CyberWire Daily - Daily & Week in Review: Gunnery hacking. Influence operations and a proportionate response thereto? Yahoo breach post mortems. NIST issues Special Publication 800-184: "Guide for Cybersecurity Event Recovery."
Episode Date: December 23, 2016

In today's podcast we hear more about how Fancy Bear has gone to war. Russia denies meddling with US elections. US retaliation for influence operations is still under consideration—some speculate that when it comes, it may be loud. Siemens patches its widely used HVAC controller. Post mortems on the Yahoo! breach continue (and draw attention to cybersecurity ETFs). FBI Special Agent Keith Mularski describes the takedown of the Avalanche botnet. Awais Rashid from Lancaster University on data exfiltration by APTs. And NIST releases its guide to cyber incident response and recovery.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners.
Today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code N2K at checkout.
Fancy Bear goes to war.
Russia denies meddling with U.S. elections.
U.S. retaliation for influence operations is still under consideration.
Some speculate that when it comes, it may be loud. Siemens patches its widely used HVAC controller,
postmortems on the Yahoo breach continue and draw attention to cybersecurity ETFs,
and NIST releases its guide to cyber incident response and recovery.
I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, December 23, 2016.
More people look at the compromised Android Fire Direction app that enabled Russian forces to locate and destroy Ukrainian artillery during hybrid combat in eastern Ukraine.
The Ukrainian officer who developed the app and provided it to his comrades has said reporting on the hack contains rotten information.
But he also advises users to delete older versions and download the app only directly from him
and not from some dodgy third-party source.
Some commentators are saying that the risks CrowdStrike reported are overblown
because the phones and tablets with the app installed wouldn't be internet connected.
Maybe, but video from Ukrainian sources showing the gunners using the tool certainly suggests
they're connected wirelessly to something, in some cases guns, in other cases mapping programs like
Google Earth, all of which suggest the devices are accessible from the web
and capable of reporting back to the Russian army. Apart from some targeting of ISIS operators
developed by monitoring their online activity, this incident does seem to offer the clearest
instance yet of lethal tactical hacking. Many observers see this as a new overlap of military
operational domains as cyber ops intersect with kinetic combat.
Others see a natural evolution of electronic warfare into cyberspace.
CrowdStrike attributes the gunner hacks to Fancy Bear, Russia's military intelligence
agency, the GRU.
It says the code in the X-Agent malware is similar to that found in the U.S. Democratic
National Committee networks.
Russian President Putin has denied again meddling with U.S. elections
and expressed hope for better relations even as U.S. investigation into influence operations continue.
President Obama has said the U.S. will take proportionate action against Russian cyber operations
at a time and place of its own choosing.
The list released this week of Russian organizations and individuals
that will face U.S. sanctions is probably not that promised action,
but rather a continuing response to the years-old Russian re-engorgement
of Crimea and other Ukrainian territory.
Reports suggest that the U.S. was better prepared to defend against a hacking offensive
than it was for the information operations that actually materialized.
So the U.S. still presumably has some retaliatory cyber operations in the barrel,
but what those might be remains to be seen. There's not much hint of them in recent high-minded harrumphing from Director of Central Intelligence Brennan, who had declined to sink to the
adversary's level, deplores skullduggery, etc. The Council on Foreign
Relations says people at Fort Meade told them that U.S. Cyber Command likes the idea of loud
cyber weapons, so retaliation, if it comes, may be noisily obvious. Moving to industry news,
Siemens releases firmware patches for its popular Desigo PX industrial control hardware.
This product line is widely used for controlling HVAC systems in commercial buildings.
Mozilla has announced plans to upgrade sandboxing in its Firefox browser.
With Yahoo's future very much up in the air, observers look at the company and see a case
study in the tensions that exist among cost control, user experience, and security.
Financial analysts note that the record-setting breach has drawn attention to cybersecurity
exchange-traded funds.
And finally, a kind of Christmas present from NIST.
The Institute has released Special Publication 800-184, its Guide for Cybersecurity Event
Recovery.
It's billed as a playbook designed to help organizations respond and recover when they come under cyber attack.
And the enterprise would do itself a favor by taking a look.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And I'm pleased to be joined once again by Professor Awais Rashid.
He heads the Academic Center of Excellence in Cybersecurity Research at Lancaster University.
Professor, we talk about APTs, Advanced Persistent Threats, and you wanted to fill us in today on data exfiltration by APTs.
Yes. One of the interesting evolutions of our hyperconnected infrastructure is that within any organization, your systems are increasingly more complex. So there was a time where, as an organization,
you pretty much had full control over your network and what was connected to that network.
As we open up our infrastructure through internet and web-based interfaces, we allow employees to
bring their own devices. We use cloud-based systems, both in terms of software and infrastructure. It basically means that
increasingly your organization's network is a patchwork of systems, and that makes security
of this infrastructure a very complex task. And advanced persistent threats, the sophisticated attackers can actually exploit
this complexity to enter the system and exfiltrate valuable data from the system.
We have seen various scenarios of these where attackers have actually stayed within the system
for several months waiting for an opportunity to do lateral movement.
We also see various patterns in terms of how attackers
might actually extract data out of these systems.
A lot of the times, attackers would use fairly open channels
like your HTTP or file transfer protocol, email and webmail.
But also we see very sophisticated mechanisms that exploit often cloud-based services,
such as the various storage environments that many organizations now allow and use,
such as services such as Box or Dropbox.
And the reason is that if you are using these services as an attacker, then the traffic
actually blends in with normal traffic and it doesn't get picked up by security systems
and anomaly detection systems.
Similarly, you can have many other advanced exfiltration channels that attackers might use. So, for example,
a lot of organizations now use voice over IP techniques, and you can actually use steganography
where you can hide information in those voice over IP packets to try and extract information
out of these systems. In general, I think the key problem has to be that whenever we look at the data across
an organization, we need to think and ask the question, where are our data assets? Because
many a times we think of our data assets as things that are in storage, they sit somewhere on disk,
and we think that, for example, encrypting disks, which actually is a very good activity and we must
do, protects that data.
But there is also data in use that is brought regularly into a computer's memory and hence decrypted and is utilized in day-to-day processing.
And then there is data in motion that transits across the network or from our network into other services, for example, cloud-based services, which actually creates potential vulnerability points
which an attacker can exploit.
So given that our systems are now so complex
and attackers are getting increasingly sophisticated,
we need to think about where are our data assets
and how we may protect them.
Awais Rashid, thanks for joining us.
My guest today is Keith Mularski.
He's a supervisory special agent with the FBI, working out of the Pittsburgh office,
where he oversees all cyber investigations for that region.
Special Agent Mularski and his team were instrumental in coordinating international efforts to take down the Avalanche botnet,
which was a criminal syndicate involved in phishing attempts, bank fraud, and ransomware.
Up here in Pittsburgh, we've been working many different botnet cases. A couple years ago, we did a takedown of the GameOver Zeus botnet that used the peer-to-peer infrastructure.
And then last year, we did a takedown of the Dridex botnet. So in the wake of those two takedowns, we kind of started looking at the
Avalanche infrastructure, which was a way for criminals to anonymize their botnets. So instead
of just one botnet going over the Avalanche infrastructure, there were a dozen or so at any given time.
And what Avalanche did was it had many different layers of obfuscation and proxy networks that kind of almost acted like a peer-to-peer, but it was actually what they call fast flux network that would enable it to be very difficult for law enforcement to find out where the back end is to be able to shut it down. And then we had some victims here in western Pennsylvania from a couple of these botnets
that were hosted over Avalanche. And that's kind of how we got involved.
And these were not insignificant attempts to transferring money.
No, absolutely not. They really go after small to mid-sized businesses that have a few hundred
thousand to millions of dollars in their account.
And that's what the criminals were mostly targeting from the banking Trojan side.
And so the network comes to your attention.
Take us through the process of how you go about working with other agencies around the world to bring it down.
We work very closely with our German counterparts at the German State Police over there.
And they had been looking at this
infrastructure for a couple of years. And they had reached out to us based off of some of the
success we had in the previous takedowns. So we started working with them. We started looking at
the types of botnets that were being hosted there. And then we were able to get victims here in Pennsylvania.
And then from starting to do those investigations, we just started pulling the strings and looking at where the infrastructure was hosted around the world, identifying subjects
in different countries. We really leveraged what we call our legal attachés, which are FBI
representatives that are stationed in all the countries overseas. They're
at the embassies. And their job is to get liaison with our foreign partners over there and really
make it a lot easier to move these cases along a lot quicker. So we work very closely with them
to pass intelligence on a real-time basis on where infrastructure was moving, you know, who the
subjects are, and we were able to make the investigative process go a lot faster.
And so take us, you know, through the point where you feel as though you've identified
some of the people who are actually running this botnet, and then it's time to pull the
trigger and bring them in.
Yeah, so what we wanted to do was a twofold approach. One
is we wanted to get the people responsible for it and some of the people that were running the
botnets. But at the same time, we also wanted to hit the infrastructure and take that down.
So we had to take a two pronged approach. One is we wanted to work with our foreign law enforcement
partners to get them the intelligence for them to do surveillance or whatever they needed to do to
confirm the identities and get them the evidence so we could plan searches. The second thing that
we needed to do was work with private industry in order to sinkhole the domains that the malware was using and also to seize the servers and
infrastructure. So what we had to do was get a criminal, what we call a criminal temporary
restraining order, in order to give us the authorities to be able to seize the domains,
which the last count, I think, was somewhere around 870,000 domains that the malware would
talk to that we would have to seize.
There were over 40 different Internet registries that participated in this, including there was a registry on Christmas Island.
And so he was in control of like a couple of the domains.
But we had to go to him because we had to sinkhole them.
And, you know, he ran the local marina and also the Internet Registry.
So we had to really go, you know, at the far ends of the earth
in order to make sure that everything was going to work very well.
We had a meeting at the EC3, which is the European Cybercrime Center at Europol.
And we brought together all the different countries in the Internet Registries
to kind of say, OK, we're going to do this takedown on this day.
And this is kind of what we needed to do and get everything in place.
So on takedown day, we went and did our law enforcement action doing searches and arrests.
And then we seized servers and then we started sinkholing the domains to be able to take all the infected
computers away from the bad guys. So that's kind of it in a nutshell.
Give us a sense for the scale of the operation. How many people were brought in and what are we
talking about with the servers? Really, the scope of it was unprecedented.
We had over 40 different countries participate in this.
We had law enforcement action in, I think, about half a dozen of them where we had some seizures and we had some arrests in Ukraine and in Bulgaria and in Germany.
So I can't get into a lot of the law enforcement details yet because it's still ongoing.
The scope was really just huge, you know, with 40 different countries.
If you could just imagine trying to get four people, you know, in a conference room to try to do things coordinated,
let alone to have 40 countries from, you know, not being in a conference room to do something coordinated, it was very difficult.
But it all worked out and it all turned out very well.
What are the ripples of this around the world?
Do the other bad guys around the world take notice?
Well, we hope so because what we're trying to target and one of the strategies that the FBI does in working with our law enforcement partners is that we want to go after shared criminal services.
And what shared criminal services are, it could be like bulletproof hosting providers. It could be people that are,
you know, writing malicious code that's used across, you know, the whole criminal platform.
So in this case, we went after and took out one of the shared criminal services that was used by over 12 different organizations that were running their own separate botnets.
So we think that has a major impact because we're not just disrupting one organization.
We're disrupting 12.
And by taking Avalanche off, it will make it much more difficult for people to host this malicious code and these botnets.
We're trying to make
the world a smaller place because cybercrime has no borders. And it's this type of coordination
and these type of successes that we can build on, you know, for future operations.
That's Keith Mularski. He's a supervisory special agent with the FBI.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal
devices, home networks, and connected lives. Because when
executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached. Protect your executives and their families 24-7, 365
with Black Cloak. Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.