CyberWire Daily - Daily: Stressor, booter shoppers arrested. Small DDoS against Russian banks. Botnets and home routers. Popcorn Time ransomware. US investigates Russian influence operations.
Episode Date: December 12, 2016

In today's podcast, we hear about how an international police action swept up youths shopping for DDoS tools. Russian banks sustain a mild, easily parried DDoS attack. Mirai gets trickier. US-CERT warns against vulnerabilities in home routers. Popcorn Time ransomware says it's doing good by doing bad, but few will be deceived. US opens an investigation after the Intelligence Community concludes that Russian services tried to throw the US election away from Clinton and toward Trump. Emily Wilson from Terbium Labs describes the markets for drugs and pharmaceuticals on the dark web. And North Korea says they didn't do it, you tantrum-throwing conservative puppet regime, you.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Shopping for DDoS tools, kids?
The cops have got their eye on you.
Russian banks sustain a mild, easily parried DDoS attack.
Mirai gets trickier. US-CERT warns against vulnerabilities in home routers. Popcorn Time ransomware says it's doing good by
doing bad, but few will be deceived. The U.S. opens an investigation after the intelligence
community concludes that Russian services tried to throw the U.S. election away from Clinton and
toward Trump. And North Korea says they didn't do it, you tantrum-throwing conservative puppet regime, you.
I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, December 12, 2016.
We begin the week with a quick roundup of news and notes on cybercrime.
Last week, an international police sweep rounded up people suspected of using distributed denial of service tools.
Authorities from Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania,
Spain, Sweden, the United Kingdom, and the United States cooperated with Europol,
collared 34, and cautioned another 101 users of hacking tools.
Most of the suspects were young adults. In fact, a lot of them haven't yet turned 20.
The persons of interest were flagged by their purchases of stressor and booter services in various black and gray markets.
The purveyors of such DDoS tools had attempted to position them as legitimate items,
or at least legitimate enough to avoid the
attention of law enforcement. That marketing placement would appear to have decisively
failed with last week's arrests. Russian banks did, after all, sustain the DDoS Russian authorities
pointed to with foreboding a week ago. It hit last Monday, but any of you who were looking for it may
be forgiven for having missed it because the campaign wasn't very large. Rostelecom, the state-owned telecommunications service, reported
Friday on how it parried the campaign. The attacks peaked at only 3.2 million packets per second,
with the longest attack lasting a bit more than two hours. 3.2 million packets per second is well
within the range of what DDoS mitigation services handle easily.
By way of comparison, back in September, Krebs on Security sustained an attack that peaked at 143 million packets per second,
two orders of magnitude larger than the poke at the Russian banks.
The attacks were mounted by botnets herded from among home routers that used a vulnerable implementation of the TR-069 protocol.
This is the same exploit implicated in DDoS attacks last month against Eircom, TalkTalk, and Deutsche Telekom.
US-CERT warned against using the Nighthawk line of Netgear home routers. The flaw could be exploited to bring routers into a botnet that could serve as a DDoS attack tool.
Netgear has acknowledged the problem
and says it's working hard to come up with a fix.
The Mirai IoT botnet malware has been upgraded.
It now sports a domain generation algorithm.
As SANS recommends, alert your intrusion detection and DNS sensors.
Turning to ransomware, there's an unusually repellent campaign in progress
that offers free decryption in exchange for your willingness to infect your neighbors.
Popcorn Time, not to be confused with the video content app that uses the same name,
displays the following warning upon infection.
"We are sorry to say that your computer and your files have been encrypted, but wait, don't worry. There is a way you can restore your computer and all of your files: send the link below to other people. If two or more people will install the file and pay, we will decrypt your files for free."
So it's like a chain letter with a payload. This is repellent enough, but the criminals, who ask for one bitcoin, roughly $800, claim to be Syrian computer students
engaged in collecting money on behalf of impoverished Syrians
victimized by the ongoing multi-party fighting among the Assad regime,
rebels of various stripes, and of course ISIS.
The Assad regime has long been in the market for lawful intercept tools,
which too many have been willing to sell it.
ISIS, of course, concentrates on its online brand in what continues to be an effective branding campaign.
In other news of international cyber conflict, the U.S. intelligence community reported with high confidence late Friday
that Russian intelligence services had been acting against the candidacy of Democratic nominee Clinton during the U.S. presidential election.
The evidence of intent to influence the election in favor of the Republican nominee
consists largely of the dog that didn't bark. No Republican National Committee documents were
leaked, even as WikiLeaks, Guccifer 2.0, and DCLeaks vigorously doxed the Democratic National
Committee. Some insiders say the Republican National Committee wasn't hacked, and that only routine
communications among individual Republicans were exposed during
the run-up to voting. The general opinion, though, is that they probably were, and that the take was withheld
to influence the election. President Obama has directed an investigation, but doesn't believe
the election results were called into question. President-elect Trump dismissed claims that he
benefited from Russian support. One interesting sidelight,
the Russians appear to have been as surprised as anyone by President-elect Trump's success.
The state of Georgia's request that the Department of Homeland Security explain
apparent attempts to penetrate the firewall around the state's election systems
spawns an investigation. There are several possibilities. Nefarious DHS attempts on the system, benign vulnerability scans, attack by a rogue employee, or nothing at all.
Benign vulnerability scans seem likeliest, although there were some reports of a rogue employee,
but investigation remains in its earliest stages.
And finally, North Korea has issued its customary denial of responsibility for malware found in South Korean military networks.
The charges, Pyongyang says, are beyond the realm of common sense and represent the kind of tantrum the puppet conservative party in South Korea throws during times of stress.
Pyongyang's denials show a new reach for hipster freshness, however.
The headline was, North Korea hacking? Even a stone image of the Buddha would laugh.
Okay, maybe not enough for open mic night at the Chuckle Hut, but north of the 38th parallel, that is socko stuff.
And I'm pleased to be joined once again by Emily Wilson. She's the Director of Analysis
at Terbium Labs. Emily, we've been sort of making our way through your recent report.
It was called Separating Fact from Fiction, The Truth About the Dark Web. And some of the things you dug into here was drugs versus pharmaceuticals. Tell us, what did you find when it comes to that?
We took a look at kind of legal versus illegal content on the dark web, and we thought those
proportions were interesting. But then we wanted to dig into kind of just the illicit content, the things people tend to talk about.
And of that, we found that drugs make up about 45 percent, which is a fair amount of that, right?
And when we're talking about drugs, what are we talking about?
We're talking about things that you would need a physician to get a prescription for.
And so in that case, we included, you know, anti-anxiety medications or ADHD treatments or other medications you would think of in the same way.
So in this case, pharma is a subset of drugs and drugs include, yes?
We broke them out differently in this case because one of the things
that we see, and it's difficult to measure intent here when people are buying things that look like
pharmaceuticals, but one of the things that we see for pharmaceuticals is that they're branded and
sold very differently than drugs. So when you have drugs in here, thinking kind of recreationally,
you know, you don't particularly care where, you know, your LSD is coming from. You care about the
reputation of a vendor. You maybe don't care too much about your cocaine. You trust the reputation of the vendor.
But when you're dealing with pharmaceuticals, brand matters and big pharma brands matter. You
want to trust the reputation of the manufacturer and less so of the vendor. So when you're dealing
with pharmaceuticals, especially for things like steroids or human growth hormones, you are seeing kind of very clinical packaging and people are
invoking brand names and dosing information. And you don't so much see that with recreational drugs.
We thought pharma was a really interesting use case to break out because, you know, it's the
kind of thing that really makes for an interesting discussion when you're thinking about privacy or anonymity on the dark web.
These are things that you may want to buy privately because you have a sense of embarrassment or kind of a stigma about it, whether that's medication for dealing with erectile dysfunction or some anti-anxiety medications or other drugs that can be used to treat kind of mental health issues.
And then you have other things where it may be an access issue, right?
You know, someone will show up looking for, you know, a medication to induce abortions,
something that it may be because of the state you live in.
It may be because of the stigma in your home life or it may be a cost issue.
And so, you know, these are...
A drug that's expensive here in the United States may be available from another country,
and I could access that on the dark web.
Absolutely. And that's something where if you are willing to take that risk into your own hands,
something that may not be FDA approved, or you're trusting the vendor, you know,
has what they claim to have, that is of interest to some people.
And what about reputations? I mean, are there vendors who become known for
actually providing the real goods?
Absolutely. Reputation building is everything on the dark web. You have a market that exists
entirely based on reputation because it has to be anonymous by nature. And so you have nothing if
you don't have your reputation. And I think the dark web community does a really good job in
building up that institutional knowledge. And it's really almost a self-policing community.
You know, if someone is providing something that isn't pure or isn't safe, people are quick to comment on that and
they're quick to jump on it and warn other people off. All right. Interesting stuff. Emily Wilson,
thanks for joining us.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.