CyberWire Daily - Influence operations and elections, and the difficulty of doing anything about them. Dynamite phishing investigation. Snake hisses at Macs. Fatboy at your (criminal) service.
Episode Date: May 5, 2017
In today's podcast we hear about elections and election influence operations in Europe, and the difficulty of taming Fancy Bear. Some weekend reading. The Google Docs worm and dynamite phishing incident takes an odd (but implausible) turn. Snake malware seems poised to strike at Mac users. We welcome Johannes Ullrich from SANS and the Internet Storm Center podcast. Allan Liska outlines his book on ransomware. And there's a new product in the crimeware-as-a-service souk: it's called "Fatboy," it speaks Russian, and yes, it's ransomware.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Elections and election influence operations in Europe
and the difficulty of taming Fancy Bear.
Some weekend reading.
The Google Docs worm and dynamite phishing incident takes an odd but implausible turn,
Snake malware seems poised to strike at Mac users,
and there's a new product in the crime-as-a-service market.
It's called Fatboy, it speaks Russian, and yes, it's ransomware.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Friday, May 5th, 2017.
French voters will elect their next president this weekend,
and the election's final week has been roiled by accusations that Marine Le Pen's campaign colluded with Russia.
Her opponent, Emmanuel Macron, currently holds a lead in the polls.
Both candidates are, relatively speaking, outsiders. Macron says his organization
experienced attempts to get at its emails and that these attempts were thwarted.
In Germany, which will hold its federal elections on September 24, the director of the Domestic
Intelligence Service, the BfV, warns that the agency
has seen a marked increase in Russian cyber espionage directed at influencing the elections.
Think tanks associated with both major parties in Chancellor Merkel's coalition government
have been targeted. In both France and Germany, as was the case in the U.S., Russia's GRU,
Fancy Bear, as it's come to be familiarly
known, is the animal of interest. One might wonder, then, what effect Western countermeasures
may have had on such Russian activity. Wired magazine takes a look at what U.S. sanctions
did to slow down election-focused Russian cyber espionage and concludes that the sanctions
accomplished essentially nothing. Fancy Bear is
prancing through Western networks clad in the barest fig leaf of plausible deniability.
Brazen is what Wired calls Fancy Bear. According to New America Foundation analyst Peter Singer,
that's because sanctions are effective when they hold something valuable at risk.
What's valuable to Russian President Putin, Singer thinks, is concealment of oligarchical corruption and his own personal wealth from the Russian public.
And sanctions are shrugged off because they haven't successfully exposed this.
Those interested in the historical continuity of Cold War espionage and propaganda with current
cyber and influence operations will find the National Security Archive's Cyber Vault Highlights,
just published by George Washington University, worth consulting.
And it's all properly declassified and FOIA'd, so presumably safe for work.
No WikiLeaks dodginess about it.
It's the Cyber Vault, and that's not Vault 7.
Another set of readings worth consulting may be found listed in Palo Alto's Cybersecurity
Canon, their honor roll of books they think every cyber practitioner should consult and master.
Every year Palo Alto inducts a new class. We were at their gala in Washington last night,
and the books and authors are well worth your attention. Check out the CyberWire Daily News
Brief today for a full list.
The Google Docs worm phishing campaign has taken a very odd turn. Many remarked when it first surfaced on its similarities to the tactics, techniques, and procedures used by Pawn Storm.
You remember Pawn Storm, Trend Micro's name for what other people call Fancy Bear,
APT28, or the GRU. But attribution is notoriously difficult, and it won't be easy here
either, because someone seems to be interested in muddying the waters.
A person claiming to be a student at Coventry University says he was
responsible for the episode, and that it wasn't really an attack, just a test
or a trial. A test of what, or a trial of what,
isn't clear.
Nor is it clear that the person claiming responsibility is particularly plausible himself.
Bleeping Computer calls him some Twitter dude, and that's not an unfair characterization.
This Twitter dude identifies himself as Eugene Popov,
but Coventry University says they've never heard of any Eugene Popov,
and that Eugene Popov doesn't appear to be one of their students.
There are other grounds for skepticism, too.
For one thing, the Twitter account, at Eugene Popov,
was registered essentially simultaneously with the attacks.
Maybe that's legitimate, but it certainly looks like a sign of track-covering disinformation.
Nor does the address that registered the account look right, either.
Finally, the account has a picture associated with it, as accounts do,
and this picture is of another Popov entirely,
a presumably innocent and uninvolved molecular biologist at the Russian Academy of Sciences Institute of Molecular Genetics.
So no, the smart money is on Eugene Popov not being at all who he claims to be.
His Twitter account now seems to be gone too, but while it was up, it identified him as a white hat hacker.
Few are convinced, but hey, stranger things have happened.
Whoever's behind the incident, observers think OAuth abuse is likely to continue.
Google still gets good marks for quick reaction and containment of the incident,
but Motherboard makes note of the fact that people, including Google,
were warned of the possibility of such dynamite phishing almost six years ago.
Researcher Andre DeMarre described it to an independent standard-setting body,
the Internet Engineering Task Force, IETF, back in October 2011,
and now his warnings seem to have come true.
Snake malware, also known as Turla, Agent.BTZ, or our favorite, Uroburos, is back and getting an upgrade.
Fox-IT thinks it sees signs Snake is being prepared for use against macOS targets.
The cyber espionage tool has been in use for about a decade, targeting embassies,
government organizations, colleges and universities, pharmaceutical companies and various
researchers. Much of its activity has been focused on Ukraine, but other targets in Europe and North
America have also been hit. As is the custom, Snake poses as a legitimate app, and it's often
spread by phishing emails. So Mac users, stay alert.
Recorded Future describes Fatboy, a new ransomware-as-a-service offering
on a Russian-language criminal forum.
Customer support is available over Jabber,
and there's even a user panel for customer engagement.
High-Tech Bridge's Ilia Kolochenko sees this as a foreseeable evolution
of the crimeware black market toward commodification.
The same thing, after all, happens in legitimate markets.
Kolochenko says, quote, ransomware is about business, not about technology, end quote.
And for now, at least, ransomware seems to be good business.
For a bad business, that is.
And it's my pleasure to introduce a new partner to our podcast. I'd
like to welcome Johannes Ullrich. He's the Dean of Research for the SANS Technology Institute,
but many of you probably know him as the host of the ISC StormCast podcast, another daily cybersecurity podcast.
Johannes, welcome to the show.
Thanks for having me.
We just want to start off by way of introduction. Tell us a little bit about yourself, your background, and what brought you to cybersecurity podcasting?
Well, I originally started out in physics. That's sort of where my career started and that's what I went to school for. But while
doing physics, I also ended up doing a lot of computer work and with that also, well, I guess
today you would call it Internet of Things, but remote control of experiments. That sort of got me into security
in part because, well, you get into security by being breached at some point. For me, it was
pretty simple. The home system I used to remote control my experiments was actually used by a
spammer that then sort of got me into firewall security and all of that good stuff.
One thing I realized back then was that it's really hard for someone to understand when
you're looking at your logs, what does it all mean?
What's important?
What's not important?
So back in 2000, I started a system called DShield.org that collects firewall logs
from volunteers around the world. And that later then, as I joined SANS, became the Internet Storm
Center. And well, what we're trying to do at the Internet Storm Center is to build a global
information security sharing community. And part of this, of course, is getting the word out,
disseminating what's happening today out on the Internet.
And that's sort of where the daily podcast that I'm doing fits in.
All right. Well, it is not unlike the Cyber Wire.
It's the daily briefing of cybersecurity news.
We were joking before we got on the air here that you sort of cover the morning drive
time and we cover the afternoon drive time. So between the two of us, I think people
really have all their cybersecurity news covered for the day.
Right. My goal is to make you sound smarter when you arrive in the office in the morning.
So if you listen to the podcast in the morning, you get sort of the lowdown on the technical
issues that happened.
A little bit different from the Cyber Wire
that really covers more of the politics
and business also around security,
which is also very important.
I try to focus a little bit more
on the nitty-gritty technical details.
Yeah, it's a great show.
For those of you who haven't checked it out,
it's the Stormcast podcast.
And Johannes Ullrich,
we're real happy to have you join us here on the Cyber Wire.
We'll talk to you soon.
My guest today is Allan Liska.
He and Timothy Gallo are co-authors of the book Ransomware, Defending Against Digital Extortion.
Allan Liska has worked as both a security practitioner and an ethical hacker.
Tim and I both work with a lot of different types of customers.
What we were seeing very early on is that they were really concerned about ransomware,
but we hadn't seen, and this is late 2015, early 2016,
we hadn't seen as much of a response from the security community. There were a lot of blog
posts and things like that, but our customers were really feeling like their vendors were letting
them down. And we realized, well, there's nobody that's really offering a lot of advice on what you
need to do in order to protect yourself from ransomware if you're a corporation.
So we kind of got together and said, you know, we should write a book on this because we're
giving out a lot of the same practical advice over and over again. And if we can sort of
take what we've been telling people ad hoc and create a more formalized version of it,
then I think we'd have something that would be useful to a whole lot of people.
The first three publishers we reached out to disagreed with us completely. None of them had
any interest at all in the book.
And then we submitted it to O'Reilly, and within 30 minutes, we had a callback from our O'Reilly editor saying, yes, this is a great idea. We really want to do this.
What is it about ransomware that makes it a little tougher for people to wrap their arms around?
I think it's kind of strange. There's the Ponemon study that's done
repeatedly that says that most breaches go undetected for, I think it's about 150 days
right now. And so when you think of a breach, especially in a corporation, most of the time,
the breach itself doesn't disrupt business operations.
So you're breached, data is leaving your network for months, possibly being undetected,
but the day-to-day operations of the business go on.
It's only after it's discovered and incident response kicks in and so on, then maybe some business operations
are disrupted.
Ransomware disrupts immediately.
You know immediately that something bad happened in your organization and there's an immediate
cost, right?
There may be a cost afterwards if it's discovered that you had a breach, especially if you were liable for something that happened, if you were found to be negligent.
But there's an immediate cost to ransomware.
And so I think that's why it stays on the mind of so many people is because it's an attack that is very tangible to those organizations.
Take me through some of the highlights of the book.
What are some of the things that you all cover?
We start with the history of ransomware, and then we dive into kind of why, you know, the economics of ransomware,
why ransomware makes sense from the point of view of the bad guy.
You know, a lot of people don't think about that, but there are
organizations, in some cases professional organizations, that are
behind these ransomware campaigns. So understanding why they
are doing what they're doing and why it's profitable
for them to do this. We carve out a chapter
to discuss whether or not you should pay the
ransomware. And despite our best efforts, it's not just one page with the word no written in 96
point font. You know, it's more of a nuanced discussion around that. And then the bulk of
the book is what can you as an organization do to protect yourself against ransomware?
What are some steps that you can do both from a practical perspective?
Here's some things that we can secure.
And from an educational perspective, how can we know what's going on?
How can we educate our users?
And then we highlight some of the different types of ransomware and some of the biggest ransomware campaigns that are currently out there to give people a feel for the different approaches the ransomware authors are taking.
While you all were doing the research for the book, was there anything that caught your eye, anything that surprised you?
I think the biggest thing that caught our eye, and Tim and I have been involved in the InfoSec world for a
very long time. And so we're aware of how bad guys work and how organizations work to protect
themselves and some of the limitations that they have in protection. But we were really surprised
at the professionalism of some of the more advanced ransomware developers, you know, scheduled
release cycles, patching their software, obviously operating help desks, which I'm sure you've seen
out there. Those type of things that are really the signs of a professional organization and
oftentimes working better than some legitimate software companies do.
That's Allan Liska, co-author, along with Timothy Gallo, of the book Ransomware, Defending Against Digital Extortion.
If you'd like to hear more about ransomware, there's an extended interview with Allan on the next episode of the Recorded Future Inside Threat Intelligence podcast, scheduled for release this coming Monday, May 8th.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.