CyberWire Daily - ISIS claims responsibility for Sri Lanka massacre. Spearphishing embassies in Europe. How the Blockchain Bandit probably did it. Mexican embassy doxed.
Episode Date: April 23, 2019
ISIS claims responsibility for the Sri Lankan bombings. The government maintains its declared state of emergency, and has arrested at least forty in the course of its investigation. Check Point describes a spearphishing campaign against embassies in Europe. It's thought to be the work of the Russian mob. Weak keys let the "Blockchain Bandit" rifle alt-coin wallets. And a disgruntled bug hunter doxes one of Mexico's embassies. Justin Harvey from Accenture on preserving digital evidence in the aftermath of a cyber attack. Guest is Maryam Rahmani on the upcoming NYIT Girls in Engineering and Technology Day. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_23.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
ISIS claims responsibility for the Sri Lankan bombings.
The government maintains its declared state of emergency
and has arrested at least 40 in the course of its investigation.
Check Point describes a spear phishing campaign against embassies in Europe.
It's thought to be the work of the Russian mob.
Weak keys let the Blockchain Bandit rifle altcoin wallets.
And a disgruntled bug hunter doxes one of Mexico's embassies.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 23rd, 2019.
ISIS has claimed responsibility for the Easter massacres in Sri Lanka.
A statement published by the jihadist organization's news agency Amaq says the bombings were retaliation for last month's massacre of Muslims
at a New Zealand mosque and were intended to kill Christians. Sri Lankan authorities,
who continue their social media crackdown during a declared state of emergency,
continue to believe the attacks were the work of local jihadists acting with foreign support.
The death toll has now reached 321.
Sri Lanka's decision to block social media is being read by many,
the Washington Post among them, as another instance of growing distrust in big tech.
They cite the inability of algorithms to keep pace with the number of people who wished to, and did,
share the attacker's video of the massacre in Christchurch, New Zealand, as of a piece with Sri Lanka's crackdown.
But this isn't as clear-cut a matter as much opinion would have it. Sri Lanka's action
is more like a government in the late 19th or early to mid-20th century shutting down
newspapers during times of emergency.
The government is concerned about inflammatory posts that could feed further immediate violence,
not about social networks' inherent untrustworthiness.
As Facebook pointed out, quietly,
"People rely on our services to communicate with their loved ones,
and we are committed to maintaining our services and helping the community and the country during this tragic time." Facebook in this case has a point, and the Sri Lankan government has legitimate counter
concerns. Social media users have driven violent mass behavior, in South Asia especially, far too
often in recent years, and that's the immediate concern here. It's not clear what role online
communication played in coordinating the
attacks, but the government doesn't want a mass murder to turn into mass rioting.
The number of arrests made so far in the case is said to have reached about 40.
Researchers at Check Point describe a targeted spear phishing attack against government finance
authorities and embassies in Europe.
The hackers appear to be Russian, and they appear to be criminals,
although that's a tougher call,
given the growing penetration of the Russian mob by the Russian security organs.
The campaign used malicious Excel files marked implausibly as if they were from the U.S. State Department.
The payload was a weaponized version of TeamViewer,
capable of taking
screenshots of infected systems. One of the gang members, who goes by the name EvaPix,
was active on a hacking and carding forum, The Verge notes, talking about the attack and offering
advice to others who might wish to do likewise. This alone suggests that a criminal as opposed
to a state actor is responsible.
The campaign has received surprisingly high reviews for the convincing quality of its work,
but we're not so sure.
The subject line was "Military Financing Program."
Marking a spreadsheet top secret, splashing some U.S. State Department logos all over it,
and then shooting the stuff around by email with an
invitation to click now, click now now now, seems a come-on more designed for naifs than for
diplomatic sophisticates. But we have to admit we like the touch that the attachment represents
itself as GSA Form 1566, Revision 9-74, which is the current top-secret control sheet.
The State Department watermark is just gravy.
A close reading of the phish bait would, however, reveal that the workbook title is in Russian,
Zapros Odin, or Request One, which isn't exactly how they'd express it at Foggy Bottom,
especially not in Cyrillic characters.
The verbiage on the bogus Form 1566 would also strike experienced textual critics of the General Services Administration canon as wayward.
It says,
"The attached material contains secret information which bears directly upon the effectiveness of conduct of foreign relations,"
which reads a little like someone shoehorning Russian into an English
sentence. It goes on in a bold-faced screamer,
"To display data in document, click Enable Editing and enable content on the protected view bar."
And the instructions close, sinking in prose, with,
"As such, the attached material deserves special care in its handling, custody,
and storage as required by the information security."
The information security would advise not touching this with the proverbial 10-foot pole.
In fairness to EvaPix and company, judging from Check Point's analysis, they did seem to put in
the work as far as the attack chain is concerned. And indeed, while more recipients than one would
like to believe did indeed click,
now, now, now, others at once rightly bonged it to the spam folder. Good awareness, Italy and Kenya,
two countries at least where the diplomatic staff seem to be paying attention.
NYIT is the New York Institute of Technology, a not-for-profit university headquartered in
New York.
Their College of Engineering and Computing Sciences is hosting a Girls in Engineering and Technology Day this coming May 4th at their Long Island campus.
Maryam Rahmani is a technology consultant who's helping run the event, and she joins
us to share why STEM-focused events targeting young women matter. The program is focused on high school girls,
sophomores, juniors, you know, by the senior year, you could say they've already decided,
you know, where to go. But the important thing is, how do we reach these high schoolers to be
interested to look into STEM programs.
Often you see that they are very strong in math and physics and biology and other science-related courses,
but somehow by the time they end up in colleges, they don't even pursue these types of degrees,
whether it's engineering, computer science, or other STEM-related degrees, and so we felt that by providing them an
opportunity to see women that have studied engineering and have had
marvelous career track as well as having an ability to see what each major offers,
and also even get to play around with the hands-on workshops
without having any previous experience, as an example, with cybersecurity,
with drone or coding, that potentially would be triggering their interest
and excite them to look into STEM programs, whether at NYIT or beyond.
Now, do you think that providing this sort of environment where the girls get to speak to other
girls and other women, does that provide them with insights that they wouldn't get at a regular tech
event where there were both boys and girls there? So that's a very good question, Dave. Yeah, so I believe that girls will be very comfortable in an environment with their peers
that they can really just focus and imagine, what would it be for me?
Would I ever be like that lady that is a keynote?
Can I reach to those levels?
It would be less distraction. It's a program that is completely dedicated for them, and they will have an opportunity to not feel that, oh my gosh, I may not have the experience that my male peer may have, for instance, with coding or something else. They just get to really just be curious and try something
and not feel that they're being sort of compared. So I feel that the environment would really
encourage them. And one of the tags that I guess NYIT uses for this particular event is see her, be her. I think that's very important. I often think of my
own 15-year-old daughter, and I think it's so important for these girls to be able to look at
women like myself and have a face for what we look like, that we are not like some, you know, stereotypes that are sometimes shown,
whether in information security, whether in other aspects of engineering, that academic career
really prepares us to be thinkers and innovators and have the skills that our country so badly needs for the future,
for its security and for its competitiveness.
So that's really what I believe in, you know, sort of programs like this
provides these young ladies to be able to experience all in one day.
That's Maryam Rahmani.
The event is at NYIT. It's Girls in Engineering and Technology
Day, coming up May 4th, 2019. If it's the blockchain, it's got to be secure, right? Well, not necessarily.
Researchers at the firm Independent Security Consultants grew curious of what might happen if,
instead of using an effectively unguessable 78-digit key to their wallet,
a cryptocurrency user decided to, say, smack it with, well, something easy like the number 1.
They looked and found that a lot of altcoin traders were doing just that.
And they found, moreover, that someone they're calling the blockchain bandit had got there first
and made off with the coin such wallets contained.
In fairness to the users, we note that not every weak key is as easily guessable as one,
and the silver lining to the theft, if there can be said to be one,
is that the Bitcoin bandit probably lost most of his or her shirt
when the altcoin speculative bubble deflated last year.
A disgruntled bug hunter has released documents taken from a server in Mexico's Guatemala embassy.
He told TechCrunch he expected a reply, and when he doesn't get a reply, then it's going
public.
So there.
The doxing included many identity documents, passports, visas, and so on.
Much of it had markings indicating that it was confidential or sensitive,
but that seems to have indicated for the most part that the data were private
and not that they represented state secrets.
Anywho, the hacker has since explained his motives.
On his Twitter timeline overnight, he said,
"I am an idiot," and who are we to disagree?
Know thyself.
And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture.
Justin, it's great to have you back. We wanted to touch today on preserving evidence when a cyber
attack happens. What can you share with us today?
Well, what I can share with you is the first thing
that many organizations make a mistake in
is actually destroying the evidence,
thinking they're doing the right thing.
They have patient zero.
It has some sort of malware or an adversary on it
that has appeared within their SIEM.
And the first thing that people want to do is say,
well, let's go reimage that box. And reimaging is absolutely the wrong thing to do because you
absolutely don't know how the adversary got on there. You don't know what they've stolen or
grabbed. And you also don't know if the adversary has moved laterally off of there or if they have
secondary or tertiary persistence mechanisms. So the first thing that we tell our clients to do is hibernate the system.
Don't put it to sleep.
Don't shut it down.
Don't disconnect it from the network.
I mean, disconnecting from the network, from the physical network is absolutely okay, but
make sure that you hibernate the system.
That ensures that the running memory is preserved and actually, from a technical
perspective, it writes it to disk so that when we do digital forensics on it, we get to see the
full picture, which is both the memory, which has very valuable bits of information with what the
adversary has done since last reboot, as well as the disk in order to do the analysis.
I could see someone's first impulse to be that something's gone wrong.
Let's just walk around and pull the plug.
Pulling the plug is actually probably okay.
But when you do that, you never know if there's an encryption routine running
or if there's something else that could be inadvertently interrupted.
So what you want to do is, if you do pull the plug, if it's a hardwired connection, absolutely follow up with a hibernate
directly following. I see. What about in terms of folks who may have to preserve things
for regulatory reasons? Well, from a regulatory perspective, you want to focus on the machines
or the systems that matter. Let's say
you're hit with a widespread ransomware attack and 4,000 of your 5,000 machines have been affected.
You clearly don't want to go forensically image 4,000 systems. That would take up a lot of disk
space and take up a lot of time. But you want to focus on material systems that are pertinent to the investigation. Regulators want to see
how they got in, how they escalated privileges, how they moved laterally, and what they took
and or what they got. So sometimes that's actually not forensic data. Sometimes it's actually log
data that you can save off and keep to the side so that when you are audited or you are working
with regulators, you can actually paint them a full picture.
And in incident response terms, what you want to be developing is a timeline.
On Monday, the adversary sent a phishing attack.
On Tuesday, Allison clicked on the link.
On Wednesday, they were able to move laterally and they took this information.
So when you show this to the regulator, you want to show a very complete timeline with as much perspective information as possible while not going completely overboard and
inundating them with information. Is there a natural tension that comes into play here where,
you know, folks want to get back up and running, they've got business to do,
and we've got this machine sitting there in hibernation mode, and time is wasting?
Yeah, the number one priority for my clients, Dave, is how do we get back to doing the business that we do, collecting revenue,
communicating to customers, dealing with patients. And the answer is, particularly for some of these
larger attacks or the more dangerous ransomware, you really want to find out how the adversary
or the threat got into the network
before you start standing everything back up for a few reasons. First is you don't know if the
adversary has a secondary or tertiary backdoor. Many of the attackers out there, they want the
ability to persist if you find one of their legs of persistence, in other words. So it's a very standard practice to see
them use one type of malware to persist, and then there's a backup that no one ever really realized
out there on the perimeter or the edge. The second thing to take into consideration with
restoring services is you also don't know the dwell time. I think that the jury is still out for the average of dwell time. Some
vendors put it at sub 100 days. Some vendors put it at over 200 days. Let's just pick the average.
Let's pick 150 days of average time that an adversary, once they've compromised an organization,
how long they get free rein to do whatever they want. So when you're running this
case and you want to get back to operations, how do you know that the adversary hasn't already been
implanted themselves within the backups inadvertently? Meaning Monday, the adversary
got in. On Tuesday, the backup ran and you discover it on Friday. Well, let's go back to
Tuesday's backup. Well, that wouldn't do very much good because the adversary, you're just basically reinstalling the adversary with their tools.
So you really need to have a good idea of how the adversary got in, how they're persisting in order to close those loopholes off before restoring services.
All right.
Well, Justin Harvey, thanks for joining us.
Thank you.
Thank you.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.