CyberWire Daily - Deloitte hacked. Verizon AWS S3 exposure. Phantom Squad's protection racket. Nuclear tension expected to spawn cyberattacks. Updates on CCleaner backdoor and FinFisher distro. Carlos Danger goes to jail.

Episode Date: September 25, 2017

In today's podcast, we review reports saying that Deloitte has been hacked. Details are sparse but the story is developing. A Verizon AWS S3 bucket is found exposed online. Locky is being spammed out in quantity. Phantom Squad hoods run a DDoS protection racket. Kinetic tensions among the US, Tehran, and North Korea raise expectations of cyber offensives. Chinese intelligence is thought to be behind the CCleaner backdoor. Unnamed ISPs are accused of complicity in a FinFisher spyware campaign. Chris Poulin from BAH on vulnerabilities in connected cars. And Carlos Danger will go to the Big House. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. Recorded Future's user conference RFUN 2017 comes to Washington, D.C., October 4th and 5th, 2017, bringing together the people who put the act in actionable intelligence. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. If you want to execute at machine speed, doesn't it make sense to see what the algorithms a good machine runs on can do for you? Check out sponsor Cylance.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Reports say that Deloitte has been hacked, a Verizon AWS S3 bucket is found exposed online, Locky is being spammed out in quantity. Phantom Squad hoods run a DDoS protection racket.
Starting point is 00:02:09 Kinetic tensions in the U.S., Tehran, and North Korea raise expectations of cyber offensives. Chinese intelligence is thought behind the CCleaner backdoor. Some unnamed ISPs are accused of FinFisher spyware campaign complicity. And Carlos Danger will go to the big house. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, September 25, 2017.
Starting point is 00:02:38 This morning, The Guardian broke the story that Deloitte had been hacked. Deloitte is both a Big Four accounting firm and, like its peers, a leading provider of cybersecurity consulting services. The firm was compromised through an admin account in October or November last year and discovered the breach in March 2017. Investigation is ongoing, but Deloitte is being tight-lipped, saying only that few clients' information, including emails, was exposed. Six clients are said to have been notified so far that they may have been impacted by the breach. When they were notified is not clear. It appears that Deloitte's
Starting point is 00:03:17 Microsoft Azure account was compromised. Azure is Microsoft's cloud service, similar in function to its competitors' Amazon Web Services or Google Cloud. The admin account, through which the hackers gained their entrée to the cloud account, appears to have been secured only by a simple password and not with any form of multi-factor authentication. Exactly how the hackers achieved access is not publicly known. The incident is said to affect mainly customers in the U.S. The information exposed to compromise includes e-mails, including client e-mails, and possibly user names and passwords,
Starting point is 00:03:53 IP addresses, and business and health information. Some of the content at risk is thought to include sensitive security and design information. Some observers believed something was up when Deloitte retained Washington law firm Hogan Lovells at the end of April in connection with some unspecified cybersecurity matter. That matter now appears to have been this breach of Deloitte's Azure account. This is another breach at a high-profile enterprise: Equifax, the Securities and Exchange Commission, and now Deloitte.
Starting point is 00:04:24 In another unfortunate trend, an Amazon Web Services S3 bucket has again been found exposed to public access. This one involves a fumble at Verizon, where the U.S. telecom giant left server configurations and other sensitive information hanging out on the Internet. The exposure was found by security researchers at the firm Kromtech. The compromised material appears to involve, for the most part, internal Verizon wireless systems, specifically Distributed Vision Services, DVS, which is a middleware system that exchanges data from Verizon's back-end to the front-end apps Verizon staff uses in stores and call centers.
Starting point is 00:05:06 Kromtech and UpGuard are the two security firms who appear to be dining out on their assembly line discovery of exposed cloud services. It's unfortunate they have so much raw material to work with. More cyber extortion waves continue. One of the more notable is a large spam campaign distributing the venerable Locky ransomware. Another is more of a protection racket. The crooks of the Phantom Squad group are shaking down companies with the threat of denial-of-service attacks if they don't pay up. DDoS prevention shop Cloudflare says it's about to launch a new service that will make distributed denial-of-service something you only read about in history books.
Starting point is 00:05:44 Good luck to them. We hope they're as good as their word, and we'll watch developments with interest. As observers goggle with continued astonishment at Equifax's handling of its breach, some look to Belgium for an alternative model of credit reporting that presumably handles consumer data in a more consumer-friendly fashion. International tensions over Iran and North Korean missiles and nuclear programs prompt concerns about the coming waves of cyberattacks from the two countries. In the case of Iran, U.S. skepticism about that country's compliance with a nuclear arms control agreement is seen as offering Tehran an opportunity to undertake a fresh campaign of cyberattacks.
Starting point is 00:06:25 It's either a pretext or provocation, depending on whether you view the matter from Washington or Tehran. Iran has shown some capability in both espionage and sabotage, and its abilities in both areas are generally held to be on the rise. In the case of North Korea, the tensions that are believed likely to find expression in cyberattacks are being increased by Pyongyang's recent round of long-range missile and high-yield nuclear weapons tests. The weapons the DPRK has been testing are thought to be either full-blown thermonuclear devices or, at the lower but still very dangerous end, boosted implosion
Starting point is 00:07:03 weapons. There's been little in the way of diplomacy in evidence from either Pyongyang or Washington. Recent North Korean cyber activity has for the most part concentrated on theft, either in the form of raids on cryptocurrency wallets and bank accounts, or in the form of aggressive and illicit Bitcoin mining on other people's servers. Avast thinks the backdoor insinuated into its CCleaner security software was probably put there by Chinese intelligence services. Kaspersky and other companies looking into the incident attribute the hack to APT17, the threat group also known as Deputy Dog,
Starting point is 00:07:41 a departure from the customary naming of Chinese threat groups after pandas. Kaspersky also sees a tie to the cyber espionage group Axiom. Novetta regards Axiom as an umbrella organization engaged in coordinating espionage on behalf of the Chinese government. The backdoor in CCleaner appeared designed for use against major Western tech companies, and this too is consistent with Chinese intelligence services' long-standing interest in intellectual property and industrial espionage. ESET is looking at the spread of FinFisher spyware and has concluded that major Internet service providers in affected countries
Starting point is 00:08:20 were complicit in spreading the lawful intercept product into targeted devices. ESET declines to name the countries where they observed this campaign, citing concerns for the safety of people in those countries as grounds for its reticence. FinFisher has seen considerable use by relatively repressive regimes. And finally, in the latest high-profile conviction of a prominent politician on charges related to online misbehavior, disgraced New York Congressman Anthony Weiner has been sentenced to what the New York Post trumpets as hard time. It's not good for the former representative. He got 21 months in prison this morning, but it's not exactly hard time either. He'll be serving his sentence, in all probability, at a minimum security federal institution,
Starting point is 00:09:11 where he won't exactly be breaking rocks in the hot sun or working on the chain gang, but it's a swift and deep fall nonetheless. Weiner apparently had hoped to escape jail time even after his conviction for engaging in suggestive chats online with underage girls. Hope springs eternal, evidently. After his departure from Congress and public apology, Mr. Weiner sought political redemption in a run for mayor of New York. His campaign, never a front-running one in the Democratic primary, cratered when it came to light that he was still misbehaving
Starting point is 00:09:39 under his old nom de guerre, Carlos Danger. Solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:10:27 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:10:43 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
Starting point is 00:11:35 But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now a message from Black Cloak.
Starting point is 00:11:58 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Starting point is 00:12:33 Learn more at blackcloak.io. And I'm pleased to be joined once again by Chris Poulin. He's a principal at Booz Allen Hamilton Strategic Innovations Group. He heads up their Internet of Things security team over at Booz Allen. Chris, welcome back to the show. We wanted to talk today about connected automobiles. Let's just start with some basic things. If I head out today and I buy myself a brand new car, what sort of vulnerabilities do I need to worry about? Well, it's kind of interesting because, you know, right now there haven't been any at least publicized attacks on vehicles. And
Starting point is 00:13:12 the reality is that there are all kinds of ways that cars could be attacked. You know, some of it is because of the complexity of the software and firmware in the vehicles right now. In fact, they say that there are approximately 100,000 lines of code that run a modern luxury automobile. And I believe Ford said in their F-150 that they have 150 million lines of code because now those pickup trucks are effectively offices on wheels. I don't know how you quantify how vulnerable a vehicle is because that's sort of a general thing. But in terms of the different types of vulnerabilities that we get concerned about are obviously if somebody can hack in
Starting point is 00:13:50 through the telematics unit, which keeps the car connected back to the automaker and then jump from the in-vehicle infotainment system, you know, so basically the area in the car where you're tuning the radio and setting the seats, you know, and things like that. If they can jump from that, as we've seen in some demonstrations in the past, over to the CAN bus, then effectively you can control just about any aspect of a vehicle. So the brakes are all controlled electronically now. Engine components are controlled electronically. Steering now is controlled electronically as well, by the way, for lane departure assistance and things like that. You know, it's funny because the autonomous vehicle, self-driving, all the auto manufacturers
Starting point is 00:14:28 are getting in on that game. It's, you know, there's lots of reasons why we should all be driving self-driving cars, or actually that's the wrong way to say it, that the cars should be driving themselves. But one of the things that's kind of, I think people get a little bit scared of is that there are far more sensors in self-driving cars now and far more actuators, things that actually can take control of the car and do things. So the sensors themselves obviously are sampling the environment. So what cars are ahead of you? What does traffic look like? What is the environmental factors? Is the road wet or not? Are you departing from the lanes? And if you can trick those sensors, you can actually cause the car to react in a way that
Starting point is 00:15:09 is false, at least in terms of the physical reality of what the road is presenting to the vehicle. So that's one way, right? So it's almost like an external, to some extent, you can actually be outside of the car and present it with perhaps a picture that you project onto its video camera or into its LiDAR sensors that make it believe that the road curves to the left when, in fact, it goes straight or that there is no car in front of you when, in fact, there is. And so you rear-end it. And so that's part of it. actually break in, as I pointed out before, because everything is becoming more by wire driving instead of manual controls, which is kind of a harder thing for an attacker to do, obviously, is to actually get in and take control of the car by invading the CAN bus.
Starting point is 00:15:53 They can also accomplish the same thing. The thing that I always caution people, you know, and I'm not a big fan of fear, uncertainty, and doubt, is that at least at the moment, there's not a lot of motivation for an attacker to cause harm to passenger vehicles, unless you're some sort of high profile target. And I think probably more to the point is that the vulnerabilities are going to be about cybercrime, which is perhaps they'll find some way to put ransomware on the car and keep you from being able to start your car until you pay half a Bitcoin or something like that. So I think that's far more likely in the future. So we should be worried about it, but probably not as worried about the safety aspects
Starting point is 00:16:30 as we are about potentially the economic impacts of nobody being able to go to work. All right. Interesting stuff as always. Chris Poulin, thanks for joining us. Thank you. is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Hello, dearest listener. In the thick of the winter season, you may be in need of some joie de vivre.
Starting point is 00:17:39 Well, look no further, honey, because Sunwing's Best Value Vacays has your budget-friendly escapes all the way to five-star luxury. Yes, you heard correctly. Budget and luxury all in one place. So instead of ice scraping and teeth chattering, choose coconut sipping and pool splashing. Oh, and book by February 16th with your local travel advisor or at And that's the Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
Starting point is 00:18:22 Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
