CyberWire Daily - DDoS attack on ProtonMail. Rancor cyberespionage campaign. PythonBot serves ads and a cryptominer. EU joint cyber response unit forming. Arrests in BEC campaign. Reality Winner's plea.
Episode Date: June 27, 2018
In today's podcast, we hear that ProtonMail was hit this morning by an Apophis Squad DDoS attack. Rancor cyberespionage campaign observed in Southeast Asia. PythonBot serves up adware and cryptojacking. WannaCry-themed protection racket is all bark and no bite. EU organizing a joint cyber incident response force. FBI and international partners make arrests in an Africa-based business email compromise racket. Reality Winner's guilty plea. Emily Wilson from Terbium Labs with a story of a six-year-old dealing with identity theft. Guest is Paul Aubin from Varonis on the protection of federal systems.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Proton Mail's been hit by Apophis Squad DDoS.
Rancor's cyber espionage campaign is observed in Southeast Asia.
PythonBot serves up adware and cryptojacking,
a WannaCry-themed protection racket is all bark and no bite,
the EU's organizing a joint cyber incident response force,
the FBI and international partners make arrests in an Africa-based business email compromise racket,
and Reality Winner's guilty plea.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday,
June 27, 2018. A major distributed denial of service attack hit both ProtonMail and ProtonVPN for several hours. The affected
service provider says a group linked to Russia is claiming responsibility. The group counting
coup is Apophis Squad, according to both TechCrunch and what we've seen in a bit of flame war between
ProtonMail and those it calls clowns. The attack this morning lasted several hours, although most users experienced it
as intermittent service outages. ProtonMail is an encrypted service incorporated in and operating
from Switzerland. The company said their upstream DDoS protection service, Radware, needed more time
than usual to perform its mitigations. The attack was more focused than the usual run-of-the-mill
denial-of-service attacks ProtonMail and others experience daily. Apophis Squad has been making
a nuisance of itself for several years, and hey, looky, looky, Apophis Squad still seems to have
its very own Twitter account. Apophis Squad apparently takes its name from the Greek version of the Uncreator,
the dark and baleful serpent of Egyptian mythology. Apophis is the enemy of the sun god Ra,
and he's usually held in check by the god Set, or in this case, of course, by the engineers at Radware.
Palo Alto researchers describe Rancor, a new APT group engaged in cyber espionage against Singapore, Cambodia and Thailand.
Attribution isn't clear, but there's some circumstantial commonality between the backdoor Rancor is using and that employed by Chinese threat actors.
Palo Alto thinks the campaign probably insinuated itself into its target's webpages through spear phishing.
It's using two distinctive malware strains, DDKONG and PLAINTEE.
The latter strain, PLAINTEE, looks to be novel.
Kaspersky researchers are warning that a new variety of adware is infesting susceptible Windows machines. They call it PBot or PythonBot, obviously because it's written in Python.
PBot is not only an irritating strain of adware, but it's also a cryptojacker.
Most of the victims seen so far have been located in Kazakhstan, Latvia, Ukraine and Russia.
The UK's Action Fraud Centre is warning that WannaCry connected emails are circulating.
Indeed they are, but don't
be deceived. The emails represent nothing more than an empty threat. It's a continuation of an
ongoing campaign in which some petty hoods are telling people that they'll infect them with
WannaCry if they don't pay up. Again, the threat is empty. The crooks don't have WannaCry or
apparently anything else. So just delete the email as the spam it is
and move on. The EU is organizing a cyber response force that will coordinate the union's reaction
to incidents. The Declaration of Intent proposed by Lithuania has advanced and acquired more
signatories. France, Finland, Croatia, Estonia, Spain, and the Netherlands are on board with Lithuania,
and Belgium, Slovenia, Germany, and Greece have signed on as observers.
Lithuanian officials said, as reported by InfoSecurity magazine, that, quote,
each participant would need to have a standing cybersecurity unit,
which could join the neutralization and investigation in virtual or even physical reality
in the event
of a significant cyber incident, end quote. The group plans to hold its first joint exercises
later this year. The U.S. federal government regularly faces criticism for inefficiency and
insufficient attention to cybersecurity. Paul Aubin is regional sales manager for the civilian,
intelligence, and global system integrator business at Varonis, where they recently surveyed government IT professionals,
and he shares the survey results. The really key finding that was really important to us is,
you know, I think it was 82% said protecting the data is now our top priority. You know,
if you look at a network, you know, between 60 and 80 percent of the data
on a network is what we call unstructured data. You know, Word files, PDF files, Excel spreadsheets,
you know, those documents that are created by users, not the Oracle database or the financial
database type data, right? The problem with that is, is you don't know what's in that data. You
don't know if that data is what we call sensitive, right? And sensitive, just to define that for your listeners, is any data that is seen by the wrong group or individuals can cause harm, right?
That's how we define sensitive.
It could be a PII information.
It could be a list of social security numbers and driver's license, which would be really bad.
But it could also just be a memo that you wrote about an employee.
So sensitive goes beyond what people normally think, the HIPAA, the PCI, and that type of thing, right? What was really valuable to us is that is now a
top priority in the agency, right? And if you look at CDM, phase four is 100% about protecting that
data. What is your advice for folks who want to get into that government market? Because it's
different than selling to the
private sector. The rhythms are different. The cycles are different. Do you have any tips for
folks? You know, I tell people who want to, you know, I think let's first separate people who
want to work as contractors in the government sector versus people who want to work for,
you know, sell to the government sector like I do. You know, the big difference is just to
understand that the pace is going to be very different, that the process is going to be very different.
Right.
That there's going to be a lot of rules and roadblocks that you just have to accept.
Right.
And just know that that's part of it and accept it.
Don't complain about it.
You know, I'm not saying don't change some of it, but, you know, understand that that's just the way it works.
Is that slower cycle a potential barrier for protection itself?
Does it slow down the ability to innovate, to take on new technologies?
Do you follow my line of thinking here?
It is. I definitely believe it is.
I've talked to a number of federal agencies that are like, hey, this is fantastic.
I wish I would have talked to you 10 months ago.
But I've already spent my allocation for this year. You're in my fiscal 19 plan now.
So what does that really say? Okay, I see value in this. I want to add this protection that you
provide, but I'm not going to do it for nine months. Or there's even a few agencies out there
that are ready to do it, but due to waiting on award of contracts or waiting on award of service agreements, you know, it's still going to be six to nine months.
So, yeah, the bureaucratic nature of government does slow it down and probably does leave things unprotected differently than what would happen in a commercial agency where the CEO is like, shoot, I'm going to lose my job if I don't fix this.
I'm going to reallocate resources. I'm going to reallocate people and I'm going to make this a priority
today. Right. I think the other thing that's changed is you're seeing accountability.
You know, the executive order around accountability on cybersecurity that came out earlier this year
from the current administration, you know, is now holding senior executives, senior military
officers and even cabinet level leaders and political appointees responsible for this.
And I think that might have been some of the problems prior to this is,
okay, I didn't do it, we got a breach, but nobody lost their job over it.
That's Paul Aubin from Varonis.
An international law enforcement effort, Operation Keyboard Warrior,
has resulted in the arrest of eight suspects as a business email compromise ring based in Africa is broken up.
The U.S. FBI is particularly pleased with the collars.
Booz Allen's Dark Lab has been tracking business email compromise activity for some time. They note that it usually establishes itself in one
of three ways: commodity keyloggers, compromise of a company employee's internal email account,
or most commonly, sending a deceptive email to someone authorized to transfer money
and then directing them to perform a wire transfer. Dark Lab has a list of domains recently
involved in this last form of business email compromise.
You can find that list posted in Booz Allen's Perspectives blog
under the entry New BEC Scheme Targets Companies Worldwide.
Reality Winner's plea agreement in the case of classified material leaked to The Intercept
calls for Ms. Winner to serve five years and three months in prison.
Her guilty plea was entered yesterday,
but her sentence will be formally imposed at a later date.
She acknowledged taking classified material from her workplace (she was then working for an NSA contractor in Georgia)
and offering it to The Intercept.
Supporters of the 26-year-old NSA and Air Force alumna
are asking that the court consider her service to her country in mitigation.
It's difficult not to notice that much the same could be said for anyone who released classified material when such release wasn't duly authorized,
a little like the famous jokey example of chutzpah in which the child who killed his parents throws himself on the mercy of the court because
he's now an orphan. Ms. Winner was scooped up quickly by investigators after The Intercept
sought to authenticate the documents they were offered. Good on The Intercept for trying to
confirm a story, but it was bad luck for the leaker, since the agency that saw the material
was able to swiftly find where the leak came from.
Specifically, Ms. Winner was undone and unmasked by micro-dots in the printed documents she proffered to the journalists.
Now, researchers at TU Dresden say they've developed a technique of masking such identifying marks. Too late for Ms. Winner, but soon to be on offer for future leakers.
The researchers looked at 141
printer models made by 18 manufacturers and mapped four distinct tracking dot patterns or matrices.
They created an app that automates tracking dot pattern extraction and analysis, and also creation
and implementation of anonymization patterns that can be overlaid on a document to render the dots
ambiguous. The app works at least for scanned documents, and the TU Dresden crew has made
it available. Too late for some, and of course one imagines there will be a response from those
who work on tracking technology. And finally, no, it's not just you. Yes, Slack went down this morning, with many an earthquake through many a business.
Reasons for the outage are unclear, but Slack is back up, for at least some of us.
It was, of course, a trial, speaking face-to-face with your co-workers.
If you think you had it rough, imagine how it was for me,
talking to the linguistic staff or the gunnery desk or, heaven forbid, the historians.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of
technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs.
Emily, welcome back. You have a tale to tell, a story to share with us. This is about a six-year-old getting hit with some identity fraud.
Tell us the story.
What do we need to know here?
So this is a story that I first read a few months ago.
I think it first dropped in April, and I found myself referencing it in conversation often enough
that I wanted to share it with your listeners.
So the situation here is that a six-year-old girl out of Arizona was first hit with ID theft back in 2011.
Yes, a six-year-old ID theft.
And this is one example of,
and I'm sure your listeners are coming to hear more
about every day, of synthetic ID fraud, right?
This is a situation where someone is using
the social security number of another individual, typically a child,
combined with information from a variety of other sources to create this new composite ID.
And so the mother of the six-year-old found that somebody had been opening retail credit card accounts
with this child's social security number.
And this begins sort of a twisted tale where the mother,
I think as any of us would think to do, decides to try and prosecute this and try and take this all the way to the end and not only kind of bring some
attention to the issue, but also help her daughter out because the last thing you
want when you're six is bad credit. So over the course of
four or five years,
you know, this mother is consistently dealing with issues. She's going to stores and trying
to get information about who opened the account, showing them the social of her daughter saying,
you know, this is my kid's social. You have to share with me the information
opened under this identity in stores saying, you know, no, we can't give you that,
you know, showing lots of gaps in the framework that we have now.
So protecting the privacy of the fraudster.
All right, go on.
And the mother goes so far as she's talking to the Social Security Administration
and asking to get a social reissued for her daughter.
And she changes not only her daughter's first name, but her middle name
in an effort to create a new ID based on the Social Security
Administration's requirements. And they say, no, you have to change her last name, too.
So you're already changing, you know, the identity that this girl has come to know because somebody
else is committing fraud and the government saying, sorry, we can't do anything about it.
And so in the end, they still have not reissued a social. They are now seeing another set of frauds being applied to this girl.
And this is, again, seven or eight years after the initial fraud.
And I just it's a horrifying story.
And I think it's one that we're going to see more examples of in the years to come as people begin to recognize that their kids IDs are being used for things like this. Well, and I think it also points to the possibility that we rely on that social
security number for far more things than what it was originally designed for and what's useful.
And, you know, perhaps it's time to move on. There are a lot of good conversations being
had about finding some other authenticator. And I'm excited to see that happen. I think in the
meantime, we're in this weird dynamic. And I say weird because there's really no other word for it. It's a situation where we're using a single identifier that is both universally known and yet extremely sensitive for everything that we do kind of with the government and in the private sector in many cases.
And this is something that people can easily get their hands on, easily exploit. And until very recently, businesses had no way to verify the one good piece. If there is a good piece, the one small piece of progress in this story is that recently, end of May, there was a Consumer Protection Act that came out that is going to require the Social Security Administration to create a system to allow financial institutions and others,
other relevant parties, I should be clear, to confirm that the name and contact information
associated with the social actually matches up to what the financial institution was given.
And this is the kind of solution that you think would have been around since the 90s. But no,
it's 2018. Wow. All right. Well, it's a sad story for the six-year-old,
but hopefully it'll end well for her. As always, Emily Wilson, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie. Thanks for listening.
We'll see you back here tomorrow.
Thank you.
into innovative uses that deliver measurable impact. Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.