CyberWire Daily - Election cyber-influence campaign in France. (Will UK and Germany follow?) AMT bug to be fixed. HandBrake compromised. Kazuar upgrade for Snake. Ransomware black market.

Episode Date: May 8, 2017

In today's podcast, we discuss Emmanuel Macron's victory in France's presidential election despite last-minute hacking and leaked emails. (Hacked emails seem not particularly scandalous as the story develops.) Germany and the UK brace for cyberespionage in their own upcoming elections. Intel AMT flaw more serious than expected, will get fixes this week. HandBrake download server proved RAT-infested. Kazuar looks like an Uroburos upgrade. Emily Wilson from Terbium Labs weighs in on Op Israel. Ransomware market features FrozrLock and Fatboy.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Emmanuel Macron wins election to France's presidency despite last-minute hacking. The hacked emails seem not scandalous as the story develops. Germany and the UK brace for cyber espionage in their own upcoming elections. The Intel AMT flaw is more serious than expected and will get fixes this week.
Starting point is 00:02:13 The HandBrake download server was RAT-infested. And the ransomware market features FrozrLock and Fatboy. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, May 8, 2017. France's presidential elections are over, and Emmanuel Macron has won office against the National Front's Marine Le Pen, despite 11th-hour leaks of hacked emails. French election law prohibits distribution of late-breaking materials within 40 hours of voting. The law is best understood as mandating a news blackout with a view to avoiding the sort of last-minute surprise a campaign would have difficulty responding to. Macron's En Marche movement disclosed that it had been breached shortly before the legally mandated blackout began. A variety of social and alternative media did push the material, including several based in the U.S., 4chan prominently among them. WikiLeaks was apparently not among the hosts, as had been
Starting point is 00:03:16 widely reported, but Julian Assange's site did offer some magnet linking that kept the archive accessible after some of the original sites had been taken down. En Marche says most of the material in the dump is genuine, but that the archive has been salted with fabricated content aimed at disinformation. Some of the fake content, En Marche suggests, it put there itself, both protectively to discredit the leakers and possibly as a kind of canary trap. The dump is very large and will take time to sort out, but preliminary looks suggest most of the material is anodyne,
Starting point is 00:03:51 routine and not particularly scandalous. Thus, it's much more like the low-grade penetration of Republican sites during the last U.S. election than it is the more incendiary hacking of the Democratic National Committee. The Republican leaks consisted mostly of thank-yous to donors, notes about fundraising dinners, and so forth. The En Marche leaks seem to largely be that sort of thing. French authorities, of course, are investigating,
Starting point is 00:04:17 and early speculation about attribution looks toward Russia, since the incident resembles the influence operations Russian intelligence services are generally and officially regarded as having conducted during the last U.S. campaign cycle. Both Trend Micro and Flashpoint have reported circumstantial evidence that Russia's GRU military intelligence service was behind the incident. And remember, GRU operations are also commonly known as APT28, Pawn Storm, and, of course, Fancy Bear. Before the last-minute tranche of leaks, President-elect Macron had called for closer ties between French and U.S. intelligence services. He envisioned a comprehensive overhaul
Starting point is 00:04:57 of France's defense policy, and some of his senior advisors have indicated a desire to approximate the sort of relationship currently enjoyed by the intelligence services of the Five Eyes: the US, the UK, Australia, Canada, and New Zealand. So we shall see if current concerns about cyber espionage drive a transformation of the Five Eyes into the Six Eyes. British and German officials prepare for cyber attacks and influence operations against their own upcoming elections. German officials engage in public musing about hacking back at offending servers. Predictable German attacks alarmism ensues among the many who really ought to know better. The British general election has been called for June 8th, exactly a month from today. German federal elections are farther out.
Starting point is 00:05:47 Germans will go to the polls on September 24th. Not all the news at the beginning of the week is so obviously political and cloak-and-keyboard. Last week, researchers disclosed a long-standing authentication bypass flaw in several generations of Intel chips. That flaw, discovered by security firm Embedi, is expected to be fixed later this week. In the meantime, researchers warn that the vulnerability is worse than initially thought, with more Active Management Technology (AMT) users exposed to more dangerous remote code execution than initial estimates reported.
Starting point is 00:06:19 Intel has published as an interim measure both a vulnerability detection tool and a mitigation guide. They're available at downloadcenter.intel.com/.download. There's also a problem reported with the popular video conversion app HandBrake. A mirror download server for the software was compromised by hackers, who replaced the Mac version with their own version that comes preloaded with the Proton remote access Trojan. HandBrake has issued removal instructions. Researchers continue to follow the twists and turns of Snake in the dark web.
Starting point is 00:06:55 It's spyware that's confirmed to exist for Windows and Mac, and there are reasons to suspect that it also has a Linux version. Snake, properly speaking, refers to the Mac version being tracked by the researchers at Fox-IT. The Windows version has been named Kazuar by Palo Alto Networks after a word found in the malware's source code. Kazuar is cassowary in various Slavic languages, so a big bird. Palo Alto believes it's found signs in Kazuar code that a Linux version is also out there. Kazuar seems to represent an upgrade over the Uroburos spyware used by Turla, a threat actor believed by Kaspersky and others to be operating out of Russia,
Starting point is 00:07:36 perhaps as early as 1995. Among the novelties seen in Kazuar is an API that enables the malware's masters to reverse command and control traffic as needed. Turla and its works seem to represent the sort of hybrid state-criminal operation often observed in Eastern Europe. And elsewhere in the dark web, the cyber black market sees the continuing popularity of ransomware. Both of the recent entries we're hearing about hail from Russia. The first, FrozrLock, is offered to criminal customers at the low, low price of $220. It comes with a slick presentation and a tagline touting it as
Starting point is 00:08:16 "a great security tool that encrypts most of your files in several minutes," which on reflection hardly sounds like a recommendation. And Recorded Future's look at the Fatboy ransomware-as-a-service offering discloses an interesting pricing structure. Fatboy uses The Economist's Big Mac Index to peg pricing to the victim's regional cost of living. Thus a Londoner or a Manhattanite should expect to pay more than a resident of Sheffield or Indianapolis.
Starting point is 00:08:43 So, from each according to their abilities, to each according to their needs, we guess. Big Mac, by the way, is a tool that explains exchange rates, and has nothing to do with the 563-calorie confection offered at McDonald's restaurants. So any connection to Fatboy is purely coincidental. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:09:18 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:09:52 But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations,
Starting point is 00:10:47 Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:11:21 It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, we covered the fact that Op Israel happened recently. Every April 7th,
Starting point is 00:12:05 it comes around. And you all saw some interesting observations when it came to Op Israel this year. We did. Every April 7th, we kind of keep an eye out, expect this to happen. And I think it's interesting that we have these kind of anticipated events in cybersecurity, right? We expect data to be leaked. We know roughly what it will be and how it will appear and what people will say about it. But what we didn't expect this year was that we saw actually a bunch of Op Islam posts, information being dumped kind of in the week leading up to it
Starting point is 00:12:38 and then definitely kind of in bulk on April 7th. Normally, we see those in kind of the days following, right? These kind of retaliatory posts in exchange for the Op Israel data on April 7th. But this year, it was the other way around. So just to clarify, explain to me, what is Op Islam posts? What is that? Yeah, in this case, so these Op Islam posts, you know, Op Islam is a broader operation kind of attacking any kind of Islamic targets. What we saw here was still in that same vein, right?
Starting point is 00:13:06 So whether these are kind of Muslim targets or companies that have ties in the Muslim world, what we saw were these same kinds of posts, but with active and open pro-Israeli kind of manifestos at the beginning. And then we reported that Op Israel really has, historically, has not been much more than a nuisance to the Israelis. I think that's a fair assessment. You know, I think certainly probably the first year of this, everyone was a little surprised. And, you know, 2014, then I suppose the second year, you know, kind of people watching this space.
Starting point is 00:13:40 But now we know to expect it. We know largely how the information is going to appear. And I think in this case, it's people looking for any outliers. What's new? What's different? Or is this going to be same old, same old? So is it more a matter of a group getting attention rather than actually thinking that they're going to really have any effect on Israeli security? Yeah, I think, at least from the data that I saw this year, I didn't see anything that went as far as really getting into kind of true Israeli state security. I think we have here a couple of groups of people who are looking to kind of make a nationalistic or religious statement, and they're kind of picking sites that are moderately interesting, but not overly impactful at a state level.
Starting point is 00:14:27 All right. Emily Wilson, thanks for joining us. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:15:20 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard.
Starting point is 00:16:10 Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
