CyberWire Daily - Iran hacks for influence. Brazilian PII up for auction. Prince Harry vs. Fleet Street. Electrical infrastructure cyber risk. Paying ransom. HildaCrypt developers say they’re going straight.
Episode Date: October 7, 2019

Iranian threat group Phosphorus (or Charming Kitten) has been found active against US elections and other targets. A big database of PII on Brazilians is up for auction in the dark web souks. Prince Harry takes a legal whack at Fleet Street. An Atlantic Council session takes a look at electrical infrastructure cyber risk. An Alabama medical system pays the ransom to get its files back. And HildaCrypt's developers say it was all in fun, and release their own keys. Joe Carrigan from JHU ISI on the wider availability of malicious lightning charging cables. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_07.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Iranian threat group Phosphorus, or Charming Kitten,
has been found active against U.S. elections and other targets.
A big database of PII on Brazilians is up for auction on dark web markets.
Prince Harry takes a legal whack at Fleet Street.
An Atlantic Council session takes a look at electrical infrastructure cyber risk.
An Alabama medical system pays the ransom to get its files back.
And HildaCrypt's developers say it was all fun and released their own keys.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 7th, 2019.
At the end of last week, Microsoft warned that a threat group it calls Phosphorus, and that others call Charming Kitten or APT35, is already actively working to affect the 2020 U.S. presidential election. Phosphorus is Iranian and linked to the Iranian government. The principal target appears, Reuters reports, to be President Trump's campaign, and the activity seems to be in its reconnaissance phase. The threat actors' targets are not exclusively campaign operations. Journalists, government officials, and Iranian expatriates are also of interest to Phosphorus. There were apparently four successful account compromises in the campaign, none of which affected either campaigns or journalists. Comment on the Iranian work has tended to say that Tehran has apparently learned from Moscow's playbook, or at least St. Petersburg's. In some ways, this seems correct: false personas, amplified messaging, attempts to compromise influential accounts, and so on. But in another respect, the campaign differs from those that have emanated from Russia. Russian influence operations have tended to have simple disruption as their aim, with the strategic objective being to widen pre-existing fissures in the societies they target, with a view to eroding trust in those societies' institutions. Such a purely negative objective would seem to be easier to achieve than influencing a society or its leaders in a particular direction. That's what Tehran appears interested in doing. It would apparently welcome a more predictable and tractable American administration. In this respect, the Iranian style in influence operations resembles China's more than it does Russia's.
Tice reports that a cybercriminal going by the name X4Crow is auctioning what they claim is a 16GB SQL database holding personal information on about 92 million Brazilian citizens. The data are the usual identity theft gold: names, dates of birth, taxpayer IDs, gender, and mother's names.
Prince Harry is suing News Group Newspapers and MGN Limited, alleging, according to reports in The Guardian, that the papers were responsible for phone hacking that invaded his privacy. It's an old incident. The Duke of Sussex is claiming damages for hacking the tabloids are said to have committed against royal phones between 1994 and 2011. The New York Times published a wrap-up of the incident almost a decade ago. So why now? The Duke of Sussex has his hackles up at press treatment of his duchess.
Speakers at an Atlantic Council event last week warned that cyberattacks on power infrastructure are now a present risk and no longer just a theoretical possibility. Discussions stressed the importance of visibility into the systems that deliver power, and that visibility should extend from the sensor level through utilities' customer-facing business systems. It should also include the power industry's supply chain, as former U.S. Homeland Security Secretary Michael Chertoff argued. The utilities don't operate in a vacuum, he pointed out. They themselves depend upon transportation, telecommunications, and other suppliers to actually operate and provide power. Attacks against that supply chain can disrupt the services the utility companies provide.
Siemens released the findings of a survey conducted in partnership with the Ponemon Institute, which found that 54% of utilities professionals expected an attack on critical infrastructure within the next 12 months, while only 42% rated their organization's cyber readiness as high. Additionally, 56% of the respondents said they had experienced an attack in the past 12 months that led to the loss of sensitive information or an outage in the industrial environment. The study was based on a survey of 1,700 utility professionals around the world, and it touched on risks to electrical power and water distribution utilities. In general, the utilities are aware of the risk. The task now is to plan to manage it.
The Tuscaloosa Post says the DCH Health System unlocked ransomware-encrypted files by paying the extortionists. When the FBI last week warned that ransomware had become a matter of high concern because of its high impact, a number of media outlets fastened on to what they took to be the Bureau's change of heart concerning the wisdom of paying ransomware. That's not actually what they said. The Bureau did say that while organizations should evaluate all their options, in general, paying the ransom was a bad idea. There's no guarantee the hoods will actually give you a decryptor that works. In fact, the ransomware is nowadays often really a wiper. While in the early days of ransomware, it seemed that payment often did indeed get you a decryptor that worked, that hasn't been true recently. There's also the downside that paying ransom simply fuels a bandit economy. You tend, after all, to get more of the behavior that you reward, and that's as true of ransomware as it is of problems that range from the horrific, like terrorism, to the merely irritating, like the squeegee kids at the corner of Pratt and President here in Charm City. What the Bureau does advise is that you tell them, if you've been hit by ransomware, whatever actions you take to recover. In this case, the DCH Health System seems to have rolled the dice and come up with a lucky seven. Pricey, but at least they got their data back.
The developers of the HildaCrypt ransomware strain, which they told Bleeping Computer was never used against anyone, have released the decryption keys to their work. That way, should any script kiddies get a hold of the code and use it against anyone, anyone can decrypt their files. It was never meant to do any harm, they said, characterizing it as more of an educational initiative. If so, it seems a singularly ill-conceived educational initiative, like new math or caning in old British public schools. At any rate, the HildaCrypt masters say they now intend to turn their attention to more conventional and benign activities. Good call.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the
agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time
visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute
and also my co-host on the Hacking Humans podcast.
Joe, great to have you back.
Hi, Dave.
Story came by via Vice and Motherboard.
Yeah.
This is from Joseph Cox, and the title is Legit-Looking iPhone Lightning Cables That Hack You Will Be Mass-Produced and Sold.
Right.
This is from MG, who is demoing these at DEF CON, I think this year, and selling them for $200 a pop. And what are we talking about here? This is a lightning cable. It looks like a lightning cable. It acts like a lightning cable. It does everything a lightning cable does, but it also has a Wi-Fi access point built into it.
I mean, that's one of the benefits, I guess, of miniaturization is we can now build essentially a USB cable
that is capable of running a Wi-Fi hotspot on it as well.
And this looks exactly like an Apple-branded lightning to USB cable.
It looks very, very similar.
MG is saying that he's doing this completely transparently and out in the open
and letting everybody know that these things are there.
And that's true to his credit that he is doing that.
He's not covering it up, not being surreptitious about it.
Hak5 will be selling them.
Hak5 is the company that sells the Wi-Fi Pineapple and other hacking tools.
So it seems like a legitimate vendor for these things.
But the end result is that, I got to tell you, Dave,
we're at a point now where if you don't buy your USB cables
from a reputable source, then you shouldn't trust them.
I would say you can't trust your lightning cable
unless you buy it directly at an Apple store.
Yeah, I guess I have mixed feelings about the availability of something like this
because of how deliberately it's trying to look like a legit cable,
which, of course, is part of the point here.
I can imagine it wouldn't be that hard for someone to buy a real Apple cable, take it home, swap it out for one of these, return it, and have it be put on the shelf at their local Apple store.
That's a good point.
Yeah.
That's a good point.
Do you have any issues with the fact that these types of things are being sold at all?
I understand your concern with it.
I generally don't. Maybe I'm missing something here, but I think somebody is going to make these things, period. Okay. The fact that these are readily available and being talked about openly is better than somebody making them and not talking about them. And I think that's a bigger danger. Because these things have a Wi-Fi access point in them, they are detectable because they're going to have to emit some kind of Wi-Fi.
Yeah.
Right?
And you can probably see them on a Wi-Fi analyzer,
but nobody's going to do that, right?
Well, and how many – yeah, I mean, open up your Wi-Fi anywhere.
There's going to be a dozen devices that are beaconing.
Correct.
They're all going to have random names.
Yeah, but if you plug this thing in, you'll see, hey, there's a new one, and the signal strength is strong.
Yeah.
Chances are this is a malicious cable.
But by then, it's probably too late, right?
Right.
Right.
So maybe you just plug it into a wall adapter first.
Mm-hmm.
I don't know.
But I mean-
So that's going to become part of our routine.
Right.
Yeah.
No.
It's not.
It's also not going to become part of our routine to x-ray these cables and make sure they're good.
Right.
We've talked about doing that before.
Take him over to the TSA and let him do that.
Yeah.
I guess the trouble I'm having is the fact that there is no labeling on this, which I understand is the point.
Right.
Right.
I get your concern.
Yeah.
I get your concern 100%.
Yeah.
It's not an invalid concern. And I'm not 100% married to my position on this either.
Mm-hmm.
You know, that this is cool and it's neat that they're making it, and Hak5 does this kind of thing.
It's not the only type of tool in this sort of brand of tools. I mean, there's all kinds of similar things that –
Yeah, if you go to Hak5's website, you can get a Wi-Fi Pineapple, which will let you spoof other people's Wi-Fi.
That's what the device does, among other things.
But this is an interesting one.
The fact that it's being mass-produced, so the price comes way down, which greatly increases the possibility that you could find yourself subject to one of these.
Right.
Imagine these things costing less than an actual lightning cable from Apple.
Right. Right.
And now I sell them on Amazon, and in my local area, right, because I can kind of localize where I'm going to sell them.
I'm just imagining just leaving these things around at trade shows.
Even better.
Just leaving them around, because I think you and I have talked about this before. You leave one of these in the lunchroom at your office for a couple of days, it is gone. Somebody's going to notice it, and within a couple of days, if you don't grab it, someone else is going to, because it's a free lightning cable.
That's right.
And that's the point.
Yep.
And I'm not sure how you fight against that.
Like you said, you buy your own and, I don't know, mark them with a Sharpie so you know yours are yours.
I'm just going to lock myself in a room somewhere.
I'm going to get a flip phone.
Right, yeah.
Pull my abacus out of the closet and do all my computing that way.
Build a log cabin in the woods of West Virginia.
Yeah, that'll go well.
Right.
All right.
Well, I'm curious to hear what our listeners think about this.
Yeah.
You understand my discomfort.
I absolutely understand your discomfort.
And yet I understand the legitimate uses of this.
And this does oog me out a little bit.
There's just something about it that it's a mild discomfort that I just can't seem to shake.
And maybe the problem is me, not the device.
I don't know, Dave.
I don't think it's you.
I think the problem is that we're seeing so much now that we're just learning we can't trust anything.
We have these things.
We have deep fakes.
We have other things that you think you can trust, but you just can't trust them.
Right, right.
Because what we all need is another source of low-level anxiety in our lives.
Exactly.
Right?
That's wrong.
Yeah.
All right.
I don't know what this is going to do to us evolutionarily.
Yeah, I don't know.
All right. Joe Carrigan, thanks for joining us.
My pleasure, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. Designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too. Thanks for listening.
We'll see you back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.