CyberWire Daily - Gothic Panda seems to have a government job. Not all extortion is ransomware (ask Disney). WannaCry update. The ShadowBrokers are back. So is WikiLeaks
Episode Date: May 17, 2017. In today's podcast, we hear that APT3, also known as Gothic Panda, has been fingered as an agent of China's Ministry of State Security. An unreleased Disney flick is held for ransom: Disney doesn't... pay, and the movie goes up on Pirate Bay. WannaCry may be sloppy but it's still dangerous. OT has a harder time patching against WannaCry than IT does. Dr. Charles Clancy from VA Tech's Hume Center contrasts the Shadow Brokers leaks with Vault 7. Area 1's Oren Falkowitz describes innovative ways to prevent phishing. The Shadow Brokers are back and still talking crocodile. And WikiLeaks releases more of Vault 7.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
APT3, also known as Gothic Panda,
is fingered as an agent of China's Ministry of State Security.
An unreleased Disney flick is held for ransom.
WannaCry may be sloppy, but it's still dangerous.
OT has a harder time patching against WannaCry than IT does.
The Shadow Brokers are back and still talking crocodile.
How to be preemptive against phishing.
And WikiLeaks releases more of Vault 7.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, May 17, 2017.
The spread of the WannaCry ransom worm worldwide remains this week's leading story,
and we'll turn to it later in the podcast.
For now, we'd like to cover other material that may have gotten lost in all the WannaCry-ing.
Recorded Future announced this morning their conclusion that APT3 is being run on behalf of a Chinese government agency,
the Ministry of State Security.
APT3 is also known as Gothic Panda.
There's a panda bear family out there that's no more related to Cozy Bear and Fancy Bear than raccoons are related to grizzlies,
or, for that matter, President Xi to President Putin. APT3 is generally held to have been responsible for Operation
Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. Clandestine Fox was a
use-after free exploit against Microsoft Internet Explorer discovered in April 2014 by FireEye.
It was found in defense and financial services networks.
Clandestine Wolf exploited an Adobe Flash Zero Day.
It was served up in phishing emails to targets in the aerospace and defense,
construction and engineering, telecommunications, and transportation sectors.
DoubleTap, described by FireEye in November 2014, exploited multiple known vulnerabilities in Microsoft software, including remote code and privilege escalation
bugs. It was distributed by spear phishing and showed a reliance on social engineering as opposed
to difficult-to-come-by zero days. The common denominator in all three operations is, of course,
espionage, and the list of clandestine wolf targets suggests that the espionage is in large measure economically motivated industrial espionage.
Last week, on May 9th, tipsters whose identity is unknown but who go by Intrusion Truth
said that APT3 was the work of Guangzhou Boyu Information Technology Company, also known as Boyusec for short.
Recorded Future undertook an open-source intelligence investigation of the organization,
and this morning announced they have high confidence that Boyusec is doing contract espionage,
both traditional and economic, for China's Ministry of State Security.
On Monday of this week, Disney CEO Bob Iger told an employee town hall meeting
that the entertainment giant was being shaken down by extortionists who threatened to release
a stolen copy of a forthcoming Disney movie. The Hollywood Reporter said Iger characterized
the demand as a huge sum in Bitcoin. Disney refused to pay, and true to their evil words,
two digital copies of Pirates of the Caribbean Dead Men Tell No Tales turned up this morning on Pirate Bay, that grey market emporium for all sorts of things swiped, swapped, or stolen.
Dead Men Tell No Tales is slated for release this Friday. The files are thought to have been stolen from a post-production vendor who was adding dialogue to the movie.
One of the hardest attack vectors to protect against is phishing.
It's just human nature that a certain number of people,
no matter how well trained, are going to click the link in the phishing email.
Area One Security specializes in protection against phishing,
and they caught our eye with a system they describe as preemptive defense.
Oren Falkowitz is CEO at Area One Security.
We find statistically that when attackers send simple, very unsophisticated plain phishing messages to organizations,
if they send just 10, there's a 90% success rate of one person opening the message, clicking on a link, downloading a file, entering their username and password.
And so you're describing something that you refer to as preemptive cybersecurity.
What does that mean?
Statistically today in the cybersecurity industry, organizations learn about a year after they've been breached or had damage that they've been the victim of a cyber incident,
which the root cause of was phishing.
And so the idea behind preemption is to take an action at a point in time where you can see a different outcome, where no data is lost,
where no machines are impacted, where no networks are breached. And it turns out that there are also
really good core areas in life for this method. And applying them to cybersecurity makes a lot
of sense. So a good example of this would be a flu vaccination. You know, every year there is an outbreak of the flu, there are new strands of it,
but humans, people, right, they don't walk around in fear of someone coughing on them.
They take a vaccination to protect themselves. And the same thing can apply in this space where
we identify proactively hundreds of thousands of phishing websites and other, you know,
phishing attacks that go against organizations that go against people, and we can give them a vaccination before they cause damage.
So how does the technology like this work?
Are you analyzing links that people click on? What's the process?
Attackers in the cybersecurity space have set up their phishing campaigns
in a way that they exist before they get sent to users, before they get distributed.
And so what we focus on is creating technologies that one, can identify and can learn what are
those patterns of attack before they impact the user. And the second is technologies that take
action on behalf of our users to vaccinate them in real time, to protect them so that they don't
have to think about it and they can go about their job without the worry of being coughed on.
If an attacker was to send an email with a link to a website that looks like a commercial banking
login, right, a website that looks like you're logging into your bank, well, I would just analyze
the link and tell you that this is a malicious page. But you'd have to do that at such speed, right,
that there's still some risk for damage.
What turns out is that that website,
before it can be sent to the user,
before it can be embedded as a link in an email,
that website has to exist
and it has to be accessible on the World Wide Web.
And part of our sensing technology
is finding those sites before they are ever sent.
And so we're able to preempt them
so users don't have to worry
and we don't have to analyze them in the moment.
We go ahead and find them before, and that is the notion of preemption.
That's Oren Falkowitz. He's from Area 1 Security.
Returning to WannaCry, the ransomware campaign is so massive and unselective
as to amount to a pandemic affecting old, unpatched,
pirated, or beyond end-of-life Windows systems.
Their take has now risen above $70,000 in payoff money,
but that's small change when contrasted with the number of victims.
Their back end is essentially manual, and the victim interface doesn't look up to snuff either.
A few people have recovered access to their files by paying up, but most experts are cautioning victims against taking
that route. The criminal infrastructure is so dodgy that the odds won't be in your favor.
The advice people are receiving is to patch their software and back up their files,
but for one important class of the affected systems, that advice may be less than helpful.
We hear from industrial control system security experts Joe Weiss of Applied Control Solutions and Eddie Habibi of PAS.
They point out that many ICS are built on vulnerable versions of Windows,
but that those versions were all modified and adapted by the big industrial control system vendors
to handle complex systems of systems that can't tolerate downtime.
Patches must be thoroughly tested for unintended consequences
before they're applied to industrial systems,
and thus such systems have a patch cycle inherently longer
than the ones you may be accustomed to for the business software on your office's laptops.
So, if you're one of the suits at a highly automated manufacturing
plant or utility, go easy on your sysadmins. They're not being lazy or negligent, it's just
that patching is a far tougher challenge in their world than it is elsewhere. The Shadow Brokers are
back and talking. Their leak of the EternalBlue exploit enabled the WannaCry pandemic.
The brokers continue their implausible charade of monetizing exploits
allegedly stolen from NSA, while simultaneously saying
they're really in it for the glory of facing off against a worthy opponent.
That is, those Professor Moriartys, those Jokers,
those Dr. Dooms of the Equation Group.
The Shadow Brokers said yesterday they'd taken the month of May off
to watch WannaCry and You're Fired, that is, L'Affaire Comey, but they promised to be back in a big
way in June when they say they'll launch a monthly leak subscription service. Finally, Wikileaks has
dumped another set of Vault 7 documents. These purport to originate with the CIA. Some of them are said
to describe methods of impeding PowerPoint and degrading the quality of presentations
composed in the popular presentation software. The wording in the documents suggests the authors
think PowerPoint users have it coming. Should we take this to mean that Langley is full of Edward Tufte disciples? Maybe not.
And I'm pleased to be joined once again by Dr. Charles Clancy.
He's the director of the Hume Center for National Security and Technology at Virginia Tech.
We wanted to talk today about the Vault 7 and the Shadow Brokers releases of information, and really you wanted to contrast the two of them.
I did. I think it's important to understand
when you hear about all these leaks of cyber capabilities from now both NSA and CIA,
that there's a difference between leaking tactics, techniques, and procedures,
or so-called TTPs, versus the actual tools themselves, the actual code behind zero-day
exploits, for example. So if you look at a lot of the data that's been released so far,
particularly in the Vault 7 leaks, it's been mostly documents, PowerPoint, that really talk about how the CIA
does what it does. And based on that, some security companies have been able to fingerprint
certain TTPs and attribute, with some degree of confidence, a wide range of hacks across the world
to the Vault 7 TTPs. The Shadow Brokers, on the other hand, is more than that. It includes a lot more
of the source code, which has an even greater devastating impact because now you're not just
fingerprinting attacks and building defenses against the techniques and procedures that are
being used, but you actually can build specific malware identifiers and hashes that can be used
to detect and block the actual
exploits themselves. There's a lot of debate ongoing right now as to the total impact. I think
the folks that are in the trenches and the intelligence agencies who are working these
problems would claim that there is a huge impact in national security as a result collectively of
these leaks. But at the same time, there are plenty of unpatched computer systems out in the world.
And there's lots of opportunity to be had just doing basic run-of-the-mill phishing attacks against unpatched Windows computers, which remains the largest threat surface that hackers,
whether you're part of an intelligence agency or organized crime, leverage today.
While these releases of information are certainly interesting and damaging,
sometimes the old-fashioned ways are the easiest ways in.
Indeed. So, for those that are looking to have a good defense against these sorts of things,
please just keep your software up to date, have antivirus installed,
and basic cyber hygiene will win out most of the time.
All right. Dr. Charles Clancy,
thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.