CyberWire Daily - Cyberespionage in South Asia. NHS hack confirmed as ransomware. Notes on Hancitor. WireX Android botnet taken down. Fat-fingering BGP. Topical phishbait.

Episode Date: August 29, 2017

In today's podcast, we hear reports of cyberespionage against both India and Pakistan; some unknown third nation-state is said to be responsible. NHS Lanarkshire hack confirmed as ransomware. Notes on Hancitor malware. WireX Android DDoS botnet discovered and taken down by an industry consortium. BGP fumble hit Japan's Internet, not hackers. Hurricane Harvey and Game of Thrones phishbait in circulation. Justin Harvey from Accenture on open source threat intelligence. Avi Reichental from XponentialWorks on security issues with implantable data devices. And no, not that GPS. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. Check out & subscribe to Recorded Future's free intel daily. We read it every day. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. JHUISI & partner COMPASS Cyber present Cyber Security Conference for Executives on September 19th in Baltimore. Register for the event.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Reports of cyber espionage against both India and Pakistan. Notes on Hancitor malware. The WireX Android DDoS botnet is discovered and taken down by an industry consortium. A BGP fumble hit Japan's internet, not hackers.
Starting point is 00:02:11 Hurricane Harvey and Game of Thrones phishbait are in circulation. And no, not that GPS. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, August 29, 2017. Symantec reports that sites in India and Pakistan have been the targets of a sustained cyber espionage campaign using Ehdoor spyware. The spying goes at least as far back as October 2016 and seems to have focused on collecting information on regional security matters. Symantec says the campaign looks like the work of a single nation-state, but it doesn't specify which one.
Starting point is 00:02:53 Other observers note that India has been experiencing a heightened state of tension with China, but that's merely an indicator, and doesn't rise even to the level of circumstantial evidence. The spyware was installed via a phishing campaign. The phishbait used represented itself as links to stories on South Asian security matters, maliciously altered reports from Reuters, The Hindu and Zee News. The stories covered military affairs, issues surrounding Kashmir, and news of Indian secession movements. These topics would be of interest to targets in both India and Pakistan.
Starting point is 00:03:29 Since both countries were targeted, it seems likely the threat actor represented some third nation. Some observers are reminded of the back doors installed in an earlier espionage campaign mounted against Qatar. Those back doors were known as SpyNote and Revokery. They're different from Ehdoor, but they worked in a similar fashion. The NHS Lanarkshire attack has been confirmed as ransomware. It's not WannaCry, but exactly which ransomware variant hit the NHS systems remains unclear. Healthcare services continue to experience interruptions in parts of Scotland, with patients asked to defer non-urgent care and some operations cancelled.
Starting point is 00:04:09 Observers note that ransomware is playing an increasingly important role in attacks intended to disrupt as well as extort. For now, this incident seems motivated by extortion, but the story is still developing. Cylance research on Hancitor exposes how the malware's three-step exploitation of low-level Windows vulnerabilities enables it to accomplish its work. Hancitor is being used by the Man1 threat group. It's distributed in maliciously crafted macros contained in Microsoft Word documents. Man1, whoever they are, don't use commodity malware, and Hancitor was put together with some care. Recently, there was a good bit of hubbub surrounding a Wisconsin tech company's
Starting point is 00:04:52 decision to give employees the option of using an implantable RFID chip to allow building access and to purchase food at work. Some feared ubiquitous tracking, while others see an inevitable shift toward a more effortlessly connected future. Avi Reichental is CEO at XponentialWorks, a venture investment, advisory and product development company with a focus on connected devices, and he offers his perspective. The reality is we are going to become more connected. We are already, I mean, we have the most rudimentary human-to-machine interface today that puts our brain online. We call it a smartphone or a cell phone. Rudimentary in the sense that we need to use fingers and eyes to put our brains online. One can see very rapidly the advent of more sophisticated human-to-machine interfaces that would put our brains online. ... of entertainment without the unintended consequences of losing privacy, losing identity, losing safety,
Starting point is 00:06:10 and basically being violated as a human being in the sacred space that is you. And yet time and time again we've seen, even with social media, that people seem to be remarkably willing to trade privacy for convenience. That's how we see now that the rate and pace of technological disruption and convergence far exceeds the ability of society to comprehend and think through it and completely outstrips the capacity of our legislative and regulatory bodies, governing bodies, to not only comprehend, but to put the proper checks and balances in place. And so where do you see those different forces converging? I think first and foremost, we really need to remember that companies that are introducing this incredibly powerful yet invasive technology have a responsibility to make it as safe as possible and have a responsibility, Dave, to also educate the users and the various legislative and regulatory bodies
Starting point is 00:07:43 about all of the amazing applications, but also about all the unintended consequences. I think that it's particularly when the companies that are enabling the technology have the deep pockets to do it. And then, of course, we need to think of how to disrupt government as we know it, in a good sense, good disruption that begins to make our legislative bodies and law enforcement and regulatory bodies more tech savvy and part of the conversation from the get-go, not from a point of view of fear,
Starting point is 00:08:20 intimidation, but to embrace technology. Technology is here to stay. Technology on the whole creates a lot more good than bad. But in every new chapter of technological advancements, we have just as many capable, smart people working on the bad side of it than the good. That's Avi Reichental from XponentialWorks. Collaborative work by several security companies appears to have contained an Android distributed denial-of-service botnet. WireX was detected on August 17th, hitting hospitality, adult and gambling sites as well as some domain registrars.
Starting point is 00:09:04 The botnet was disabled by Akamai, Cloudflare, Flashpoint, Google, Oracle, RiskIQ, and Team Cymru. So bravo to them all, but beware. The appearance of an Android DDoS botnet is a relatively novel phenomenon and bears watching going forward. Phishbait currently chumming the internet attracts both the noble, that would be Hurricane Harvey relief scams, and the base, that would be bogus Game of Thrones unreleased episode come-ons. So unfortunately, you'll have to take care before you donate to hurricane relief efforts in Houston.
Starting point is 00:09:43 By all means give, but don't trust the begging emails. And Game of Thrones, well, if you're bent on streaming pirated video, you're on your own, and you've been warned. A BGP fumble, that's Border Gateway Protocol, briefly shut down Japan's internet last Friday. The outage lasted a couple of hours, but threw a scare into authorities as well as ordinary Janes and Joes. The Register characterizes it as being caused by someone fat-thumbing a Border Gateway Protocol advertisement. And finally, to return for a moment to Scotland, you may have found some of the
Starting point is 00:10:17 coverage of the NHS Lanarkshire ransomware confusing, as it reported global positioning system hacking. Some headlines even called out global positioning system outages. Be reassured, that seems to have been verbal confusion. The GPS that's known to have sustained disruption was general practice surgeries, not global positioning system. Americans in particular may have been puzzled by the acronym, unless, of course, they watched Doc Martin on BBC America, in which case it made perfect sense.
Starting point is 00:10:56 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:11:34 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:12:11 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts
Starting point is 00:12:43 take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:13:21 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, welcome back. You know, we talk a lot about threat intelligence, and today you wanted to take us through some things that teams can use when it comes to open-source threat intelligence.
Starting point is 00:14:01 Yes. The principle behind open open source threat intelligence? Yes, the principle behind open source threat intelligence monitoring is to harness the collective power of the internet, I guess, or the globe of all of these security researchers out there. There's a big parallel between the war or the battle that we are fighting on the cyber level and real world war or kinetic warfare. And with kinetic warfare, there's an intelligence component, people in the ground, people in the air, analysts back in intelligence centers that are essentially synthesizing in real time all of the
Starting point is 00:14:40 battlefield data. In the cyber arena, we still have to fight the same war. Just like with kinetic warfare, we have a battlefield, we have real adversaries, and we have threat intelligence. The only difference is every company cannot afford or they're not able to have a threat intelligence component. So one of the things that many organizations are doing, they are leveraging the collective power and knowledge of the open source. And the best way to pipeline and to analyze that information or collect that information is to utilize Twitter. And the unique thing about Twitter is that all of the security researchers, all of the companies like Accenture, and even many organizations that have been hit by cyber attacks
Starting point is 00:15:25 are sharing that data. And it's not just tactical threat intelligence, it's not just indicators that you need to know to grab to put into your systems, it's also strategic threat intelligence. So it's the tactics, the techniques, the procedures that the adversaries are using. We're also using open source intelligence monitoring to see emerging attacks. So as soon as we heard about WannaCry, as soon as we were hearing about Petya, NotPetya, we were starting to see all of the reports coming in via Twitter. Now, clearly, you still need to have someone on your team. Typically, it's one or two people that are curating that information and seeing if it's relevant or actionable by your organization. But as with emerging cyber attacks around malware and destructive malware, ransomware, whatever, you can also get ahead of zero days. So
Starting point is 00:16:19 even if a zero day has been announced, there's still a period of time between when the zero day is announced and there's a vendor patch. And being able to know about that vulnerability or cyber attack much earlier in the process, so those precious hours and or days could really make the big difference between whether your environment is taken completely down or whether you're able to survive it. All right. Interesting information as always. Justin Harvey, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:17:05 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
Starting point is 00:18:02 Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
