CyberWire Daily - Daily: IP theft in Germany. "Sledgehammer" looks like DDoS by Turkish patriotic hacktivists. Floki Bot and Dridex in the wild. Competition for cyber talent in a tight labor market.

Episode Date: December 8, 2016

In today's podcast, we hear about an industrial espionage campaign against Germany's steel industry. Turkish hacktivists' Sledgehammer gamifies DDoS (and installs backdoors in its gamers). The Floki Bot Trojan is a cheap and evasive addition to the Zeus family. Dridex is back. GPS gets a cybersecurity upgrade. Too many people are still using Windows XP. Joe Carrigan from the Johns Hopkins University Information Security Institute reports back from the Grace Hopper conference. ZScaler's Deepen Desai describes the Stampado strain of ransomware. NSA is said to be struggling to compete with the private sector for cyber talent.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer.
Starting point is 00:00:59 Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Starting point is 00:01:56 Industrial espionage is back and it's poking into the Ruhr. Turkish hacktivists use a sledgehammer to install back doors. The Floki Bot Trojan is a cheap and evasive addition to the Zeus family. Dridex is back. GPS gets a cybersecurity upgrade. Too many people are still using Windows XP. And NSA is said to be struggling to compete with the private sector for cyber talent. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, December 8, 2016.
Starting point is 00:02:37 ThyssenKrupp discloses that it lost steel production intellectual property to a cyber attack early this year. The IP theft is said to have been discovered in April. The culprits are unknown, but some reports suggest that they were based in Southeast Asia. ThyssenKrupp has filed a criminal complaint, and an investigation is well underway. According to security company Forcepoint, a distributed denial-of-service attack, Sledgehammer, originated in Turkey and is affecting organizations the attackers evidently regard as unsympathetic to Turkish government policy. This appears to be a patriotic, hacktivist operation, but one never really knows what degree of organized criminality or state direction is at work in cases like this. The victims include political parties,
Starting point is 00:03:16 like the ruling center-right German Christian Democratic Party, the CDU, opposition and dissident parties in Turkey, such as the People's Democratic Party of Turkey and the Kurdistan Workers' Party, the PKK, and that perennial burr under the Turkish government's saddle, or more appropriately, anything devoted to memorializing the World War I-era massacres in Armenia, like the Armenian Genocide Archive. The Sledgehammer campaign is unusual, Forcepoint says, in the way it's gamified DDoS. The hackers run a DDoS collaboration platform called Surface Defense.
Starting point is 00:03:50 Our linguistic staff warns us against attempting to pronounce the original Turkish, so we won't. Anyone who signs up for the platform is asked to attack a specific set of political targets, and in return they earn points they can trade in for rewards, like their own copy of the DDoS tool or a swell click fraud bot. It's as if the cyber underground has discovered the marketing value of giving away green stamps or a set of steak knives or some other promotional goodies. Play with caution if play you must. Of course, we say don't play. Not only would it be wrong and you'd be a bad person, but Surface Defense will also
Starting point is 00:04:25 surreptitiously backdoor your own system to turn it to Sledgehammer's own ends. There's no more a free lunch than there is honor among botmasters. Cisco's Talos Group and Flashpoint together report on FlokiBot, essentially an evolved Zeus Trojan. It's for sale in dark web markets and poses a threat to point-of-sale systems as well as banks and insurance companies. It's more evasive than its Zeus ancestors, and it's also active across three language communities, Portuguese in Brazil, English, and Russian. FlokiBot is widely available on the black market, where it sells for just $1,000. This is discount attack code. Its famous GameOver
Starting point is 00:05:06 Zeus predecessor was sold only inside restricted groups and in its prime fetched $15,000. The banking Trojan Dridex is back and circulating among Scottish systems. The most recent come-on, Fujitsu CTI reports, is an email purporting to be from and for Scottish football supporters. That's soccer fans for our American listeners. The email, of course, carries a malicious payload. Ransomware continues to be a threat, and one strain widely available is known as Stampado. Deepen Desai is Director of Security Research at Zscaler, and he brings us up to date on Stampado. So Stampado is yet another ransomware strain.
Starting point is 00:05:53 There have been more than a dozen ransomware strains in 2016. The strain has been around since July of 2016. That's when we first saw it being advertised on the underground forum by the author. The author goes by the moniker The Rainmaker, and he was offering a lifetime, full lifetime support for just $39. Some of the unique things about the payload, it is written in AutoIt, which is a scripting language. So it was pretty easy for us to reverse engineer.
Starting point is 00:06:25 The second thing, it has capabilities to encrypt more than 1,200 different file types. This was pretty unique because they were also targeting files that were already encrypted by other popular ransomwares, like Cerber, Locky, some of the prevalent ransomware variants out there right now. So what essentially they're doing is they're double dipping on systems with weak security posture. And the end user will end up paying double ransom, right, for each of those
Starting point is 00:06:59 infections in order to retrieve their file. The other interesting feature we found in this variant was it had features to spread. So from the infected system, if there are shared network drives or there are connected removable drives, that's where it will make a copy of itself. And the way it copies itself is, it will look for existing files and hide those existing files and rename
Starting point is 00:07:27 all the existing files. And then it will make a copy of itself using the same icons as the original files. And those are essentially shortcut files, which point to the Stampado binary, which is also copied on the removable drive. So it had the ability to spread over the network as well as through the removable drives to different users. And if the user pays the ransom, will they get their files back? If the user pays ransom, yes, they will get a decryptor from the author. But in this case, it is fairly easy for the user to retrieve the files through one of the publicly available tools as well. Emsisoft has published a tool. Also, we are planning to push out a tool as well, which will be able to generate the decryptor using the binary itself.
Starting point is 00:08:20 Because it's not a public-private key-based encryption, asymmetric encryption in other words, it is possible to retrieve your file, so we would recommend not paying any kind of ransom. That's Deepen Desai from Zscaler. They have more information about the Stampado ransomware on their website. An upgrade to the Global Positioning System, GPS, provides a timely reminder of the way in which cyberspace is important to operating in outer space. Lockheed Martin has completed what it describes as a major upgrade to the ground stations that control the orbiting constellation of GPS satellites. Prominent in that upgrade is a set of measures put in place to improve the cybersecurity of GPS. Other upgrades include a beta release of AirDroid that addresses vulnerabilities
Starting point is 00:09:06 discovered by Zimperium and Locus Energy's patch of issues in its solar power home electrical meters. Here's something that won't be patched, Windows XP, which reached the end of its support life back in April of 2014. Yet, a study just released shows that 9 out of 10 National Health Service trusts in the UK are still using Windows XP. U.S. congressional Democrats and others continue to advocate bipartisan investigation of Russian attempts to interfere with recent U.S. elections. And finally, competition for cyber labor remains intense. The Daily Caller rather breathlessly says that the private market is demolishing America's premier spying agency, by which they mean NSA. Sorry, CIA and DIA, NRO, and GA for that matter. Former Director NSA Keith Alexander told a conference at the University of
Starting point is 00:10:00 Maryland that the problem was the government's inability to compete with private industry on pay and low morale brought on by what he characterized as negative and unfair media coverage of the agency. Some signs of that competition may be seen in a job opening at Facebook, which is looking for an offensive security engineer. We read that as a honcho kind of call for a vulnerability researcher or penetration tester. But the Register has a different take on it. Their headline index suggests that Facebook's looking for a sysadmin who will tell help desk callers, here's your new password, champ.
Starting point is 00:10:34 Now go yourself. Well, we're a family show. But we really don't think the House of Zuckerberg is looking for someone who would recommend monogenesis. On the other hand, if they are, we hear Tay might be available. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:11:28 They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:12:12 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Joining me once again is Joe Kerrigan. He's from the Johns Hopkins University Information Security Institute. Joe, you recently attended the Grace Hopper Conference.
Starting point is 00:12:56 So give us some background here. What is the Grace Hopper Conference and what were you doing there? It's the Grace Hopper Celebration of Women in Computing. there? It's the Grace Hopper Celebration of Women in Computing. It's a gathering of about 12,000 women from all over the world who come to, in this time, Houston, Texas. And I was there primarily representing
Starting point is 00:13:14 the Johns Hopkins University Information Security Institute trying to recruit women into our program, our cybersecurity program. There are a lot of undergraduate women at this conference. In fact, next year I'd like to have my daughter go. She's a computer of undergraduate women at this conference. In fact, next year, I'd like to have my daughter go. She's a computer engineering major right now. It would be great to have her go there to network and to meet other women in computing. We have conferences like this.
Starting point is 00:13:36 We have the Grace Hopper Celebration. I'm familiar with the Women in Cybersecurity. Women in Cybersecurity is coming up in April, right? Yes. And I think last day of March, first day of April. Last day of March, first day of April. You and I were both there last year for that conference. There's another one that's good. And that's also a great conference for women to meet and network. I think we have this issue in the field, certainly within cybersecurity,
Starting point is 00:13:57 but I think in tech in general of women being underrepresented. We're not getting enough women into the field. And when we get them in, they're not staying. Right. We have, you know, back in the 80s, before the dawn of the personal computer, you and I were discussing this earlier, that women represented a much higher share of computer science graduates. The statistics I've heard are around 30 percent, and now it's down around 12 percent. So it's moved in the wrong direction, actually. So I think, you know, the bottom line is, I think those of us who think this is important, that this type of, you know, that the diversity of both with women and minorities,
Starting point is 00:14:34 I think there's a real truth here that when you have a diversity of thought, that leads to better solutions and better answers. And I think those of us who believe that, who are behind that notion, we have a role to play of supporting these types of conferences, these types of efforts. We do. Absolutely. My opinion and my observations are that the steering of people towards these fields, it happens very early in life. It happens very early where these people start having the inclination towards engineering. So having those opportunities, even as a child. Even as a child, getting the right toys, making sure that your kid, whether they're a boy or a girl, has Legos to play with, just things they can get the spatial relationships up. Give them toys that teach programming, if you will. We got our kids mind storms.
Starting point is 00:15:27 Now, that being said, I pushed both my kids towards the engineering field and my son just has no desire to pursue it. He is completely uninterested, but he is very much interested in the field of business and accounting and that's where he's decided he's going to go. But, you know,
Starting point is 00:15:45 my daughter has taken to it and taken to it very well. Right. All right. Joe Carrigan, good talking to you. My pleasure. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Starting point is 00:16:33 Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you. that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard.
Starting point is 00:17:35 Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
