CyberWire Daily - Influence operations in Germany. More Turla. KHRAT looks like political spying. Exposed AWS S3 and MongoDB databases hit. Ransomware notes. Cyber gangland rumbles.
Episode Date: September 5, 2017
In today's podcast, we hear that election influence operations appear to have begun in Germany. Turla's spoor tracked to the Pacifier APT. Cambodia takes an authoritarian turn, possibly extending to domestic spying via RAT. Rival jihadists remain active online; US Cyber Command working to deny them cyberspace safe havens. More exposed AWS S3 databases. MongoDB databases hit with ransom wiper. PrincessLocker and Locky ransomware continue to romp in the wild. Free RAT backdoors criminals. Johannes Ullrich from SANS Technology Institute and the ISC StormCast podcast on DDoS extortion emails. Disgruntled customer doxes booter service. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. To learn about combining threat intelligence, analytics, and orchestration, check out ThreatConnect's webinar. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. JHUISI & partner COMPASS Cyber present Cyber Security Conference for Executives on September 19th in Baltimore. Register for the event.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Election influence ops begin in Germany.
Turla's spoor is tracked to the Pacifier APT.
Cambodia takes an authoritarian turn, possibly extending to domestic spying via RAT.
Rival jihadists remain active online.
U.S. Cyber Command is working to deny them cyberspace safe havens.
There are more exposed AWS S3 databases.
MongoDB databases are hit with a ransom wiper.
Princess Locker and Locky ransomware continue to romp in the wild, a free RAT backdoors criminals, and a disgruntled customer doxes a booter service.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, September 5, 2017.
German authorities have long been concerned about the security of the federal elections scheduled for September 24
and have sought to increase cyber readiness appropriately.
Election-related cyber operations appear to have begun.
Julia Klöckner, leader of Chancellor Angela Merkel's Christian Democratic Union,
says the political party's website was hit with 3,000 attacks yesterday.
The kind of attack was unspecified.
It's not yet publicly known whether they were probes, DDoS, or what have you.
But Klöckner says they originated from a large number of Russian IP addresses.
That's circumstantial evidence of Russian involvement, of course,
but Russian attempts to erode confidence in German elections
and the country's political system as a whole have long been expected.
German security services have been preparing for such an eventuality over the past year.
With the elections less than three weeks away, influence operations will bear watching.
Polls continue to give Chancellor Merkel's party a comfortable lead over its Social Democrat rivals.
More research exposes other activities attributed to Russian intelligence services.
Last week, the Bratislava-headquartered security firm ESET described renewed Turla activity.
On Friday, researchers at the cybersecurity company Bitdefender connected the Pacifier APT to the Turla Group.
Bitdefender has been tracking Pacifier since 2016
and says the advanced persistent threat had been active since 2014 at least.
Its dropping of multistage backdoors is consistent with other reports of activity by Turla.
Cambodia's government has been taking an increasingly authoritarian turn with respect to political discourse recently.
Prime Minister Hun Sen on Sunday ordered the shuttering of the country's major opposition newspaper, the Cambodia Daily.
The government had earlier closed some 15 radio stations broadcasting the Voice of America and Radio Free Asia.
In a development that may be related to tighter censorship,
a wave of KHRAT remote access Trojan infections is moving across Cambodia's networks.
KHRAT is not apparently criminal in motivation the way most similar RATs are.
Instead, it appears designed to establish surveillance over domestic political opposition.
Researchers at Palo Alto Networks Unit 42 report that this particular campaign first surfaced in June of this year.
The most recent wave is using spam and phishing emails, many of which are baited as information about the Mekong Integrated Water Resources Project, to compromise machines and steal information that includes the system's language and IP address.
It uses keylogging, screenshots, and remote shell access to observe user behavior.
It also uses a bogus Dropbox cloud storage service that in fact directs to a Russian IP address.
The actors behind the campaign appear interested in refining their target list,
probably as battlespace preparation for a more focused spear-phishing campaign.
Unit 42 doesn't attribute KHRAT to the Cambodian government.
While they do note that the malware has been hosted on a Cambodian government site, that in itself could mean little.
After all, ransomware has found its way on occasion onto U.S. government sites.
The researchers do think that the group behind the campaign is sophisticated and that it bears watching.
As they put it on their blog, quote, We believe this malware, the infrastructure being used, and the TTPs highlight a more sophisticated threat actor group, which we will continue to monitor closely and report on as necessary, end quote.
Sometimes rival, sometimes cooperating jihadist groups
continue online recruiting and inspiration efforts.
U.S. Cyber Command is said to be conducting cyber operations
that mirror U.S. kinetic action against ISIS.
The intention is to deny the caliphate physical and virtual safe havens.
More misconfigured AWS S3 buckets expose information that ought to have remained private.
UpGuard found resumes submitted to security firm TigerSwan exposed by recruiting vendor TalentPen.
Kromtech researchers found user information belonging to Time Warner Cable customers exposed by BroadSoft, which developed Time Warner Cable's MyTWC app.
It's worth noting that in both cases, the party responsible for the data exposure is a third-party vendor, which again highlights the risks inherent in the data supply chain.
A large-scale ransom campaign has hit MongoDB databases.
Security researchers call it a continuation or resumption of the MongoDB apocalypse that began last December and continued into early spring.
The attackers are searching for exposed, accessible MongoDB databases, wiping their contents, and replacing the missing content with a ransom demand.
Three criminal groups appear to be active.
26,000 servers have been affected, with one group, presumably the Bigfoot of the criminal trio, responsible for hijacking 22,000 of them.
The attacks come at an unfortunate time for MongoDB.
Last month, the company quietly filed for an IPO that would take it public before the end of 2017.
The expected valuation is thought to be at least $1.6 billion.
Other ransomware currently endemic in the wild include Princess Locker, now being distributed via the RIG exploit kit, and of course a recently evolved version of Locky, which is particularly spooking enterprises in India.
The Indian government has warned users to be on their guard.
Finally, in cyber gangland, there are some currently running beefs among those who trade in the black markets.
Security firm Zscaler has been watching a newish remote access Trojan, Cobian RAT, whose developer is offering a free builder that would let other crooks develop custom versions of the malware for their own use.
That same developer, Zscaler says, has also included a backdoor to his own command and control infrastructure.
Cobian hasn't been much of a hit in markets anyway.
Its functionality, particularly a buggy keylogger, isn't really up to criminal snuff, but news of the backdoor will probably make it a hit on the market.
And the DDoS booter service TrueStressor, we'll call them greyhats since it's possible to imagine legitimate uses for what they offer, has been hacked by a hacked-off customer who late last Thursday uploaded a bunch of stolen data to Hashbin and Pastebin.
His message to TrueStressor is worth quoting as an example of what poor customer service can draw upon any provider, legitimate or, in this case, illegitimate.
We bowdlerize the language because, of course, we're a family show, but connoisseurs of potty mouths can easily infer the original.
We quote, TrueStressor database leaked. F-ing scammers, that's what happened when you banned people for no reason and you don't know how to manage your site. What the heck, fellows? All PHP files downloaded when I went to that scatological slang. But hey, who cares? Here's all the info.
So there. Be nice to your customers.
One side note, it appears that TrueStressor is renting infrastructure from another DDoS stressor service, Defcon.pro.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning
with purpose, and showing the world what AI was meant to be. Let's create the agent-first future
together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist
who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight
Pictures. Stream Night Bitch January 24 only on Disney+.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's
defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute, and he also hosts the ISC StormCast podcast. Johannes, welcome back. You had an interesting topic today. You wanted to talk about DDoS extortion emails.
Yeah, DDoS extortion emails is something that doesn't seem to go away. Now, about two years ago, we had some very active groups that performed very powerful DDoS attacks against banks and the like.
And there are now a lot of copycats here for this particular scheme, but they don't actually have the capability to launch these large DDoS attacks.
Instead, what they do is they send an email asking for an unspecified number of bitcoins in order to prevent a denial of service attack. They just hope
that the victim will pay up, never realizing that the criminal here doesn't actually have
the capability to launch these denial of service attacks. What we've seen in a couple of cases is where the criminal actually does launch a very small,
short denial of service attack, just usually five minutes or so in order to demonstrate their firepower.
Typically, this is really just meant to scare the victim.
The denial of service attack is pretty small and not too difficult to defend against.
But again, a small denial of service attack like this may scare the victim into paying up.
So this is a little bit of a game of nerves here, where you just have to sit tight and hope for the best that, if you do receive a letter like this, the actual denial of service attack will not happen.
Paying up typically is the wrong thing to do here because it does not prevent additional demands that will arrive later
once they figure out that you are easily scared into paying up to these demands.
And so beyond just sort of hoping that it's not the real thing, what kind of
protections can an organization put in place to protect themselves against DDoS attacks?
Yeah, given the frequency and ambiguity of these DDoS attacks, you definitely should have your
defenses in place. And defenses usually mean that you have to sign up for some kind of DDoS prevention service. The problem with
real and powerful DDoS attacks is there's really not much that you can do on premise within your
own network to defend against it. You need your ISPs, you need outside providers to filter the
traffic as far away from your network as possible.
So are these folks generally targeting larger businesses or smaller businesses who might not
have the sophistication to protect themselves?
The fake letters we have seen against all kinds of businesses.
They seem to be targeting a little bit the businesses that are likely to be attacked,
like financials. Now, sometimes they also try to hit businesses at very critical points in time,
like large traffic days or, for example, e-commerce businesses around the holiday season
where you do have a lot of business happening.
And that, of course, makes these businesses particularly vulnerable.
All right.
Johannes Ullrich, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker
is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can ... insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.