CyberWire Daily - Daily: All your attack code are belong us. Guccifer 2.0 suddenly more fluent.
Episode Date: August 16, 2016
In today's podcast we learn about claims made by hackers calling themselves "the Shadow Brokers." They say they've pwned the Equation Group, and obtained NSA attack code which they're now selling for ...one million Bitcoin. Guccifer 2.0 gets a lot more polished and even leakier. A bogus QuadRooter patch is serving malware in Google's Play Store. Fidelis tells us about Vawtrak's evolution. Someone's watching the VeraCrypt audit. Iran looks into possible cyber causes of oil-and-gas facility fires. Fake Pokémon installers have trainers choosing ransomware. No more Pokéstops allowed in Germany's Flughafen. Vikram Sharma from Quintessence Labs outlines the challenges and opportunities of combining cutting edge science with market realities. Hardik Modi from Fidelis Cybersecurity explains changes they're tracking in the Vawtrak banking trojan. And British lawyers get a license to hunt hackers.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The shadow brokers say they've pwned the equation group and with it NSA attack code.
Guccifer 2.0 gets a lot more polished.
A bogus QuadRooter patch is serving malware in Google's Play Store.
Vawtrak's evolution.
Someone's watching the Veracrypt audit.
Iran looks into possible cyber-causes of oil and gas facility fires.
Fake Pokemon installers have trainers choosing ransomware.
No more Pokestops in the Flughafen.
And British lawyers get a license to hunt hackers.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, August 16, 2016.
A group calling itself the Shadow Brokers has placed files online they say they obtained by hacking the Equation Group,
widely believed to be associated with the US NSA. To review some history, Kaspersky Labs described
the Equation Group in February 2015. Most of the Equation Group's targets were reported to be in
Afghanistan, India, Iran, Mali, Pakistan, Russia, and Syria. The actor was believed to be associated with both Stuxnet and Flame.
Kaspersky was and remains circumspect about attribution,
but F-Secure has in the past offered the opinion
that Equation Group's firmware exploits were NSA products.
The shadow brokers offer what they characterize as NSA malware for 1 million Bitcoin,
about $568 million,
which is an outrageously high price.
The samples they posted strike researchers as interesting and even possibly genuine,
but analysts are a long way from reaching firm conclusions about either the shadow brokers
or the equation group, or indeed about the files in question.
The posted files don't appear, at least on quick inspection, to be recent.
Their date stamps are no later than 2012,
but of course that's not yet dispositive.
Date stamps can be manipulated.
Security researchers are looking closely at the files
and will be sharing their conclusions, insights, opinions, speculations,
and so on as the story develops.
The Shadow Brokers' blog was offline as of this morning,
but Hack Read captured some representative prose before it vanished.
We read it verbatim, but you will have to imaginatively supply the accent yourself.
Quote,
We follow Equation Group traffic.
We find Equation Group source range.
We hack Equation Group.
We find many, many Equation Group cyber weapons.
You see pictures.
We give you some Equation Group files free, you see.
This is good proof, no?
You enjoy.
You break many things.
You find many intrusions.
You write many words.
But not all.
We are auctioned the best files.
End quote.
So there you are.
The best files would have to be very good indeed to fetch the asking price.
The prose is noteworthy if only because it reads like a screenwriter's conception of the way a hacktivist would talk.
To fill out the scene, all that's needed is a figure in a hoodie crouched over a keyboard,
tapping vigorously and saying, I am in, or better yet, all your attack code are belong to us.
It's worth noting that another high-profile hacker, Guccifer 2.0,
now almost universally regarded as a Russian sock puppet vigorously waving a Romanian false flag,
has recently shifted his or her or their persona away from hacktivist and toward sophisticated
leaker. He or she or they has released more documents related to the compromise of U.S.
Democratic Party networks, specifically some belonging to the Democratic Congressional Campaign Committee.
As Motherboard notes, Guccifer 2.0 has evolved from a stage hacktivist, complete with broken
English, something between Ensign Chekov's dialect and that of the Hekawi tribe from
F Troop, into a polished, fluent leaker without any of the linguistic stigmata
earlier on display.
The FBI has expanded its inquiry into political season hacking as leaks show that many more
accounts were compromised than just a few at the Democratic National Committee.
Quadrooter might not be as much of a threat to Android users as some of the initial scare
stories made it out to be, but one fix is snake oil, and not only snake oil, but venomous snake oil at that.
Someone has posted a bogus QuadRooter patch in the Google Play Store.
Don't go there. It's malware.
One continuing threat that should be taken seriously is Vawtrak,
recently found in newly virulent forms out in the wild.
We spoke with Hardik Modi, Director of Threat
Research at Fidelis Cybersecurity. He told us what Fidelis has discovered about Vawtrak and
its most recent evolutions. So Vawtrak is a highly regarded banking trojan, which means essentially
when you have an infection, it's monitoring for access to mainly banking sites. For the victim, what it's doing is monitoring access to such sites,
and when it sees an access, it grabs the credentials from the browser.
So there's a web inject, and it looks in the browser,
sees that the credentials have been entered,
it captures a copy of that and transfers it up to the command and control server.
It's fairly trivial to go capture the user ID, the password,
get that to their central location,
and then after that they essentially wreak havoc by stealing money
and doing the thing that criminals do.
And so you all have been tracking the evolution of this,
and there's some changes that have happened recently that caught your attention.
That's right. The first of those updates is in how it discovers the
command and control infrastructure. In particular, what it has done is now introduced dynamically,
you know, domain generation algorithm, a DGA, into the code base so that it now, you know,
instead of trying to reach out to a specific site to conduct command and control, it walks through a dynamically generated list of domains,
you know, tries to connect to each one of them.
When it succeeds at a connection, you know, that's when it recognizes that there's active
command and control and it kind of proceeds from there.
So after it has a successful connection to the DGA kind of generated site, it downloads
a static configuration list of further domains to go connect to. So by doing this, the adversary
ensures that it is difficult for law enforcement and for researchers such as ourselves to go and
confiscate their infrastructure since it could be located at any of the domains that are generated
that are part of the list. The second change that we saw was that they've started using SSL
to encrypt communications to the command and control server. Now, this is mildly interesting,
but what really caught our attention was the fact that it actually checks the SSL certificate that
is returned from the server, and it knows what certificate to expect. And in instances where command and control,
maybe there's a man in the middle, an SSL interception that's been conducted either
through like authorized devices inside the enterprise or through maybe a researcher like
us kind of trying to use a fake network to look at the
traffic, it will recognize that this has occurred and it will actually cease communication at that
point, basically go to sleep and wait until the next attempt to retry the connection. And so in
this way, it can evade detection inside enterprise environments where somebody might be trying to
inspect the SSL traffic. This certificate checking is also known as certificate pinning, SSL pinning,
and it's the first time that we've seen SSL pinning in the context of a malware family in the crime domain.
That's Hardik Modi from Fidelis Cybersecurity.
They've got a blog post with more information on the Vawtrak Trojan online at threatgeek.com.
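The two Vawtrak changes Hardik Modi describes above, a domain generation algorithm for finding command and control and a pinned server certificate that makes the bot go quiet under TLS interception, are easier to reason about in code. The following is an added example written for this page; it is not code from Fidelis, from the threatgeek.com post, or from the malware itself. The DGA (a hash over a seed, the date and an index), the domains, the "certificates" (byte strings standing in for DER) and the offline resolver are all constructed for illustration and are not Vawtrak's real algorithm or infrastructure.

```python
"""Toy model of DGA-based C2 discovery plus certificate pinning.

Added example, not from the podcast or Fidelis. The DGA, domains, certificates
and resolver are constructed for illustration only.
"""
import datetime
import hashlib


def generate_domains(seed: bytes, day: datetime.date, count: int, tld: str = ".example") -> list:
    """Hypothetical DGA: candidate i = sha256(seed || date || i)[:12] + tld.

    A defender who recovers the seed from a sample can run this same loop to
    predict the day's candidates and register or sinkhole them ahead of the bot.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        domains.append(hashlib.sha256(material).hexdigest()[:12] + tld)
    return domains


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, the usual value a pin is compared against."""
    return hashlib.sha256(cert_der).hexdigest()


def discover_c2(domains, connect, expected_fingerprint):
    """Walk the candidate list the way the interview describes.

    connect(domain) stands in for a TLS handshake: it returns the DER
    certificate the server presented, or None if the domain does not resolve.
    Returns (domain, "connected") for the first reachable server whose
    certificate matches the pin, (domain, "sleep") if a reachable server
    presents a foreign certificate (interception or a researcher's fake
    network), or (None, "none") if no candidate answered.
    """
    for domain in domains:
        cert = connect(domain)
        if cert is None:
            continue  # unregistered candidate, try the next one
        if cert_fingerprint(cert) == expected_fingerprint:
            return domain, "connected"
        # Reachable, but the wrong certificate: something is sitting in the path.
        return domain, "sleep"
    return None, "none"


# Constructed sample data (not real seeds or certificates).
SEED = b"toy-family-seed"
DAY = datetime.date(2016, 8, 16)
REAL_C2_CERT = b"-- constructed DER bytes standing in for the operator's certificate --"
INTERCEPTOR_CERT = b"-- constructed DER bytes for an enterprise TLS inspection proxy --"
PINNED = cert_fingerprint(REAL_C2_CERT)


def make_resolver(live: dict):
    """Offline stand-in for DNS + TLS: live maps domain -> certificate presented there."""
    return lambda domain: live.get(domain)


def scenario_normal():
    """Only the fourth candidate is registered and it presents the pinned certificate."""
    domains = generate_domains(SEED, DAY, 8)
    return discover_c2(domains, make_resolver({domains[3]: REAL_C2_CERT}), PINNED)


def scenario_intercepted():
    """Same domain, but an inspection proxy re-signs the connection: the bot goes to sleep."""
    domains = generate_domains(SEED, DAY, 8)
    return discover_c2(domains, make_resolver({domains[3]: INTERCEPTOR_CERT}), PINNED)


if __name__ == "__main__":
    print(scenario_normal())       # (<4th domain>, 'connected')
    print(scenario_intercepted())  # (<4th domain>, 'sleep')
```

The "sleep" branch is the part worth noticing from the defender's side: a TLS inspection proxy does not see decrypted C2 traffic, it sees a client that completes a handshake, sends nothing, and drops the connection. That hang-up immediately after the handshake, repeated against a series of algorithmically generated names, is itself a usable detection signal.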
Parties unknown seem to be monitoring communications related to the ongoing VeraCrypt security audit.
The Open Source Technology Improvement Fund, OSTIF, says, quote, We have now had a total of four email messages disappear without a trace, stemming from multiple independent senders.
Not only have the emails not arrived,
but there is no trace of the emails in our sent folders. In the case of OSTIF, this is the Google
Apps business version of Gmail where these sent emails have disappeared. This suggests that outside
actors are attempting to listen in on and or interfere with the audit process, end quote.
OSTIF regards these attentions as a badge of honor along the lines of
if nation-states are interested, we must be doing something right, which is one way of looking at it.
Iranian authorities investigate the possibility of a cyber attack, or at least a SCADA failure,
in recent fires at oil and gas facilities. This seems so far, on the strength of sketchy
reports, to be a judgment of theoretical
possibility as opposed to one based on clear evidence. We're sure that you, like us, would
feel bereft if there were nothing about Pokemon Go and security news, but there are two stories
today. Bleeping Computer has found ransomware representing itself as a Pokemon Go installation
app, and German civil aviation authorities are trying
to get Pokestops removed from the secure areas of airports.
And finally, they may not be issuing letters of marque and reprisal, but London's Metropolitan
Police seem to have taken a step in that direction.
They'll be experimenting with a program in which they'll turn evidence of cybercrime
over to lawyers, encouraging them to sue the hackers.
The lawyers will be able to keep what they win.
This would remove some cybercrimes to the sphere of civil law.
So good hunting, solicitors, we guess.
But we're also surprised that the plaintiff's bar in the United Kingdom
needs encouragement to sue.
Maybe things are different over there?
And I'm joined once again by Dr. Vikram Sharma. He's the founder and CEO of Quintessence Labs.
They're one of our academic and research partners.
Dr. Sharma, I know you at Quintessence are kind of at the leading edge of blending cybersecurity with advanced physics,
with all of the work that you do with quantum technology.
And so tell me, what are some of the challenges and what are some of the opportunities
when you're right at that leading edge of both security and physics?
Yes, indeed.
The seed technology on which Quintessence Labs was founded
was some research that came out of the Australian National University
in the area of quantum key distribution.
The capability or the science was about harnessing some quantum effects on highly tuned lasers to transport encryption keys securely between two locations.
... of quantum key distribution, which was on an optical table, something like about six feet by three feet,
and translate this into a product that would operate in a commercial environment.
This certainly meant some further work on the science, but equally and perhaps even more so on the engineering side, as some of the capabilities and the techniques required to translate this science into product had to be developed for the first time in our labs.
... is to see that the science in and of itself was interesting and provide some unique capabilities,
but to develop products that would make sense for the market meant a blending of that science with conventional cybersecurity capabilities. The opportunity that we saw was to come up with a synthesis of key management capabilities
with the true random number generation coming from the quantum source.
All right, Dr. Vikram Sharma, thanks for joining us.
Thank you.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.