CyberWire Daily - Daily: Run DNC. Online inspiration and the limits of investigation. North Korean cyber ops.
Episode Date: June 14, 2016

In today's podcast, we talk about the breaking news concerning Russia's hack of the DNC, with insights from STEALTHbits Technologies' Adam Laub. We discuss the state of the investigation into what, if any, role online inspiration played in the Orlando gunman's massacre. North Korea appears to have engaged in a long-running campaign of cyber espionage against the South. The Molerats' failure to clear document information may have unmasked them. The Vawtrak banking Trojan gets more evasive. Shadow apps place enterprises at risk, and application collusion disturbs mobile users. The Angler exploit kit has practically vanished, replaced for the most part by Neutrino. Symantec's acquisition of Blue Coat fuels M&A speculation. And the price of that Windows LPE zero day keeps dropping. Ben Yelin reviews a judge's ruling that restricts the FBI's use of hacking.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Russians hack the Democratic National Committee.
Investigation continues into apparent jihadist inspiration behind the Orlando nightclub massacre.
North Korea appears to have engaged in a long-running campaign of cyber espionage against the South.
The Molerats' failure to clear document information may have unmasked them.
Vawtrak improves its game but continues to be distributed via malicious macros.
Shadow apps place enterprises at risk, and application collusion is a problem for mobile users.
The Angler exploit kit seems to have practically vanished, replaced by Neutrino.
Symantec's acquisition of Blue Coat fuels M&A speculation, and the price of that Windows LPE zero day keeps dropping.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, June 14, 2016.
In news that began breaking shortly before noon today,
the Democratic National Committee says that it has been hacked by Russian intelligence services.
The spies have been in their network since last summer.
The DNC noticed signs of trouble in late April of this year and eventually hired security company CrowdStrike
to investigate and remediate the intrusion.
DNC Chair Debbie Wasserman Schultz, a representative from Florida, said, as quoted in the Washington Post, quote,
"The security of our system is critical to our operation and to the confidence of the campaigns and state parties we work with. When we discovered the intrusion, we treated this like the serious incident it is and reached out to CrowdStrike immediately. Our team moved as quickly as possible to kick out the intruders and secure our network," end quote.
CrowdStrike is said to have found two threat groups in the DNC's network,
which they're calling Cozy Bear and Fancy Bear. Cozy Bear, possibly an FSB operation,
that is the descendant of the KGB,
that's the one that's been monitoring
DNC email and chat since last summer.
Fancy Bear, also Russian,
and in CrowdStrike's view,
clearly GRU,
which is to say military intelligence,
is the one that tripped the alarm
when it arrived this April.
Fancy Bear is said to have stolen documents
and to have obtained access to the
systems used by the DNC's entire research staff. That research prominently includes opposition
research on presumptive Republican nominee Donald Trump, and this is the compromise that's
attracting press attention. How the attackers got in is unknown. CrowdStrike cautiously speculates
that it was spear phishing. We spoke to STEALTHbits Technologies' Adam Laub. He offered this perspective.
The interesting part about it is it seems that the Russian hackers themselves
haven't been the ones rattling around inside the DNC.
It was really their monitoring of somebody else who had done the hacking to begin with,
a Romanian hacker.
But they got the information almost by accident or
secondhand as a result of monitoring somebody else. Anything having to do with American politics is
of interest to other nation states that perhaps aren't big fans of the United States and even
potentially our allies. I think that's given the current events around the political campaigns
being run here in the United States, and potentially the opportunity to affect the
outcomes of those campaigns by, again, nation states that, again, aren't particularly enamored
with the United States and our policies, would relish the opportunity to have information that would lead to an outcome of their desire.
The story is still developing, but one thing that struck us was that the Russians seemed to not do a whole lot to try to cover their tracks.
We asked Adam Laub about this, and he said he didn't find it particularly surprising, given the players.
Anything with the Putin administration, bravado is at the core of much of what goes on from a news perspective. You look at the, I think it was the G8 summit last year in Australia,
Putin pulled up a couple of warships off the coast of Australia just to flex his muscles a little
bit. This is no different in terms of claiming responsibility
for having this information,
whether they did obtain it themselves
through their own techniques
or nation-sponsored hacking organizations,
or whether they did get it through
this other well-known Romanian hacker
that they had been following and obtained information from.
That's Adam Laub from STEALTHbits Technologies.
The investigation into Saturday's massacre at Orlando's Pulse nightclub continues.
A look at the shooter reveals, retrospectively, a history of online jihadist radicalization,
giving some point to ISIS claims of responsibility for the murders.
That responsibility, as is typically the case with ISIS operations
outside the dwindling territory under the caliphate's control,
is a matter of inspiration.
The civilized world has yet to find the right information operations
to deploy against ISIS, in part because ISIS messaging is so alien
to the marketing understanding prevalent among its opponents.
The self-declared caliphate doesn't promise jobs,
health care, education, or ease. Instead, it promises righteous rule, justice, meaning,
and transcendence, and it does so with a message of death. Omar Mateen, the shooter, was twice
interviewed by the FBI, once in 2013 and again in 2014. He was also, problems and all, deemed employable by a physical security company.
Thus, U.S. investigators, especially the FBI, have come under considerable criticism for failing to
stop the shooter. He's being called a known wolf. But much of the criticism seems wayward. It's
difficult to see how any of the warning signs so clear in hindsight might have given probable cause
to watch or detain, still less prosecute, Mateen.
It's also worth noting that with respect to inspiration,
intra-Islamic squabbling among competing jihadist groups seems not to matter much.
There's evidence Mateen, while unable to distinguish ISIS from al-Qaeda from the Taliban,
caught the common underlying call to jihad clearly enough.
Outlines of the long-running North Korean cyber campaign against South Korean enterprises
become clearer.
The DPRK's hacking seems to have aimed principally at espionage.
News reports highlight theft of some aviation design data from cooperative U.S.-Republic
of Korea combat aircraft programs, but also at data destruction.
42,000 documents are said to have been destroyed.
South Korean authorities say that the stolen data wasn't especially sensitive,
but there are widespread concerns that the long-running campaign was
battle space preparation for some larger, more damaging operation.
In fairness to the DPRK, we must note that Pyongyang denies the allegations
and denounces them as a provocation.
In justice to common sense, however, we must also note that signs point to Pyongyang.
A bit more has emerged on how the Molerats, Palestinian hacktivists operating from Gaza and elsewhere against Israeli targets, were uncovered.
ClearSky reports that apparently one of their malware developers neglected to clear the properties of a Word document they were using as a vector.
According to Sophos, Vawtrak, a banking Trojan that's been in circulation for some time,
is picking up new capabilities, mostly improved evasion and obfuscation, and new target sets.
The Trojan is typically distributed by email in the bogus guise of a U.S. Postal Service invoice.
It uses corrupt macros to deliver Pony malware.
App security worries enterprises, especially since apps, loosely construed, are the biggest part of shadow IT.
A study by CloudLock Cyber Lab reports that since 2014, shadow apps have increased by a factor of 30 on corporate networks.
The study classifies 27% of third-party apps as high-risk,
opening enterprises to exploitation by attackers able to impersonate legitimate users.
McAfee Labs has been taking a look at mobile apps in particular,
where they see an increase in the risk of collusion,
a situation in which attackers use two or more apps against a target.
The common outcomes of successful collusion are information theft, financial theft, and service misuse.
There are other noteworthy developments in the black market.
For some reason, the Angler exploit kit appears to have fallen completely out of favor,
its former business having moved, for the most part, to the Neutrino kit.
Why this has happened remains something of a mystery,
especially given Angler's recent upgrade to evade Microsoft's EMET security suite.
But Malwarebytes reports that spammers
have essentially abandoned it,
and that ransomware purveyors are shifting to Neutrino.
In the legitimate cyber sector,
Symantec's announcement of its acquisition of Blue Coat
prompts M&A speculation about CyberArk, a potential acquisition,
Check Point, a potential buyer, FireEye, a potential acquisition and a potential buyer,
Imperva, and Proofpoint, both potential acquisitions.
ManTech is acquiring the computer network operations practice of Oceans Edge.
Finally, that flashy, splashy Microsoft local privilege escalation zero day that hit the black market on May 11th continues to drop in price.
Initially offered at $95,000, the crooks have already knocked it down to $85,000.
Still pricey; you can get a building lot in Laurel, Maryland for $85,000, but the discounting
suggests some marketing problems.
Maybe they need a catchy name.
May we suggest Bounder, Squatter, Carpetbagger, or Occupy Windows as possibilities?
Discuss among yourselves.
Do you know the status of your compliance controls right now?
Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. Thank you.
businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit Threat
again is Ben Yelin from the University of Maryland Center for Health and Homeland Security. Ben, I saw an article in Motherboard recently about
a decision a judge made that makes it a little harder for the FBI to use hacking. What can you
tell us about this story? So just a little bit of background.
The FBI was investigating a person named Jay Michaud, who was a Vancouver public schools worker.
And Michaud ended up being arrested in July of last year as part of the FBI's investigation into
a website that does child pornography. It's called Playpen. And the investigative technique the FBI
used to gain evidence was that it hacked into Playpen and took control for it for a couple of
weeks back in February of 2015. They actually ran the entire site from a government server
and employed what they called a, or what's called a network investigative technique, or NIT,
which is just a piece of malware that reveals the information on the site's users. The FBI used
evidence gained from this hacking technique to bust this person who was trafficking in
child pornography. This was the evidence that they were going to use to prevent a trial. And a judge just ordered the FBI to reveal the full code used for this hacking.
The FBI refused. The FBI didn't want to reveal its methods. And the judge held that if they didn't
disclose their method of hacking, then evidence would not be permitted.
And this might allow, you know, a criminal, somebody who traffics in child pornography, to go free.
So it's a very significant decision.
The Justice Department is fighting this order, asking the judge to reconsider.
But it could have very wide-reaching implications.
This is a very, very effective tool for law enforcement to catch some
of our worst criminals, traffickers, child pornographers. It's a tactic that could be
used in terrorism cases. And judges are recognizing that unless the FBI details its method of hacking,
they can't be sure that the hacking has gone beyond the parameters of the original
search warrant given to the FBI to conduct the searches. So I think this could have
a very significant and potentially detrimental effect on law enforcement going forward.
All right, Ben Yelin, interesting story. We'll keep an eye on it. Thanks for joining us.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening. Thank you.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.