CyberWire Daily - Hidden Cobra strikes from Pyongyang. Microsoft patches last of ShadowBrokers' leaked exploits. Sanctions coming over Russian election influence operations. Electrical and natural gas sectors brace for CrashOverride.
Episode Date: June 15, 2017
In today's podcast, we hear that the FBI and the Department of Homeland Security have warned that Hidden Cobra is actively pursuing DDoS campaigns. Microsoft patches remaining Shadow Brokers' exploits, even in deprecated systems. The US Congress votes to sanction Russia for election influence operations. Those operations have a long, long history, going back to the 1930s at least. Electrical and natural gas sectors work to protect themselves against CrashOverride. Emily Wilson from Terbium Labs reminds us not to forget the basics. Michael Callahan from Firemon shares survey data suggesting that IT pros spend too much time fixing their coworkers' personal devices. Mergers and acquisitions seem to be followed by layoffs; Hexadite is said to be the latest case.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.
The FBI and the Department of Homeland Security warn that Hidden Cobra is actively pursuing DDoS campaigns.
Microsoft patches the remaining Shadow Brokers' exploits,
even in deprecated systems.
The U.S. Congress votes to sanction Russia
for election influence operations.
Electrical and natural gas sectors
work to protect themselves against CrashOverride.
Mergers and acquisitions seem to be
followed by layoffs.
Hexadite is said to be the latest case.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, June 15, 2017.
The U.S. FBI and Department of Homeland Security warn that North Korea's government is responsible
for a botnet being called Hidden Cobra that's been making trouble for some time.
Believed to be connected to that well-known threat actor, the Lazarus Group,
Hidden Cobra used Delta Charlie malware to herd botnets for distributed denial-of-service attacks
against media, aerospace, infrastructure, and financial targets.
U.S. businesses appear to have received the most attention,
but Hidden Cobra's hood is thought to cover the globe.
Kaspersky Lab, in a comment on U.S. CERT's warning, says that the tools mentioned in
the technical advisory have been observed in the wild in some 26 countries, including,
in addition to the U.S., France, Brazil, and Russia.
As was the case with the WannaCry threat actors, who've also been connected, although with
less consensus, to the Lazarus Group and the North Korean regime,
Hidden Cobra shows a strong preference for beyond end-of-life and unpatched Microsoft Windows instances.
Recognizing the magnitude of this problem, Microsoft this week has taken the unusual step of issuing patches for retired Windows versions.
The exploits addressed, the last of those leaked by the Shadow Brokers, include Exploding Can, which targets old versions of the Internet Information Services web server to permit remote code execution,
Esteem Audit, a flaw in Windows Remote Desktop Protocol, and Englishman Dentist, which permits remote code execution in Object Linking and Embedding.
Redmond says it's decided to patch because of the unusually elevated threat of state actors using, in the wild, the exploits the Shadow Brokers leaked in April. It's warned users
not to expect patching of deprecated systems to become the norm. Indeed, some observers have
criticized Microsoft's decision as likelier to prolong the agony than to ameliorate the problem.
The U.S. Congress has voted overwhelmingly to sanction Russia
over its probing of U.S. electoral machinery.
Other recent sanctions have addressed Russian incursions into Ukraine.
Sanctions are now being leveled in response to election influence operations.
Those operations have been shown recently to have been more extensive
and persistent than hitherto believed.
Most of the Russian activity, beyond the now well-known doxing of the Democratic Party and Clinton presidential campaign,
seems to have concentrated on accessing voter registration data.
Those data were put to use in eleventh-hour spear phishing campaigns,
and also in some preliminary attempts at altering voter information in state databases.
There's much understandable dudgeon in Congress over Russian influence operations,
and for all the furor, one might be forgiven for concluding that this is something new.
In fact, it's not.
Historians and security experts point out that such activities,
both black propaganda and election influence operations, are nothing new.
The website War on the Rocks, for one, usefully traces their history back eight decades.
The publication tells a story more lurid than the most overheated conspiracy theories today,
whether left or right, have imagined.
From roughly 1937 on, U.S. Representative Samuel Dickstein was on the payroll of the NKVD, the Stalin era's ancestor of the KGB, and now, of course, the FSB.
Dickstein, Democrat of New York, was the founding co-chair of, wait for it, the House Un-American Activities Committee,
later famous as the young Representative Richard Nixon's launching point to national prominence.
Representative Dickstein not only served as an agent of influence, but he also assisted
NKVD illegals in obtaining passports and other materials necessary to their free operation
in the United States.
His successes were limited largely on the Soviet side.
His NKVD handlers were on several occasions purged and shot.
What is new today is the enabling role the Internet now plays
in rapid dissemination of unfiltered fish stories
and in opening up many new access points to information
that up through the first two-thirds of the 20th century
would have required a black bag job to obtain.
A special congressional election in the U.S. state of Georgia
draws attention to voting system security weaknesses,
and Georgia is unlikely to be alone.
The special election, which concludes June 20th, is being watched closely as an index of the general vulnerability of U.S. election systems.
If you're in IT, chances are you've got co-workers coming to you from time to time to ask for your help with their personal devices, their laptops or mobile devices.
Firemon recently conducted a survey of 350 security IT pros and found that 83% of them regularly help co-workers with personal computer problems,
and 80% of them say it takes more than an hour per week.
That adds up.
Michael Callahan is chief marketing officer
at Firemon. What we thought people were going to say was they were spending almost all of their
time just firefighting, right? And which a lot of them were just to keep up with the latest risk or
the latest threat or incident or whatever it was. What we found was that they were saying quite a
bit of their time was actually spent helping out their
colleagues' personal IT issues. So their laptops, their phones, their tablets, which was surprising
to us. So I can imagine many of our listeners who work in IT furiously nodding their heads in
agreement at the notion that they get commonly asked to help co-workers with their personal devices.
I'm curious because it strikes me that this is sort of part of the politics of everyday office life. If the head of HR comes to me and says, hey, I'm having trouble with my phone,
or I can't figure out how to save this file on my laptop,
I can't imagine someone just sort of shuffling that person away and saying,
no, I don't have time for you. I think that's true. You can't just say no,
because in some level it does impact the business, even though it's their personal devices. So even
if the IT person wasn't helping, then the person is going to probably try to self-help, which takes
away from their time to focus on their normal job because they're trying to download a patch or
unfreeze something or whatever. So it is a little bit just of the daily politics. Over 80% of the IT people said
that they were being asked to help fix things by personal things of their colleagues. So it wasn't
like 5% or 10%. It was almost everyone, right? So it wasn't 100%, but it was 80%. About the same
amount, 80% of that group
said it takes more than an hour a week. So the impact is actually not immaterial across an
organization. If this is a reality, and for non-technical reasons, it would be hard to
shut down this sort of thing, what are your suggestions for how organizations can deal with it?
I don't think it's going away, right? To what you just said, you can't just say,
sorry, and close your door. So I think there's another approach that has to happen is there is going to be an amount of time that people will need to devote to this. There's a couple of things
that the IT teams could do. They could have particular office hours where they open themselves up. So at least
it's a little more contained. Although the downside of that is computers don't break between
nine and 10 in the morning. It's at varying times. But you could possibly consolidate some of the
requests. Could you do things to free up more time so that the IT staff wasn't as stressed out?
So when they're trying to manage the security
infrastructure, give them tools that help them automate that. So give them the tools so that
they're able to manage some of the more business related stuff maybe a little more effectively.
That's Michael Callahan from Firemon.
CrashOverride malware is receiving close attention at high levels of government and
industry. Dragos analyzed CrashOverride from
samples obtained during investigation of last winter's Ukrainian power grid hack.
Related sectors are watching the electrical industry's response closely. DNG-ISAC and
others suspect the malware may have implications for the natural gas industry as well. DNG-ISAC,
the security information organization of the downstream natural gas sector,
is working closely with their counterparts in the electrical power sector
to develop an effective response to CrashOverride.
Bitfinex, the world's largest Bitcoin exchange, began experiencing DDoS attacks Tuesday.
They continued through yesterday, and the exchange seems not yet to have fully recovered.
In industry news, Microsoft confirmed last week that it was buying Hexadite.
VentureBeat reports that Hexadite laid off most of its U.S.-based workforce on the day of the announcement.
And finally, to return to our earlier notes about the long-standing Russian policy of
seeking to influence U.S. politics, we should note in the interest
of clarity and historical accuracy that Richard Nixon was never identified as a paid Soviet agent.
Whatever Mr. Nixon's dog Checkers' provenance may have been, it almost surely wasn't Moscow Central.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. ... $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel, Night Bitch is a thought-provoking
and wickedly humorous film from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney Plus.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home? Black Cloak's award
winning digital executive protection platform secures their personal devices, home networks ... and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Joining me once again is Emily Wilson.
She's the Director of Analysis at Terbium Labs.
Emily, you know, we hear about these high-profile attacks,
but you want to make the point that maybe those aren't the things that in day-to-day operations people need to be focused on.
Absolutely. I think we hear about attacks, whether it's something like Yahoo or LinkedIn or Ashley Madison or TalkTalk, depending on your industry and what you're interested in. We hear about these breaches, and that's great. And, you know, I think the press that we see around these
can help to drive conversations about security and privacy as a whole. But I think it creates
this sort of misconception that breaches happen to big companies and only to big companies, or that you only need to worry about the breaches
that happen to big companies. And I think that really draws attention away from the fact that
most of the data that I at least see all day, every day, isn't coming from the Yahoos of the
world. It's coming from, you know, the place you get your car serviced or, you know, the dentist
that you see.
So an analogy would be how people are worried about an airplane crashing when you're more likely to get run over by a car crossing the street.
Absolutely, and I'm not saying we shouldn't make our planes safer,
but you should also look both ways before you cross,
and you should make sure that your brakes are working.
So when we see all these stories about zero days,
maybe that's not what we should be chasing after. Yeah, I think in the same way that it's not the
best use of energy or resources to focus only on big breaches and preventing big breaches.
You know, I think there's a tendency to focus on the latest, sexiest exploit or the, you know,
the most popular strain of
ransomware right now, when really what's happening every day, you know, this
equivalent of, you know, kind of getting rear-ended, for example, are really the
very simple things you don't want to hear about, you don't want to talk about,
like phishing, or, you know, people poking at, you know, known vulnerabilities in
databases, right? MongoDB, for example.
Right, the everyday sort of boring things that you have to deal with,
the blocking and tackling that doesn't get very much attention.
Obviously that, so I guess what we're saying is,
you know, beware of chasing shiny objects.
Absolutely.
The shiny objects are always going to be there,
and they're going to come along, and they're going to be interesting,
and we should talk about them.
But I think it creates this idea that, you know, these breaches, when they happen, they happen big and they happen loud and they happen in isolation.
And you should be worried about one major attack.
Well, you know, have you talked to your employees about clicking on links in their emails?
Have you done it recently?
How recently?
Emily Wilson, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.