CyberWire Daily - Hacks shake confidence in financial system. FinFisher using MitM. CCleaner backdoor had specific targets in mind? US Forces Korea debunks bogus NEO warning. Locky masters like Game of Thrones. nRansomware asks for a different kind of payout.

Episode Date: September 22, 2017

In today's podcast, we hear that the EDGAR breach is being seen as a blow to confidence in the financial system. Credit bureaus continue to receive heightened scrutiny after the Equifax breach. The FinFisher campaign suggests ISPs may have been compromised. The backdoor in CCleaner seems to have targeted specific companies. US Forces Korea personnel receive a bogus noncombatant evacuation order. Someone behind Locky watches a lot of Game of Thrones. Malek Ben Salem from Accenture Labs with a new attack vector that uses power management systems. Guest is Robert Sell sharing his experience participating in a DEFCON capture the flag. And Thomas the Tank Engine would never do what some skids show him doing.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. The EDGAR breach is seen as a blow to confidence in financial systems. Credit bureaus continue to receive heightened scrutiny after the Equifax breach. FinFisher campaigns suggest ISPs may have been compromised. The back door in CCleaner seems to have targeted specific companies. U.S. Forces Korea personnel receive a bogus
Starting point is 00:02:15 non-combatant evacuation order. Someone behind Locky watches a lot of Game of Thrones. And poor Thomas the Tank Engine would never do what some skids show him doing. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, September 22, 2017. The breach of the U.S. Securities and Exchange Commission EDGAR system has spooked investors and legislators alike. It's being called a blow to confidence in the U.S. financial system. How serious a blow remains to be seen. The financial sector has long been a leader in adopting such security measures as threat information sharing, encryption, and fraud detection, and the SEC, as one of that sector's principal regulatory bodies, has pushed for more attention to cybersecurity and risk management in the entities it oversees. It is the SEC, for example, that has moved
Starting point is 00:03:11 publicly traded companies to explicitly address cyber risk in their regular 10-K filings. As is so often the case when a high-profile breach is disclosed, closer scrutiny reveals that the Department of Homeland Security had warned the SEC of unaddressed vulnerabilities back in January, and a congressional study released this July in which the Government Accountability Office found the SEC had failed to fully implement 11 security recommendations made two years ago. These are embarrassing, but not directly related to the breach, which seems to have taken place and been detected last year. It was only last month, however, August 2017, when the SEC realized that whoever hacked EDGAR probably was able to execute illicit insider trades,
Starting point is 00:03:57 based on early knowledge of the still non-public material information they found there. The hackers did obtain data that would have given them an illegal advantage in trading stocks. How much they may have made on such speculation remains unknown, as does the identity of the threat actor that found its way into EDGAR. Nation states, terrorists, and ordinary criminals are all possibilities, and little that's been made public would incline one to choose one category over another. The SEC breach announcement feels like the second haymaker in a one-two punch, whose first blow came two weeks ago when the credit bureau Equifax got around to disclosing that its own systems had been penetrated.
Starting point is 00:04:38 But the risks the two cases involve are quite distinct. The SEC says that no personally identifying information was compromised, but with Equifax, personal data was stolen with a vengeance. Here too there's no clear indication of who might have been responsible. It now seems that whoever hit Equifax spent several months carefully establishing their presence in its systems. They started working their way into its networks at least as early as March 10th of this year. According to Ars Technica, Mandiant, the FireEye unit Equifax has brought in to clean up, says it's detected roughly 35 IP addresses the attackers used to access the company's network.
Starting point is 00:05:18 The attacker's identity is still unknown, and Mandiant has so far not found any signs that point to known threat actors. FinFisher spyware, the controversial lawful intercept product, has been romping lately in the wild. Security firm ESET warns that ongoing campaigns distributing the FinSpy surveillance tool have features that suggest some internet service providers may have been compromised to distribute the lawful intercept product to its targets by man-in-the-middle attacks. In the past, FinFisher spyware has typically been spread by spear phishing, watering hole attacks, physical access, or zero days, so compromised ISPs represent a departure.
Starting point is 00:06:01 Investigation into the supply-chain insinuation of a backdoor into Avast's CCleaner security product moves toward the conclusion that the effort was more closely targeted than initially believed. Cisco thinks the hackers were after a relatively small number of large companies: Intel, Microsoft, Linksys, D-Link, Google, Samsung, Cisco, O2, Vodafone, and Gauselmann. Things are tense in the Korean peninsula, but not yet so tense that U.S. civilians are being evacuated. U.S. Forces Korea says the text and social media messages that yesterday appeared to be a noncombatant evacuation order telling U.S. civilians to leave South Korea at once were a hoax. Responsibility has not been determined.
Starting point is 00:06:46 It could be a state actor, with Pyongyang the obvious suspect, but a freelancing skid doing it for the sick lulz is just as likely. Maybe even more likely. In any case, U.S. Forces Korea was quick to squash the rumor. Finally, we all know that ransomware is a problem. We heard late this morning from PhishMe, the security company who's been tracking the latest round of Locky phishing infestations. PhishMe's noticing that those responsible for the ransomware attacks seem to watch an awful lot of Game of Thrones. Any suggestion, however, that the extortionists are White Walkers is
Starting point is 00:07:23 probably unfounded. Still, today is the autumnal equinox, which does mean that winter is coming. And in what could be categorized as simply inevitable, MalwareHunterTeam researchers have found a strain of ransomware that demands nude pictures of the victim, not Bitcoin, as its ransom. The newly classified malware called nRansomware is actually a screen locker that doesn't encrypt files, which leads some to classify it as more prank than criminal enterprise. Still, it's deplorable.
Starting point is 00:07:55 The extortion message reads in part, "Your computer has been locked." It then tells the victim to email the hackers, and it goes on to explain, "After we reply, you must send at least ten nude pictures of you. After that, we will have to verify that the nudes belong to you." The message is displayed over a picture of Thomas the Tank Engine, uttering a demotic oath enjoining parthenogenesis
Starting point is 00:08:17 in the coarsest terms possible, and that seems just wrong, since no very useful engine would say any such thing. Sir Topham Hatt, call your office and get your barristers working on a copyright injunction. By the way, we think the extortionists may be less than pleased should they get what they're asking for. I mean, suppose they hit up some lame security guy, the kind of Captain Obvious who tells people that "password" is a bad password. You're setting yourself up for maximal aesthetic insult, skids.
Starting point is 00:08:47 You may get more than you bargained for, but exactly what you deserve. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. Thank you. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:09:42 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for a thousand dollars off. In a darkly comedic look at motherhood and society's expectations, Academy Award nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with
Starting point is 00:10:42 her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
Starting point is 00:11:09 bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Joining me once again is Malek Ben Salem. She's the Senior Manager for Security Research and Development at Accenture Labs. Malek, welcome back. You have a new attack vector that you wanted to describe for us today. What do we need to know?
Starting point is 00:12:02 Yeah, thanks, David. Yes, this is a new attack vector that leverages the energy management model that's running on any device to conduct a cyber attack. So we know that devices have a dynamic voltage and frequency scaling model that basically regulates the energy consumption on the device. The operating frequency and the voltage can be configured via memory-mapped registers from software, as well as with some hardware. It turns out that these software registers can be leveraged to launch an attack against the TPM or the TrustZone on the device. An attacker can stretch the operational limits of the energy components, meaning changing the frequencies or the voltage of the device, and that can introduce or induce the system to fault. And those faults can be used to break the security properties of the system, including confidentiality and the integrity of the code running within the
Starting point is 00:13:14 TPM environment. Now, what's unique about this attack is that, unlike the traditional attacks, which require an attacker to be in physical proximity of the victim's system or to have special equipment to conduct the attack, here the attacker does not need any of that. They don't need to be close to the device. They don't need to have special equipment. They can launch the attack just through software. And this attack has been demonstrated on devices, on ARM devices. So the attack can impact hundreds of millions of devices. So has this attack been seen in the wild, or is it merely in a stage of a proof of concept? No, this is in the stage of a proof of concept.
Starting point is 00:14:02 It has been demonstrated at the USENIX Security Conference in August this year for the first time. So this is really a totally new, completely new attack vector that was demonstrated by researchers from Columbia University. Interesting stuff. As always, Malek Ben Salem, thanks for joining us. a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:14:48 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. My guest today is Robert Sell. He's a senior IT manager for a major aerospace company, and this past year he competed in the social engineering competition
Starting point is 00:15:25 at the DEF CON conference in Las Vegas, where he discovered it's remarkably easy to gather information on a targeted organization and to use it to get their employees to tell you even more. Every year the social engineering village, what they will do is they will target a certain industry. And this year, it was the gaming industry. And so what they will do is they will give all the candidates. This year, there were 16 competitors. And we all got a company from that particular industry. And sometimes they will warn each other and they'll say, hey, this is going on. Be careful when you answer the phone. And it's really interesting to see how it evolves over those couple days
Starting point is 00:16:08 because a lot of the security people from those companies are actually at DEF CON, sometimes even in that room. And they react differently depending on how they view the whole exercise. There's two stages to the competition. The first stage is really the OSINT stage. That's open source intelligence. And so what they want you to do, they give you certain flags. There's about 29 flags worth different amounts of points depending on the difficulty of the flag. They want you to then
Starting point is 00:16:36 collect that information into a report. So for example, one of the flags would be, who does your garbage disposal? That would be worth so many points. Another one might be, what's your SSID for your Wi-Fi? And that would be a little more difficult to get, so that would be worth more points. And so, just using open source intelligence, not engaging with the company at all, basically what you find on the internet, you want to collect all those points and put it into the report. And so what was your strategy for gathering up that sort of information? Well, because it's a corporate organization, one of the best sources I found, to start with anyway, was LinkedIn. It's amazing how much information you can pull off of that just to
Starting point is 00:17:20 get started. And I started building an Excel spreadsheet based off of that. And very quickly, I had hundreds of data points, everything from executive personal cell phone numbers, home addresses, you name it, gym memberships, what they eat for lunch, their pet names. And that really helps you to develop really solid pretexts. So, yeah, there's a ton of information out there. And so you arrive at DEF CON and the moment of truth is there. It's time for your 20 minutes in front of an audience. Take us through that. Yeah, when they called my name or ushered me into the booth, I was so excited.
Starting point is 00:17:59 Because this is something I'd been thinking about for over a year. And I just remember trying to, I wasn't nervous at all. There's a few hundred people in the room and they're all watching you. So you'd expect some level of nervousness, but I was just so excited to go in there and do my part and be part of this, this whole village experience. And so it was just trying to calm down and get my heart rate to go down a little bit. This was the first probably 30 seconds. And then making those first few calls. And the first few calls I did, I just got voicemail. And they start the clock, you've got 20 minutes, and that 20 minutes goes by incredibly fast, probably because it's so fun. But the first 10 minutes, I had a real problem getting anybody.
Starting point is 00:18:44 The phone would just ring, it would go to voicemail. I think most people perhaps were at lunch, because I was calling around that time. So it was a bit disheartening at first, and then I had to fall back on my backup plan, and I started calling reception, because they were always there. And that's when I finally got somebody and finally started scoring points. So the first 10 minutes was really uneventful, and I could feel everybody's sympathy in the room. And the last 10 minutes is really where I really started to get points. And the last three minutes was where I really started to get points very quickly.
Starting point is 00:19:18 I had a very rapid fire pretext, which was actually an engagement survey. And as soon as they agreed to do it, I just started firing off the questions. And they couldn't write down the points fast enough for those last two minutes, which was exciting. What was the information that you were assigned to collect? And what was your successful strategy to do so? Yeah, so for the OSINT report, you basically collect all the flags that you can, just going through the list, for the live vision, your 20 minutes at DEF CON, for each person, you can get the same points. So for example,
Starting point is 00:19:55 if I get the SSID from person A, I can then go get it from person B as well. For me, basically, what I wanted to do was run through as many flags as possible with anybody that I got. So one of my favorite pretexts is the engagement survey. So it would be, hello, I'm so-and-so calling from this company. I'm working with your VP of HR, who is this person. And she gave me your name as a person that could help me to really build this engagement survey. I just want to ask you a few questions really quickly to only take two minutes. And then boom, boom, boom, boom, boom, boom, boom, boom. And that usually works very effectively.
Starting point is 00:20:34 So what were some of the takeaways for you? What are some of the lessons you took home after experiencing this? It was interesting to see how susceptible to this sort of attack companies are. And there is a ton of information out there. I don't think many people are looking at how protected their organizations are from this or how they're going to mitigate that risk. And so for me, coming back to the company where I work, I immediately wanted to look at how I could defend against that. So user awareness training, especially at the executive level, doing OSINT on yourself and your company to see what's out there, I think is really important. And then
Starting point is 00:21:18 looking at who's responsible, should you get a breach of this kind? If your executive comes to the IT security group and says, hey, I just gave all my information to so-and-so because I thought it was real. What does that mean to you, right? Odds are that we are responsible for that, but we often don't think about that very much. Our thanks to Robert Sell for joining us. We've got an extended version of this interview for our Patreon subscribers at patreon.com slash the cyberwire. There's lots more in that interview, including Robert's advice for first timers at DEF CON.
Starting point is 00:21:50 So check that out at patreon.com slash the cyberwire. We'll be right back. Vacays has your budget-friendly escapes all the way to five-star luxury. Yes, you heard correctly. Budget and luxury, all in one place. So instead of ice scraping and teeth chattering, choose coconut sipping and pool splashing. Oh, and book by February 16th with your local travel advisor or at And that's The Cyber Wire.
Starting point is 00:22:48 We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you. and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
