CyberWire Daily - Daily: Pakistan phishes Indian Army. US election hacks continue as the US investigates and mulls its response. New ransomware strains. More IoT botnet infestations. ISIS struggles to explain loss of Dabiq.
Episode Date: October 17, 2016
In today's podcast we hear about Pakistani phishing in the Indian Army's pond. ISIS loses the prophetically important town of Dabiq, and must adjust its messaging accordingly. WikiLeaks continues to poke at the Clinton campaign. Fancy Bear is again in the spotlight as the US preps a response to Russian election hacking. IoT malware (Mirai and LuaBot) affects networking gear. Dyre's masters are back and working on a new banking Trojan. Robert Lee from Dragos Security offers his opinion on recent nuclear power plant breach revelations. Malek Ben Salem from Accenture Technology Labs explains new research on semantic technology for security analytics. And what, exactly, does EvilTwin think he, she, or they might be up to?
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Pakistani phishing noticed in Indian Army networks.
ISIS loses prophetically important town of Dabiq
and must adjust its messaging accordingly.
WikiLeaks continues to poke at the Clinton campaign.
Fancy Bear is again in the spotlight as the U.S. preps a response to Russian election hacking.
IoT malware affects networking gear.
Dyre's masters are back and working on a new banking Trojan.
And what exactly does EvilTwin think he, she, or they might be up to?
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, October 17, 2016.
Physical space and cyberspace intersect again in South and Southwest Asia.
After India's late September cross-border strikes against terrorist groups in Kashmir, Pakistani hackers, either state-run or of the patriotic-hacktivist variety, probably the former, have apparently embarked on a phishing campaign directed against Indian Army targets.
The phishing emails spoof an Indian Army intelligence address. The subject line phishbait includes, quote, actual story of surgical strike done by Indian army in POK, end quote.
Yesterday, rebels of the Free Syrian Army, backed by Turkish armor and close air support, took the small town of Dabiq in northern Syria from the ISIS forces that had been holding it. The loss of the physically insignificant town will have an outsized strategic impact on ISIS messaging. A 7th century hadith prophesies that the last hour would come after the Romans, generally regarded as the infidel West, landed at Dabiq.
The prophecy says that a third of the Muslim army would desert, a third would be martyred in battle,
and the remaining third would go on to conquer Constantinople, that is modern-day Istanbul, which would be the immediate prelude
to the rise of the last enemy and the victorious return of the Mahdi. It's noteworthy that ISIS's
slick online magazine is named Dabiq. The messaging that's emerging adopts the familiar
millenarian trope when the necessity of dealing with an apparently unfulfilled but highly specific prophecy arises.
The time is not yet, and the struggle continues.
The prophecy will be fulfilled nonetheless.
Still, ISIS had been betting heavily on winning in Dabiq.
Whether trimming the message will carry as much credibility as the group would wish remains in question.
WikiLeaks continues to harry the campaign of former Secretary of State Clinton.
The campaign says the leaks were achieved by hacking, which the campaign is comparing to Watergate,
and is demanding that Republican candidate Trump be asked what he knew about the hacking and when he knew it.
The comparison is perhaps infelicitous, since it's reminded people as much
of analogies to Nixon's tape erasure as it has to the famous what-did-the-president-know question
asked in the wake of the 1972 Watergate break-in. The FBI is said to be investigating, but the Bureau
understandably won't say much about the latest Podesta leaks beyond, yes, we're investigating
things, but of course we don't like to say much about what we're investigating.
Election-related hacking also hits the National Republican Senatorial Committee, the NRSC,
with donor lists being scraped and exfiltrated to a domain associated with the Russian mob.
The data theft occurred between March 16th and October 5th of this year.
Among the data exposed were credit card credentials, which suggests that the motive was theft.
Russian intelligence services are generally suspected as the source of the data stolen from the Democrats.
Given the degree to which Russian security services are thought to have compromised Russian organized crime,
they may have a paw or two in the NRSC hack.
The U.S., having officially attributed much of the election hacking to Russia, continues to prepare some sort of response, but what that
response will be remains up in the air. BuzzFeed has a profile of prime animal of interest, Fancy
Bear, with an interesting rundown on this GRU unit's long history of cyber operations against non-U.S. targets.
The outlet quotes an anonymous U.S. Defense Department official as saying,
quote, Fancy Bear is Russia, or at least a branch of the Russian government, taking the gloves off.
It's unlike anything else we've seen, and so we are struggling with writing a new playbook to respond, end quote.
Fancy Bear is famous for the provocative noisiness of its
attacks on the Democratic National Committee earlier this year, much more obvious than the
quiet persistence its colleague Cozy Bear used for over a year. The unnamed defense official
told BuzzFeed, quote, if Fancy Bear were a kid in the playground, it would be the kid stealing all
the juice out of your lunchbox and then drinking it in front of you, daring you to let him get away
Most bets on the U.S. response are placed on sanctions,
but there were curious reports over the weekend that the CIA,
not generally conceived of as the lead U.S. agency in cyber operations,
was said to be preparing for a cyber war with Russia.
Whether that's defensive prudence or preparation for offensive operations remains to be seen.
In cybercrime news, there are more concerns about the Internet of Things.
Sierra Wireless warns that its cellular gear has been roped into the Mirai botnet
that did so much DDoS damage last month.
The affected equipment is AirLink Gateway communications gear.
Another malware variant with the potential to inflict denial of service conditions is
LuaBot, which researchers at Malware Must Die say has been targeting ARRIS cable modems
with increasing sophistication over the last two months. Known since late 2015,
LuaBot's renewed activity suggests a rise in the DDoS risk.
The IoT contains bigger potential problems than DDoS, as bothersome as DDoS is.
We're thinking, of course, of the industrial IoT,
and we spoke with Robert Lee about reports last week
that an unnamed nuclear power plant had sustained a disruptive cyber attack.
There was malware in a facility that caused them to take some
responsive actions, but it wasn't on the nuclear side of the facility anyways, because that would
have caused a case where they would have had to take down production environments. So it was on
the sort of the business systems that they were using at the nuclear environment. It's concerning
because we want to make sure that we have the standard
practices in place where we aren't introducing random malware. So if a facility can get infected
with some well-known piece of malware off of USB into the environment, they're most certainly
susceptible to a well-funded actor trying to infiltrate it. The pushback on the hype though is
this wasn't really a cyber attack where someone was trying to cause a nuclear meltdown.
By all accounts, it sounded like it was an accidental malware infection.
That's Robert Lee from Dragos Security.
The authors of the Dyre Trojan, largely quiet since last November, are back and working on a new banking Trojan, TrickBot.
Fidelis reports observing
TrickBot in several Australian bank networks. There are signs it may be about to appear in
Canada as well. Kaspersky describes a new, tougher-to-root-out ransomware strain,
CryPy, which encrypts individual files with their own individual key.
And finally, a curious new strain of ransomware, Exotic. You can recognize it by
the Hitler imagery it uses. It's not actually a threat yet, according to its discoverers at
Malware Hunter Team. Exotic's developer, EvilTwin, seems more interested in cozying up to
security researchers than in effective cybercrime, thanking them for their feedback and sharing screenshots.
This is either a vanity project or a new approach to crimeware R&D. Our marketing department tells
us, we asked, that associating yourself with one of the five worst genocidal monsters of the 20th
century isn't a good look, but who knows? Maybe EvilTwin is using a different focus group.
Joining me is Malek Ben Salem. She's the R&D manager at Accenture Technology Labs.
Malek, I know you wanted to tell us about some of the work you're doing with semantic technology for security analytics.
Correct. An example of semantic technologies is ontologies, which are typically used to enable knowledge sharing and reuse.
In our lab, we tried to leverage ontologies to enhance security analytics at the edge.
This was a DARPA-funded project.
It was part of the program called ICAS, the Integrated Cyber Analysis System program that DARPA funded. And within this program,
we used an ontology. We defined and built a new cybersecurity ontology, which we leveraged to
look at logs created by new software installed on devices and automatically infer the schema of that log based on the security
ontology that we've developed. Why is this important? Users will keep using software all
the time and security analysts will need to understand any logs created by that software
and need to use it for understanding when a device is compromised
or when software is compromised. However, if they use existing SIEM technologies, they would have to
build APIs for every new software and every new log format that's created. With our tool, with this
automated way of inferring the schema of that log, automatically, they don't have to do that. And all of that information, all of those logs that are created can be automatically consumed, contextualized, security analysts can make about what the incident is
about, what's the root cause, and where to look further to understand what's causing it.
And so what kind of accuracy do you get with this sort of system?
It varies depending on how structured the log is. So some of these logs are very structured in their schema. Others are what we can call semi-structured types of data. So the accuracy varies depending on how structured the data is. But we are conducting experiments to measure those accuracies.
Who in particular would this sort of thing benefit?
It will definitely benefit security analysts.
So eventually this will be deployed as an agent on endpoint devices.
That's why I refer to security analytics at the edge.
or the desktop would be looking for all of these logs as they're created. If it sees a new format,
then it will try to make this mapping and it will try to organize the information created by those logs into that general schema and send it back to a central location for analysis or perhaps even keep it local and wait for the security analyst to make
a query if they suspect that a computer is compromised. And so it makes that query to the
agent and then they identify what information is relevant to a suspected incident and send that
back to the security analyst.
All right, Malek Ben Salem, interesting stuff.
Thanks for joining us.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team
of editors and producers. I'm Dave Bittner. Thanks for listening.