CyberWire Daily - Carbanak gang is back. GhostAdmin works on data theft. Trolling security researchers. M&A notes. Pardons, commutations, and extraditions.

Episode Date: January 18, 2017

Carbanak is back, and in the cloud. GhostAdmin quietly assembles a few good bots. Malware writers troll security researchers on VirusTotal. Oracle issues a big patch; Apple is said to be preparing a smaller one. M&A activity is in the news. Australia investigates fallout from the Yahoo! breaches. Experts warn European election officials and politicians to be on the lookout for Bears. Rick Howard from Palo Alto Networks seeks a unified theory of security. David Bianco from Sqrrl offers advice on threat hunting. And US President Obama issues some pardons and commutations: General Cartwright and Private Manning are on the list. Not so Mr. Snowden.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Carbanak is back and in the cloud. GhostAdmin quietly assembles a few good bots. Malware writers troll security researchers on VirusTotal. Oracle issues a big patch.
Starting point is 00:02:07 Apple is said to be preparing a smaller one. M&A activity is in the news. Australia investigates fallout from the Yahoo breaches. Experts warn European election officials and politicians to be on the lookout for bears. And U.S. President Obama issues some pardons and commutations. General Cartwright and Private Manning are on the list. Not so, Mr. Snowden. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, January 18, 2017.
Starting point is 00:02:39 Some developments in cybercrime appear at midweek. The Carbanak financial fraud gang is back, and according to Forcepoint researchers, it's quietly hiding its command and control within legitimate Google services. The malware is embedded in a trojanized rich text file, typically delivered as an image which the victim is invited to open with a double click. Upon doing so, VBScript malware executes. Once established, it sends and receives commands via Google Apps Script, Google Sheets, and Google Forms services. Traffic to these legitimate
Starting point is 00:03:13 services is unlikely to trip warnings, and so lends stealth to the criminal campaign. Carbanak hoods, working mostly from Russia, Ukraine, and China, are interested for the most part in stealing data and credentials from financial institutions, which they subsequently employ in fraud. Some estimates place their cumulative take at around a billion dollars. Its use of cloud services strikes many analysts as disturbing. There's also some new bot-herding malware out and about. Unlike the well-known Mirai malware, this code, called GhostAdmin, isn't targeting
Starting point is 00:03:47 the Internet of Things, nor is it optimized for distributed denial-of-service attacks. Instead, it enables remote execution of commands on infected machines and aims at data theft and exfiltration. MalwareHunterTeam has described GhostAdmin to Bleeping Computer; the researchers regard it as a descendant of the older CrimeScene malware. Bleeping Computer has an interesting account of how malware authors are trolling security researchers on VirusTotal. In addition to conventional abusive trolling and defamation, they're also voting malware samples harmless. The object of their wrath is the aforementioned MalwareHunterTeam, who've been at work, of course, on GhostAdmin.
Starting point is 00:04:30 Bravo to the researchers at MalwareHunterTeam. May they prevail over the trolls. In patch news, Oracle has released its first quarterly security update of the year, and it's large. Some 270 patches will keep Oracle admins busy and gainfully employed. And Apple is said by Threatpost to be working on patches for vulnerabilities in iTunes and the App Store, disclosed Monday by Vulnerability Labs. The Yahoo breaches may or may not have soured the deal with Verizon, which as far as we've heard is still proceeding, but they are
Starting point is 00:05:04 receiving attention from investigators in Australia. Prime Minister Turnbull has ordered an inquiry into the effects of those breaches on members of his government. Many organizations consider threat hunting a critical part of their cybersecurity strategy, going after malware that their automated systems may have missed. We checked in with David Bianco from Sqrrl, a cleverly named company that specializes in threat hunting, for his take. Some people think that hunting is actually the end goal, like finding the bad guys is the end goal of hunting, which makes perfect sense, but I think is actually not true.
Starting point is 00:05:41 The reason that I recommend organizations do hunting is not so that they can really find bad guys in their network. It's actually so that they can drive the automation to be better at finding bad guys. They find new ways to discover security incidents that they're concerned about, and then they automate those ways. If you think about it, that makes even a lot more sense because you don't want to tie up the human analysts doing the same hunts over and over. So you find a useful hunt and maybe you found something that really was actually malicious data exfiltration. You said, great, this technique works and I want to be able to run it every day, every week, however often. But you don't necessarily want to tie up a human's time doing all that. So the correct thing to do with
Starting point is 00:06:32 that then would be to create more of an automated analytic that you can run on a schedule and review the outputs rather than having spent somebody's time to do the data searching and the analysis technique manually, you automate all that. And so that frees up your hunters to go and create new and different hypotheses or work on new and different or improved analysis techniques so that they can further their automated detections effectiveness. My main advice when it comes to getting started with threat hunting is don't be afraid to start small and build on that. You can get benefits from hunting with not even having a dedicated hunting team, just having some people doing it on a part-time basis. The more organization and strategy you can bring into the process, the better that you will be.
Starting point is 00:07:29 But it doesn't mean that if you don't have a fully mature hunting team right off the bat, that you shouldn't bother doing it. You definitely should do hunting to the level that you're capable of doing now and build on that over time so that you can build up that level of maturity. That's David Bianco from Sqrrl. In other news involving mergers and acquisitions, Bitdefender has bought French security partner Profil, and Kudelski is acquiring M&S Technologies. Microsoft has announced its purchase of natural language processing shop Maluuba,
Starting point is 00:08:09 and Hewlett-Packard Enterprise is buying hyper-convergence vendor SimpliVity. French security agencies warn that country's politicians to expect unwelcome attention in cyberspace. Eugene Kaspersky is delivering a similar message, telling the World Economic Forum to expect a range of cyber attacks during Europe's 2017 elections. He expects this threat to grow worse and worse, and says that candidates in German and French elections particularly should expect attacks and take steps now to upgrade their security. Kaspersky declines to offer any attribution of the famous attacks on U.S. political targets. Attribution, he says, is tricky, and his company wasn't asked to perform it in any case.
Starting point is 00:08:48 The prime animal of interest in the threat to elections, of course, remains Fancy Bear, of DNC hack fame. That's, roughly speaking, the conclusion of researchers at ThreatConnect, CrowdStrike, and FireEye. U.S. President Obama, in his last week in office, pardons former Marine General Cartwright for his conviction of lying to investigators looking into Stuxnet leaks. He also commutes the sentence of Private Manning, convicted of giving classified information to WikiLeaks. Note that this form of clemency is a commutation, not a pardon. Manning will leave
Starting point is 00:09:23 prison in May after serving seven years of a 35-year sentence. The pardon and commutation both receive decidedly mixed reviews. It's unclear whether WikiLeaks' Julian Assange will honor his pledge to accept extradition to the U.S. in the event of Manning's release. Some sources are saying yes, others no. Assange is currently under investigation by U.S. authorities. Absent from the list of pardons is one for Edward Snowden,
Starting point is 00:09:50 former contractor at NSA and current resident of Moscow. Mr. Snowden did send a congratulatory shout-out in private Manning's direction. In any case, the Russian foreign minister has said that Mr. Snowden's temporary residency permit would be extended for a few of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now?
Starting point is 00:10:47 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews,
Starting point is 00:11:20 and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel,
Starting point is 00:12:08 Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
Starting point is 00:12:34 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Joining me once again is Rick Howard. He's the CSO at Palo Alto Networks. He also heads up their Unit 42 Threat Intel team. Rick, you all have a white paper that you published. It's called First Principles for Network Defenders,
Starting point is 00:13:13 a Unified Theory for Security Practitioners. That sounds pretty serious. Sounds like there might be a lot of math in there. Yeah, I'm sorry. But I will tell you that there is no math. I just point to it a lot. What's the paper about? Well, I got inspired by this.
Starting point is 00:13:29 I was reading Elon Musk's biography last summer. And regardless of what you think of Mr. Musk, whether you love him or hate him, one thing you can say about him is he doesn't go after little bitty problems. He goes after these giant, hairy, big problems that nobody wants to touch, you know, the electric car, solar panels, you know, put a person on Mars by 2025.
Starting point is 00:13:52 And his philosophy on dealing with these problems is he doesn't want to take the next incremental step of what everybody else has done. He takes a blank whiteboard and says, okay, or we're going to do this. We're going to figure out how to do it from scratch, and we're going to understand everything from the ground up about how to do this. So in other words, he's a first principle thinker. So having been inspired by all that, I said, I wonder what the first principles for network defenders are, and that's how we started down this path with this white paper. And so what did you discover? What are security's first principles? Well, I mean, I'm looking, I'm thinking about it and I got a blank whiteboard now and I'm looking around. I don't want to do what anybody else has done. I'm saying, well,
Starting point is 00:14:32 what is the thing? If I boil everything down to what I should be doing, if I give you the elevator pitch of what our security organization does, we do a gazillion things and every network defender in their day job does a gazillion things. But if you could boil it down to what is the essential thing, the atomic thing that we do, and what would you say that is? And the conclusion I came up with is our job is to prevent material impact to our organization. And that sounds really simple, okay? But when you think about all the things that we do and how we get distracted with, you know, kind of bright, shiny objects every day, it helps to focus on those things. Because every organization faces many, many kinds of attacks. I would say not, you know, 70% of them are material to the business. So, for example,
Starting point is 00:15:22 if somebody defaces my commercial website, yeah, that's embarrassing to me, but it's not going to be material to my company. A more lucrative or more material impact would be someone stealing our intellectual property. That's the thing I'm going to get fired for. So I think we should focus on those kinds of things. And that would be the first principle, I think, going forward. If your website was defaced, certainly there would be people in the organization, you know, screaming that we're having reputational damage and things like that. They absolutely would. Okay. And yes, in some organizations that might be a major disaster. In some organizations, it might not
Starting point is 00:15:58 have any influence at all. I'm just saying you have to decide what is material to your organization and focus on those things. And kind of you'd still have to deal with the other stuff, but I wouldn't put it in the top first priority queue. All right. Rick Howard, the white paper is First Principles for Network Defenders, a Unified Theory for Security Practitioners. Check it out. Thanks for joining us. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:16:35 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire.
Starting point is 00:17:12 We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
