CyberWire Daily - Daily: Nation-state hacking (and nation-state victims of hacking). Loyalty program breaches, and a new Android Trojan strain.
Episode Date: December 14, 2016
In today's podcast, we learn that Ukraine says its Defense Ministry was hacked, probably by Russia. US investigations of apparent Russian influence operations during elections continue. Venezuela talks up cyber threats as contributing to its financial crises. Dr. Web reports a new Loki Trojan variant in the wild. BugSec and Cynet disclose Facebook Messenger flaw (now patched). Level 3's Dale Drew provides insights on nation state hackers. Omri Iluz from PerimeterX warns us about gift card fraud. Colonel's Club breached. And hacktivists go after Russian consular data.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
Ukraine says its defense ministry was hacked.
U.S. investigations of apparent Russian influence operations during elections continue.
Venezuela talks up cyber threats as contributing to its financial crisis.
Dr. Web reports a new Loki Trojan variant in the wild.
BugSec and Cynet disclose Facebook Messenger flaws, now patched.
Colonel's Club breached, and hacktivists go after Russian consular data.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Wednesday, December 14, 2016.
Ukraine's defense ministry stated yesterday that its website was downed by disruptive cyber attacks that seem designed to prevent the ministry from providing updates on the Russian hybrid war being waged in eastern Ukraine.
The obvious suspect in the case would be Russian intelligence services.
Investigation of election hacking proceeds in the U.S.,
with concentration on influence operations widely believed to have been conducted by Russia.
Illinois Republicans say the FBI warned them in June that four seldom-used accounts may have been compromised as far back as 2015,
roughly the period when Cozy Bear established persistence in DNC networks.
Some emails, none particularly discreditable, eventually turned up on DCLeaks, generally thought to be a Russian sock puppet.
The CIA has famously concluded that Russian services did in fact seek to influence the election,
and some private security companies, notably CrowdStrike,
share that view with even higher confidence than the CIA.
The details remain murky, especially the connections between the Russian services and WikiLeaks.
Director of National Intelligence Clapper has told Congress
that evidence of coordination between the Russian government and WikiLeaks is still inconclusive.
There does, however, appear to be a strong circumstantial case for WikiLeaks having served as a conduit of information from Russia to the public.
WikiLeaks has denied that Russian intelligence provided it with the DNC emails it released.
Venezuela, in the throes of its continuing economic and financial crisis, pulled in a prominent bank president for questioning over the weekend in connection with allegations that he was complicit in December 2nd cyber incidents involving online banking systems.
Venezuelan officials also suggest that their withdrawal of their highest denomination currency, the 100-bolivar note, is connected with unspecified concerns about cybersecurity as opposed to the widely believed prospect of hyperinflation.
The executive in question was Víctor Vargas, president of the Banco Occidental de Descuento.
Dr. Web, original discoverer of the Loki Trojan, warns that a new version can infect native Android OS libraries.
Dr. Web also reports that some Trojan downloaders are appearing preloaded in the firmware of discount Android phones.
BugSec and Cynet say they've discovered a vulnerability in Facebook Messenger, which they're calling Originull, that could give attackers access to chats and photos.
Facebook has fixed the flaw, but it could also affect websites using origin registration checks.
As the holidays approach, many of us are expecting to either give or receive gift cards.
It's an increasingly popular gift, giving the recipient the ability to buy something they really want
and providing the giver with the comfort of knowing they spent slightly more time
on choosing a gift than simply stuffing an envelope full of cash.
But gift cards come with their own security issues,
as we learned from Omri Iluz from PerimeterX.
You need to be very careful. Last holiday season, gift card fraud was one of the most lucrative attacks, and we've seen a significant increase. We expect it to be, again, one of the top attacks this holiday season.
So the way that attackers abuse gift cards is by simply guessing the numbers. A gift card is simply a list of numbers, and if a website provides a way to check the balance and the attacker has access to enough bots, he can simply try hundreds of millions of combinations, and he will be very successful at some point in finding gift cards with balance.
So if you look at the gift card, while it seems like a long list of numbers, there is a structure in it. There's usually a prefix per website. There's usually check digits at the end. So the actual number is much shorter. It's still very hard to find one if you just go and type them manually. But imagine you had 10,000 bots that can now go and type a gift card as fast as they want into the page that checks balance. They'll run for weeks until they find gift cards with balance. And even if their success rate is very, very low, because they have so many bots and these bots can try as fast and as wide as they want, they just harvest. You can look at this as mining or, as they call it, harvesting gift cards.
So from my point of view, if I receive a gift card, as far as I know, I've never run across a gift card that allows, you know, for something like two-factor authentication. Is it a matter that I should really be vigilant and use that gift card as quickly as possible to minimize the probability of someone harvesting it?
I think that the most important part is knowing what your balance on the gift card is. If you're like me and you get 10 or more gift cards during the holiday period, you don't write down the balance. So if someone harvests your gift card numbers, you just go in and you know this is supposed to be a $100 gift card, but it has no value on it. You're just going to throw it away. Just have a list. Someone gave you a gift card? Put it in a spreadsheet somewhere: when you got it, what's the balance. If you complain, most websites would give you back the money, but you need to know how to complain.
I wouldn't say go and use it as fast as possible. We still want to have the opportunity to buy what we want when we want it. I don't want to let the attackers dictate our lives. You just need to be a little bit more organized and get the money back when someone harvests your gift card.
That's Omri Iluz from PerimeterX.
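One defender-side check for the harvesting pattern Iluz describes, a source that queries many distinct card numbers against a balance endpoint and mostly gets "unknown card" back, written here as an added example (not code from the podcast or from PerimeterX) and run over a few constructed log lines; the endpoint path, log format, addresses, card numbers and thresholds are all assumptions.

```python
# Flag gift-card balance-check enumeration in web access logs. Added example,
# not code from the podcast or PerimeterX; the path, log format, addresses,
# card numbers and thresholds below are all constructed.
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) POST /giftcard/balance "
                     r"card=(?P<card>\d+) status=(?P<status>\d{3})$")

# Constructed sample: 198.51.100.7 sweeps sequential numbers (mostly 404 "unknown
# card"); 203.0.113.5 is a real customer checking one card twice.
SAMPLE_LOG = """\
2016-12-14T10:00:01Z 198.51.100.7 POST /giftcard/balance card=6006490000000011 status=404
2016-12-14T10:00:01Z 198.51.100.7 POST /giftcard/balance card=6006490000000029 status=404
2016-12-14T10:00:02Z 198.51.100.7 POST /giftcard/balance card=6006490000000037 status=404
2016-12-14T10:00:02Z 203.0.113.5 POST /giftcard/balance card=6006491111111117 status=200
2016-12-14T10:00:03Z 198.51.100.7 POST /giftcard/balance card=6006490000000045 status=404
2016-12-14T10:00:03Z 198.51.100.7 POST /giftcard/balance card=6006490000000052 status=200
2016-12-14T10:00:04Z 203.0.113.5 POST /giftcard/balance card=6006491111111117 status=200
2016-12-14T10:00:05Z 198.51.100.7 POST /giftcard/balance card=6006490000000060 status=404
"""

def parse(log):
    """Yield (timestamp, ip, card, found) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["ip"], m["card"], m["status"] == "200"

def enumeration_sources(log, window_s=60, min_cards=5, max_hit_rate=0.5):
    """Return {ip: stats} for sources that, within any window_s span, queried
    >= min_cards distinct numbers with a hit rate <= max_hit_rate (harvesting)."""
    by_ip = defaultdict(list)
    for ts, ip, card, found in parse(log):
        by_ip[ip].append((ts, card, found))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            win = events[start:end + 1]
            cards = {c for _, c, _ in win}
            hits = sum(1 for _, _, ok in win if ok)
            if len(cards) >= min_cards and hits / len(win) <= max_hit_rate:
                flagged[ip] = {"lookups": len(win), "distinct_cards": len(cards), "hits": hits}
                break
    return flagged
```

With 10,000 bots each staying under a per-source threshold, per-IP counting alone misses the sweep, so the same unknown-card ratio should also be tracked endpoint-wide, and balance lookups throttled or gated (for example by requiring the card's PIN).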
Netgear has pushed out firmware updates for vulnerable router models.
Microsoft patches Skype, IE, Edge, and Windows.
And Adobe has issued another patch for a Flash Zero day.
KFC, the chain formerly known as Kentucky Fried Chicken,
warned that its loyalty program has been breached.
About 1.2 million British members of the Colonel's Club have been advised to reset their passwords
after 30 customers' personal information appeared to have been compromised.
It's a fairly quick disclosure.
Michael Patterson, CEO of Plixer, told the Cyber Wire, "The fact that KFC came forward about the breach is honorable. Clearly they have systems in place that allowed them to research which accounts were targeted. KFC needs to keep in mind that the targeted 30 accounts could have been a diversion method to distract from the real attack."
He also noted that the company, Yum Brands, was commendably cautious in not holding credit card information in its loyalty program databases.
And finally, Russian officialdom hasn't escaped the unwelcome visitation of the hacktivist community.
Someone from the New World Hacktivists, going by the Brassica-themed handle Kapustkiy, has stolen some 30,000 passport records from the website of the Russian consulate in the Netherlands.
Mr. Kapustkiy says his motive is to raise awareness about the dangers of a data breach, and that he'll only leak a few of them at a time until people get the message. Somehow, one doubts the FSB will take him at his word.
Mr. Kapustkiy in November counted coup against Indian diplomatic missions in Italy, Libya, Malawi, Mali, South Africa, and Switzerland. No plausible motive beyond the implausible public education motive is evident. Perhaps it's all just for the lulz.
Our linguistic staff, by the way, tells us that kapusta means cabbage, and they assure us their grandmothers saw to it that they ate plenty of it. If you're in the Netherlands, may we suggest the snert instead?
Or in the UK, some KFC.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their
controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
definition of what that is is a little bit fuzzy for some people. And I know, you know, from your point of view at Level 3, you all have a unique perspective on nation state hackers. What's your perspective? What can you share with us about them?
Well, you know, we recently published a blog on the anatomy of a nation state hacker. And it's really because of some of the observations we were seeing in a lot of these nation states that were just contrary to the common belief about how a nation state operator would ideally work. And, you know, it's sort of twofold.
I mean, on the one hand, you know, we really saw it as it looked like and operates like a fairly mundane job. I mean, we were able to detect when a nation state employee clocks in for the day. We're able to see when they go to lunch, you know, and they go to lunch for an hour or so, right? And then we see them when they come back, and then when they go home. It's a very sort of regimented sort of process.
In fact, in some nation states we saw a fairly complex ecosystem of different connected organizations that were responsible for different pieces. One piece responsible for identifying the companies that were engaged in certain intellectual property, searching for patents, searching for news stories, you know, Internet forum posts and things like that, and building this sort of database of assets, of potential targets. We saw other organizations that were responsible for social research: what employees worked on what projects, what keywords do they use, what technology do they have? And then there were organizations responsible for downloading, purchasing, and getting access to source code of a pretty wide variety of product portfolio, so that if they found out that a particular target was using that, they would have potentially access to undiscovered security exposures in the form of zero days or half days to be able to weaponize that and then gain access to that target company for extended periods of time.
We also saw a vast majority of it was really dependent upon getting access to the employee. I mean, most of these attacks we saw were based on phishing attacks targeting very specific employees.
And then the last one that I'd say is that one of the big observations we saw was that a lot of nation state employees more and more are renting out their services to organized crime. Not only so those nation state actors can get a little extra cash on the side, because they are being paid like government employees, but also because the nation states want to be able to obfuscate the complexity of those attacks with another actor, another source. And so when we see an attack, the fingerprint is pretty easy to determine. We're like, that's Fred from Nation State X. We know that fingerprint. We know that style. But it's not a nation state in this case. It really looks like an organized crime attack. And so being able to attribute attacks is becoming much more difficult these days, because those resources are being shared not only with other nation states, but with organized crime.
All right. Interesting stuff. Dale Drew, thanks for joining us.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.