CyberWire Daily - Daily: Who is Boson Spider? Legit zero-days among Shadow Brokers' leaks.

Episode Date: August 18, 2016

In today's podcast we hear more about the Shadow Brokers, who are confirmed to have dropped some genuine zero-days. Most observers now think there was a compromise at NSA; some suspect Russian intelligence services. North Korea is again scrutinized for SWIFT fraud. Operation Ghoul targets industrial intellectual property in thirty countries. We see continued industry churn (including some layoffs as well as M&A rumors). CrowdStrike's Adam Meyers tells us about the Boson Spider gang, and Ben Yelin from the University of Maryland Center for Health and Homeland Security weighs in on the Shadow Brokers.

Transcript
00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
00:01:06 North Korea comes under fresh scrutiny with respect to SWIFT bank fraud. Cisco continues its pivot away from routers and switches and towards security. CrowdStrike talks about Boson Spider. And we have really nothing to say about Pokémon today.
00:02:26 I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, August 18, 2016. The Shadow Brokers case continues to play out in the news cycle. A bit later in this show, we'll hear some thoughts on the matter from the University of Maryland's Ben Yelin. But to review the current bidding, no one appears willing to step up and pay the 1 million bitcoin, roughly $576 million, for whatever it is the Shadow Brokers are offering. This isn't surprising on at least four counts. First, the auction site has a dodgy look with some very flaky payment terms and conditions. Second, the auction site has been rickrolled. Third, more than half a billion dollars is a lot of money, even for the wealthy elite, the announced marketing demographic. And fourth, and most importantly, it seems unlikely that money is the real goal here.
00:03:15 What the Shadow Brokers have released so far as a teaser is, most observers think, likely to be genuine NSA files. Much of the material is related to ways of subverting firewalls and other security products. And at least two security vendors, Cisco and Fortinet, have confirmed that zero-days referenced in the files are indeed genuine. Both companies have begun issuing patches. Analysts writing in Wired see this episode as showing the unwisdom of hoarding, as opposed to disclosing, zero-days, even in the small numbers NSA is believed to stockpile. A study by Columbia University, whose results were released earlier this month,
00:03:48 credibly suggested that the scale on which NSA collected undisclosed zero-days was far smaller than many had long suspected. Edward Snowden, commenting online from his Moscow place of retirement and actually sounding a bit sympathetic to NSA, thinks it unsurprising that the agency was successfully attacked. After all, it's a very attractive target to the opposition, but surprising that the success was so loudly advertised. Most observers have, however, concluded that the Shadow Brokers operation can be credited to Russian intelligence services.
00:04:21 Most observers, but not all. The alternative theory is that the files were either physically exfiltrated on a storage device by some disgruntled insider, Snowden Jr., as one observer called the conjectured insider, or that they were incompletely staged on a server by some agency operator who committed a serious mistake, and that the wrong person noticed. None of these explanations is mutually exclusive, and what the physical theft and error-in-staging theories have going for them is the presence of things in the files that aren't normally remotely accessible. Suspicion of North Korean involvement in recent SWIFT bank fraud re-emerges.
00:04:59 The DPRK is chronically short of hard currency. Investigators are revisiting the theory that the theft from Bangladesh Bank represents part of a state-sponsored criminal campaign to shore up Pyongyang's hard currency reserves. In industry news, Cisco continues its pivot away from switches and routers and toward increased reliance on cybersecurity, cloud, and Internet of Things offerings. This shift in strategy has a downside for Cisco's highly qualified workforce. The company has announced that it will cut 5,500 jobs, or some 7% of its workforce. Company executives have also said they intend to look for more acquisitions in their strategically favored lines of business. We spoke recently with CrowdStrike's Adam Meyers about recent trends and their investigation of the Boson Spider cyber gang.
00:05:48 Here's what he had to say. Looking at Boson Spider, we first kind of observed it back in August of last year. And they used Angler as well to deliver their payload. They used bulletproof hosting services, which are another component of the e-crime ecosystem. Once you have your malware, one, you want to spread it, and that's where Angler came in. And then the other thing you need to do is you need to be able to control it. You need some sort of command and control. The way that you can kind of keep your command and control up and running, one of the components that they'll use is known as a bulletproof host, which is just a hosting service that might be law enforcement resistant, or they'll tip off the
00:06:30 attacker when a subpoena or a search warrant or a hold order comes down. Now, once they had their infrastructure stood up and they actually had it deployed out to a number of hosts, they offered an affiliate model for monetization. And so effectively what that means is that anybody that wants to leverage their botnet to steal credentials or steal information can pay a subscription cost effectively to get access to that botnet and then use it within their own malware-as-a-service type of subscription. And so if you look at who their victims were, they were generally financials. And in one affiliate network, they were targeting U.S. banks and some Canadian banks. Other affiliates targeted Japan, Singapore, Hong Kong.
00:07:20 So that gets not only an understanding of how they're using this and against whom, but also potentially who is their customer set and what they're interested in. So if we see Boson Spider shut down, which we actually did pretty recently, then if we start seeing all of a sudden a new Dridex, which is another malware-as-a-service botnet, if we see a new customer come online there and they start targeting Japan or Hong Kong, then we might have a better understanding that whoever that threat actor is that was using the Boson Spider infrastructure has now moved over to Dridex.
00:07:57 One of the interesting things about this particular botnet was that it used domain name generating algorithms. When you want to control a botnet, you use a command and control domain or IP address. And good guys want to block that. So if we know that Boson Spider had a domain of badguy.com, we would identify that, we would block it, and then they would be unable to control their botnet. And so what they do is they write an algorithm
00:08:23 that kind of takes a bunch of different random pieces of data and uses that to generate domains on the fly. So the domain that they're talking to at 9:47 a.m. on August 9th won't be the same domain that they're talking to perhaps at 11:47 a.m. on August 9th. And if you understand that algorithm and you can reverse engineer it, then you can actually use that to predictively block those domains. So through our intelligence analysis, customers are able to take that and then use those domains to block this actor on their infrastructure and stop them from being able to take advantage of any of their accounts or their credentials. That's Adam Meyers from CrowdStrike. Studies by Dell and Okta highlight the difficulties of upgrading legacy systems and the security
00:09:18 penalties involved in failing to do so. LogRhythm's CTO Chris Petersen commented to the CyberWire that many legacy systems were never designed to withstand cyber attacks. Operations that depend on such systems need, he said, quote, a security strategy based on rapid detection and response, end quote. This is, Petersen added, especially important for the IoT. Quote, as the rise of IoT further compounds risk, companies must assume that both old and new systems can be compromised. They need to automate the security monitoring of their infrastructure to ensure the fastest detection, response, and neutralization possible. We also heard from RedSeal CEO Ray Rothrock, who suggested the Dell study in particular should serve as a reminder of the importance of prioritizing defenses.
00:10:06 Quote, every organization has legacy systems, some more than others. The trick is to think about your network, understand the risk associated with any given piece of software or operating system, fix those that pose a high risk, monitor those that do not. End quote. Finally, we are pleased to report that we see no new developments on the Pokéfront. We do, however, have an alternative theory as to the source of the Shadow Brokers' prose style.
00:10:31 On yesterday's show, we noted that our linguistic staff conjectured that the style came from uncritical use of Google Translate, but ultimately rejected this hypothesis after a few admittedly rough-and-ready trials. But alert listener Jess Barron contacted us to suggest an alternative theory. The Shadow Brokers sound an awful lot like the Incredible Hulk. She offered links to some Hulk tweets as evidence. Perhaps there's a Hulk-speak generator out there available for general use. In which case, Miss Barron, thanks for the insight and... Hulk smash, Google Translate.
00:11:06 The Shadow Brokers are more Hulk than the Hulk. Oh, and General Thunderbolt Ross was unavailable for comment. Dr. Banner is believed to still be on sabbatical.
00:13:00 Ben Yelin, Senior Law and Policy Analyst, University of Maryland Center for Health and Homeland Security. Ben, we've been following this story about the group calling themselves the Shadow Brokers who've leaked data they claim comes from the NSA.
00:13:58 What's your take on this? Ben Yelin: Yeah, this is potentially a very serious breach. The release on this Shadow Brokers site appears to be computer code that the NSA uses to break into the networks of foreign governments. So it's malware devices. And these are some of the NSA's most closely held tools now being potentially in the hands of both an unreliable group and now available to the general public and possibly to hostile actors, both state actors and otherwise. We don't yet know who is behind the hacking.
00:14:36 What I find interesting is that Edward Snowden, who, as we know, leaked documents from the NSA three years ago, is claiming that the Russian government has hacked into this NSA technology as sort of a threat against the United States because the United States has been posturing about punishing Russia for the rumored leaks into the Democratic National Committee system. So this is a very significant breach. I think the NSA is scrambling to figure out how this happens. And I think it's going to have pretty wide-ranging consequences. And so let's dig into that. What do you think some of the consequences could be? Well, I think one of them is that it undermines the federal government's claim. When we had
00:15:18 earlier, Dave and I talked about the Apple case, and Apple had made the argument that once it develops software to break encryption, that sort of software is going to be available to hostile users. And the NSA and the FBI had said that was not going to be the case. Now we have the situation where the most sensitively held tools for the National Security Agency, the small malware that we use to get information from hostile governments, now has been released to the public and now will be available to hostile actors. So I think it's in some ways a slap in the face to the FBI and the NSA. The one somewhat saving grace is that this is not the most recent technology. This leak appears to be of some of the malware tools that were being used in the middle of 2013
00:16:10 and onward for the next couple of years. So it is slightly outdated. And perhaps the silver lining here is that the hacker's access was cut off at some point before the most recent technology was developed. But I think it still will have very wide-ranging and potentially serious consequences. We'll keep an eye on it. Stay tuned. Ben Yelin, thanks for joining us.
00:17:23 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
