CyberWire Daily - Daily: Military, law enforcement cooperation take a toll of ISIS operators. DDoS investigations. Mirai botnet can be rented on the black market. Beware ATM skimmers. Ransomware hits San Francisco light rail. Bogus news of cable show hacking.

Episode Date: November 28, 2016

In today's podcast, we hear about how military, law enforcement cooperation are taking a toll of ISIS cyber operators. President Obama says the US elections weren't affected by hackers. DDoS in Brussels and Ireland remain under investigation. A Mirai botnet is available for rent on the cyber black market. ATM skimmers threaten holiday users, and the new inset skimmers are tough to detect. Ransomware hits San Francisco light rail (so the Muni lets passengers ride free). Booz Allen's Brad Medairy walks us through the Ukraine grid hack. Emily Wilson from Terbium Labs describes how they celebrate the holidays in the Dark Web. And no, Anthony Bourdain's foodie show wasn't hacked to get banned in Boston.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer.
Starting point is 00:00:59 Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. hacking retrospective, DDoS in Brussels and Ireland under investigation,
Starting point is 00:02:07 a Mirai botnet is available for rent on the cyber black market, ATM skimmers threaten holiday users, and the skimmers are tough to detect, ransomware hit San Francisco light rail, and no, Anthony Bourdain's foodie show wasn't hacked to get banned in Boston. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, November 28, 2016. It's good to be back. The New York Times has an account of how cooperation between law enforcement agencies, notably the FBI, and U.S. and U.K. military forces has enabled the arrest,
Starting point is 00:02:49 or in many cases the battlefield killing, of ISIS social media operators. The Times notes that in a number of cases the social media operators appear not to have been replaced, which seems surprising given that plausible candidates are apparently out there and available. Perhaps the drone strikes are deterring volunteers, although at least publicly ISIS adherents seem to court rather than avoid martyrdom, so the lack of succession seems curious. In separate actions, French security services have rolled up an alleged ISIS terror ring through, in part, evidence derived from online sources. Some of those arrested were implicated in planning for a series of terror attacks, at least one of which was to have targeted Euro Disney. French authorities view the alleged plots as part of a concerted effort to disrupt and undermine upcoming elections,
Starting point is 00:03:33 widely believed to favor right and center-right parties, hostile to what ISIS considers its political, religious, and demographic interests. In the U.S., as major and minor political parties allege, in a low-grade way, vote hacking and other forms of election fraud, President Obama officially pooh-poohs the notion that the election was somehow tampered with by anyone. This dismissal seems unlikely to affect litigation over recounts. There's no word yet on how last week's denial-of-service attack on the European Commission was accomplished. Radio Free Europe/Radio Liberty notes that the attack coincided with a meeting in Brussels
Starting point is 00:04:10 between Ukraine's president and EU officials, but this may have been coincidental. The European Commission has emphasized in its public statements that the attack was quickly contained. It's worth noting that denial-of-service incidents often serve as misdirection for other attacks. This appears to have happened during last December's takedown of a significant section of Ukraine's power grid. Booz Allen Hamilton recently published a walkthrough of that attack in a paper titled When the Lights Went Out. We spoke with Booz Allen's Brad Medairy. From an attack perspective, it really occurred over the period of a year through a series of phishing attacks. It started with reconnaissance, identifying potential targets, and launching a phishing campaign that was the entry point into several organizations.
Starting point is 00:05:00 From the phishing attack, malware and a series of remote access Trojans were installed. The adversary then established a command and control connection and began to harvest credentials. Once they had the credentials, they were able to basically laterally move across the corporate network, perform some additional reconnaissance, and then basically move laterally again into the industrial control system network. At that point, the typical security mechanisms that are in place in an enterprise don't necessarily exist in the OT environment. The adversary developed some malicious firmware and they delivered malware to the environment. And then basically, they just scheduled the UPS to be shut down. They tripped the breakers. At that point,
Starting point is 00:05:45 then they turned the lights out. And that set off a series of events that, you know, were difficult to recover from. Was there anything unusual about the Ukrainian system itself? Were they particularly vulnerable compared to other facilities of their type? In my opinion, it's fairly similar to a lot of environments that we see. And at the end of the day, when people are the weak link, I talk to a lot of folks, even outside of utilities and manufacturing. And I was talking to a client, and we were talking about one of their European manufacturing facilities. I said, think about how easy it would be to go onto something like LinkedIn to find your employees in your facility, craft a fairly basic phishing attack, and an operator on a
Starting point is 00:06:32 machine to click on the phishing email and either inject a piece of malware or remote access toolkit or even something like ransomware that would potentially bring down a controller or an HMI. So I think that these environments are all fairly fragile. I think that, you know, in many cases, there's a big disconnect between the IT and the OT environment, and basic hygiene and some security practices that we see in the enterprise aren't in place on OT networks, and I think that they're fairly exploitable. That's Brad Medairy from Booz Allen Hamilton. The name of the report is When the Lights Went Out,
Starting point is 00:07:07 Ukraine Cybersecurity Threat Briefing, and it's available on the Booz Allen website. In other DDoS news, router vulnerabilities were exploited last week to disrupt service to some 400,000 webmail users in Ireland. And two hoods using the noms de hack Popopret and Best Buy are renting a Mirai botnet said to contain 400,000 devices. Best Buy, we note, is of course quite unconnected with the well-known big-box electronics retailer. This Best Buy is known for his VIP status in underground markets like the notorious
Starting point is 00:07:41 Hell Forum. The botnet need not be rented as a whole. The two impresarios are offering a variety of service levels. Here's one representative sample. Quote, price for 50,000 bots with attack duration of 3,600 secs, one hour, and five to ten minute cool-down time is approximately 3 to 4k per two weeks. End quote. They decline to say too much about their offerings. Security, don't you know? But they make the possibly true but quite unsubstantiated claim
Starting point is 00:08:10 to have had access to Mirai source code before it was made generally available. Their version is thought by some security researchers to offer evolved IP address spoofing and some ability to evade DDoS mitigation systems. Popopret and Best Buy are not unknown to threat researchers. They're thought to have been responsible for the GovRAT Trojan, which the security company InfoArmor identified in November 2015 and which hit U.S. government and business targets.
Starting point is 00:08:39 Krebs on Security offers another glimpse into the criminal underground with sales videos for ATM inset card skimmers. The inset skimmers are quite thin and look as though they'd be difficult to detect, so anyone using an ATM is advised to avoid stand-alone systems, especially those in poorly lighted areas. You're better off going to an ATM permanently installed in a bank. Today, of course, is Cyber Monday, and all online and brick-and-mortar shoppers are advised to exercise due caution and circumspection as they browse and buy. Cyber criminals are also observing the holidays in their own way, and we'll hear from Terbium Labs' Emily Wilson after the break, who can tell us a thing or two about how they celebrate on the dark web. And we close with two notes about hacks, both real and imaginary.
Starting point is 00:09:24 Over the weekend, San Francisco's Muni light rail system was hit with HDDCryptor ransomware that infected scheduling and payment systems. Those responsible caused this message to appear on ticketing terminals. Quote, You Hacked. All data encrypted. Contact for key. Crimpton 27 at Yandex.com, ID 601, end quote. We predict that You Hacked will soon join All Your Base Are Belong to Us as a hacker meme. We also note that Yandex is a Russian multinational offering a range of internet services. The crooks have asked for a relatively paltry 100 Bitcoin, about $75,000, which so far has not been paid. They issued a follow-up offer to decrypt
Starting point is 00:10:07 one machine as a token of capability and good faith, but as far as we know, San Francisco hasn't taken them up on the offer. Remediation is presumably in progress, but until it's complete, the Muni is responding to the attack by opening the turnstiles and letting passengers ride for free. Finally, Thanksgiving evening, that's last Thursday for those of you who may be unfamiliar with the U.S. holiday, it was widely reported and believed that Boston-area foodies who thought they were tuning in to watch Anthony Bourdain's eating show, Parts Unknown, were instead served up 30 minutes of graphic adult content. The evidence that this happened was a tweet by one Rose,
Starting point is 00:10:45 but apparently it never happened, or at least no one else saw it. The cable service RCN, which delivers the CNN feed to Boston, says it's looked into it and found that nothing of the kind occurred. As RCN goes on to say, primly, about Rose, quote, Only a technical review of the individual's equipment involved could ascertain how this might have occurred. We've confirmed that this one customer account is in proper working order, end quote.
Starting point is 00:11:12 So come clean, Rose. And advice to all of us, even if it's tweeted, it ain't necessarily so. But you all knew that, right? Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have
Starting point is 00:11:46 continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Cyber threats are evolving every second,
Starting point is 00:12:39 and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Starting point is 00:13:19 Joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, we just got over the Thanksgiving holiday weekend. And of course, part of that is Black Friday. And it turns out that Black Friday is actually pretty big on the dark web. It is. So Halloween tends to be the favorite holiday. Halloween and New Year's Eve, incidentally, kind of favorite holidays of the drug vendors. But when it comes to fraud, everyone gets excited for Black Friday. And so people have big Black Friday sales. In the same way that your favorite retailers are out with kind of door busters and dropping prices, you have fraud vendors who are offering major discounts on cards just in time for the holidays.
Starting point is 00:14:00 So buying up credit card numbers, you won't believe these prices. Absolutely. And it's funny, I remember last year there were actually kind of comments in forums saying, hey, are you going to do a big sale for Black Friday? I want to make sure that I'm here in time
Starting point is 00:14:14 while supplies last. So the fraudsters on the dark web, are they taking advantage of the massive amount of traffic that happens on Black Friday online for their own ill-gotten goods? Absolutely. And so I think that's both online, plenty of online transactions, and also kind of physical corrupted points of sale. You have a massive amount of spending going on and
Starting point is 00:14:39 a large number of transactions going on, kicking off right around Thanksgiving and all the way through kind of the end of the year and even the first part of the new year. And so Black Friday is a great chance for people to empty their current stock and get ready for all of the new cards they're going to add over the next month or two. I see. So they're clearing them out, planning that they're going to get new ones over the holidays as well. Yeah, absolutely. And when you're buying something at a pretty steep discount, you can't complain too much if the validity rates are pretty low. You were mentioning that there's sort of a sense of community, that people are actually, you know, decorating for the holidays.
Starting point is 00:15:13 It's funny, they do. You know, I remember last year kind of looking forward to seeing what people come up with this year. But, you know, one of the big Russian fraud forums had, you know, snow over their logo and a Santa Claus in the corner. And, you know, people will post with, you know, images or kind of red and green colors. You know, people do celebrate the holidays. Emily Wilson, thanks for joining us. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected
Starting point is 00:15:58 lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
