CyberWire Daily - Email brute-forcing. Aadhaar woes. Leaked Equation Group exploits remain a problem. Hijacked Chrome extensions. Pulse wave DDoS. FBI interviews "Profexor." Extremism and vigilantism. OurMine hacks HBO Twitter, Facebook.

Episode Date: August 17, 2017

In today's podcast, we hear that Holyrood is defending itself with some success against email brute-forcing. India's national ID system compromised, again. ShadowBroker-leaked exploits continue to do damage. Hijacked Chrome extensions prove difficult to eradicate. New variants of Locky and other ransomware are out. "Pulse wave" DDoS attacks are observed. Researchers find DDoS-as-a-service for sale in Chinese online souks. Governments express suspicion of foreign IT. Extremist site loses hosts, but its content will go on, even as opposing vigilantes mistakenly dox innocent targets. Emily Wilson from Terbium Labs with thoughts from Black Hat and shifting awareness of the dark web. Brad Stone from Booz Allen on a recently released report on NotPetya. And OurMine hijacks HBO social media accounts. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. Your patient data depends on incident response plans. Prepare with DeltaRisk's webinar. Domain Tools leverages both human and machine intelligence to expose malicious infrastructure. Learn more in their white paper. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Holyrood defends itself against email brute forcing. India's national ID system is compromised again. Shadow Brokers-leaked exploits continue to do damage. Hijacked Chrome extensions prove difficult to eradicate.
Starting point is 00:02:09 New variants of Locky and other ransomware are out. Pulse wave DDoS attacks are observed. Researchers find DDoS-as-a-service for sale in Chinese online markets. Governments express suspicion of foreign IT. An extremist site loses its host, but its content will go on, even as opposing vigilantes mistakenly dox innocent targets. And OurMine hijacks HBO social media accounts. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, August 17, 2017.
Starting point is 00:02:46 The campaign against the Scottish Parliament's email services continues, but the BBC reports that defences at Holyrood seem to be holding firm. India's Aadhaar personal identification system, a government program that assigns citizens a 12-digit number linked to biometric information, has sustained a data exposure incident. Flaws in the e-hospital app, developed by the National Informatics Centre, have made Aadhaar numbers available to a free and dodgy Android app, MyGov, whose developer was arrested in late July. This particular incident is thought to have affected a few thousand citizens,
Starting point is 00:03:25 but investigation is still in progress, and it's not known if there was any other exploitation of the software issues. Most adult Indians, 99% according to reports, are enrolled in the national identification program. Exploits leaked by the Shadow Brokers continue to damage enterprises. WannaCry has resurfaced in a South Korean LG service center, and businesses affected by NotPetya are still tallying their losses. In some cases, those losses are being reckoned in the hundreds of millions. We spoke with Brad Stone from Booz Allen's Cyber Foresight threat intelligence solutions team about their research into the attack and their conclusion that there may be more to the attack than initially suspected.
Starting point is 00:04:09 I think all of us were kind of watching similar to when we saw WannaCry, watching Bitcoin accounts and others to kind of see if this classic ransom, where's the financial benefit? And as soon as we started seeing things like the email and other ways for the payment to not really be monitored, it started to make us think, wow, what else is going on here? And so in particular, kind of pulling together analysis, leveraging what we were seeing from other great groups, but then also looked at the fact of, wow, this end result of the actual ransom at the top
Starting point is 00:04:42 looked more like a cover-up to activities focused on Ukraine that have been going on for months. You know, we suspect probably deployed that type of malware to kind of wipe the forensic elements and evidence of that. That's the kind of analogy to think of an arsonist torching a building to kind of cover their tracks. And so take us through some of the details of this. So you're saying that there was infiltration earlier on and that this NotPetya attack was there to cover their tracks? Yeah, so our analysis leads us to suspect that TeleBots, a known unit that we track and watch, destroyed thousands of machines with a focus on Ukraine, really causing a lot of substantial collateral damage across the globe. But in
Starting point is 00:05:25 particular, the evidence shows that prior to that malware being launched, they had been actively pursuing theft of information from specific targets. So think of this almost as a three-pronged attack, first starting off with leveraging a campaign focused around the M.E.Doc tax software as kind of an initial entry point, then moving into the second phase, where seeing some of the telltale signs of TeleBots using some other capabilities to do exfiltration, other activities. And then finally, with the kind of NotPetya variant put over top to kind of clean that environment. And the way we were able to kind of piece together the information is, at one level, kind of watching the submission of folks cleaning up prior to the variants. We're always out there looking at what's happening with malware across the globe in different areas, trying to track these different campaigns and actors and their different TTPs and how they're using it.
Starting point is 00:06:29 And we're able to kind of see in particular with things in Ukraine, some cleanup that was occurring that led to this quick view of, wow, organizations were dealing with this. And then you have the ransom on top of it. So not only do you have an organization kind of using a worm-enabled ransom in a different way, then the other tremendous element of this is when we start looking at what about the unintentional consequences to the rest of the world? The damage to their organizations is substantial, which completely changes the game for these other organizations where maybe in the past it's, I'm not in that market, that threat actor is not focused on me. But when folks are leveraging easily obtained tools, worm enabling them, we have a quick global impact. So your average CISO out there today doesn't only just have to worry about what's important to their industry,
Starting point is 00:07:20 their company, but having that broader awareness is now part of their daily routine, and it just adds to the challenges that they're already facing. That's Brad Stone from the Booz Allen Cyber Foresight Group. You can find their report on the TeleBots group and Petya on their website. Hijacked Chrome extensions are being purged from Google Play, but the malicious software the extensions carry has shown itself surprisingly effective at evading security checks established to routinely catch such attacks. Morphus Labs warns that one of the malicious extensions is particularly active in Brazil, where criminals are phoning marks and telling them to install it as an update to their bank's
Starting point is 00:08:01 security module. It seems hardly necessary to point out that installing software on the authority of a cold call is unwise, but there you have it. Confidence games continue to work because most of us are disposed to have confidence in the people we cross paths with. Ask any social engineer, they'll tell you. Morphus Labs notes, we must say in fairness to the people who fell for the calls, that the conversations were professional, plausible, and highly targeted, often asking for a specific employee by name. In any case, when Morphus informed Mountain View of its discovery, Google removed the offending extension, called Interface Online, from the Play Store on Tuesday. It reappeared Wednesday and had to be eradicated again.
Starting point is 00:08:46 In both infestations, VirusTotal reported that none of the 58 most widely used anti-malware products had detected it. Morphus has suggested some steps Google might take to limit the damage a hijacked extension might do, including blocking an extension's access to passwords unless the user gives explicit permission, and not allowing extensions to override system proxy rules. New ransomware strains, including versions of Locky, Cerber, and Shortcut's 2016 open-sourced PHP ransomware product, are circulating in the wild. Researchers at several companies, including Cybereason, Heimdal, and Comodo, are tracking
Starting point is 00:09:23 them. Some of the strains, especially the Cerber variants, have acquired evasive functionality that looks for signs that a target might be defended. There are also some developments in the distributed denial-of-service world. Researchers at the security firm Incapsula report seeing what they call pulse wave DDoS, in which waves of highly repetitive pulses hit targets over hours or even days. The technique, Incapsula says, is a new one. It will bear watching. There are also developments on the commodity side of DDoS. Cisco's Talos researchers report
Starting point is 00:09:57 finding an increase in Chinese black market sites offering DDoS-for-hire services. With both ransomware and DDoS remaining a threat, there are indications that some companies are quietly stockpiling Bitcoin with a view to being able to pay off their attackers, a practice most security and law enforcement experts recommend against. But then, everybody's got their own cost-benefit calculation. Governments turn a cold eye toward foreign-made software and hardware. In the U.S., Kaspersky remains under controversial suspicion over alleged connections with Russian intelligence
Starting point is 00:10:31 services. India has told a number of Chinese device manufacturers to give proof of security and appropriate data handling if they expect to continue to do business in the subcontinent. And in Russia, the Security Council head warns that widely used foreign software is implicated in long-standing Western plots to destabilize the country. The Russian concerns mirror U.S. suspicions in an almost ridiculous fashion. There may be a break, however, in U.S. investigation of the last election cycle's DNC hack. An unnamed man, he's so far publicly identified only by his nom de hack Profexor, has turned himself in to Ukrainian authorities and is
Starting point is 00:11:13 talking to the FBI. Profexor is not charged with anything, but he says he developed the remote access tool used against the DNC and that Fancy Bear obtained and used a copy. Have you heard? Winter is coming, and we don't have to see any pirated Game of Thrones script to know that. In any case, a chill wind has blown through HBO's social media accounts. Variety reports that the OurMine hacking group, which has hit media companies before, late Wednesday took over HBO's Twitter and Facebook accounts. OurMine poses as a white hat group, not a white walker group, and has invited HBO to contact them for security advice. The incident is believed to have no connection with that other phony white hat, Mr. Smith.
Starting point is 00:12:03 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like,
Starting point is 00:12:37 right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:13:29 That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself.
Starting point is 00:13:56 Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award
Starting point is 00:14:22 winning digital executive protection platform secures their personal devices, home networks, executives, and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, welcome back. You are recently back from Black Hat and some interesting observations you have in terms of Black Hat and how people are dealing with the dark web these days. Yeah, it was an interesting year this year. We were at Black Hat last year and we had a booth and the reactions were broadly people coming over looking for swag as people do at trade shows.
Starting point is 00:15:21 Let's be honest about why we're all actually there. But asking, you know, hey, dark web, what's going on? What is the dark web? Or people who knew about the dark web, kind of vague curiosity. This year, people came over very directly. Hey, I'm working on this. I want a dark web data source. What can you do for me?
Starting point is 00:15:43 And very different kinds of conversations, conversations about privacy and about GDPR. It was a much bigger jump this year than I was expecting it to be from last year. So is your take that we're sort of over the hump of people not having awareness of the dark web? It's certainly moving faster, gaining awareness more than I thought we would. The way I'm thinking about it right now, I think we're starting to see the dark web and data leaks as a whole becoming something like social media was five years ago, where it was clear it wasn't going away. It was clear it was a place of interesting information and people not necessarily knowing what they want to do with it said, oh, I should have one of those.
Starting point is 00:16:23 Now, you know, using the analogy of social media, I think years ago when people weren't quite sure what to make of it, sort of particularly people who are used to old school marketing, they would look for gurus, they would look for experts. And of course, that allowed there to be people who maybe didn't really know about much about it, but claim that they did. Are we in that zone right now where there's a lot of confusion as to what really is the dark web and what people are selling and what you need to know? I think we're seeing not only with the dark web, but with a lot of data in the industry as a whole.
Starting point is 00:16:55 And I think something like machine learning or AI would fit into this category as well is we're stuck in this intersection of trying to discuss advancements and new technologies and new data sources and explain them as compelling and hype them up. There is that marketing piece of this, and we often do that with something like fear or confusion or mystery, while at the same time trying to be realistic and pragmatic about what you can actually do with this information once you have it. So is it a matter of just taking the time for this to settle down, or do we have to establish some standards? Where do we need to go? It's a great question, and if I had an answer, I think maybe we could call me a guru. I think we'll start to see the conversation continue to be shaped by GDPR as something like personal information becomes an even higher priority in conversations.
Starting point is 00:17:45 In terms of other things like data sources or AI or machine learning, I think we'll see consolidation in the industry over the next several years. And I think we'll start to see people be more realistic about these technologies or about what you can use data for as we consolidate and as people are scrambling a little bit less to differentiate themselves. All right. Interesting take. Emily Wilson, thanks for joining us. And staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:18:34 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Pure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:19:51 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.