CyberWire Daily - Commodity credential stuffing gets four new collections. Google was also doing a pay-to-pwn, like Facebook. Russian trolling. FaceTime bug investigation. Joanap botnet. Other online scams.
Episode Date: January 31, 2019
In today's podcast, we hear that Collections #2 through #5 have joined Collection #1 in hacker fora. Google is found to be collecting data from devices in much the same way its advertising peer Facebook was. Russian trolls seek to discredit the Special Counsel's investigation of influence ops. New York State opens an investigation into Apple's response to the FaceTime bug. The US Department of Justice aims to disrupt a North Korean botnet. And a rundown of some current online scams. Mike Benjamin from CenturyLink with information on TheMoon botnet and how it targets websites. Guest is Lewie Dunsworth, CISO & Executive Vice President of Technical Operations at Herjavec Group, on projected increases in ransomware aimed at hospitals. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/January/CyberWire_2019_01_31.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Collections number two through number five join collection number one in hacker forums.
Google is found to be collecting data from devices in much the same way its advertising peer Facebook was.
Russian trolls seek to discredit the special counsel's investigation of influence ops.
New York State opens an investigation into Apple's response to the FaceTime bug.
The U.S. Department of Justice aims to disrupt a North Korean botnet and a rundown of some current online scams.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 31st, 2019.
You will recall Collection No. 1, the big aggregation of old breaches that was released earlier this month, to much discussion.
A great deal of the hype surrounding Collection No. 1 quickly came to be regarded as just that, hype,
since the material had been known to be out in the wild for some time.
Well, Collections No. 2 through No. 5 are now in circulation,
and Wired reports that the five datasets now include some 2.2 billion records.
That's even bigger, to be sure, but it's still much the same,
the result of old compromises.
This time, the usernames and passwords aren't being hawked in the dark web markets, where they've already, for the most part, been on offer.
Instead, they're being dumped into various hacker forums and shared in torrents.
How consequential this sort of information will prove to be remains to be seen.
Researchers at Germany's Hasso Plattner Institute told Wired
they'd seen signs that some of the combinations, a lot of them actually,
don't appear in common lists of hacked credentials,
which suggests to them that they may
have been harvested in little-known subsidiary attacks. In any case, you don't have to believe
that quantity has a quality all its own to find yourself troubled by the collections.
The principal risk here seems to be that of commodification. Collections number one through
number five are likely to make it possible for
poorly skilled skids to conduct low-end but still threatening credential stuffing attacks.
So don't reuse passwords, and change any of yours that might have been collected
in Collections No. 1 through No. 5. Don't underestimate the danger of compromised
accounts. They're always a problem.
A new report by Agari Research, for example,
estimates that one in five advanced email attacks were sent from compromised accounts.
Google has joined Facebook in acknowledging that it paid users to allow access to their phones, TechCrunch says.
What Mountain View was up to did indeed look a lot like what their Silicon Valley neighbors were doing with the Facebook Research app, TechCrunch says: paying users to sideload a VPN that gave Google comprehensive insight into essentially everything they were doing online.
As Fortune notes, Apple may be Facebook's toughest regulator.
Cupertino is not happy with what it takes, with some reason,
to be violations of its terms of service,
and that may count for more in the short term at any rate
than any legal or regulatory action from government bodies.
The Washington Post, The Telegraph, and Wired all observe that, public expressions of contrition
aside, Facebook seems to be shrugging off its string of bad news, at least in terms of the
results it reports, but big tech as a whole is increasingly looking like the steel industry
near the end of the Gilded Age.
While ransomware may have fallen off in prominence in 2018, there are some sectors where it's expected to increase over the next few years, and one of those is healthcare.
Hospitals, in particular, have a delicate balance to strike between effective cybersecurity
and not getting in the way of doctors, nurses, and caregivers.
Lewie Dunsworth is Chief Information Security Officer
and Executive Vice President of Technical Operations at Herjavec Group.
It really comes down to patient care, in my opinion.
You have a lot of doctors that are trying to provide care to their patients. And the priority to secure data, good, bad, indifferent,
is usually secondary. It's a delicate balance. I think it's the best way you can describe it.
And there's just natural friction between the two. Yeah, it's an interesting tension, isn't it? I
mean, because as you say, the doctors rightfully have the number one priority,
of course, of treating their patients and protecting lives and health and so forth. But
when a ransomware attack happens, then you've got that very same problem. When those systems go
down, that can be a threat to life and limb. Exactly. It's a chicken and the egg scenario, right? Which do you focus
on first? And I think it's that when you deal with security on a day-to-day basis, a lot of what you
deal with and what you know is very intuitive to you, meaning that that's the world that you live
in. You're trying to secure environments, et cetera. But on the flip side with a doctor,
what is very intuitive to them is how do you make sure that you're able to provide the appropriate level of
care to your patients? And I think to get them to understand, number one, what you're trying to do
and why you are trying to do it is counterintuitive to everything that they focus in on a daily basis. You almost become a salesman of sorts within these organizations to help them understand
that if you don't do X, Y, and Z, it's going to impact your ability to provide the appropriate
level of care to your patients.
And if you're in an environment that hasn't seen that type of breach activity before or been impacted in a negative way, it's very difficult for them to understand the potential impacts.
How do I develop a plan that I can show over time will improve the security posture of my environment?
I mean, as an example, you know, when I was at one point in time, I worked for Cerner, which is a very large healthcare IT provider across the globe.
And we had this Cerner Healthcare Leadership Program that as a process or part of the process of going through that program,
you had to physically go out on site and work in a provider's environment for a day, just so you could understand how they use
their systems, how they operate, the pain points they have, etc. And what you found was a few
different things that were very interesting. Number one, a lot of the frustration with the providers
were usually less about security and just the fact that you had to deal with technology.
So having to put stuff into a system that they didn't quite understand or wasn't intuitive to
them, all the way to, you know, being able to connect with a wireless device on a wireless
network that just wasn't as reliable as a pen and paper. And you layer security on top of that and you say,
okay, I'm going to put more restrictions on top of that
to protect the environment.
And they're at a point already where they're saying,
well, you're trying to protect an environment
that I can't even operate or function in right now,
or it's very difficult or painful for me
or whatever it may be.
So you flip the script to the point to where
you communicate in their terms. So the outcome that you're trying to get to is to prevent a
ransomware attack that would prevent them from being able to provide healthcare to their clients.
So once you start to articulate it in a way to them that is very patient focused, at that point in time, they kind of bring down the walls a little bit and start to want to understand more, you know, educate me more on what you're trying to do, et cetera.
And as soon as you get to that point and they're having that dialogue with you to help or to try and understand why you're doing what you're doing, at that point in time you know you have a small success
and you can at least push the bar forward.
The fundamentals are the same.
It's the approach and execution of how you enable an environment to be more secure.
That's Lewie Dunsworth from Herjavec Group.
With information operations, lies usually receive a bodyguard of truth.
Witness the story, as reported by the Washington Post,
of Russian claims that Special Counsel Mueller's office has been hacked.
That's the lie.
The truth that guards it is a set of documents
involving the Special Counsel's case against a Russian firm,
genuine documents that were obtained through regular legal disclosure
and not by hacking. The documents were altered and then released by a now-suspended Twitter account,
@HackingRedstone, which was also pushing memes associated with the well-known St. Petersburg
troll farm, the Internet Research Agency. The altered documents were released through proper
disclosure to counsel representing
Concord Management and Consulting, a firm owned by Yevgeny Prigozhin that's accused
of funding the Internet Research Agency.
The special counsel says the apparent intent of the documents release was to discredit
the investigation into Russian trolling.
The U.S. Department of Justice says that it's preparing to disrupt
North Korea's Joanap botnet and has the necessary court orders to do so. It will do so, the DOJ says,
by mapping the botnet and notifying its victims. The operation follows the indictment of North
Korean citizen Park Jin Hyok, whom the Justice Department identified last year as a member of the Pyongyang-backed
conspiracy to carry out computer intrusions using Brambul malware. Among Brambul's functions
was propagation of the Joanap botnet.
New York's Attorney General has announced that it's opening an investigation of Apple
for the company's alleged tardy reaction to the FaceTime bug.
This seems a bit starchy since it's not clear that Apple was really all that unreasonably tardy.
Sure, it took them a week, but on the other hand, it was a bit of a slanted disclosure.
Righteous disclosure, but a little outside the ordinary.
In any case, the Empire State is cutting Cupertino no slack.
New York issued a consumer alert on Monday
and has opened up a 1-800 line for any irate customers who wish to pile on. We'd be remiss
if we didn't point out the number of new ransomware and other mal-spam capers in circulation.
You can find links to stories about all of them in today's CyberWire Daily News Briefing,
which you can find at thecyberwire.com.
Here are some of them, in brief.
First, Altran Technologies has shuttered its network and applications
to protect its assets and its customers' data
after Altran was hit with a new variant of LockerGoga ransomware.
Sophos offers a close and instructive look at a bit player,
the niche ransomware strain Matrix.
If you're in Japan, watch out.
Love You malspam is getting a makeover for a campaign that's got Japan in its crosshairs.
ESET warns that Love You has been distributing GandCrab ransomware and the Phorpiex worm,
malware that will change system settings and, of course, a cryptojacker.
TrickBot is out and about again.
My Online Security reports that it's being distributed by spam
that misrepresents itself as a JPMorgan Chase confirmation notice.
And finally, those YouTube stars are back, but this time it's really not their fault.
Grifters, posing as people with lots of
YouTube followers, are offering bogus reward scams that hoodwinked about 70,000 victims in less than
a month. Security firm RiskIQ reports that followers of Philip DeFranco, James Charles,
and Jeffree Star, you know who you are, received direct messages inviting them to claim their reward. Those who did,
did to their sorrow. If you're tempted, remember, you're probably better off investing in lottery
scratch-offs.
And joining me once again is Mike Benjamin.
He's the Senior Director of Threat Research at CenturyLink.
Mike, great to have you back.
We wanted to touch on another one of the botnets that you all are keeping track of.
This one is called The Moon.
What do we need to know about this one?
Yeah, thanks, Dave. So The Moon is particularly interesting because it's following a trend that we're seeing towards targeting websites.
And so the moon is, from an infection perspective,
it is installing itself on IoT devices, embedded Linux devices.
Big shocker.
We're seeing a lot of malware families out there doing that. But in this case, the actor is targeting those
because their goal is to deliver a SOCKS proxy
that they can use against valid websites.
And what better way to hide yourself
from a major website operator than actually proxy the attack commands through a real user
in a real home? That's a great way to hide yourself as an actor. And so the, like I said,
embedded Linux targeted malware installs itself, downloads a module, which is really a SOCKS proxy. And the SOCKS proxy is then used to allow things, and I'll describe more of what I mean in a second, to proxy
through the tens or hundreds of thousands of infected hosts to carry out what they're seeking.
When you say things, what are you describing here?
We have seen the actor behind this actually selling their service to other
people. And so the actor has sold it to people that we've seen trying to brute force credentials
on certain websites, you know, very popular ones that we've all heard of and all use on a daily
basis. We've also seen it using the SOCKS proxy footprint to validate leaked credentials,
phished credentials, credential reuse.
And so by sending hundreds of thousands of login attempts, they can actually clean a data set to discern what can be used against a particular target website.
But one of the more fascinating ones that we saw was that the actor had sold their SOCKS proxy service to a video ad fraud network. And so the actor who was buying the SOCKS service was actually using it to click on video ads in an automated fashion. And the way
we knew that was by analyzing the network data that we utilize, we were able to see a particular
host that was interacting with a ton of the SOCKS proxies. And so in investigating it, we saw that
it had an open port where the ad
fraud network was actually logging in real time, in plain text, with no authentication,
all of the fraud that they were committing. Every log of every event there for the world to see.
And so by taking that data set and its logs and looking at our SOCKS proxy network, we were able
to see that they were using almost the entire network for their ad fraud. And so the actor is selling it for multiple things. That's fascinating. And so in terms of
folks protecting themselves against this, what are your recommendations? So it goes back to,
unfortunately, the basic blocking and tackling of security. And I say unfortunately, because
we've all known this for, in some cases, 20 years. Don't deploy equipment with default usernames and passwords.
Make sure you stay up on patches.
Don't expose services you don't need to.
Minimize the attack surface.
And so just like any other IoT attack, those are the primary vectors.
They are known exploits.
They are known default configurations.
Most of these attackers are not doing anything particularly advanced.
From time to time, they are.
But it is typically pretty simple to remove and eradicate the infection if they were to do anything,
because very quickly through the volume of their attack, folks like ourselves are able to share with the Internet community what's going on and describe what the attack vector is,
and the vendors are able to patch their equipment pretty quickly.
Yeah, and it really strikes me with so many of these botnets that it's really, you know, it's volume, volume, volume. Absolutely. And if you think in this case,
the ability to send more login attempts from more places means they can obfuscate and hide
themselves over a longer time period, especially if they're able to be calm and be very patient
in their attacks. In many cases, the folks at the other end of this,
those that are attempting to eradicate it on the website end,
this is a very hard area to work on.
We know that because through the data sets we have,
we've worked with multiple of them.
This is something that they're left battling every day right now
and is a very common attack against their websites.
All right.
Well, Mike Benjamin, thanks for the update and thanks for joining us.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
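The credential-stuffing pattern discussed in the Collections story and in the Mike Benjamin segment above (a leaked credential set being validated by spraying login attempts through many residential proxies) is easier to catch from the account side than from the source side. The following is an added example, not part of the CyberWire episode and not code from any of its guests or their companies. It shows why: each proxy makes only one or two attempts, so a per-IP failure threshold sees nothing, while one username failing from many distinct sources within a short window stands out. The log format, the thresholds, and the sample log lines are all constructed for this example; real authentication logs will need their own parser.

```python
"""Detect distributed credential stuffing from the account side.

Added example (not from the CyberWire episode or its guests). Log
format, thresholds and sample data are assumptions constructed here.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re
from typing import Dict, Iterable, Optional, Set

# Assumed log format, constructed for this example:
#   2019-01-31T10:00:01Z auth result=fail user=alice src=198.51.100.10
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: alice is sprayed from six residential-looking IPs and
# then logged into successfully; bob is a real user mistyping twice from one
# IP; carol fails three times from three IPs hours apart; dave is one stray.
SAMPLE_LOG = """
2019-01-31T10:00:01Z auth result=fail user=alice src=198.51.100.10
2019-01-31T10:00:45Z auth result=fail user=alice src=198.51.100.23
2019-01-31T10:01:30Z auth result=fail user=alice src=203.0.113.7
2019-01-31T10:02:10Z auth result=fail user=alice src=203.0.113.44
2019-01-31T10:03:05Z auth result=fail user=alice src=192.0.2.88
2019-01-31T10:04:00Z auth result=fail user=alice src=192.0.2.120
2019-01-31T10:04:51Z auth result=ok user=alice src=198.51.100.77
2019-01-31T10:00:20Z auth result=fail user=bob src=192.0.2.5
2019-01-31T10:00:35Z auth result=fail user=bob src=192.0.2.5
2019-01-31T10:00:50Z auth result=ok user=bob src=192.0.2.5
2019-01-31T08:00:00Z auth result=fail user=carol src=203.0.113.1
2019-01-31T11:00:00Z auth result=fail user=carol src=203.0.113.2
2019-01-31T14:00:00Z auth result=fail user=carol src=203.0.113.3
2019-01-31T10:01:00Z auth result=fail user=dave src=203.0.113.7
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    result: str
    user: str
    src: str


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return AuthEvent(ts, m["result"], m["user"], m["src"])


def attempts_per_source(lines: Iterable[str]) -> Counter:
    """Source-side view: total login attempts per IP (what per-IP rate limits see)."""
    counts: Counter = Counter()
    for e in map(parse_line, lines):
        if e is not None:
            counts[e.src] += 1
    return counts


def detect_stuffing(
    lines: Iterable[str],
    window: timedelta = timedelta(minutes=10),
    min_sources: int = 5,
    min_fail_ratio: float = 0.75,
) -> Dict[str, Set[str]]:
    """Account-side view: for each user, slide a time window over their events
    and flag the user when failures within one window come from at least
    `min_sources` distinct IPs and make up at least `min_fail_ratio` of the
    attempts. Returns {user: set of failing source IPs}. A success inside a
    flagged window is not a reason to relax: it may be the attacker's hit."""
    events = [e for e in map(parse_line, lines) if e is not None]
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    flagged: Dict[str, Set[str]] = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            fails = [e for e in win if e.result == "fail"]
            fail_srcs = {e.src for e in fails}
            if len(fail_srcs) >= min_sources and len(fails) / len(win) >= min_fail_ratio:
                flagged.setdefault(user, set()).update(fail_srcs)
    return flagged


if __name__ == "__main__":
    for user, srcs in detect_stuffing(SAMPLE_LINES).items():
        print(f"{user}: {len(srcs)} distinct failing sources -> {sorted(srcs)}")
    print("busiest single source:", attempts_per_source(SAMPLE_LINES).most_common(1)[0])
```

On the sample, only alice is flagged, and none of the IPs used against her made more than two attempts in total, so a per-IP threshold of even three failures would have passed the whole campaign. The thresholds are starting points to tune against your own baseline of shared-IP users (corporate NAT, mobile carriers) before acting on a hit.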