CyberWire Daily - Daily: Hacktivism or denial-&-deception? (Smart money's on D&D.) LizardStressor herds CCTV bots.
Episode Date: June 30, 2016
In today's podcast we hear about DarkOverlord and the data he's selling online. Guccifer 2.0 returns to blogging and says he's not working for the Russians, but CrowdStrike, ThreatConnect, and SecureWorks present evidence to suggest otherwise. Thomson Reuters says it's contained the World-Check database leak. Oculus' Twitter account is briefly hijacked (now restored to company control). Point-of-sale breach disclosures are confirmed. Why hackers hack when they do. Some governments' efforts to control information online seem to be having greater than expected success. Level 3's Dale Drew explains the seasonal nature of cyber attacks, and Cytegic's Dan Pastor offers his view on the recent SWIFT banking attacks.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
Is the dark overlord playing the media about stolen healthcare data?
Guccifer 2.0's story gets more complicated,
but the details aren't lending verisimilitude to what remains a bald and unconvincing narrative.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, June 30, 2016.
The dark web still has the purported millions of healthcare records for sale, but the purported hacker Dark Overlord has changed his barking in ways that lead Motherboard, for one, to
conclude that he's gaming the media,
and really interested in profiting by extortion,
as opposed to wholesale data sale.
I have a reputation with this handle now, says the Dark Overlord.
Another step accomplished.
Every time I put up a new listing, it gets reported without hesitation now.
There are suggestions that Mr. Overlord is posturing before the media in the
hopes of inducing victimized organizations to pay for the return of their data. And of course,
the quality and provenance of the data being offered in the real deal market remain largely
a matter of conjecture. After several days of silence, Guccifer 2.0 has resurfaced with a blog
entry deriding the many people who've attributed the DNC hack
to Russian intelligence services. He's even included a fact page. In brief, he (and Guccifer 2.0 specifically identifies himself as a man) calls the DNC hack a personal project and dismisses CrowdStrike as an outfit that would finger anyone as a Russian hacker.
Few seem to be buying this story, however.
Its details are hazy, and the romantic chatter about self-preservation and the need for anonymity strike most as unconvincing misdirection.
And of course, CrowdStrike isn't the only one who regards Guccifer 2.0 as a Russian sock puppet.
SecureWorks presents evidence that the DNC hack was one aspect of a comprehensive espionage campaign
against U.S. targets known to be of close interest to the Russian government.
ThreatConnect lays out the evidence available to its researchers and concludes that Guccifer
2.0 is a denial and deception operation, most probably mounted by Russian intelligence services.
Their evidence is admittedly circumstantial, but ThreatConnect's reasoning is interesting and worth a look.
You'll find a link to their treatment in today's CyberWire Daily News Brief.
And by the way, CrowdStrike isn't the only company Guccifer 2.0 names and dispatches.
He also rags Kaspersky, which he claims has deliberately created the myth about the almighty Russian hackers,
because it's good for business.
Kaspersky, of course, is Eugene Kaspersky's eponymous and very Russian security company. But as we say, what Guccifer 2.0 is
selling, few are buying. Researcher Chris Vickery reports that a 2014 version of Thomson Reuters'
widely used WorldCheck database of terrorist actors has leaked online. Thomson Reuters says
it's secured the third-party source of the leak.
We hear from Andrew Komarov, chief intelligence officer at InfoArmor,
who told us, quote,
upon review, the data appears likely to have been stolen
from one of WorldCheck's partners or customers
who is likely using it in their own operations, end quote.
WorldCheck, used for watchlisting and other purposes
by private and governmental organizations,
including banks and police forces,
is controversial for some of the people and organizations it includes as connected with terror.
Such watchlisting clearly has its uses in flagging potentially illicit transactions.
We've heard this week about another round of fraudulent SWIFT-related money transfers
affecting banks in Ukraine and Russia.
Today we hear from Cytegic expert Dan Pastor on how criminals can accomplish such fraud.
We've seen the rising trend not only in specific attacks on SWIFT, but in specific, dedicated, financially driven attacks on monetary value assets, such as bank accounts and specifically on financial transactions. Basically, what we were able to see is that this has been a trend that's been rising since the beginning of January 2016. While a lot of the industry might have been surprised about the quick rise in attacks on SWIFT in particular, we can actually show that it's been in the making for quite a while now.
If you use this trend analysis and look at it in a wider perspective, you can actually forecast these types of attacks and be better prepared for them in the future.
Pastor says these attacks coincide with a shift in availability of sophisticated attack tools.
Less capable attackers that in the past were not able to use highly sophisticated or advanced attack methods have now been able to get much more into it, due to what we call the trend of proliferation of advanced attack methods. There have been much more dedicated, focused, and sophisticated attacks, or attack methods, that have been used which in the past were only used by nation states or truly advanced attackers. You don't need to be a once-in-a-generation attacker or hacker in order to perform these advanced attacks. What you need to do is have sufficient funds and sufficient CPO, I guess, and you need to know what your targets are. So that's a very, very alarming and interesting trend we've been able to see, and you can see that actually coinciding with the attacks on SWIFT.
That's Dan Pastor from Cytegic.
Oculus, the California-based virtual reality company, hasn't appointed a new CEO. If you
follow them on Twitter, you may have heard that news, but it's a hoax. Instead, Oculus has become
the latest high-profile tech company to sustain a social media hijacking.
Their Twitter account is now back under company control.
The Internet of Things' potential to be exploited in distributed denial-of-service attacks has
been realized this week in the form of a large botnet of Internet-connected security cameras.
Lizard Squad's LizardStressor tool has been implicated in forming the botnet and herding the bots. Observers think this augurs more use of LizardStressor in DDoS attacks involving the IoT.
The fig leaf of security testing Lizard Squad had once draped over LizardStressor
has by now largely withered and dropped.
Its uses are by now pretty clearly criminal.
There's not even a plausibly grey hat claim to be made about it.
The Hard Rock Hotel and Casino in Las Vegas and the fast dining chain Noodles & Company
both confirm they've suffered data breaches that affect customer paycard information.
Brad Bussie of StealthBits Technologies tells us that this is a sign of the inability of legacy anti-malware approaches
to keep pace with emerging threats.
He notes that it's always a good idea to minimize your attack surface
and isolate inherently vulnerable point-of-sale systems.
Quote,
When you cut off the traditional methods of malware propagation,
the number of breaches will fall significantly.
End quote.
And Lastline's Craig Kensek gives Noodles props for being relatively transparent about the breach they suffered.
He does note that the duration of the breach at Noodles & Company, about six months, makes it difficult to notify all affected customers, and that so far Noodles has advised everyone to look over their card statements for anomalous charges. Since doing so is universally regarded as common-sense good practice whether or not a breach has been disclosed, this strikes Kensek as placing too much of the onus on the customers.
Quote, Target offered customers whose credit card or debit card info was compromised a free credit
watch service for a year. Noodles & Company may want to consider this for affected customers.
Turning to policy news, one of the concerns surrounding the Brexit referendum in the UK
is that anti-Brexit hacktivism will surge. Hacktivism in particular,
but other kinds of cyberattacks also, do seem to be keyed to events in the physical world,
including anniversaries, historically significant dates, holidays, seasons, and so on. We spoke with
Level 3's Dale Drew about the seasonal nature of cyberattacks. We'll hear from him after the break.
Finally, to end on an unfortunately downbeat note,
information may well want to be free,
but in some places it's being put pretty firmly in chains,
or at least under house arrest.
Russia is about to require, in a formal and legal way,
that software vendors backdoor their products and give keys to the government.
And observers note the retirement of Lu Wei, head of China's Central Leading Group for Cyberspace Affairs, the country's internet control authority.
Back in 2000, U.S. President Clinton
ironically wished the Chinese government
good luck in its efforts to control the web,
saying they might as well try to nail Jell-O to the wall.
Lu Wei seems to have succeeded in advancing what he would probably call internet sovereignty more than anyone expected.
Jell-O, meet wall.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and
ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. ThreatLocker gives you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today
to see how a default deny approach can keep your company safe and compliant.
Joining me once again is Dale Drew.
He's the chief security officer at Level 3 Communications.
We're leading into summertime here, at least in the Northern Hemisphere.
And I'm curious, do we see any shifts in the types of attacks that we see on a seasonal basis?
You know, we really do see shifts in seasonal activity. I would say at the end of the summer, there's a very large, very sharp increase in ransomware and classic computer attacks. Usually what happens is that college kids enjoy their summer, and when they come back, they want to show the botnet that they've amassed. And so we see a very large uptick in ransomware attacks at the end of the summer. Same thing with the end of the winter, around the end of December, beginning of January timeframe, that same uptick with the same activity occurs as well. So those attacks are very seasonal.
And so you're crediting that to college-age kids heading back to school?
You know, I would say for the most part, you know,
it's a bit of an assumption on our part,
and also based on some of the originating traffic that we've seen.
But, yeah, I'd say for the most part, at least the uptick,
we are attributing mostly to college kids coming back from school.
All right, summertime and the hacking is easy.
Dale Drew, thanks for joining us.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.