CyberWire Daily - Iranian brute-forcing tool leaked. Third-party data breach touches medical testing company. Ransomware news and updates. An antitrust look at Silicon Valley?

Episode Date: June 4, 2019

Jason, an Iranian brute-forcing tool, has been leaked. A third-party breach affects customer and patient data held by Quest Diagnostics. Eurofins Scientific is recovering from a ransomware attack. A look at Baltimore City's ransomware infestation shows no signs of EternalBlue, security firm Armor says. Instead, it looks like "vanilla ransomware." And the prospect of antitrust investigations drives down Big Tech stock prices, tipping the Nasdaq into a correction. Emily Wilson from Terbium Labs on dark web fraud guide pricing. Guest is Jordan Blake from BehavioSec on digital transformations. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_04.html  Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. An Iranian brute-forcing tool called Jason has been leaked. A third-party breach affects customer and patient data held by Quest Diagnostics. Eurofins Scientific is recovering from a ransomware attack. A look at Baltimore City's ransomware infestation shows no signs of EternalBlue, security firm Armor says. And the prospect
Starting point is 00:02:16 of antitrust investigations drives down big tech stock prices, tipping the Nasdaq into a correction. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 6, 2019. You will recall, perhaps, Lab Dookhtegan, an individual or group that presents itself as connected to Iranian cyber operators. That connection is as a dissident, evidently, because Lab Dookhtegan has specialized in leaking what it says are Tehran's hacking kit. And in another apparent leak this week, Jason, software designed to hijack Microsoft Exchange email accounts, has been dumped online.
Starting point is 00:03:09 Minerva Labs has taken a look at Jason, and its conclusion is that the tool is a straightforward brute-forcing appliance designed to derive and check passwords for Exchange accounts. Jason is associated with OilRig, also known as APT34 or Helix Kitten, generally attributed to Iran's Ministry of Intelligence and Security. Lab Dookhtegan began releasing Iranian attack tools in March. By BleepingComputer's count, to date, the Iranian tools that have been leaked online include two PowerShell-based backdoors, those would be known as Poison Frog and Glimpse, which security firm Palo Alto Networks calls versions of BondUpdater. Four different web shells,
Starting point is 00:03:48 HyperShell and HighShell, FoxPanel and Webmask. This last one, a DNSpionage tool, Cisco Talos analyzed. And now, Jason. There's been a major data breach affecting a U.S. healthcare firm. In this case, it's a third-party problem.
Starting point is 00:04:06 In an 8-K filed this week with the U.S. Securities and Exchange Commission, the large medical testing firm Quest Diagnostics disclosed that American Medical Collection Agency, AMCA, a third-party collection services firm, notified Quest that AMCA had detected unauthorized activity in its network. The breach is a large one. As reported by TechCrunch and others, the breach appears to have affected nearly 12 million people. The unauthorized user took personal data, medical information, and credit card numbers from AMCA, which believes the intruder was active between August 1st of last year and this past Friday. AMCA said it was notified of the possibility of a breach by a credit card company
Starting point is 00:04:50 and upon investigation concluded that someone had indeed been in its network. As more of the things we do in our day-to-day lives shift online, from shopping to social media, and even things like visits with our doctors and other medical professionals, the organizations that handle those services need to manage that demand and the security implications that may come with it. Jordan Blake is from authentication company BehavioSec, and he advocates organizations creating a position of digital transition architect to help manage the ongoing evolution.
Starting point is 00:05:25 I think the idea is that companies are already undergoing digital transformations. These are companies who've been around for a long time and they've been focused on, you know, whatever it is they do. Retailers, banks, companies who bottle beverages, you name it. Everyone is recognizing that to be successful and to compete in 2019 and beyond, they need to be transforming digital. And what that means is they need to be focused on bringing digital experiences to their business to better deliver a good customer experience, utilizing technologies like big data and analytics, mobile technology. How does this play out in the real world? Are we talking about enhancing an online experience with people's interaction with the company,
Starting point is 00:06:17 or does it extend beyond that? It extends beyond that. Those are some of the most obvious ways that companies want to transform. So if you're a grocer, for example, it's not enough just to put food on the shelf anymore, but you have to look at the expectations of your consumers. So there are digital experiences, mobile-first experiences that are expected for consumers, but it goes beyond that. You would look at your supply chain and how you're ordering and how you're making decisions about what should be ordered and how the products get to you and how those products get to the consumer. This notion of having a digital transformation architect, describe to me what you're getting at with that.
Starting point is 00:07:01 The digital transformation architect makes sure that the overarching transformation strategy and execution of it is not tripped up by unexpected security, compliance, and other risk factors. The idea is that the digital transformation architect is a central overseer who's able to kind of objectively weigh the opinions of various stakeholders in the business. So we're talking about CISOs, CIOs, CEOs, marketers, developers, and just generally aligning leadership across the organization so that they can partake in these digital transformation activities. And if I'm looking to integrate someone like that into my organization, what level should they sit at? Typically, what we've seen is that to be successful, they are reporting into the C-suite, in some cases, the CEO or the CIO or the CISO, but they are at sort of a fairly high level because really the goal here is to digitally transform as a business, not to transform a particular stovepipe within.
Starting point is 00:08:21 And so what are some of the security implications of this? Well, that's a good question. The security implications are numerous. You can imagine an organization that is used to dealing with physical customers where they kind of meet them face to face and transact that is now moving into the digital realm needs to make sure that they can trust that people on the other side of the connection are who they expect them to be. Then we get into sort of this questions of authentication and how you deliver a great customer experience at the same time that you're trying to make sure that people are who they say they are and you're not going to fall,
Starting point is 00:09:02 become victim to fraud. But what are your recommendations if someone wants to proceed with this sort of thing? What's the best way within their organization to get in there and sell it? The first thing you need to do is recognize that it's really about culture, and it's not about particular technologies. You need to have meetings. You need to educate those internally about what this is about. To do that, people need to be brought in; they need to be made part of the effort. Everyone needs to own digital transformation in their specific context. That's Jordan Blake from BehavioSec. Eurofins Scientific, a Luxembourg-based provider of food,
Starting point is 00:10:02 environmental and pharmaceutical testing, disclosed yesterday that it sustained a ransomware attack over the weekend. The infection has impeded some IT operations but appears to have been contained, so while the story is still young, it appears that Eurofins may have been better prepared than other recent ransomware victims, like, for example, the city of Baltimore. It seems increasingly unlikely that EternalBlue was involved in the ransomware attack on Baltimore. Researchers at the security firm Armor obtained attack code samples and found no signs of EternalBlue or other propagation mechanisms
Starting point is 00:10:37 in what they told Krebs on Security was pretty much vanilla ransomware. The strain, as we've noted, is RobbinHood, and no serious observer thought that RobbinHood was in any way related to NSA. It remains possible that EternalBlue was exploited to move RobbinHood to unpatched servers, but that possibility appears to be relatively remote. The initial infection is generally believed to have come via phishing, and no one has disputed that Baltimore left its servers unpatched. Armor also has found communications from people claiming to be the attackers, but their responsibility can't be verified. They may be communications from the crooks,
Starting point is 00:11:15 or they may simply be the work of taunters. The English is broken, but broken English can easily be part of a false flag. And besides, even pranksters sometimes have poor command of English. While we have your attention, could we interest you in taking a survey? You could win big prizes like a pen, stickers, notepad, or a pint glass. Maybe even an air-gapped Galaxy S4 with nothing on it whatsoever except potentially unwanted programs. It's conceptual art. We call it The Persistence of PUP.
Starting point is 00:11:49 Street value somewhere north of a million. We're just kidding about the S4 and the million bucks and the art, but you might win that other stuff, even a swell card autographed by all of us here at the Cyber Wire. Now, you're probably asking yourself right now, Dave, why are you offering this chance to win big, big prizes? And the answer is to ask you to help us improve the quality, relevance, and overall value of the Cyber Wire's content.
Starting point is 00:12:15 We've put together a short audience survey that should take five minutes or less to complete. The survey is completely voluntary, anonymous, and confidential. Go to thecyberwire.com slash survey and fill it in if you can spare a moment. And no, we're not kidding. We would really like to hear from you. So go to thecyberwire.com slash survey and look for your chance to win some official CyberWire swag. To return to the news, the likelihood of significant antitrust investigations of big tech is on the rise. According to the Wall Street Journal, the U.S. Department of Justice has been in conversations with the Federal Trade Commission to see who will take on the case of Apple, and Justice is thought to have been given the first bite.
Starting point is 00:12:58 Justice will also conduct any investigation of Google. The Federal Trade Commission is thought to have responsibility for Facebook and Amazon. Not to be left out of the picture, Congress will hold its own inquest. The House Judiciary Committee announced its intention to hold hearings on competition in digital markets, which can be expected to be relatively wide open. The prospect of antitrust action has hit the stock prices of leading tech firms, pushing the Nasdaq composite down 10% from its May highs. As the Washington Post points out, that's correction territory. Calling all sellers.
Starting point is 00:13:39 Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now?
Starting point is 00:14:13 Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:14:54 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Emily Wilson.
Starting point is 00:15:59 She is the VP of Research at Terbium Labs. Emily, always great to have you back. You and I have been talking about the fraud guide that you all recently published. This is Fraud Guides 101, Dark Web Lessons on How to Defraud Companies and Exploit Data. There's some interesting details here in the guide that you wanted to share with us. There were some interesting things that stood out to me on pricing and also on age. First on pricing, we knew these guides were cheap these guides are widely available and they are uh extremely inexpensive and of course again as i always mention when i talk about the prices for dark web data
Starting point is 00:16:37 it's not as though people are spending their own money on this right even if you even if you're spending your own money in the beginning, you're going to have extreme returns. If you buy one stolen payment card, you're going to pay for that payment card and however many more, 10 times over. So pricing for these, we got a combination of different kinds of guides. We got some that were listed individually where you go and the vendor says, this is the guide you're purchasing and you buy that guide. We also purchased some collections or guide packs, which are exactly what they sound like. These collections of hundreds, thousands, sometimes tens of thousands of guides all bundled together, which it might surprise you, but they're not that much more expensive.
Starting point is 00:17:23 And in some cases, they're cheaper than individual guides. Overall, the price for these averaged out to less than $8 per guide. And that's just for the guides. That doesn't count all of the supporting materials and bonus items that vendors include. Supporting materials would be things like fonts or images or templates, software that they include alongside it. Because these aren't just guides. It's also everything, in most cases, everything that you need to execute on the scheme. Everything except the data, which you would need to go by separately.
Starting point is 00:17:58 So when we include all of those supporting files and all the guides and everything that we got out of this in the end, it averaged out to less than a penny per file. Wow. Now, another thing that you all tracked here was the age of these files themselves. What did you find there? I had a suspicion that these guides were not as up-to-date as the vendors might lead us to believe. Everyone says new, updated, fresh, working, recent, 2019, you know, all of these buzzwords that you have for marketing on the dark web markets. In reality, most of the guides are a little bit older than that. We found just 5% of the files
Starting point is 00:18:37 are from the last two years or from 2018 and 2019. And more than a quarter of the guides are a decade old. Some of that has to do with, interestingly, there was a spike of files dating back to 1994, all of which turned out to be copies of the Anarchist Cookbook. Of course. A dark web favorite. That old chestnut. Yes. Yeah. Interesting. One of the things that strikes me here is just the breadth of information that's being shared here. It's everything from, you know, little side street hustles to more sophisticated fraud plans. Sophisticated is an interesting word to use there because we, you know, I've seen all different kinds of materials over the years that I've been doing this. And I definitely saw that same range in what we obtained for this,
Starting point is 00:19:25 for this research project. So we have guides that are quite literally three-line text files. You know, the question is how to do whatever type of crime. And the guide simply says, Google it. You know, I love it; you have to respect the grift at that point. If you're out there buying a guide, if you're out there selling a guide on how to commit a crime, and the answer is Google how to commit this crime, just a little bit of respect for that. All the way to the other end, the other extreme, where we're talking about 40 or 50 page formatted,
Starting point is 00:19:59 highly detailed, highly researched materials. I'm thinking in particular there was a guide on how to dox, how to go out and do these doxes, these detailed targeted leaks of information that included, I won't get into too many details, but included a lot of information about sourcing, a lot of information about breadth and depth and where to leak information.
Starting point is 00:20:20 There really isn't a ton of unique information. You have people piecing together different collections and different guides over time. You have some people who are genuinely selling their own unique methods. But in most cases, you know, fraudsters are lazy. They're just like us. They're taking the easy way out. All right. The name of the report is Fraud Guides 101, Dark Web Lessons on How to Defraud Companies and Exploit Data. It is from Terbium Labs.
Starting point is 00:20:46 Emily Wilson, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
Starting point is 00:21:23 today to see how a default-deny approach can keep your company safe and compliant. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:21:59 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
