CyberWire Daily - DPRK exploiting Flash Player zero-day. ISIS wants hacking help. JenX DDoS, Scareby ransomware updates. Crime and punishment.

Episode Date: February 5, 2018

In today's podcast, we hear that Flash Player is being exploited by DPRK's TEMP.Reaper, also known as Group 123. ISIS may have a hacker help-wanted sign out. JenX botnet update. Scareby ransomware tells victims it will shred their files if they don't pay up. The Nunes Memo remains a political Rorschach test. A Japanese teenager is arrested for writing cryptocurrency-stealing code. Lauri Love will not be extradited to the US. Peter Levashov is not so lucky. Joe Carrigan from JHU responds to listener mail on passwords. And the FBI is not emailing you to say you may be entitled to compensation.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Flash Player is exploited by DPRK's TEMP.Reaper, also known as Group 123. ISIS may have a hacker help wanted sign out. We've got a JenX botnet update. Scareby ransomware tells victims it will shred their files if they don't pay up. The Nunes memo remains a political Rorschach test. A Japanese teenager is arrested for writing cryptocurrency
Starting point is 00:02:17 stealing code. Lauri Love will not be extradited to the U.S. Peter Levashov is not so lucky. And the FBI is not emailing you to say you may be entitled to compensation. I'm Dave Bittner with your CyberWire summary for Monday, February 5, 2018. Exploitation of an Adobe Flash Player zero-day is now generally being attributed to North Korean operators belonging to the TEMP.Reaper threat group, also known as Group 123. South Korea's CERT warned of the campaign last week. Researchers at security firm FireEye have been investigating. They say they've seen TEMP.Reaper operators working with their command and control infrastructure from IP addresses belonging to Pyongyang's STAR-KP network. STAR-KP is a joint venture between North Korea's
Starting point is 00:03:10 government Post and Telecommunications Corporation and an outfit based in Thailand, Loxley Pacific, which would seem to associate TEMP.Reaper clearly with the North Korean regime. The targets so far have been South Korean. The exploit is delivered by a malicious Excel file delivered by a phishing email. Cisco researchers, and Cisco is the company that's been tracking the threat actor as Group 123, have identified the payload as ROKRAT, malware that enables remote code execution on victim systems. If you decide to continue to use Flash Player, you'll have to wait for the security updates Adobe has said it intends to deliver sometime this week.
Starting point is 00:03:50 As usual, treat email attachments with caution. Administrators might also consider implementing Protected View for Office in their enterprise. There's also a possibility of waterhole attacks built around some South Korean websites. Security industry researchers, many of them GCHQ alumni, warn that ISIS is trying to recruit hacking talent in labor black markets. The terrorist group has hitherto excelled at inspiration, but generally flunked hacking proper, demonstrating little more than an ability to vandalize poorly protected sites. Europol and other police agencies have continued to assess the aspiring caliphate's hacking skills as low,
Starting point is 00:04:30 but an influx of criminal coding talent could change that. So could increased access to commoditized hacking tools, a flourishing market for which now exists in various dark web souks. Some such criminal services have long been available. Distributed denial-of-service attacks can now be hired. In one example of this, researchers at Radware and other security companies have tied a gaming server rental operation, San Calvicie, more closely to the JenX botnet.
Starting point is 00:05:00 San Calvicie offers Grand Theft Auto San Andreas hosting, and they also offer to hit targets with distributed denial-of-service attacks for the low, low price of $20. People are working to get the service taken down, and Radware says it's had some success in getting exploit servers taken down, but they also say that this has slowed rather than stopped the growth of JenX. Scareby ransomware, a variant of the well-known Scarab malware, brings a new twist to ransomware.
Starting point is 00:05:29 It encrypts files, of course, but then it threatens to delete 24 files from the victim's systems every four hours the extortionists aren't paid. In most ransomware capers, the extortionists simply threaten to up their prices. But a threat to destroy the data beyond recovery lends more urgency to their demands. This may be an empty threat. Security firm Malwarebytes, which has been studying the ransomware,
Starting point is 00:05:53 hasn't found the sort of backdoor access that would lend credibility to the promise of shredding. It also seems the criminals may be implying they're retaining copies of shredded files that they could return to the victims upon payment of ransom. As always, the best practice against ransomware is secure and regular backup of files. Scareby, to judge from its code, is apparently a Russian criminal product, and it spreads by RDP manual dropping. Its ransom note appears in broken, poorly translated English, and not, one should note, the artfully implausible screenwriter's broken English used by the Shadow Brokers. So these look like actual
Starting point is 00:06:31 hoods and not cat's paws for a certain nation's security organs. Where are the brokers being these days? We are being wondering, by the ways. Hobnobbing in Davos with wealthy elites, maybe? Saving up the Super Bowl leftovers foods they could not finish yesterday because they lose appetite watching Gronk not catch final pass from Brady, so they will be eating wings and cucumbers while watching Olympics next week. Maybe be sharing snack with Fancy and Cozy. In the U.S., the Nunes memo is expected to be followed by other memos and releases. Reaction
Starting point is 00:07:05 to the controversial memo and the controversial FBI surveillance it describes continues to fall generally along predictable partisan lines. More documents and controversy are expected over the course of this week and beyond. We close with some news of crime and punishment. First, the extraditions. British hacker Lauri Love, who hit U.S. government sites in 2012 and 2013, will not be extradited stateside after all. The High Court overturned his 2016 extradition order, but left the door open to Love's prosecution in the U.K., saying it would not be oppressive to do so. Mr. Love counted coup against an impressive list of U.S. agencies: NASA, the FBI, the U.S. Army, the Department of Defense, the Federal Reserve, the Missile Defense
Starting point is 00:07:51 Agency, the Department of Health and Human Services, and the Department of Energy. It's thought that Mr. Love's Asperger's syndrome, which he introduced in extenuation and mitigation, played a role in the court's decision, as did the American prosecutor's presumed intention of asking for the 99-year max. The judgment said, in part, quote, The experience of imprisonment in England would be significantly different for Mr. Love from what he would face in the United States. The support of his family, in particular, would mean that he would be at far lower risk
Starting point is 00:08:23 of suicide in consequence. On the evidence we've seen, his mental and physical condition would survive imprisonment without such significant deterioration, although it would undoubtedly be more problematic for him than for many prisoners." Russian hacker Peter Levashov, alleged creator of the Kelihos botnet and reputedly one of the world's leading spammers, was not so lucky. He's been extradited to the U.S. from Spanish custody. Mr. Levashov has claimed connections to Russian President Putin's political party. How that will help him in the Connecticut federal court that will hear his case is unclear.
Starting point is 00:09:00 A Japanese teenager, said to be a third-year high school student in the Osaka Prefecture, has been arrested on charges of developing malware that enables theft of Monacoin, a Japanese cryptocurrency. So far, the only loss identified in the alleged theft is of 15,000 yen, roughly $660, but police are investigating to determine whether there might be more victims. The unnamed boy says he's innocent because "I didn't do it with malicious intent." Finally, lies again receive a bodyguard of truth, in this case truth in the form of links to legitimate news articles reporting the apprehension of various online fraudsters.
Starting point is 00:09:39 They're appearing in phishing emails to lend verisimilitude to what would otherwise be a bald and unconvincing narrative. The emails represent themselves as being from the Internet Crime Complaint Center, commonly known as the IC3. The typical phish bait is to tell the recipients that they may be entitled to compensation from companies that have abused them. If you open the attached text file, you'll be downloading an information stealer. If you visit the link to a
Starting point is 00:10:05 fake IC3 site, you'll be prompted to enter a lot of personal information. The FBI warns everyone against taking the bait, and the real IC3 site is easy to remember. It's ic3.gov. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.
Starting point is 00:10:43 Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. Thank you. $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
Starting point is 00:12:06 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Joe Carrigan. He's from the Johns Hopkins University Information Security Institute.
Starting point is 00:12:47 Joe, welcome back. Hi, Dave. So we have some more follow-up from Nathaniel Yu who wrote in to us. He's talking about passwords. One of my favorite subjects. I know. Well, that's why I saved it for you. He said, instead of telling users not to write down passwords and instructing them to construct complex and long passwords, issue them randomly generated and distributed 12-digit passwords on a sticky note and teach them that they can easily keep them safe by adding a uniform passphrase to the beginning or end of each password.
Starting point is 00:13:19 This is an idea I came up with earlier on that I call a brain token. This allows people to only have to ever know one password for work at a time. That's an interesting idea. This allows you to write down your password because you keep the secret component of it in your head, and you don't share that with anyone, and you either add that to the beginning or end of a password. Seems reasonable.
Starting point is 00:13:41 It seems like a good idea. If I had to vote on this one, I would vote this one down. Really? Okay. So here's my concern with it. You're handing out the 12 characters of alphanumeric information that are not to be remembered and you're putting them on post-it notes and you're writing
Starting point is 00:13:58 it down. So you're writing down a portion of the password. Right. So now if the user believes that the password is secure because they've got this secret piece, what is the secret piece? They're probably not going to pick a very long and difficult to remember secret piece because they've already got a randomized piece that's written down. So this is where the person would say they'd add one, two, three at the end of it, and that's not secure. Exactly. Well, they don't know what my code is, but now we're just back to guessing passwords again. Once I get your 12 digit code, I can just go in and
Starting point is 00:14:28 brute force your password using easy guesses. And I'll bet 80 to 90% of the time I can get it pretty quickly. Rather than doing this, what I would suggest people use is either a password manager or a two-factor authentication. And a lot of times in two-factor authentications, you can do exactly what the listener is suggesting here. You can prepend or postpend some extra digits to an authentication token that is usually either a piece of hardware that you have or it's an app on your phone. I prefer to have the piece of hardware rather than the app on the phone.
Starting point is 00:15:03 Yeah. What I have heard people suggest with this brain token idea that I think is interesting is that you use it in addition to your randomly generated passwords from your password manager, because you and I have talked about the idea of if they get into your password manager, they own you. So this way, if you allow your password manager to create a long password, and then in addition to that, you have this brain token, that takes away the danger of someone basically owning your password manager if they get into there. Correct. I think that's a good idea. I think that's a good use of
Starting point is 00:15:34 a brain token kind of concept, because you're still using large random passwords that are difficult to guess, if not impossible. And now you're making it, you're hedging your bet that somebody has come in and into your computer somehow, or they've gotten into your cloud-based password management system, and now they have the keys to your kingdom. So you're protecting that by adding an extra bit of information to it. And then the idea being that if once they start testing your passwords, they find none of them work, they just throw the whole thing away. Yeah. And I think that's a good defense. Yeah, sort of your own built-in two-factor. Correct. Yeah. All right. Very good. Joe Carrigan,
Starting point is 00:16:14 thanks for joining us. It's my pleasure. Cyber threats are evolving every second. And staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and
Starting point is 00:16:46 securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup
Starting point is 00:17:28 studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki,
Starting point is 00:17:43 Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Thanks for listening. We'll see you back here tomorrow. Thank you.
