CyberWire Daily - Fancy Bear is snuffling around corporate IoT devices. Machete takes its cuts at Venezuelan military targets. What Mr. Kim is buying. MegaCortex goes for automation. Vigilantes, misconfigurations, etc.

Episode Date: August 6, 2019

Fancy Bear is back, and maybe in your office printer. El Machete, a cyber espionage group active at least since 2014, is currently working against the Venezuelan military. A UN report allegedly offers a look at what Mr. Kim is doing with the money his hackers raked in. MegaCortex ransomware shows growing automation. Another unsecured AWS S3 bucket is found. A bank stores some PINs in a log file. Vigilante smishing. And when popping off becomes arguably criminal. Craig Williams from Cisco Talos with updates on Sea Turtle. Guest is Chris Roberts from Attivo Networks with a preview of his Black Hat keynote, A Hacker's Perspective, Where Do We Go From Here? For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/August/CyberWire_2019_08_06.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Fancy Bear is back, and maybe in your office printer. El Machete, a cyber espionage group active at least since 2014, is currently working against the Venezuelan military. A UN report allegedly offers a look at what Mr. Kim is doing with the money his hackers raked in.
Starting point is 00:02:13 MegaCortex ransomware shows growing automation. Another unsecured AWS S3 bucket is found. A bank stores some PINs in a log file. Vigilante smishing, and when popping off becomes arguably criminal. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 6th, 2019. Microsoft reports that Strontium, also known as Fancy Bear or APT28, that is Russia's GRU military intelligence service, has undertaken a campaign to breach enterprise networks by exploiting poorly secured IoT devices: printers, video decoders, and voice-over-IP phones. Redmond says that in April, its researchers discovered infrastructure of a known adversary communicating to several external devices.
Starting point is 00:03:09 Once in, the attackers would seek to pivot to more interesting targets. At least two of the corporate victims had left manufacturers' default passwords on their devices. A third had failed to keep their software updated. The campaign's goal is unknown. ESET is tracking recent activity by Machete, a cyber espionage threat actor working against Venezuela's military, as well as some targets in Ecuador, Colombia, and El Salvador. Machete was identified by Kaspersky in 2014 and has since been tracked by Cylance. While it's been mostly active against Spanish-speaking countries,
Starting point is 00:03:45 it's also looked at targets in Canada, China, Germany, South Korea, Sweden, Ukraine, the United Kingdom, and the United States. There's no clear attribution, and ZDNet notes that it's unknown whether Machete is state-directed or the work of freelancers. It typically gains entry to its targets by phishing. What do you buy with your ill-gotten cyber gains? Well, if you're Mr. Kim, maybe a few implosion weapons, some launch vehicles, you know, whatever you can fit into your cart.
Starting point is 00:04:17 Reuters says that yesterday it saw a report on North Korean cyber operations the United Nations Security Council received last week. Pyongyang's extensive state-operated cybercrime program has raised some $2 billion since its inception, the report said. The starting date of the cybercrime operations isn't stated in the fragments of the report that have been released,
Starting point is 00:04:39 but Computing observes that the UN significantly tightened sanctions on North Korea in 2006. The funds have been used to pay for Pyongyang's weapons of mass destruction, essentially its nuclear and ballistic missile programs. Foreign banks and cryptocurrencies are the principal targets. There have been at least 35 reported instances of DPRK actors attacking financial institutions, cryptocurrency exchanges and mining activities designed to earn foreign currency,
Starting point is 00:05:08 the report is said to conclude. The Security Council is likely to consider further sanctions against North Korea, although there can't be much left to sanction. In yet another case of a user failing to secure its data in the cloud, UpGuard has found more than 6 million email addresses in an unsecured
Starting point is 00:05:25 Amazon S3 bucket belonging to the U.S. Democratic Senatorial Campaign Committee. The data were posted in 2010 and appear from file names to have some connection with former Senator Hillary Clinton's campaign, perhaps a do-not-contact list. People who were associated with the campaign say no, the data were compiled by the DSCC. And the DSCC notes, with some justice, that the information exposed consisted only of email addresses, which is true enough. It could have been more damaging. Still, almost any data can be valuable to some criminal or intelligence enterprise. The DSCC says that the data are almost a decade old, which is also true,
Starting point is 00:06:07 but another way of looking at the matter, as UpGuard observes, is that the data have been gurgling around in the cloud for nine years now, which is plenty of time for exploitation in some form. The Black Hat conference in Las Vegas is underway, and the keynote at this year's Codenomicon event is being given by Chris Roberts, chief security strategist at Attivo Networks.
Starting point is 00:06:25 The title of his talk is A Hacker's Perspective, Where Do We Go From Here? Chris Roberts joins us with a preview. I mean, let's face it, as an industry, you've got to look at the numbers. We are spending, you know, 120 plus billion dollars in this industry and we keep losing more and more data. So I would argue that we're not exactly in a good situation. We have failed the charges that we are meant to protect. Is your sense that things are getting better or worse, or are we treading water? At best, I would say we're treading water. I wouldn't say that we're getting better. I mean, the innovation is fantastic. I
Starting point is 00:07:05 mean, don't get me wrong. We're actually doing some amazing, amazing, innovative things. But we have a lot to do. We have a long way to go. I mean, you've got over 3,000 security vendors out there, each one of them, unfortunately, telling organizations that they can fix everything. And let's be perfectly honest, quite a lot of them can't. We spend a long time chasing buzzwords. We have security conferences where 50,000 people go, but let's be honest, half of them probably don't want to be there. And the cost of attending, let alone the cost of putting a booth in one of those, is ridiculous. There's an industry where, you know, we're more focused on minting millionaires and billionaires than we are
Starting point is 00:07:45 actually protecting data. So it's a little frustrating, should we say. I can sense your frustration. Do you think you're erring on the side of being a little bit cynical? Are there things to be optimistic about? It depends on where you stand. Let's be perfectly honest. If you are a consumer and you've just watched your shopping experience go down the drain because
Starting point is 00:08:07 somebody lost your data, you just watched a couple of banks lose your information, you're in the military, you lost, you know, your credentials and all the intelligence there, you go to a hospital and they lose your data. No, I wouldn't take a really positive look at our industry. You flip it around and you look at our industry and what we are trying to do, and maybe some of the movements that we're doing now, where we have actually realized that we've got some challenges and we have to do things differently, then maybe. But I mean, I wouldn't say it's too little too late, but I would definitely say that we have a lot of growing up to do as an industry and we need to do it a
Starting point is 00:08:45 lot faster than I think a lot of people want to believe. And I think that's probably especially relevant from, like, the vendor supply side, less so the people that are in the trenches, you know, the people on the blue team that are actually trying to protect us. I think they're doing as best they can. So what do you suppose are the forces that could make that sort of change come into play? I think collaboration, communication would be two of the big ones. And then really taking a step back and looking at the humans. And if we turn around and actually spend more time looking at the humans that we have, you know, they are to some degree our best assets. And that's everybody from, you know, the users that we've blamed for everything. Maybe we turn around and try to educate them in how to protect themselves more effectively and not do it in a
Starting point is 00:09:36 punitive manner all the way through to the, you know, the board level, the directors and everybody else. And how do we educate in a way that they understand, not in a way that we're comfortable teaching? I think those are probably two very big ones. And then a little bit of humble pie. We need to go back to the businesses and to the areas of the business we've blamed and say, hey, how do we solve this problem together? What are the take-homes you want? Folks who see your presentation at Black Hat and are going back to their leadership, what are the messages you want them to take home with them?
Starting point is 00:10:13 I think probably one of the biggest ones is ask more questions. You know, I mean, if you think about it, Black Hat and other conferences are ripe with vendors and suppliers trying to tout their wares. And, you know, I look at Attivo and I look at the guys, you know, that I'm talking about, and arguably we're there for those same reasons. And to me, it's a case of the people that are coming to listen to the talk. I want to educate them. I want them to ask more questions. When a vendor or a supplier says, hey, you know, I can blind you with science, I want somebody to actually hold their feet to the fire and say, show me. Tell me. Don't just explain it to me; prove it to me.
Starting point is 00:10:50 How are you actually going to help me? How are you going to help reduce risk? I think that's part of it. I think the other part of it is really that war cry we've been having, which somewhat is back to the basics, which is, you know, focus on the human, focus on the simple things. You know, it's the grunt stuff that we don't like doing. That's Chris Roberts from Attivo Networks.
Starting point is 00:11:10 According to Accenture, MegaCortex ransomware shows signs of greater automation as its masters trade stealth for volume and speed. ZDNet says the ransom demands exceed $5 million. The extortion targets have, for the most part, been in Europe and North America. Monzo, the British mobile-only bank, warned customers over the weekend that it had been storing some encrypted PINs in log files. Some of the bank's engineers had access to the files, but no need to know any PINs. The bank has now deleted any files improperly stored this way
Starting point is 00:11:45 and has advised customers of additional steps they can take to protect their accounts. None of the PINs seem to have been accessed by anyone outside of Monzo, nor have any of them turned up in any of the places one would expect they had leaked. Nonetheless, Monzo has advised its customers of additional actions they could take to secure their accounts. Infosecurity Magazine points out, in an aside, one problem with such warnings and disclosures: they can be indistinguishable from phish bait. It seems that many of them wound up in spam traps or were disregarded and dumped by cautious customers. And now, some smishing with a side of PewDiePie.
Starting point is 00:12:26 People in the U.S. have been receiving texts with the following message, I'm here to warn the masses about SMS email gateways. Please look up how to disable it on your phone or call your provider and ask. The text is accompanied by some promotional barking in the interest of YouTube celebrity PewDiePie. Naked Security calls him controversial, which is one way of looking at the gaming commenter, whose cultural presence defies easy explanation. Some of those who've noticed the text have been troubled
Starting point is 00:12:55 by the question of how the texters got the recipient's phone numbers in the first place. According to Wired, however, they didn't. They brute-forced them by writing a script to generate all possible mobile numbers, from 1 to 9999999. The texters then associated these numbers with each U.S. area code. From there, they sent the text to the email-to-SMS gateways used by carriers. That's about 7.2 billion possible phone numbers. Wired identifies the spammers by their hacker names,
Starting point is 00:13:26 Jawser and OxGiraffe, a pair who last December hacked poorly secured printers and Chromecast to disseminate a pro-PewDiePie message. And InterAlea lay some wisdom on the masses about these vulnerabilities. They appear to be doing the same kind of shtick now, so if you're in the masses, and who isn't, that's why you may have been getting those messages. And finally, a case in Pennsylvania illustrates some of the legal dimensions of cyber-stalking.
Starting point is 00:13:55 A Warminster, Pennsylvania man, Blair Strauss, has been sentenced to two and a half years in federal prison for threatening his estranged wife and her family. He did this online, and the people he threatened weren't all in state. We'll give the prosecutor the last word. U.S. Attorney William McSwain offered a succinct explanation of why this was a crime. Quote, it's not an excuse to say you were just mouthing off. If you threaten serious bodily injury or even death over the internet, that is a federal crime with consequences.
Starting point is 00:14:27 Quote. So a word to the wise. Control yourselves, ladies and gentlemen. At some point, shooting your digital mouth off crosses the line into communicating a threat. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:14:54 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
Starting point is 00:15:40 to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:16:06 That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Starting point is 00:16:58 Learn more at blackcloak.io. And I'm pleased to be joined once again by Craig Williams. He's the head of Talos Outreach at Cisco. Craig, it's always good to have you back. You and I talked previously about Sea Turtle, and you've got some updates to share with us. Before we get to that, can you just give us a brief overview, reminder? What is Sea Turtle? Sure. So Sea Turtle is one of two separate campaigns that we believe are operated by different actors
Starting point is 00:17:24 that we're seeing in the Middle East and North Africa involving DNS tomfoolery, we'll call it. Basically, actors hijacking DNS to redirect victims to their site. And the Sea Turtle campaign, primarily it's been reserved for strategic military targets at this point. When we identified this actor, you know, we worked with Cyber Wire and several other partners in the Cyber Threat Alliance to get the word out there so that people could see the difference in the TTPs. You know, normally when you do something like that, bad actors, particularly those, you know, who are likely related to nation states, tend to stop their activity, right? They don't want to be openly seen doing bad things. Unfortunately for us, the Sea Turtle actors did not stop.
Starting point is 00:18:07 They continued with their mission. They basically changed their TTPs a little bit. They added some additional infrastructure. But overall, they just continued to compromise sites. And so it's unusually brazen. Normally, when you catch somebody red-handed, they'll stop, particularly if other people have blamed other actors, right? It's like a get-out-of-jail-free card. But these actors
Starting point is 00:18:31 didn't care. You know, like, imagine if you're a bank robber and all of a sudden one of the witnesses misidentifies somebody else as the bank robber and the police get him. Criminals quit while you're ahead, right? Normal criminals would be like, hey, I'm gonna stop this week, and then tomorrow I'm gonna come back in a completely different outfit and continue robbing banks if I want. But, you know, they would probably stop to not get caught. These actors have not stopped. They've changed their operations a little bit. We were able to identify some additional past activity with them, and unfortunately they seem to be broadening the types of places that they target. So this is kind of what we
Starting point is 00:19:05 were worried about, right? I mean, last time we talked about how they were primarily targeting basically military strategic targets. So for the average user, not that big of a concern. Now, it's not expanded too much outside of that, but it has expanded to other government organizations, energy companies, things like think tanks, international organizations, and airports. It's a disturbing trend. You know, I'm concerned that this activity will continue to broaden as they continue to be successful. You know, one of the more concerning things we've noticed in the past is that for some of the very, let's call them high value targets, the attackers were actually making new individual servers for each
Starting point is 00:19:40 one, new name servers with new IP addresses, so that it would be very difficult for it to be noticed and for it to be identified. Unfortunately, I guess they decided that that was not necessary anymore. And so they started reusing infrastructure, which is how we initially found them. So it looks even more like a system that's been in place for a while. They're not only broadening their target set, but they're optimizing their capabilities. So what is available in terms of defense against this? Well, there's a lot of different ways to defend against it. I think the primary one is making sure that your registrars are secure, making sure that your name servers are hardened. Simple things like multi-factor authentication can be extremely useful.
Starting point is 00:20:25 If you have very sensitive domains, start looking at things like DNSSEC. Try and validate lookups with a recursive resolver or something like OpenDNS, right? Make sure that everybody's seeing the right domain for your site. You know, so there's lots of different things you can do. You can make sure that passwords are rotated, particularly if you're something that nation states in the Middle East and North Africa may want.
Starting point is 00:20:43 You know, if you're a registrar hosting those type of domains or TLDs, realize that you're a target, right? I mean, we're seeing secondary targets attacked in the United States and Sweden. So we need to make sure that everyone who's involved with these type of sites and these type, basically potentially hosting this type of information, realize that they're a target. You know, and you can do simple things too, like look who's connecting to your VPN. Where is it coming from? So this is one to watch. Definitely. I don't think these actors are going to go away until they have a significant reason to.
Starting point is 00:21:15 From what we've seen, they've only continued to expand their operation, and I expect we'll continue to see that going forward. All right. Well, Craig Williams, thanks for joining us. ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:22:22 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
Starting point is 00:22:41 of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:23:47 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
