CyberWire Daily - Islamist hackers hit websites in Britain and Austria. Mac malware linked to Iran. Criminals follow the money into the cloud. M&A notes. Dendroid RAT author gets probation.
Episode Date: February 8, 2017

In today's podcast, we hear that ISIS-affiliated hackers deface UK National Health Service sites with propaganda. Turkish Islamists DDoS Austria's parliament. Poorly crafted, but troubling, Mac malware seems linked to Iran. Criminals follow the money into the cloud. Salient buys Triple I, Malwarebytes picks up Saferbytes, and Sophos buys Invincea. Palo Alto Networks' Rick Howard walks us through the adversary playbook. The author and purveyor of the Dendroid RAT gets probation.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
ISIS-affiliated hackers deface UK National Health Service sites with propaganda. Turkish Islamists DDoS Austria's parliament. Poorly crafted but troubling Mac malware seems linked to Iran. Criminals follow the money into the cloud. Malwarebytes picks up Saferbytes and Sophos buys Invincea. And the author and purveyor of the Dendroid RAT gets probation.

I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, February 8, 2017.
The Independent has reported that a number of National Health Service sites in the UK have for the last three weeks been targeted by ISIS-adhering hackers belonging to the Tunisian Fallaga Team. The most visible aspect of the attack involved website defacements with images of violence in Syria and a demand for an end to Western aggression. Patient information may have been exposed in the course of the hacks, but so far at least, such information seems not to have been compromised.

The Cabinet Office believes the coordinated attack is a serious one, more serious than earlier defacement campaigns. In part, this is due to the choice of target. The National Health Service, after all, affects essentially everyone in the UK. Various NHS trusts have sustained a number of successful attacks over the past year, many of them criminal ransomware incidents, but this coordinated defacement campaign suggests a more disturbing class of threat. Still, the NHS has proven a relatively soft target in the past, and the most recent attacks have little about them to suggest a significant increase in ISIS cyber capability. Note, for example, the continuing emphasis on information operations as opposed to, say, data theft or destruction.

The Tunisian Fallaga Team is believed to be working in concert with two other ISIS-affiliated groups, Global Islamic Caliphate and Team System DZ.
In other ISIS news, captured files suggest the caliphate is having difficulty keeping its foreign fighters motivated and on task. Iraqi forces seized documents in Mosul last month belonging to ISIS's Tariq bin Ziyad battalion. Of interest are the effect anti-ISIS military operations seem to be having on foreign fighters in particular, an express desire to return home, mostly to France and Belgium, and the apparent requirement ISIS has that fighters claiming to be too sick or injured to fight submit a doctor's note.
A different Islamic hacking group, this one of a Turkish nationalist as opposed to an ISIS bent, briefly disrupted access to the Austrian parliament's website over the weekend. The distributed denial-of-service attack was mounted by the Lion Soldiers Team, known by

A quick rundown of some upcoming events. Of course, if you're planning to be at RSA next week, visit our event sponsor, E8 Security. They're having a book signing and a cocktail party with author Gary Hayslip. And be sure to drop by event sponsor Deep Instinct's booth as well. They're in the North Hall at 4805; see what they can do for you. In Fulton, Maryland, on February 26th, join event sponsor DataTribe in the Startup Crucible for their Hacking the Home contest. And on the 1st of March, check out the Cybersecurity Summit in Denver as they offer their Senior Executive Security Conference. We've got a full listing of events on our website, thecyberwire.com.
We've been following Fancy Bear and Cozy Bear for a long time now. It's time to note the appearance of a new bad animal in the menagerie, and this one's not even Russian, still less a bear. Think of it as a Persian cat. It's being called Charming Kitten, and it's a threat group thought to be connected to Iranian security companies. Charming Kitten is unusual in that it appears to be focusing on Mac malware. Early reports suggest the malware, called MacDownloader and designed to steal passwords from the Mac keychain, is poorly crafted. It poses, sort of, as a malware removal tool, kind of, but its come-on is poorly written and badly proofread, and thus unlikely to be plausible.

Its more recent appearances have been in devices used by critics of Iran's human rights record. Such critics in Iran tend to favor Macs for their presumed security advantages. But it's also appeared in phishing and watering hole incidents involving a bogus United Technologies website that offers equally bogus professional development courses to employees of Lockheed Martin, Boeing, and Raytheon. So, inept as the initial come-on may have been, Charming Kitten will bear watching. Reports suggest that Charming Kitten and Flying Kitten, another Persian cat, may have their claws out as much for U.S. defense and aerospace companies as they do for Iranian dissidents.
An unknown state-sponsored group, possibly though not certainly Russian, used Word macros to distribute a maliciously doctored version of a Carnegie Endowment report on the implications of U.S. President Trump's election.

PhishLabs has taken a look at last year's phishing schemes and noticed a trend. Criminals are increasingly going after data held in cloud services. We heard from Tim Erlin, Tripwire's Senior Director of IT Security and Risk Strategy, who thinks we shouldn't be surprised. Thieves go for value, as we've known since Willie Sutton explained why he robs banks. As Erlin says, "...storing your data in the cloud doesn't magically protect it." We can expect criminals to subvert whatever protections are in place, whether those are in a traditional enterprise setup or in a modern cloud.

There's some news on mergers and acquisitions.
Salient CRGT has announced its acquisition of Information Innovators, Inc., commonly known as Triple I. Salient, which includes security among its offerings, sees Triple I's expertise in the federal mission space, particularly the healthcare space, as complementary to its existing capabilities.

Malwarebytes has also made an acquisition, Italian firm Saferbytes, specialists in anti-malware, anti-exploit, anti-rootkit, cloud AV, and sandboxing. Malwarebytes sees the acquisition as enhancing its threat feed and enterprise remediation offerings.

In the largest bit of M&A news, Sophos has announced its agreement to buy Invincea for a $100 million cash consideration with a $20 million earn-out. Sophos intends to integrate Invincea's machine learning and malware detection technology into its endpoint protection offerings.
And finally, returning to crime and punishment, Pittsburgher Morgan C. Culbertson, now 21, arrested in July 2015 during the FBI's takedown of the Darkode hacking forum, has been sentenced after his guilty plea to charges related to his authorship of the Dendroid Remote Access Trojan. Culbertson, who seems destined to be known forever as a former FireEye intern, which seems really unfair to FireEye, who after all did nothing worse than offer a kid a break, got off very lightly: three years' probation and 300 hours of community service. He could have faced 10 years in club fed. Not all youths are so lucky. Get scared straight, kids. This really is a permanent record, even if you get the no-jail-time outcome Mr. Culbertson received. There are teenagers doing time for cybercrime, and they serve that time in a real prison, not something constructed in Minecraft.
Joining me once again is Rick Howard. He's the CSO at Palo Alto Networks. He also heads up their Unit 42 threat intel team. Rick, welcome back. I know today you wanted to, well, you wanted to talk about something called adversary playbooks. That's new to me. What are we talking about here?

Well, it's good to be back again, David. So yeah, let's talk about adversary playbooks, kind of a new idea that we're pushing. When cyber adversaries attack their victims' networks, they leave clues behind in their wake, sort of telltale signs that they have been there. And we all know what these are. They're called indicators of compromise. Network defenders, our community, have been sharing these things for years, but that really hasn't worked that well. I mean, we share them by the gazillions, but the bad guys still seem to get in. What we have found more useful to share is entire adversary playbooks. Now, to understand what an adversary playbook is, let me throw a sports analogy at you.

Oh, goody.

So in American football, both teams come to the game with an offensive and defensive playbook, plays that they have practiced to get ready for the game on both sides of the football. Now, it's the same in our community in cyberspace. We're used to hearing about how network defenders, guys like us, have playbooks within our own organization that describe how an InfoSec team responds to an ongoing incident. We reach for the playbook and we know what to do. But on the other side of the football, so to speak, the adversary has a playbook too. We know that cyber adversaries don't freelance their attacks on the fly for every new victim. They don't come in, oh, how am I going to do it today? Let me try something completely different. They rerun the same tools over and over again down the cyber kill chain, from delivery to compromise to establishing the command and control channel to moving laterally to ultimately exfiltrating data or destroying it. Everything that adversary does down the cyber kill chain is their playbook. So the idea then is for network defenders to share everything we know about a specific playbook so that we can deploy prevention and detection controls at every stage of the cyber kill chain. When you're blocking just one indicator of compromise, you have a chance to stop the bad guy, okay, but if you are blocking at every stage of the kill chain, you exponentially increase your chances of stopping the bad guy, because even if the adversaries find their way around one of your blocks, they will immediately run into another one at the next stage. You buying any of that?

Yeah, absolutely. So I imagine we're looking for patterns in the playbooks, looking for pieces of playbooks that might be passed around, that sort of thing?

Yeah. So, Unit 42, we might know like three pieces of a playbook and we share it with another security vendor. They might know the same three, but might know two others. So now together we have a better, more mature, more robust idea of the complete playbook. And the idea then is to share it among everybody so we have the most complete playbook there is, so that we can get it to everybody so they can deploy those prevention controls.

So is there a mechanism for sharing?

Well, that's what everybody's playing with right now. And how do we do that efficiently? There's a couple of models out there. There is the platform play, which is what all firewall vendors do. There is a third-party vendor play, which is some third party does it for you. I've talked to you before about the Cyber Threat Alliance, a group of cybersecurity vendors who have decided to share playbooks amongst themselves so we can help our collective customers be better protected. So we are moving in that direction. The playbook idea is a relatively new idea, though.

Good information as always. Rick Howard, thanks for joining us.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.