CyberWire Daily - Indiscriminate IOCs erode confidence in attributions. Official leaks erode trust in information sharing. Exploit updates.

Episode Date: January 5, 2017

In today's podcast we hear about how indiscriminate indicators of compromise spawn fake news about a Vermont grid hack. Meanwhile, the Mounties cautiously, tentatively, investigate some odd potential IOCs at an Ontario utility. A hacker claims he pwned the FBI, but it looks like a hoax. A quick rundown of exploits currently romping in the wild—many of them involve ransomware. Rick Howard from Palo Alto Networks describes security orchestration. Marika Chauvin from ThreatConnect shares research on hacktivists vs. faketivists. And yes, your thumbprint will authenticate you to your phone even if you've dozed off, Mom.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:57 Indiscriminate indicators of compromise spawn fake news about a Vermont grid hack. Meanwhile, the Mounties cautiously, tentatively investigate some odd potential IOCs at an Ontario utility. A hacker claims he pwned the FBI, but it looks like a hoax. A quick rundown of exploits currently romping in the wild. Many of them involve ransomware. And yes, your thumbprint will authenticate you to your phone, even if you've dozed off. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, January 5th, 2017. There's no shortage of fraud and alarmism gurgling around in cyberspace this week, but fortunately there's also no shortage of cooler heads and skeptical eyes either. Last weekend's view halloo over Fancy Bears prancing through northern Vermont's electrical grid
Starting point is 00:02:48 has by now subsided into a never mind, no game there after all. The story is instructive. Burlington Electric, which seems to have been acting soberly and responsibly throughout, had updated its scanners to look for indicators of compromise provided by the Department of Homeland Security in its alerts pertaining to Russian election influence operations. On Friday, one of the utility's employees checked email on Yahoo.com, and the IP address, benign according to ThreatPost, popped up as an IOC. Utility General Manager Neil Lunderville told ThreatPost,
Starting point is 00:03:22 Based on that alert, we isolated the computer and reached out to the feds to let them know what we saw. So far, so good. And by the way, bravo, Burlington Electric. We sent the report to the feds and their indication was that they would get back to us. We went home and the report broke. And it was wrong. Boy, was it ever. Someone was talking to the Washington Post, and it wasn't Burlington Electric. The Post, of course, checked and corrected its story over the weekend, but not before Vermont's governor and congressional delegation were in full cry,
Starting point is 00:03:53 baying for GRU blood. We wondered if fear of Russian grid hacking would move north of the border, and it appears it has. Canadian authorities are investigating a possible cyber threat against Ontario's Hydro One electrical utility. There may be nothing more to it than there was to the Burlington electric incident, but the Royal Canadian Mounted Police are on the case. The Canadian reaction is more cautious and measured than the past week saw from their neighbors to the south. And in any case, the RCMP is on the case. The Mounties always get their man,
Starting point is 00:04:26 if there's a man or woman to get. Another claimed hack may be a hoax. The black hat showboat hacker who goes by CyberZeist says he compromised a US FBI website and dumped the credentials he harvested on Pastebin. But the caper looks bogus. The Register reports that the security team at Plone, which produces the FBI's content management system, calls hogwash. The email addresses seem to be derived from old publicly available dumps, and the password hashes don't add up either. Speaking of things that don't quite add up,
Starting point is 00:05:00 we speak regularly of hacktivists here, people or groups who take up a cause online. But what about faketivists? We checked in with Marika Chauvin, Senior Threat Intelligence Researcher at ThreatConnect, about their recent blog post, Hacktivists vs. Faketivists: Fancy Bears in Disguise. This all kind of began with the DNC breach and its aftermath. A threat actor known as, or a persona known as Guccifer 2.0
Starting point is 00:05:27 kind of came out of the woodwork right after CrowdStrike announced that it had attributed the attacks on the DNC to Fancy Bear and Cozy Bear. So in the faketivist research that we've done at ThreatConnect, we focused primarily on Fancy Bear because we have found overlaps in targeting focus and infrastructure used by Guccifer 2.0, DCLeaks, and Fancy Bear. So the day after the breach was publicized, Guccifer 2.0 emerged with a WordPress blog and then later, a couple days later, a Twitter handle.
Starting point is 00:06:02 Guccifer 2.0 claimed that that persona alone was responsible for the DNC hack and that they compromised the organization in the summer of 2015. And then what was likely an effort to add some legitimacy to the persona's claims, it then began posting documents that were stolen from the DNC on that blog. Now, interestingly enough, the more that Guccifer 2.0 talked and the bug that mistakenly gave Bernie Sanders' campaign unauthorized access to voter information. Now, that sounds plausible until you start kind of looking into that bug. And in our conversations with NGP VAN, we found that the specific bug that was referenced by Guccifer 2.0 didn't even exist in the code until December 2015. And so I like to say that either this guy, gal, group, this faketivist, either has a TARDIS or a souped-up DeLorean. Because, I mean, that's the only way he could
Starting point is 00:07:21 have traveled forward in time and then back. Why a persona at all? You know, why not simply have, you know, WikiLeaks release the information or just have it anonymously go to the press? Was there any sense of what the advantage is of putting, you know, some kind of a face behind this stuff? I believe so. I mean, I can speculate as to what the people behind the persona were trying to do. But when it comes to something like WikiLeaks, they have no control over the timing of a publication. Whereas if they create their own persona to share that information out, not only do they have the plausible deniability that they would have gotten with something like WikiLeaks, but they also have control over the message that's getting
Starting point is 00:08:09 out there and the timing of that information. That's Marika Chauvin from ThreatConnect. Several exploits in the wild draw security researchers' attention. We'll run through some of them quickly. Forcepoint reports the return of the MM Core backdoor spyware in two new variants, Big Boss and Silly Goose. The GDI Foundation warns of a campaign actively targeting MongoDB. Fujitsu and its partners Forcepoint and Recorded Future are tracking the RIG exploit kit, which is now serving Trickbot and Madness Quantloader. And we note that ransomware does indeed seem to be holding its prominence in the threat landscape. It's increasingly seen equipped with DDoS and doxing functionality.
Starting point is 00:08:55 Dunbar Security calls the latter doxware. Goldeneye ransomware is appearing in campaigns targeting HR departments, especially vulnerable because the nature of their business tends to make them willing to open email attachments. There is some good news on this front. Emsisoft has a decryptor for version 3 of Globe Ransomware. So again, bravo, Emsisoft. And finally, we heard yesterday about the teddy bear and Billy Bass threats to mental well-being, if not to security. Today we hear about another toy-related issue. Parents take heed.
Starting point is 00:09:30 An Arkansas mother had secured her iPhone with a nice biometric feature enrolling her fingerprint to control access. She dozed off as moms will in Arkansas and elsewhere. But when she awoke, presumably refreshed, she saw to her horror that she apparently had been hacked. The indicator of compromise was the purchase of some $250 worth of Pokemon-themed toys from Amazon. Before Mom could call Isaac Mama to report the incident for investigation, her six-year-old daughter proudly told her, Mommy, I was shopping. The child had used Sleeping Mom's thumb to unlock Sleeping Mom's iPhone.
Starting point is 00:10:07 We say, don't feel bad, friend. A lot of us have been there. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:10:39 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Thank you. worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker joined once again by Rick Howard. He's the CSO
Starting point is 00:12:11 at Palo Alto Networks. He also heads up Unit 42, which is their threat intel team. Rick, you had a recent blog post. It was called The Next Board Problem, Automatic Enterprise Security Orchestration. This is a new term to me. Describe what you're talking about when you're talking about security orchestration. Yeah, this is something that popped up in the last year or so. Lots of network defenders are struggling with this idea. And it's kind of this evolving evolution of how we manage our network defense. You know, when I first started doing this in the 90s, all we had was
Starting point is 00:12:45 defense in depth. And, you know, we would put random controls in our networks and hope that the bad guy would be stopped. And back in those days, you know, we all had three controls. We had a firewall, we had an antivirus solution, and we had an intrusion prevention system. And when we only had three, it was easy enough to manage. But defense in depth really hasn't worked that well, and we've been struggling with it until about 2010 when Lockheed Martin and crew wrote a white paper describing the kill chain. And what they realized is that we needed to put prevention controls
Starting point is 00:13:21 at every phase of the kill chain. And security vendors were only too happy to find really great products to put at each of those spots. And what has happened then is an explosion of security tools. We call them point products that everybody has to manage. Typical organizations that I run into are running 15 to 20 point products that just do security down the kill chain. 15 to 20 point products that just do security down the kill chain. Other high-end organizations with lots of resources, they're managing 80 point products. I talked to one financial a couple weeks
Starting point is 00:13:53 ago. He claimed to have 150. And how do you manage all those things? And the dirty secret in the security community is that we expect the customer to do that. And it is my experience that you pay for a point product three times. You buy the box, you're going to buy a person who can make the box go, maintain it, keep the blinky lights going. And you got to buy a person who understands the data coming off the box. And you probably need a fourth person who can stitch them all together. If you have 15 point products, someone has to be able to paint a coherent picture. Well, most organizations cannot do that. And it's expensive and time consuming, and it just doesn't get done. And what many organizations do is just deploy those machines in the default configurations and hope that they do some good. So there are two models that have
Starting point is 00:14:41 emerged to try to fill that need. And one is the platform play. And all the firewall vendors have a platform play where they put all those point products into a single platform for the purpose of stopping the bad guys down the kill chain. So that's one model. The other model is third-party vendors doing the orchestration for the customer, meaning they might be at CloudPlay and they might orchestrate 20 or 30 of the point products themselves. So you give them permission to do that for you. So those are sort of the two competing models that are doing this orchestration bit. So is the notion to take some of the complexity away from the organization sort of, I'll job
Starting point is 00:15:23 that out to someone else? Yeah, because most organizations barely have enough to do their security operations center. They definitely don't have enough people to do intelligence and maintenance of all the gear that they have. So the question customers are asking us is why aren't the security vendors talking to each other and getting this stuff done or helping us to move closer to that goal of getting all that without them having to do all of it. And so these are the models that are pushing forward. All right, interesting stuff.
Starting point is 00:15:53 Rick Howard, thanks for joining us. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:16:46 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
