CyberWire Daily - Daily: Influence online, from jihad to kawaii. Cybercrime. Industry updates.
Episode Date: July 19, 2016
In today's podcast we hear about the doxing of a major ISIS forum, and we take a look at the state of play with respect to online information operations in the war with ISIS. We ask whether jihad and kawaii offer contrasting case studies of inspiration. In Turkey, did coup plotters (who might have known better) overlook the Internet? DDoS campaigns rise against governments, companies, and games. A researcher shows how 2FA and account recovery capabilities can be subverted for fraud. Malicious Excel macros are out in the wild. So are the Cknife web shell, as described to us by Recorded Future's Levi Gundert, and the venerable Enfal malware family. Joe Carrigan reminds us why we should be using two-factor authentication. We look at some recent venture investments.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
DDoS campaigns rise against governments, companies, and games.
Turning two-factor authentication toward fraud.
Malicious Excel macros.
The story of the Cknife web shell.
Enfal malware stays relevant after all these years.
And some trends in security investment.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, July 19, 2016.
A prominent ISIS web forum administrator has had his online correspondence hacked and two years of it dumped on Pastebin, Motherboard reports.
The content includes recruitment information and communication with forum members.
A Flashpoint researcher observes that
the myth of a highly secure jihadi underground is exactly that.
It's a myth.
The material that's been released is thought to be sufficiently interesting
to the intelligence services of the civilized world
that the forum participants have some grounds to worry.
Some of the correspondence was encrypted with ISIS's homebrew version of PGP.
The forum went down shortly after the doxing, under repair.
The relative lack of security found in jihadist online operations should be unsurprising.
ISIS, whatever its larger long-term aspirations and woofing about its technical chops,
has long concentrated on the Internet as a place for information operations,
specifically for the sort of inspiration that would draw recruits and prompt independent attacks.
The pack leaders essentially are howling at the lone wolves.
More sad indications of the success such inspiration appears to be having may be seen in the case
of the Afghan teenager who attacked train passengers near Würzburg, Germany, with an axe,
and in evidence French authorities say they have that the man who murdered Bastille Day
holidaymakers in Nice was much taken up with searching online for information about the Orlando massacre.
German police officials caution against jumping to conclusions about the Würzburg attack.
On the other hand, an ISIS flag was found in the attacker's apartment,
and ISIS itself hasn't been shy about claiming the boy as one of its soldiers.
Postmortems on whatever it was that happened last weekend in Turkey conclude that the coup plotters' central error was failure to take down the Internet.
How they might actually have done so, analysts tend to leave as an exercise for their readers,
apart from some hand-waving in the direction of DDoS.
Shutting down the internet is easier said than done, and again, ironically,
Turkish citizens during the Erdogan era have grown fairly adept at circumventing blocks to their access to social media.
It would seem to be particularly difficult to do this under the time pressure of a coup d'etat.
Ars Technica reports that one of the plotters is alleged to have been a Turkish army colonel regarded as an expert in cyber operations.
Considering distributed denial of service attacks, compare ones suffered this week by Philippine government websites.
The attacks are widely held to be the work of Chinese security services, acting against their country's rival
for control of territorial or international waters in the South China Sea.
Symantec has reported banking malware concealed in Excel macros,
a new wrinkle on distribution of malicious code.
There's also some fresh news on a long-used family of espionage tools popular in China.
Recorded Future has been looking at a dangerous web shell they're calling Cknife.
We spoke with Recorded Future expert Levi Gundert about the threat.
In this case, we actually alerted on some of the technologies that were mentioned in a Chinese
forum post. And because we do natural language processing in Chinese and Russian and a lot of
other foreign languages, we're able to detect these sorts of events. And so this event for
Cknife came through because of references to things like ASPX and PHP and so forth and so on.
And so it was very interesting when we dug into it, because the first reference we had to it was actually in December of 2015.
We hadn't internally caught it until this alert fired in March, and that was about the same time that Cknife had been posted to GitHub.
But it was all done in Chinese.
So the only chatter about this particular web shell was in Chinese forums, Chinese-speaking forums.
The Cknife exploit uses a programming technique called a web shell.
I asked Gundert to explain the technology.
The term web shell is probably a little bit more confusing than what it is.
It's really just a file that's giving an adversary access to the underlying operating system or shell.
It doesn't have to be malicious. It could be something that's benign or helpful.
But essentially what it is, is just a file that sits on a web server, and that file is essentially some sort of code.
So generally speaking, these files that get placed on web servers are only used by actors and adversaries with malicious intent.
And what they're doing is they're remotely calling these files on the web server to do things like access a database, upload additional tool sets, or just maintain persistence on the web server while they map other parts of the network.
There's so many different ways to leverage a web shell,
limited by the creativity of the individual using it.
There's a well-known Chinese exploit called China Chopper,
and the creators of Cknife describe it with nationalistic pride
as a cross-platform evolution of China Chopper.
China Chopper was built for Windows only, and so if you were going to install the controller,
so the controller connects to that file on the web server, that controller was only built for Windows.
It's a portable executable, versus Cknife, which is built in Java.
So I've run it on Linux, and it runs on Windows, it runs on Mac, so it's completely cross-platform compatible.
Levi Gundert says they haven't spotted Cknife in the wild yet,
and he offers some advice for protecting yourself from web shell exploits.
If you're going to prevent web shells, you actually have to understand your web servers and their environments.
You have to do the basic things like upgrade and patch, and where you run content management systems like Joomla or WordPress,
or you have plugins for those things.
You know, if you're in an enterprise and you have hundreds of servers or even double digits,
it becomes fairly complex to understand whether a particular file should actually be on that web server or not. And because it's not particularly malicious in and of itself,
it becomes very difficult to detect these things. And so it really comes back to doing a better job of hunting in
your own traffic, in your own servers, and also just really doing some good due diligence on the
basics, you know, for those web servers. Because over and over again, we see that some of the
really impactful campaigns tend to start with a web server. You know, that's where they initially
gain a foothold. That's Levi Gundert from Recorded Future.
You can read the entire Cknife report on their website.
Another espionage tool, Enfal, was first spotted in 2004,
but continues to circulate in appropriately updated forms.
Verint has been tracking Enfal
and notes that its targets tend to be diplomatic missions
and non-governmental organizations in East Asia, with some attention recently to Brazil and Ethiopia.
Enfal offers a striking example of the way venerable malware persists in evolved forms.
In industry news, experts warn about the importance of addressing cybersecurity during
mergers and acquisitions in all sectors. We heard last week at Cynet's Innovation Summit
that venture capital's interest in cybersecurity startups
is growing more sophisticated and selective,
but that it's far from over.
Other observers see a trend toward a somewhat smaller number
of somewhat larger investments.
This morning, SkyCure announced that it's received $16.5 million in Series B funds.
Foundation Capital led this round, which brings SkyCure's total funding to $27.5 million.
Finally, we return to the topic of online inspiration.
If inspiration is a form of information operations,
and if information operations are largely marketing and battle dress,
consider the marketing phenomenon of Pokemon Go.
A piece in Foreign Policy sees this as the culmination of a Japanese government soft power campaign
spread through the cult of the cute, or kawaii.
This seems like a big stretch, although we're too close both physically and temporally
to the recently concluded Bronycon to underestimate the power of the cute.
And to compare the Shinto matrix of Pokemon to Jihad
would do an injustice to both Shinto and Islam.
But information operators might study the Pokemon Go phenomenon with profit
if they seek a benign case study of viral inspiration.
Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute.
Joe, we've been seeing all these breaches with passwords and people getting into people's accounts, people using common passwords on multiple accounts.
One of the ways that we can sort of fight this is by using two-factor authentication, right?
Right.
Yeah, there are three parts to identifying somebody or authenticating them, and that's who they are, what they know, or what they have.
So if you look at that from your perspective, who you are could be like a biometric,
like your iris scan, fingerprint, facial recognition; something you know could be
your username and password; and something you have usually winds up being a cell phone,
your cell phone. So a lot of sites such as Gmail and many banking sites will have a setting,
an optional setting where you can go in and enable a two-factor
authentication process where you enter your username and password, and then they send a text
to your phone with a code. And then they prompt you for that code. You enter the code. If it
matches, you get authenticated because presumably you have your phone. So now what happens is if my
password's out there in one of these hash leaks or plain text, God forbid,
and it gets compromised and guessed or brute forced or whatever,
now somebody has to identify me personally, find out where I am physically,
steal my phone, then go log in and enter the code.
So obviously making it a lot harder than just being able to have the password on its own.
And some of these services allow you to kind of dial in when they hit you with a multi-factor.
Gmail says every time you log in from an unrecognized computer, it will send you one of these codes.
There's a financial institution that I use that has the setting that I can be prompted every single time I log in for it.
And so now every time I enter my username and password, I get the code and I answer the code
and I log in. And yes, it takes a little more time, but now it's going to be a lot harder for
someone to break into my account. And I think that's part of it, getting over that hump,
because when you're trying to log into something and you have to wait for that text to come, it's a slow dance,
it's a little bit of a roadblock. And that can be an annoyance, but really, in the big picture,
it's probably worth it. Right? It's like a work factor. So now in order to get into my account,
not only do I need a username and password, but I also need a little bit of time. Well,
to me, a little bit of time is not much,
but to somebody who might be trying to brute force it,
it's going to be significant.
And again, it's one of those things
where we might not be able to make
our accounts completely secure,
but if the other accounts are less secure than ours,
then the hackers are going to spend their time
on those other accounts instead of ours.
Correct.
And nothing is ever going to be completely secure. Right, so we do the best we can. Right. All right, Joe,
thanks once again for joining us. My pleasure.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.