible to malware in the first place. But no matter what, back up your systems on either a USB drive or a cloud provider so that if your files are encrypted, you can easily wipe your system and reload your backup.
Dale Drew, thanks for joining us.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Thank you.