CyberWire Daily - Clouds, crooks, cheats, and cryptocurrencies. Vault7 leaks liaisonware. Rumors about FSB officers charged with treason. FBI arrests Chinese national in OPM hack. Extremism online flows more than it ebbs.

Episode Date: August 25, 2017

In today's podcast we hear about how the four C's have come together: clouds, crooks, cheats, and cryptocurrencies. Locky continues to circulate in evolved forms. WikiLeaks dumps some curious alleged liaisonware documents from Vault7. Russian sources report that FSB officers facing treason charges in Moscow may have given up some connected hackers to the Americans. The FBI makes an arrest in the OPM breach. The Daily Stormer is way offline, but ISIS and its parasitic slave-trading gangs are decidedly online. Dale Drew from Level 3 Communications with some threat intelligence on phishing and malware. Guest is Nicole Eagan, CEO of Darktrace. And another consequence of NotPetya seems to be a pet food shortage. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. Your patient data depends on incident response plans. Prepare with DeltaRisk's webinar. JHUISI & partner COMPASS Cyber present Cyber Security Conference for Executives on September 19th in Baltimore. Register for the event. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. The four Cs come together. Clouds, crooks, cheats, and cryptocurrencies. Locky continues to circulate in evolved forms. WikiLeaks dumps some curious alleged liaisonware documents from Vault 7.
Starting point is 00:02:09 Russian sources report that FSB officers facing treason charges in Moscow may have given up some connected hackers to the Americans. The FBI makes an arrest in the OPM breach. The Daily Stormer is way offline, but ISIS and its parasitic slave-trading gangs are decidedly online. And another consequence of NotPetya seems to be a pet food shortage. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, August 25, 2017. As the week comes to a close, there's been a kind of convergence of some large cyber themes,
Starting point is 00:02:46 the clouds, the crooks, the cheats, and the cryptocurrencies. Some criminals, security firm Trend Micro reports, are exploiting online games with malicious Chrome extensions, thereby stealing in-game currency. The malware takes cookies from running Roblox processes. Roblox is the popular massively multiplayer social media gaming platform, but it could be adapted to pull information from any website. If you install it, you're giving it a hunting license for your information. The malicious extension is available for sale in the Dream Market underground forum for the low, low price of just 99 cents. Trend Micro uses the occasion of their discovery to offer a useful reminder.
Starting point is 00:03:28 Quote, This is a good time to remember to always verify the permissions required before any Chrome extensions are installed. If you are unsure about these permissions, it's better not to install the extension in the first place. This particular malicious extension requires the read and change all your data on the websites you visit permission, which should be a hint of its malicious behavior. End quote.
Starting point is 00:03:51 A hint, like a hangover, is a hint you shouldn't drink so much. Why would someone want to steal in-game currency? To sell it to gamers, undercutting the prices charged by legitimate games. There's also the issue of cheating. Cheats, as gamers will tell you, offer an advantage over the sometimes difficult and frustrating rules of play.
Starting point is 00:04:13 Researchers at security company SentinelOne have discovered that some cheats for the popular Counter-Strike: Global Offensive game are installing cryptocurrency miners on victim machines. This particular miner goes after Monero, and it's called OSX.Pwnet.A. The miner is working for a guy who seems to go by the name of Finn. SentinelOne seems to be on to him. For one thing, they seem to be insinuating that the gentleman is a brony. Make of that what you will. Unwelcome cryptocurrency miners are being distributed in other ways, too.
Starting point is 00:04:50 Netskope Threat Labs has found the Zminer malware hosted in an Amazon S3 bucket. They say, the kill chain begins with the delivery of a drive-by downloader Zminer executable that downloads payloads from Amazon S3 cloud storage to a victim's machine and then uses the machine's computing resources to perform coin mining. They note that the miner helps ensure its own smooth operation by disabling Windows Defender on infected machines. And cryptocurrency wallets themselves are under attack. Researchers at Duo Security note that criminals are exploiting some of the weaker forms of two-factor authentication, notably SMS and email authentication,
Starting point is 00:05:26 to get into the wallets. They advise adopting more cryptographically secure forms of multi-factor authentication. Locky ransomware continues to circulate in its newly evolved forms. As always, the best advice to prepare for recovery should you be infected is to securely back up your files so you can be ready to resume work. Turning to espionage and conflict, WikiLeaks has resumed its leaks of alleged CIA documents from Vault 7. This week, the documents describe ExpressLane, unusual in that it appears to have targeted partner organizations, most of them U.S. organizations like the National Security Agency, the FBI, and the Department of Homeland Security. The program is alleged to have worked by requiring installation of a software update as a condition of doing business with Langley,
Starting point is 00:06:14 and, says WikiLeaks, those updates also installed backdoors. Russian sources are reporting the reason behind the arrest in December of last year of three men on charges of treason. Arrested were Deputy Head of Information Security Center, CDC, of the FSB, Sergei Mikhailov, and two associates. It's believed they were instrumental in giving up prominent wanted hackers to the CIA, which then presumably turned the information over to the FBI and U.S. Secret Service. The FBI has made an arrest in the OPM breach. The suspect is a Chinese national, Yu Pingan of Shanghai, who was picked up Monday when he arrived at Los Angeles International on his way to attend a conference in the U.S.
Starting point is 00:06:59 On Wednesday, he appeared before the federal court for the Southern District of California on charges of having written the Sakura malware believed to have been used by the Chinese government to accomplish the breach. Even as core territory in Iraq and Syria shrink to insignificance, ISIS posts a Spanish-language video promising to reconquer Al-Andalus, the Iberian Peninsula, lost to the Ummah in the 15th century. Another ISIS inspirational video receiving wide circulation purports to show a 10-year-old American boy threatening President Trump. ISIS killing has been a leading cause of the Middle Eastern refugee crisis, which has spawned human trafficking on a large scale.
Starting point is 00:07:40 Some traffickers, slave-trading gangs, as the Times of London calls them, are posting torture images to Facebook in an attempt to extort ransom money from their captives' families. These posts and the most recent wave of hacked celebrity pictures are inducing some observers, UN agencies among them, to ask why tech companies aren't addressing such incidents with the focus and alacrity they brought to booting the loathsome Daily Stormer from their services. Is the outrage selective, the decisions arbitrary, or is the problem simply more complex than it seems? And finally, turning to less unpleasant matters, there's another consequence of NotPetya in the UK: cat food shortages in London and the home counties. Mars subsidiary Royal Canin was affected, and deliveries of cat food have lagged, with some customers waiting two weeks.
Starting point is 00:08:32 Another Mars pet food brand, James Wellbeloved, is also thought to have been affected, but they're more in the dog food line, and there have been fewer complaints. Perhaps it's just that the dogs what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:09:28 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires
Starting point is 00:10:00 done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Starting point is 00:10:53 And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, welcome back. You have some updates for us, some new threat intelligence on phishing and malware.
Starting point is 00:11:53 What do you have to share with us today? So Level 3 maintains a threat intelligence system that monitors its global backbone and Internet traffic going through our backbone. its global backbone and internet traffic going through our backbone. And we see a pretty significant amount of total internet traffic that we sort of categorize and analyze for potential threats. We recently added industry data. So every IP address we analyze, we sort of build a behavior profile for it and categorize it on malicious or potential malicious activity. and categorize it on malicious or potential malicious activity.
Starting point is 00:12:30 And that's been pretty insightful for us to be able to identify bad actors on the network. But we recently added industry data to that to be able to get sort of early warning indicators about when people are attacking specific industries. And the trend data that we're starting to accumulate from that is pretty interesting. So I'll give you an example. We identified the top five industries that are getting hit with malware on a rolling average 30-day and phishing attacks. On the malware side, the five leading industries that are getting just clobbered with malware attacks are tech services. These are consulting firms that provide support for other organizations. Educational, so schools, colleges, and such. Manufacturing,
Starting point is 00:13:15 retail food services, retail trade, like your clothing stores and your hardware stores and so on. And then healthcare. We've seen this pretty consistently over the past 30 to 60 days. What we think it means is two things. We think it means that because we don't see a corresponding phishing attack associated with this. So we think that these industries tend to have more infrastructure exposable on the network and they're getting compromised via their exposed infrastructure. And they also have high-value targets, whether it's infrastructure or data. What about on the phishing side?
Starting point is 00:13:55 Yeah, and then on the phishing side, it's pretty much the same sorts of things. And I was pretty surprised by this as well. I would normally expect to see a pretty strong correlation between phishing and malware. And that just wasn't the case. And so what we saw in phishing is the top five industries were your information firms, your construction firms were number two, utilities, power was the top one, supply chain management. And so organizations that provide supply chain services to other companies. And then entertainment. This to us meant that they may not have as much public-facing infrastructure or have more secure public-facing infrastructure. So they're going
Starting point is 00:14:38 after the weaker link, which is the employees. They're sending emails to those employees in an attempt to gain unauthorized access to those systems, so they then have access to that enterprise. So again, our advice is, if you're in any one of those industries, educate your employees on phishing email. Do things like mark email as external when it comes from the public internet, and protect against phishing attacks. Was there anything on either of these lists that surprised you, I guess by not being on the list? Anything you expected to be there that didn't show up? You know, I expected more critical infrastructure organizations to be on these lists, frankly.
Starting point is 00:15:22 We've definitely seen a shift of the more sophisticated attacks, where the bad guys are targeting supply chain management, So supply chain was not a surprise to me, as well as targeting large pieces of infrastructure, DNS hosting, web hosting, telecommunications, power, transportation, and so on. And so going after that major piece of infrastructure so they either get access to confidential data, personally identifiable information, or capability with regards to the reach and scope of some of those global infrastructure providers. And didn't see a whole lot of that on the malware or even the phishing side with these. We did see attacks against utilities going fairly high, but not other infrastructure organizations that I would expect. All right. Interesting stuff as always. Dale Drew, thanks for joining us.
Starting point is 00:16:17 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Starting point is 00:17:02 My guest today is Nicole Egan. She's Chief Executive Officer at Darktrace, a fast-growing cybersecurity firm that in July of this year raised $75 million in a Series D round of funding. The company was founded in 2013 by former University of Cambridge mathematics and machine learning specialists, as well as intelligence experts from MI5 and GCHQ. When we started the company in 2013, we really felt that a different approach was necessary, and we took what I'd say is an inside-out view. So regardless of the attack vector, it doesn't matter if it's spear phishing, malware, or an APT,
Starting point is 00:17:43 the goal of the attacker is always to get inside the network. And so we felt if we could learn what was normal and not normal inside the network and then detect that which was unusual, that would change the dynamic and give companies and organizations a better shot at early threat detection. And so you all are really all in when it comes to artificial intelligence and machine learning. You know, if you walk around the show floor of any of the cybersecurity trade shows, there's no shortage of companies who are offering AI and ML, and to the point where I think it's hard for people to sort through it sometimes. What is your take? What is your approach to AI and ML?
Starting point is 00:18:31 Yes, as you said, we are absolutely all in when it comes to AI and ML. In fact, if you go back to 2013, I think we were one of the first companies to actually come out and really embrace machine learning for cyber defense. And there's a couple of really interesting ways that we use AI and ML. The first way we use it is we use unsupervised machine learning. So in other words, self-learning in real time inside a network, as opposed to other methods that might look at historical attack data, for example. So we're self-learning inside the network, no prior knowledge. And the way we use that machine learning is to understand the pattern of life of every user and every device inside the network. And we refer to that as working very much like the human immune system. So we call it the enterprise immune system.
Starting point is 00:19:17 Subsequently, we came up with another interesting use case, which was not only to use the machine learning to detect threats, but to autonomously respond to those threats. We rolled out a module called Antigena, which does basically do autonomous response. So in other words, even if it's an unknown attack that the security team has never seen before, or maybe it's something like ransomware, similar to WannaCry, that just moves at machine speed, the machine learning can automatically take action. Now, what was interesting as we rolled out that type of machine learning autonomous response is whether or not human security teams were really ready for it. And what we learned there is that in many cases, the human security experts wanted to see the recommendation,
Starting point is 00:20:07 the action that the artificial intelligence was recommending that it would take before it responded. So we've done a lot of work in actually adding what we call a human confirmation mode to the AI. The third way that we're using machine learning is really part of our R&D roadmap, and that is to actually have the supervised machine learning watching our world-class team of security experts, learning from them and figuring out how they actually investigate and research remediation steps. And so that's kind of the next phase that you'll see coming from Darktrade. Looking towards the horizon, that's kind of the next phase that you'll see coming from dark trade. Looking towards the horizon, what are some of the specific challenges that you think we're going to be facing in the immediate future? Things that perhaps we're not dealing with today?
Starting point is 00:20:56 I think one of the biggest challenges we see is IoT devices. I think a lot of enterprises we walk into underestimate the amount of IoT that's already in their environment. A lot of times, as IoT devices similar to shadow IT, no one's telling the IT or security team that they're bringing them in. We've seen everything from Internet-connected cappuccino makers. We even had an Internet-connected fish tank in a casino that was used as a jumping on point into the network to attempt to data. That's more common than you would think. In fact, when we drop dark trace into an average enterprise network, we usually see 20% to 30% more devices than the IT and security teams thought they had. And all of those things can be kind of the low-hanging fruit or a jumping
Starting point is 00:21:46 off point into the corporate network. I want to switch gears a little bit and talk about you and your executive team. Certainly at the size of the company that Darktrace is and the level that you are at, there are very few women holding chief executive officer positions at companies with the size and success of yours, but when I look at your executive team list, you have several women in high positions. I'm curious, for the women in the cybersecurity industry who are coming up through the ranks, do you have any advice for them? Do you have any words of wisdom from the things that you've learned on your journey to be the head of a successful company like Dark Trace? Yeah, we do, as you mentioned, have, actually, we have several women on our board of directors.
Starting point is 00:22:31 We have quite a few women at the executive level. And interestingly enough, throughout our company, we actually are a 50-50 split of men and women. a 50-50 split of men and women. And in many cases, those women are in positions in development, our mathematician group, our machine learning or deep learning team, you know, in addition to other roles across, you know, groups like sales, marketing, and others. So, you know, in terms of advice, pay attention to the company culture of the company you're joining. So if you're a recent college graduate and you're evaluating opportunities, you know, pay attention to the cultural issues. Ask the questions about the company culture. And as you did with Darktrade, take a look at the website and try to determine, you know, what are the most senior positions that
Starting point is 00:23:23 women have been able to achieve within that company and make sure that you have an environment where your mentors and your coaches may include, you know, a mix of both men and women. So I think that that's really an important criteria when women are starting in their career or even evaluating making a career change. That's Nicole Egan. She's the CEO at Dark Trace. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
Starting point is 00:24:30 With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Thank you.
