CyberWire Daily - Fancy Bear in France (and in Germany, too). Israel debates Cyber Authority's charter. Sudan says it's using Electronic Jihad against ISIS. Verizon, Symantec threat reports out. Adware campaigns.
Episode Date: April 27, 2017
In today's podcast, we hear about the bear tracks analysts are seeing in Macron's campaign for France's presidency. (They're also appearing in German political parties' think tanks.) Cyber gangs continue to pore over ShadowBrokers' leaks. Verizon and Symantec threat reports see ransomware and nation-state espionage as the trending issues. Amid debate over cyber authorities, Israel says it detected and stopped a major attack. Palo Alto Networks' Rick Howard outlines a new white paper on credential theft. Ellison Anne Williams from Enveil describes their innovation in encryption. Adware infests online markets through spam and Trojanized apps.
Transcript
Bear tracks are seen in Macron's campaign for France's presidency.
They're also appearing in German political parties' think tanks.
Cyber gangs continue to pore over Shadow Brokers' leaks. Verizon and Symantec threat reports see ransomware
and nation-state espionage as the trending issues. Amid debate over cyber authorities,
Israel says it detected and stopped a major attack.
And adware infests online markets through spam and Trojanized apps.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, April 27, 2017.
France will hold its runoff election for president in little more than a week.
The campaign has been marked by accusations of Russian influence operations,
paralleling those conducted against American targets,
notably the Democratic National Committee last year.
The tactics, techniques, and procedures used point to the same actor,
Fancy Bear, also known as Pawn Storm, also known as APT28, and officially known as the Russian Military Intelligence Agency, GRU.
Intelligence firm ThreatConnect reviews the circumstantial
evidence that Emmanuel Macron's campaign for France's presidency was indeed phished by Fancy
Bear. The threat actor used the spoof domain onedrive-en-marche.fr in its phishing. En Marche
is Macron's political movement. The domain was registered using the email address johnpinch@mail.com, and Fancy Bear is known for registering its spoofed domains from mail.com addresses.
The johnpinch address was also used to register three other domains, accounts-office.fr, portal-office.fr, and mail-en-marche.fr.
All are hosted on dedicated servers, which, as ThreatConnect points out, is typically a sign that a domain has been operationalized. A pricey option, but one that gives operators more control
over their infrastructure. And finally, the IP address used by an associated domain is the same
one called out in the U.S. intelligence community's report on Grizzly Steppe, the allegedly Russian
operation against the Democratic National
Committee. So the evidence is circumstantial, but ThreatConnect is reasonably convinced that
it points to Fancy Bear. Macron's campaign has confirmed that it sustained phishing attempts,
but it also says that no data was lost. Observers are watching for leaks timed before the second
round of the elections, May 6th and 7th.
If the intent is to spring a last-minute surprise in the campaign's endgame,
Fancy Bear has less than 10 days to work with.
Chinese and Russian criminal organizations continue to pick through the Shadow Brokers' recent dump
as they look for tools they can exploit in the wild.
Chinese criminal gangs tend to have a casual moonlighting relationship with their
government, but the connection in Russia is considerably closer, as the gangs are suborned
to work for the security services and are offered a measure of protection when they do.
Israel's government takes the unusual step of reporting that it sustained and stopped a cyber
attack mounted by an unnamed foreign state. The disclosure may be related to ongoing controversy over a proposed cyber security law in draft before the Knesset
that would grant expansive powers to Israel's cyber authority.
Haaretz reports that senior officials of both the Shin Bet Security Service and the Mossad Intelligence Agency
have protested to Prime Minister Netanyahu that the revised cyber authority charter would prove detrimental to Israel's security.
The deputy chief of staff of the Israeli Defense Forces and other senior defense officials
are said to have joined Shin Bet and Mossad in objecting to the proposed law.
Sudan's government is employing a hacking group called Electronic Jihad against ISIS.
Critics see a collateral effect on dissidents in general,
and many see the capability as more likely to be used
against opponents of the regime than against ISIS.
At the 2017 RSA Conference Innovation Sandbox,
one of the finalists was a new company called Enveil,
demonstrating what they say are breakthroughs in homomorphic encryption.
Ellison Anne Williams is founder and CEO of Enveil.
So Enveil developed technology that allows folks to interact with data, so that could be via search
or analytics, in a way that no one can see into the content of that interaction, so what they would
care about, the results that are coming out of
that, or even the data itself, because it will operate over encrypted data as well as unencrypted
data.
So let's dig into that a little bit. What we're talking about is homomorphic encryption.
Can you just kind of give us an overview of what we're talking about with homomorphic encryption?
Yeah, absolutely. So we're powered by homomorphic encryption is really what we call it. And homomorphic encryption is just a type of
encryption that allows you to perform operations on encrypted data as if it were unencrypted in
plain text space. And so when I say that we're powered by homomorphic encryption, there is,
you know, several decades of research on homomorphic encryption out in the open literature.
So lots of people have looked at it.
And what we've really done that's very novel and really enables it to be practical in a way that it was never before is that we use it and employ it in a very creative way through our algorithmics.
So even to the point where we're able to kind of swap out the homomorphic crypto for other things if people were so desired to do that.
So my understanding up until I heard about you all was that homomorphic encryption really wasn't practical, that it was too processor intensive to really be used in the real world.
People had it functioning in the lab.
So what's the discoveries that you all made to make it workable?
Yeah, so homomorphic encryption, exactly like you said, for the past 20 years or so, has been a computationally intractable kind of problem, so not practical for any kind of scale.
And so what we did, having backgrounds in both pure mathematics and crypto and then distributed algorithmics, is we married those two together. And so we developed these algorithms that use this homomorphic encryption in very efficient and I'll call it creative ways
so that we're able to leverage the encryption
and have it operate over large, large volumes of data
to achieve a practicality that's just never been possible before.
That's Ellison Anne Williams from Enveil.
Both Symantec and Verizon have released major threat studies,
and they highlight two trends,
the growing popularity of ransomware among criminals
and the very significant rise in cyber espionage by nation-states.
Ransomware needs little further introduction,
but the increase in cyber espionage is having an effect on targets
other than the government organizations espionage services are generally thought to pursue.
Again, concentration on industry, political organizations, and individuals represents an updating of traditional espionage practices for the cyber age.
It's also striking how thin the deniability of many operations has become.
Take the brazen and noisy Fancy Bear as Exhibit A.
And finally, in online advertising, bad money continues to drive out good. RiskIQ describes NoTrove, an ad spammer whose large-scale efforts are damaging legitimate advertising.
Check Point warns of another quiet botnet, FalseGuide, infesting Android devices,
some 600,000 of them, it estimates, with adware.
So watch your phones, everybody.
Joining me once again is Rick Howard. He's the chief security officer at Palo Alto Networks, and he also heads up their Unit 42 threat intel team.
Rick, welcome back.
We wanted to touch base today on a new white paper that Unit 42 has put out around credential theft.
Yeah, thanks for having me.
This is a nice introduction to the topic, and you and I have talked in the past about the importance of making it easy for network defenders to deploy prevention and detection controls down the adversary's
life cycle. In the 2016 Verizon Data Breach Investigations Report, the authors noted that
63% of all confirmed data breaches leveraged credentials in some way. So our Unit 42 analyst, Robert Falcone, he said it this
way in the white paper, credentials are the oxygen of malicious activity. So there are basically five
primary techniques that attackers use for stealing credentials. And the most common one is one we all
talk about all the time is credential phishing and spam. But there are other techniques, right?
Social engineering, this is where the bad guy
calls you on the phone and tricks you into giving up your password. Another one, or a common one,
is reusing stolen passwords or shared credentials. And what I mean by that is the bad guy that's
going to attack your network doesn't actually steal them himself, but he goes to an underground
site and buys a bag of them from some other nefarious hacker.
So he just gets a use of them.
He didn't steal it himself.
Another one that's been around forever is brute force.
Yes, it's still possible to guess passwords.
And then the other one that's interesting is the security question reuse.
You know, when you call your favorite website to change your password, one way the owners of the site checks to see that you are legitimate is they ask you a set of these security questions,
you know, like what is your favorite dog or what's the name of your first girlfriend or, you know,
what's the ID of your wife's maiden name?
The problem with these security questions is that the adversary can easily guess most of these answers
by just running around your social media feeds, you know, so they're not great.
And so what can be done?
First one is use two-factor authentication for your SaaS applications.
I know that sounds hard for the general purpose users like the grandmas out there, but it really has become a lot easier to do that today for most of these SaaS applications.
The second one is, and I'll probably get a little flack for this, but I think you should be using a password manager, like LastPass. Password managers,
if you don't know, they plug into your browser and elsewhere, and they help you generate strong passwords for your online activity, and they store them securely. And then they remember them for you
as you frequent your favorite sites. And even grandmas can use password managers.
Once their nephews or nieces set it up,
even they can figure out how to use it.
So password managers, use them.
I think the last one I like is for the security questions.
Okay, and here's the recommendation.
Don't use the correct answers to security questions.
So instead of using or answering my wife's true maiden name,
make up another password or phrase that you can remember something like, you know,
snart blaster, you know, something like that. Don't tell anybody what it is, though. Okay. So
then there is no way for an adversary to peruse your social networks to find that snart blaster
is your wife's maiden name. So those are the three things you should do. And the bottom line for all these recommendations is to reduce the attack surface.
Users can adopt these easy best practices.
Use two-factor authentication for all your SaaS apps.
Use a password manager and don't be truthful on your security questions.
All right.
As always, good information.
Rick Howard, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.