CyberWire Daily - GCHQ and MalwareTech's arrest. Chinese oilfield sustains malware infestation. US Cyber Command now a UCC. Ukraine fears another cyber campaign. Turla returns. GPS spoofing. Extremism online. ICO hack.
Episode Date: August 21, 2017
In today's podcast, we hear that GCHQ may have known about the FBI's intentions to arrest Marcus Hutchins even before Hutchins departed England for Black Hat. A Chinese oil production field is thought to have sustained some sort of cyber incident similar to those involving NotPetya. US Cyber Command receives elevated status—it's now the tenth Unified Combatant Command. Ukrainian authorities warn that country's financial sector to expect a new wave of cyberattacks. Turla is back, inviting you to the G20 meetings. GPS spoofing fears rise. Dealing with extremism online. Palo Alto Networks' Rick Howard on the fading popularity of the Rig exploit kit. And another initial coin offering is hacked.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
GCHQ may have known about the FBI's intentions to arrest Marcus Hutchins
even before Hutchins departed England for Black Hat.
A Chinese oil production field is thought to have sustained some sort of cyber incident
similar to those involving NotPetya.
U.S. Cyber Command receives elevated status.
It's now the 10th Unified Combatant Command.
Ukrainian authorities warn that country's financial sector to expect a new wave of cyber attacks.
Turla is back, inviting you to the G20 meetings.
GPS spoofing fears rise, dealing with extremism online, and another initial coin offering is hacked.
I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, August 21, 2017.
The Sunday Times reported yesterday that Britain's GCHQ apparently knew the U.S. FBI
intended to nab Marcus Hutchins when the white hat showed up in Las Vegas for Black Hat.
Apparently, no one wanted an extradition fight. There is, of course, no such fight,
since Hutchins was taken into custody in the United States. The report on GCHQ foreknowledge
is unclear with respect to motive.
Most discussion doesn't go beyond thinking that British security officials just wanted to do a solid for a close but grumpy partner.
Hutchins, arrested on August 2nd and now out on bail, is working in the U.S. while he awaits his October trial.
He's accused of having written, advertised, and sold the Kronos banking trojan.
Hutchins was hailed as a hero for his role in flipping, more or less inadvertently,
the kill switch on WannaCry, when that bit of pseudo-ransomware was biting the UK's National Health Service hard.
His arrest remains controversial in security circles, with many white-hat researchers feeling themselves newly vulnerable to similar prosecution.
Some of the more overheated discussions have advised vulnerability researchers to boycott all conferences held in the U.S.
Needless to say, that's unlikely in the extreme to happen.
Sinopec's Shengli Oil Field in China, one of that country's larger production fields,
announced this morning that it had disconnected many of its offices from the
internet. Early reports indicate a cyber attack, but the story is still new and developing.
A short account distributed by Reuters and sourced to Sinopec's website is the principal report so
far. The incident is vaguely characterized by Reuters as ransomware that hobbled big business
across the globe. Presumably that would be either the NotPetya or WannaCry pseudo-ransomware code,
but as we say, the story is still developing.
U.S. Cyber Command will now become a unified combatant command.
On Friday, President Trump made the formal announcement.
Cyber Command has been a sub-command of U.S. Strategic Command.
The upgrade in Cyber Command status has met with general approval.
Many experts have long seen Cyber Command's current position,
commanded by the director NSA but operating as a subordinate organization of U.S. Strategic Command,
as leading to fragmented and imperfectly focused cyberspace operations.
Its close ties to NSA bring with them, many observers think, the familiar
difficulties that arise when intelligence and operational missions are commingled.
Operators responsible for intelligence tend to find themselves looking on the sunny side.
When intelligence is independently developed, it's thought that more realistic appraisals of
the adversary's situation are likelier. Unified combatant commands are,
according to the U.S. Joint Staff, commands with a broad continuing mission under a single commander
and composed of significant assigned components of two or more military departments that is
established and so designated by the President, through the Secretary of Defense, with the advice
and assistance of the Chairman of the Joint Chiefs of Staff. They report directly to the Secretary of Defense, then to the President, making them in effect
the top-level U.S. military organizations.
Six of the current UCCs are geographical, focused on a specific area of responsibility
– Europe, Africa, North America, South America, Asia and the Pacific, and the Middle East.
The remaining three are functional – transportation, special operations, and strategic forces.
Cyber Command will become the fourth functional command.
The decision is also regarded as a step towards splitting Cyber Command leadership from the National Security Agency, the NSA.
Currently, both organizations are led by the same officer, Admiral Michael Rogers.
Separation would involve another presidential decision.
Ukraine's security services and central bank have warned that country to be on alert for a fresh wave of cyberattacks.
The financial sector is thought likely to be especially targeted.
The Russia-connected Turla cyberespionage group is back and luring targets with phish bait
that looks like a note from Germany's Federal Ministry for Economic Affairs and Energy,
inviting recipients to save the date for October's G20 meetings in Hamburg.
At least some of the spoofed notes have been in English.
Their presentation is fairly convincing.
Researchers at security company Proofpoint see novel features in the dropper being used.
For one thing, it fingerprints the infected system itself.
This was formerly done by the backdoor, KopiLuwak, it installed.
Turla's been around for some time, since 2007 at least,
and it's generally believed to be a threat actor run by Russian intelligence services.
It's gone by a lot of names.
If you're keeping score at home, you may know Turla as Waterbug, Krypton, or Venomous Bear. Turla itself is the name of
one of the group's principal tools, other names for which include Snake and Ouroboros,
for Turla itself, and Epic Turla, also known as Whipbot or Tavdig.
There are reports that GPS spoofing affected maritime traffic in the Black Sea briefly this
summer. Observers fear this amounts to Russian demonstration of a new capability.
Today, the destroyer USS John S. McCain collided with a tanker east of Singapore.
This is the fourth collision in the Western Pacific a U.S. Navy ship has been involved with over the last year, which strikes observers as unusually high. Real Clear Defense reports speculation that ship
navigation systems, probably GPS, may have been interfered with, presumably by Chinese operators.
After the Charlottesville riot and homicide, industry remains uneasy about the role it should
play in policing extremist
content online. The Electronic Frontier Foundation warns tech executives that such content policing
is a slippery slope. The foundation argues that speech ought generally to be free,
and that companies who control vast stretches of cyberspace ought not to become censors.
The dangers of unaccountable restriction, the EFF thinks, are great,
and likely to be underappreciated. Effectively, they join Cloudflare CEO Matthew Prince's call
for some reflection on the matter, even as they agree with Prince's own self-assessment that his
decision to kick the neo-Nazi Daily Stormer off Cloudflare's service was as dangerous as he felt
it to be unavoidable.
The companies themselves are in a tough spot. They have their own reputations to worry about,
and U.S. law, at least, would generally permit them to decline to provide services.
The tech companies are in an even tougher spot in other jurisdictions.
Several European countries, notably Germany, will hold third-party service providers liable under laws restricting hateful content.
Investigations into last week's jihadist murders in Spain see unusually far-flung connections to Brussels, Wales, and Maryland.
There may have been operational connections between the Spanish cell with money laundering operations in the U.S.
A Marylander has copped a plea to this one,
and logistical support mounted through Wales. Both the U.S. and Spanish ends of the connection
are thought by investigators to have contemplated massacres in churches.
Significant evidence concerning the Islamist cells has been gathered online.
And finally, another initial coin offering, this one for the Enigma platform, has been hacked by crooks.
They made off with some $500,000.
Joining me once again is Rick Howard.
He's the Chief Security Officer at Palo Alto Networks, and he also heads up Unit 42, which is their Threat Intel team.
Rick, welcome back.
We wanted to talk about the RIG Exploit Kit today,
and you all have seen a marked decline in the use of it.
These Exploit Kits, they started to come onto the landscape around 2006.
Cyber adversaries began to automate the process of exploiting endpoints, so they didn't do
it manually every time.
And so by 2010, it was fairly common for hackers to sell these collections of tools as a kit
in underground markets.
They're basically
SaaS applications for cyber adversaries. You know, the cyber adversary compromises a watering hole
website. This is a website that they know their victims like to read. And then they redirect a
portion of the victim's traffic to these exploit kit SaaS servers. The SaaS application would then
look at the victim's host configuration,
determine the specific exploit to run to compromise the victim's machines.
And so once compromised, the SaaS application would deliver the malware payload to the victim.
And so common names we've seen over the last few years are WebAttacker, Blackhole, Angler, Neutrino, and RIG.
And, for example, Unit 42 has been tracking RIG for a while now, and two specific adversary playbooks: one's called EITest and the other one's called pseudo-Darkleech. And I love these names, okay, man.
So now, sometime this spring, both playbooks, okay, the adversaries behind them stopped using RIG to compromise victim networks.
They stopped using that exploit kit.
Unit 42 has noticed that adversary playbooks, they're used in other exploitation kits like Fiesta and Sweet Orange.
They started to drop off too.
And it appears that many cyber adversaries are turning away from exploit kits towards spam to compromise their victims' endpoints.
Now, it's impossible to know for sure why this is happening. It could be a number of things,
all right? In May, Proofpoint said that it had been a year since they saw a new zero-day vulnerability
in an exploit kit. So maybe the price of zero days have made them prohibitive to use in common
exploitation kits. I don't know. Also, the industry has gone after the exploit kit infrastructure in a big way.
Both Cisco and RSA have coordinated takedown operations this year.
And let's give the browser developers from Google some credit.
Chrome is by far the largest user base of any browser, about 47% compared to Microsoft's 19%.
And they have significantly upped their game in terms of browser security this past year.
So a combination of all those things
probably is what attributes to this.
Exploitation kits have not disappeared
by any means.
They're still around.
This is just an indicator
that the landscape is changing
and we should be paying attention to that.
All right.
Good information as always.
Rick Howard, thanks for joining us.
Thank you, sir.
And that's the Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.