CyberWire Daily - Charlottesville hacking. Operation #LeakTheAnalyst. Dissatisfied customer calls ShadowBrokers a "ripoff." More HBO leaks. Google purging SonicSpy. Collusion attacks. Marcus Hutchins in court.

Episode Date: August 14, 2017

In today's podcast, we hear about online reactions and hacks in response to the Charlottesville rioting and homicide. Operation #LeakTheAnalyst releases another, smaller, set of documents. The ShadowBrokers get some poor customer reviews for their Exploit-of-the-Month Club. Reputation matters in the dark web souks. More HBO leaks (but no new messages). Google ejects SonicSpy-infected apps from the Play Store. Oxford researchers describe Android library collusion attacks. Robert M. Lee from Dragos on recent incursions into the Irish and UK power grids. And fellow security researchers can't believe Marcus Hutchins would wittingly do what the Feds accuse him of. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. Your patient data depends on incident response plans. Prepare with DeltaRisk's webinar. Domain Tools leverages both human and machine intelligence to expose malicious infrastructure. Learn more in their white paper.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Analyst releases another, smaller set of documents. The Shadow Brokers get some poor customer service reviews for their Exploit of the Month Club. Reputation matters in dark web markets. Google ejects SonicSpy-infected apps from the Play Store. More HBO leaks, but no new messages.
Starting point is 00:02:17 Oxford researchers describe Android library collusion attacks. And fellow security researchers can't believe Marcus Hutchins would wittingly do what the Feds accuse him of. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, August 14, 2017. The weekend's sad riot and homicide in Charlottesville, Virginia, reverberate in social media with outing of rioters and so on. Anonymous has protested the neo-Nazi rally that prompted the disturbance. They did so with a distributed denial of service attack against Charlottesville municipal websites
Starting point is 00:02:57 in what they're calling Operation Domestic Terrorism, which seems wayward in its choice of target since the Charlottesville city government certainly had nothing to do with welcoming or encouraging neo-Nazis. GoDaddy has ejected the Daily Stormer from its hosting service, telling the neo-brownshirt site to find itself another place on the web. The hackers working the Leak the Analyst campaign, afflicting minor pain on FireEye, released another small cache of material, only a fraction of which alludes to the company. Motherboard puts the total size of the dump at just 3 megabytes, but the hackers represent it as an expose that FireEye's account of the incident is hooey. The hackers' diction has grown more shadowbrokerish, although in fairness the brokers are in general less obscene.
Starting point is 00:03:48 They explained on Pacebin, quote, There's a bit more, including a motto, In Black Hats We Trust, some reviews of various journalists who've covered the campaign, mixed reviews, but more thumbs down than thumbs up, and in a kind of credit reel, the hackers give special thanks to APT28 and the Shadow Brokers. APT28, of course, is the group also known as Fancy Bear, by consensus, Russia's GRU Military Intelligence Agency. FireEye most recently reported on APT28 in a blog post last week
Starting point is 00:04:26 in which they outlined the group's operations against hotel Wi-Fi systems in Europe and the Middle East. Their conclusions, among others, noted APT28's use of EternalBlue exploits to propagate spyware across hospitality networks. EternalBlue is the equation group code leaked this spring by the shadow brokers. FireEye is investigating this latest round of doxing operation Leak the Analyst. Their response is expected soon. Speaking of the shadow brokers, they themselves haven't been heard from much so far this month, but of course it's still early. They should resurface with the approach of September, but their wares are getting some poor reviews on Steemit.
Starting point is 00:05:06 A rip-off, one dissatisfied customer writes with dismissive disgust. His review pertains to the June Exploit of the Month delivery. The shadow brokers ripped me off. I paid 500 XMR for their Wine of the Month Club, and only they sent me a single tool that already requires me to have a box exploited. A tool, not even an exploit. The tool also looks to be old, and not close to what the shadow brokers said could be in their subscription service.
Starting point is 00:05:33 So there you go. Caveat emptor. Spend your money elsewhere, kids. The brokers may not really need all that cryptocurrency anyway. Whatever wolf tickets they may be passing out on dark web markets. If the shadow brokers were seriously in the money-making business, which they actually may be, all appearances to the contrary and unlikely as that seems, they might be concerned about the low degree of customer satisfaction such reviews might indicate. A team of sociologists' study concludes,
Starting point is 00:06:02 in illegal markets, reputation is everything. Negative reviews in dark web markets may be one way of hitting otherwise inaccessible dealers. The research, which is being reported in the Journal of Quantitative Criminology, looked at illicit transactions in opioids conducted over dark net marketplaces. The transactions involved 57 sellers and just over 700 buyers. First-time buyers, and those were 82% of the buyers over the course of the six-month study, were found to value the sellers' trustworthiness, as measured by the uncertain yardsticks of buyer reviews and scores,
Starting point is 00:06:39 even more than they valued a bargain. So reputation in the dark web equivalent of Yelp mattered more than low prices. There's some suggestion that law enforcement might seek to manipulate ratings to disrupt illegal markets. It's an open question whether buyers of malware or cyber attack services are motivated in the same ways opioid buyers are. The question seems worth asking. Mr. Smith has leaked more stolen HBO material. No Game of Thrones this time, but episodes from Ballers, Barry, Curb Your Enthusiasm, Insecure, Latino Shorts, Room 104, and The Deuce. There are also some apparent HBO internal documents in the leak.
Starting point is 00:07:18 Unlike the first two rounds of HBO leaks, there were no boasts, demands, or other special messages from Mr. Smith. Google has purged a number of Sonic spy-infected apps from the Play Store. Researchers at the security firm Lookout last week reported finding about a thousand such infestations, and cleanup proceeds. Oxford University researchers are describing collusion attacks in a proof-of-concept that shows Android libraries could be exploited to reveal data to unauthorized services when libraries are shared among several apps. In industry news, two startups announced new funding. Wicker has raised $8.8 million, Dragos $10 million.
Starting point is 00:08:01 And finally, Marcus Hutchins, the accidental hero of the WannaCry kill switch, is due to appear in a Milwaukee court today. Hutchins continues to receive widespread support among security researchers, mostly on the ground that those who know him, and a lot of people do, simply can't believe he'd wittingly and intentionally be involved with the sale and distribution of the Kronos banking trojan. the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security,
Starting point is 00:09:08 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:09:23 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:09:45 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn
Starting point is 00:10:18 as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:11:21 And joining me once again is Robert M. Lee. He's the CEO at Dragos. There was a recent incursion into some Irish and UK power grids. But there was some particularly interesting details about these attacks. So what can you tell us about that? Yeah, absolutely. So the intrusions that were reported specifically talked about intrusions into the power companies themselves. We don't know if it made it into the industrial control system environments yet, which would give us even more pause. But there was discussion about targeting the integration firms, the engineering firms. And
Starting point is 00:11:52 as we talked about last time, that is the type of information that we don't want to see stolen because it could help adversaries potentially move into a stage two type ICS attack. What that really means to sort of break that down further is in the industrial control system environments, these are very weird and different environments than IT. They're very different from each other as well. There's no real ICS community. There's all sorts of little sub communities inside of that. And one substation of the power grid compared to another substation, even of the same company in that same region, could be vastly different, not only in vendors, but integration and physical equipment
Starting point is 00:12:30 and physical process and how they're producing or distributing electricity. And so for an adversary to really do disruption or damage inside one of these environments, they've got to capture the understanding of that specific industrial process they're going after. Scalability is possible, as we saw with the crash override case in Ukraine 2016, but it's not trivial. And the more you scale it, the less disruptive or damaging it's going to be by resource expenditure. So going back to this third-party concept, it's important for industrial asset owners and the community members to understand some of the most sensitive information about their industrial environments aren't contained in the ICS itself.
Starting point is 00:13:11 Your IT networks probably have very sensitive information around how you're using the ICS, like billing and how you identify how much power you're distributing to your local neighborhoods or how many cookies you're pulling off the manufacturing line. But at the same time, your integration firms and engineering firms and third-party folks have all your technical details around how the network was built. So if you combine the IT knowledge that has some ICS impact in it, you combine the integration in these third-party firms, and you combine what's going on inside the ICS and what's sort of ground truth,
Starting point is 00:13:43 with those three data sources, you could start designing some attacks. So I usually recommend to folks for those third-party assessments, really the ITOT piece, you just got to get that bridge built inside your own organization. But for those third-party sources, that's where we need to start seeing things like better service level agreements and an understanding that if breaches occur in an integration or engineering firm, that their customers need to be immediately notified. And they should already have good forensic practices set up in their environment to understand what was taken and who might be at risk. All right. Interesting stuff. Robert M. Lee, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge
Starting point is 00:14:29 it's a necessity that's why we're thrilled to partner with threat locker the cyber security solution trusted by businesses worldwide threat locker is a full suite of solutions designed to give you total control stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:15:46 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
