CyberWire Daily - Daily: Shamoon and Fancy Bear are back. Mirai never left. San Francisco Muni saved by good backups. New Android Trojan found. Firefox patches threat to Tor anonymity. Surveillance policy, ISIS investigations in Germany.
Episode Date: December 1, 2016

In today's podcast, we learn that Shamoon is back, again probably from Iran, and again hitting Saudi targets. Mirai infestations are turning up in the UK; observers see a criminal race to round up the biggest bot herd. Fancy Bear is also back, and still pawing at WADA. Good backup practices enabled San Francisco's Muni light rail to recover from ransomware. Palo Alto warns of a new Android Trojan. Facebook says there's no way ransomware was hidden in Messenger images. Firefox patches the zero-day that threatens Tor anonymity. Professor Jonathan Katz from the University of Maryland explains why ransomware crypto is hard, and Group-IB's Dmitry Volkov describes ATM jacking group Cobalt. Germany mulls going for more surveillance, less privacy, as investigations of ISIS operations continue.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Shamoon is back and again probably from Iran and again hitting Saudi targets.
Mirai infestations are turning up in the UK.
Observers see a criminal race to round up the biggest bot herd.
Fancy Bear is also back and still pawing at WADA.
Good backup practices enabled San Francisco's Muni light rail to recover from ransomware.
Palo Alto warns of a new Android Trojan.
Facebook says there's no way ransomware was hidden in Messenger images.
Firefox patches the zero-day that threatens Tor anonymity.
Germany mulls going for more surveillance, less privacy,
as investigations of ISIS operations continue.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, December 1, 2016.
Shamoon, the drive-wiping malware that hit Saudi Aramco and other energy firms hard in 2012, is back, with infections reported in Saudi government systems.
Saudi investigators say their forensic investigations lead them to attribute the
attack to an Iranian source. Shamoon, also called Disttrack, appears to be purely disruptive in
operation, with no reports of data exfiltration.
That was the case with the former appearance of Shamoon.
In 2012, it destroyed data on Saudi Aramco devices, forcing hasty disconnection and costly replacement of the oil company's systems.
That attack was attributed by most to an Iranian actor as well.
A group calling itself Cutting Sword of Justice claimed
responsibility. Even as Deutsche Telekom recovers from its Sunday distributed denial of service
attack, there are reports today of further Mirai infestations affecting internet routers outside
Germany. In the UK, both TalkTalk and Post Office broadband services have been disrupted by an evolved
version of the Mirai botnet herding malware.
The security firm Plixer has been keeping us informed about the progress of Mirai.
Thomas Pore, director of IT and services at Plixer, told the CyberWire he sees these latest episodes as amounting to a continuation of the Mirai arms race. Hoods are competing to develop
a leading position in the number of bots that can be marshaled for an attack. Exploiting routers distributed by TalkTalk and the Post Office
greatly increases the volumetric capacity of the attack tool.
Quote,
Customers knocked offline during the infection growth expansion already feel the pain,
which may be marginally compared to an attack against some of the largest ISPs down the road.
End quote.
So in this view, there's more Mirai coming.
Estimates place the number of exploitable devices at greater than 40 million, which Pore says means that even if a
fraction of those devices are compromised, quote, the power behind this Mirai variant could be
unprecedented, end quote. Fancy Bear is also back. The World Anti-Doping Agency has again come under
cyber attack, and the responsible parties are either Fancy Bear or someone masquerading as Fancy Bear.
The evident goal of the attack is to discredit the World Anti-Doping Agency as corrupt.
You'll recall that the agency had sanctioned a number of Russian Olympians
during the Rio Games this past summer.
San Francisco's Muni light rail has recovered from the ransomware attack
it sustained this past weekend.
It didn't pay the ransom, and so far, none of the data releases the extortionists threatened have occurred.
Muni says that's because the attackers didn't get any data in the first place.
The recovery, observers note with general approval, was made possible by Muni's sound backup practices.
The notion of an ATM spitting out all of its money seems like something out of a heist movie,
or maybe a bad sitcom.
But as we've reported, a cyber gang,
likely Russian-organized crime,
has come up with a way to make the machines do just that
in Armenia, Belarus, Bulgaria, Estonia, Georgia,
Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia,
Spain, the United Kingdom, and Malaysia.
Group-IB is a cybersecurity firm that's taken a lead role in investigating the caper
and has named it Cobalt.
We spoke with Dmitry Volkov, who joined us from their offices in Moscow.
We have observed targeted attacks against financial institutions
like banks and payment systems since 2013.
This specific group we detected first in the middle of this year.
The first attack happened in Russia, so one of the Russian banks was robbed.
And then we started to detect spear phishing campaigns targeting different countries.
In Asia, in Europe, in post-Soviet Union countries as well.
We started to receive requests from different banks from European countries.
We see malicious activity inside their corporate network.
And it was clear that fraudsters are going to attack banking systems and ATMs.
How does it work? How are they getting these ATMs to spit out their cash?
Well, we have specially crafted malware tools.
It's not malicious programs in traditional understanding.
So we do not infect the system with this malware.
We do not use some persistent techniques to make this program live forever on the infected system.
But this tool allows us to use traditional API functions,
or sorry for my,
we use legitimate calls to financial software
to make the ATM spit out cash.
Yeah, it struck me that it seems like
if I were a manufacturer of an ATM,
the one thing I would not want it to ever be able to do
is spit out all of its cash, right?
But you have to provide this ability to legitimate software because you need to operate the ATM machine. You need to support it.
So basically, once they had access to the network that
connected to these ATMs, they could use these standard tools
to then manipulate them into doing what they wanted.
Actually, the tools are not standard.
So we developed our own tools for these purposes.
But the interface we use to communicate with the ATM, yes, it's standard.
How are the banks preparing to protect themselves from this?
Well, first of all, we need to protect all the corporate infrastructure.
These cyber criminals, they use a very simple technique to get inside of corporate network.
They send spear phishing emails.
Is there something that banks who haven't been affected,
can they do anything to sort of preemptively protect themselves
now that we know that this attack is occurring?
Are there any sort of, I don't know, fingerprints that they can look for?
Yes, of course.
In our report, there is a pretty long list of indicators
that could be used to detect suspicious activity.
But, I mean, banks, they should think about cybersecurity in a more complex way.
So, first of all, of course, we need to protect against phishing attacks.
It's almost impossible because banks have thousands of employees.
But it's possible to detect it in the early stages.
We need to do proper segmentation of the network,
restrict access between different segments,
and detect anomalous connection attempts from non-critical segments to critical segments.
That's Dmitry Volkov from Group IB.
Their full report on the Cobalt ATM hacks is available on their website.
Palo Alto Networks' Unit 42 reports on a new Google Android Trojan,
PluginPhantom, that abuses the DroidPlugin framework.
PluginPhantom, which includes a keylogger,
extracts a wide range of user and device information.
It can take screenshots, intercept texts,
reveal your location, and more.
Facebook is calling hogwash on Check Point Software's report
of Locky ransomware being spread by images in Facebook Messenger.
The social media giant says there's no Locky in the images it delivers
and suggests Check Point is misinterpreting vulnerable Chrome extensions, which Facebook
says it's blocked for some time, as betraying a vulnerability in Facebook Messenger.
Firefox has patched a zero-day that could be exploitable to de-anonymize Tor users.
Germany's Interior Ministry has proposed legislation that would limit the
transparency of online surveillance. Such surveillance has been instrumental in collaring
ISIS terror suspects in particular. Interception of communications from jailed ISIS adherents
implicated in a plot to bomb a Sikh temple in the Ruhr city of Essen suggests that they continued
planning for unusually repellent attacks targeting
children with, among other things, poison.
Investigation into the alleged ISIS mole in the BfV continues, and eyebrows from RT to
the Washington Post are being raised by revelations that the alleged mole had a pre-BfV career
in producing adult material.
The media outlet's surprisingly retro assumption seems to be
that this fact ought to have led a security agency to think twice before hiring him.
It's also seen as surprising that the gentleman in question converted to Islam
and sought out ISIS on the strength of phone conversations
with a religious guy in Austria whose last name escapes the gentleman in question.
Inspiration works in funny ways.
Or to quote another famous and late-blooming German,
of the crooked timber of humanity, no straight thing may be made.
And I'm pleased to be joined once again by Jonathan Katz.
He's a professor of computer science at the University of Maryland and head of the Maryland Cybersecurity Center.
Jonathan, a fun article came by in InfoWorld recently,
and the headline was,
Stupid Encryption Mistakes Criminals Make. You know, sometimes these malware authors
don't end up being the sharpest knives in the drawer when it comes to choosing how to
implement their cryptography. Well, that's true, but I wouldn't blame them too much,
actually. I think what this demonstrates is that cryptography is hard. And just to set the
context here, right, this was in the context of ransomware, where criminals are writing malware that will go into your machine and then encrypt the files in your machine.
And then you'll have to pay the criminals some ransom in order to get your access to your files back.
So, you know, what you can see here is that, number one, that crypto is actually not that easy.
And so even the criminals are making mistakes.
But it's interesting still to see what kind of mistakes they're making in their code.
And what kind of mistakes do we see them making?
Well, a lot of them are mistakes that we see also honest people making when they implement crypto.
For example, one of the problems that the researchers found was being made very often was that criminals were using bad sources of randomness to generate
keys for encryption. And if you don't generate your keys uniformly at random, then it can become
easier to guess the key being used. So they just mentioned one example where the ransomware authors
were using essentially something based on the current time in order to generate an encryption
key. But of course, the current time is not all that difficult to guess. There's only a limited number of possibilities,
only a limited number of seconds in a day, as it were.
And so it wasn't that hard, actually, for the engineers to figure out the key
and then decrypt the file on their own without paying the ransom.
So we do see from time to time after these ransomware schemes have been out for a while
that some research group will come up with a crack for the ransomware.
So this is a matter of being able to reverse engineer it and find out where the weaknesses are?
Yeah, exactly. So I guess it's spy versus spy. You have the ransomware people who are writing
this code and trying to encrypt files and get people to pay a ransom. And then on the other
end, you have people trying to attack the encryption scheme being written by the ransomware
writers. I think the other comment I wanted to make, actually, is not only demonstrating that encryption is hard,
but you have to keep in mind the incentives of the ransomware writers, right? Actually, they don't care whether the encryption is secure or not.
What they care about is that it's secure enough to convince the person at the other end to pay
the ransom. And so if it's, you know, any significant amount of effort to reverse engineer it and undo the
encryption, or if they have to pay a consultant a large fee in order to do it, then they may just
as well end up paying the ransom in the first place. And from that point of view, the ransomware
writers have already won. Good point. Jonathan Katz, thanks for joining us.
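The weak-seed mistake Katz describes, worked through as an added example by the page editor. This is not code from the episode and not any real ransomware's code: the non-cryptographic PRNG (Python's Mersenne Twister standing in for a `srand(time())`-style generator), the toy SHA-256 counter-mode stream cipher, the infection timestamp and the sample file are all constructed for the demonstration. The point it shows is the one in the interview: if the key is a function of the wall clock, a researcher who knows the day a file was hit, and knows the first bytes of the original file (here a PNG header), has at most 86,400 candidate keys to try, whatever the nominal key length.

```python
"""Why a clock-seeded key is recoverable: brute force over the seconds in a day.

Added example for this page; not code from the podcast or from any ransomware
family. The PRNG (Python's Mersenne Twister) and the SHA-256 counter-mode
stream cipher are stand-ins for whatever a real sample used.
"""
import hashlib
import random
import struct

SECONDS_PER_DAY = 86400
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # known plaintext: every PNG starts with these 8 bytes


def weak_key_from_time(timestamp: int) -> bytes:
    """The flawed pattern: seed a non-cryptographic PRNG with the wall clock.

    Whoever can narrow the infection time to a window of N seconds faces at
    most N candidate keys, no matter how long the key is.
    """
    rng = random.Random(timestamp)
    return bytes(rng.getrandbits(8) for _ in range(16))


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: keystream block i = SHA-256(key || i). Symmetric."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">Q", i // 32)).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def ransom_encrypt(plaintext: bytes, infection_time: int) -> bytes:
    """What the ransomware does: derive the key from the clock, then encrypt."""
    return xor_crypt(weak_key_from_time(infection_time), plaintext)


def recover_key(ciphertext: bytes, known_prefix: bytes, window_start: int,
                window_seconds: int = SECONDS_PER_DAY):
    """What the researcher does: try every second in the window and keep the
    seed whose key turns the ciphertext's first bytes back into the known
    file header. Returns (seed, key, candidates_tried) or None.
    """
    head = ciphertext[:len(known_prefix)]
    for tried, t in enumerate(range(window_start, window_start + window_seconds), 1):
        key = weak_key_from_time(t)
        if xor_crypt(key, head) == known_prefix:
            return t, key, tried
    return None


def demo() -> dict:
    """Constructed scenario: a file encrypted on 2016-12-01 at 12:00:10 UTC."""
    window_start = 1480550400               # 2016-12-01T00:00:00Z, start of the day
    infection_time = window_start + 43210   # constructed infection time (12:00:10 UTC)
    plaintext = PNG_MAGIC + b"constructed sample image body, not a real file"
    ciphertext = ransom_encrypt(plaintext, infection_time)

    found = recover_key(ciphertext, PNG_MAGIC, window_start)
    if found is None:
        return {"recovered": False}
    seed, key, tried = found
    return {
        "recovered": xor_crypt(key, ciphertext) == plaintext,
        "seed": seed,
        "candidates_tried": tried,
        "ciphertext_differs": ciphertext != plaintext,
    }


if __name__ == "__main__":
    print(demo())
```

The search stops at candidate 43,211, which on a laptop is a second or two of work; even the full day is seconds, not the 2^128 effort a 16-byte key is supposed to cost. The fix on the "honest" side is the same one the criminals skipped: take key material from the operating system's CSPRNG (`os.urandom` or the `secrets` module) rather than from any seed an attacker can enumerate. Katz's second point also holds here: a real sample would only have to cost the victim more than the ransom to recover, not be unbreakable.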
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.