CyberWire Daily - LeakedSource is down. DoubleFlag's called out for bogus stolen goods. Fancy Bear is in UK, German networks. Shamoon alert in Saudi Arabia. Scamming tech support scammers.
Episode Date: January 27, 2017
In today's podcast, we hear that LeakedSource is down, maybe for good. DoubleFlag seems to be selling bogus data on the black market. (And where, we ask, is the Ripper review? If you can't trust a criminal, who can you trust these days? Sad.) Fancy Bear is back—actually, she never really left—now snuffling at British and German networks. Saudi Arabia remains on Shamoon alert. The Dridex banking Trojan has reappeared, in an improved version. Dale Drew from Level 3 Communications shares findings on the Asia Pacific region. Vince Crisler from Dark Cubed puts Grizzly Steppe in perspective. And tech support scammers get scammed—don't try this at home.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
LeakedSource is down, maybe for good.
DoubleFlag seems to be selling bogus data on the black market,
and where, we ask, is the Ripper review?
Fancy Bear is back. Actually, she never really left.
Now snuffling at British and German networks.
Saudi Arabia remains on Shamoon alert.
The Dridex banking trojan has reappeared in an improved version.
And tech support scammers get scammed.
Don't try this at home.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, January 27, 2017.
LeakedSource, gray market purveyor of access to stolen passwords, is down, possibly for good.
Someone with the handle LTD, claiming to be in a position to know,
said yesterday on an online forum that LeakedSource had been raided by U.S. authorities,
shut down and gone for good.
The U.S. Justice Department has primly declined to comment, but the word on the virtual street is that the feds took them down.
LeakedSource had specialized in finding and selling stolen credentials
they'd discovered in various dark web dumps.
Some of the bigger breaches whose results they scooped up involved Twitter, with 32 million
accounts, Dailymotion, with 85.5 million records, and Weebly, with 43 million accounts.
LeakedSource had been much criticized for their trade.
People generally believe they should have quietly notified victims, as opposed to cracking
passwords and making them available to anyone. But journalists and others have made more or less reluctant use of
LeakedSource in their reporting. More evidence of the lack of honor among thieves emerges at week's end.
DoubleFlag, the criminal group that has been selling data stolen from large Chinese ISPs,
claims to have stolen data on 126 million individuals from U.S. Cellular.
And of course, they'll sell the data to you.
But U.S. Cellular tells HackRead they've investigated, and DoubleFlag's wares are bogus.
There's been no breach, and it's all a lot of hooey.
Is DoubleFlag about to get a bad review on Ripper?
SecureWorks reports that Fancy Bear, the Russian GRU outfit famous for compromising
the U.S. Democratic Party's National Committee last spring, has been found in a British television
network, unnamed for legal considerations.
As happened with the DNC, Fancy Bear seems most interested in email,
and not only business email, but also email exchanged among reporters and producers working on stories.
SecureWorks believes Fancy Bear got into the network back in July of 2015 and stayed undetected for a good 12 months.
Such quiet persistence is interesting because Fancy Bear has
the reputation of being pretty noisy. Her cousin Cozy Bear is the quiet one, which seems right
given that they're respectively the GRU, that's Russian military intelligence, the equivalent of
the U.S. DIA and NSA, and the FSB, which is the KGB's successor organization. German authorities
are also seeing an increase in activity that looks like Fancy Bear's.
This pawing at media and political targets strikes many observers as battle space preparation
for this year's round of national elections in Europe.
Diplomatic sources in Russia's London embassy dismiss the allegations as Western nostalgia
for the Cold War.
ThreatConnect has devoted some attention
to fleshing out the indicators of compromise by Fancy Bear that appeared in the U.S.
intelligence community's Grizzly Steppe report. ThreatConnect's observations are interesting
and a reminder of the distinction between evidence and intelligence.
Saudi worries about Shamoon persist. Intel Security has an overview of their current research into
Shamoon 2's details, and Wapack Labs reports signs that the malware is turning up in the shipping
industry as well. The well-known banking trojan Dridex is back, and Flashpoint says the malware
now employs a new user account control bypass method. It's now trickier and more evasive.
See Flashpoint's report for the details.
And finally, you know the Microsoft support scam? Not, we hasten to note, affiliated with Microsoft in any way.
It's also known as the help desk scam. Someone calls you and says, over the call center boiler room background noise, that they're from Microsoft support and that your computer's infected with a virus, and that you should give them your password so they can fix your machine. Well, they recently called Ars Technica,
which decided to play some virtual whack-a-mole with them. The caller said he was from the technical support center and that they were going to help him speed up his computer by purging junk files
that they detected. The Ars staffer kept the guy on the line for two hours, feigning cluelessness
and recording their scam on a virtual machine.
He wrote about it in Ars Technica in an article called You Took So Much Time to Joke Me.
Read the whole thing, and in the meantime, remind your trusting friends and family that no one from the Technical Support Center is going to call them.
Ever.
Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications.
Dale, your group recently put out a paper outlining some of the threats that you all are seeing from the Asia Pacific region. What can you tell us about that? Well, thank you. We've been trying to get a lot
more focused on sort of the cause and effect piece of threat intelligence. And so we're doing a lot
more focus on particular regions and particular actors. And so as an example, we did an analysis on Asia-Pac and tried to sort of uncover some data to determine if Asia-Pac is acting in a way different than any other region.
I'd say that we track about 8 million malware victims per day in Asia-Pac.
And that's versus about 28 million in the U.S.
And so, you know, there's pretty much a rolling average of eight million compromised victims on a daily basis within Asia Pac.
You know, the other interesting thing is, is that China compromises occur because of phishing attempts, right? Where a bad guy sends an email to a victim, had them click on
the email, and then they become a malware victim as a result. So it shows you the, not only how
compromisable the infrastructure itself is because of lack of patching practices and things like
that, but also how susceptible the end users are from still clicking
on those emails that end up getting them compromised. And what do you see in terms of
rate of growth of these attacks? Is the Asia-Pacific region growing faster than the rest of the world?
I would say that the Asia-Pacific region is growing at a little bit of a faster rate than, say, the United States, which is right now the largest set of compromised machines.
But as an example, some specific regions in Asia-Pac, the Philippines as an example, that rate has doubled quarter over quarter.
And we largely think that's because of accessibility and use of IoT devices in the
Philippines. Asia-Pac in general is growing at a fairly small rate, not as fast as the U.S.,
but some regions like the Philippines are absolutely doubling in size every quarter.
And how does this all align with populations versus available connectivity
compared to places like the United States?
It tends to be a direct correlation of population as well as density of infrastructure.
Especially, we are seeing a definite trend where, a change in that trend,
where it used to be predominantly
if you were hosting infrastructure, the country who was hosting the most infrastructure was
the most compromisable.
And that's why the U.S. is always on the top of the charts because data center and environment,
you know, critical infrastructure like DNS infrastructure and hosting providers being
at the top of that list in the US.
That trend is changing. Now it's turning into end users who are operating things like IoT
and the ability for those end users to click on phishing email. And so we're seeing a lot more
compromisable systems based not on where business hosted infrastructure is, but where the consumers
are. And so that's why you're seeing this enormous explosion in trends in these other
countries like Brazil, Taiwan, China, and the Philippines, because the end users are
discovering that by compromising those IoT devices, whether they're routers or cameras,
they can compromise many more devices and have a much larger impact on being able to use those devices for malicious purposes.
All right. Dale Drew, thanks for joining us.
My guest today is Vince Crisler. He's the CEO of Dark Cubed, a startup cybersecurity company looking to make their mark with an easily deployed, cost-conscious cybersecurity platform.
Mr. Crisler also served as Director of Information Assurance for the White House's Executive Office of the President
and was responsible for the creation of the first-ever Cybersecurity Operations Center to protect White House networks. We began our conversation
talking about the U.S. DHS's Grizzly Steppe report, attributing compromises to Russian threat activity.
What really interested me was looking at the IPs that were released, and there were about 876 of
them in that document, and to see what we could learn from
the information that was released about the threat actors and about the infrastructure that they were
using, the first step that I performed looking at that analysis was just what sort of infrastructure
are those IP addresses related to? And that was a quick and simple execute a reverse DNS lookup on
all those IPs, and then parse that out into a graph analysis where
we're able to look at the top-level domain, .com, .net, .edu, looking down at the domain,
and then looking down at the subdomains and relating those all together. And so we were
able to see there the influence of some of the online hosting providers. And also in a lot of
those reverse DNS entries, I started to see a lot of Tor exit node
sorts of information, which caused me to jump very quickly into looking at the Dan Tor nodes UK list
and doing a mashup to see how many of those IPs actually were showing up as Tor nodes,
which ended up being right around 25%, as I reported and as other people have reported.
What's the insight to be gained from that percentage of Tor nodes?
So I think there are a couple really important takeaways for me in that high-level analysis,
and that is, you know, in 2017, there's a lot of really cheap, easy-to-use virtualized
infrastructure out there. Services like Scaleway and DigitalOcean will let people stand up a server
within minutes
and they can attack targets at will. And then they can take that infrastructure down and then
the next day somebody else is using that IP for something completely legitimate. And so the key
concern for me is we've had a big focus over the last five years or so on information sharing
within our community. Time matters now. So this IP address was known to be bad during these couple
of minutes, but before or after that, it doesn't matter anymore. And unless we figure out how to
solve that problem, we end up with this problem in these cyber indicators that I'm calling noise,
where we saw it with the Vermont power utility, where when you search for those indicators on
your system, you get hits and you're like, oh no, we've been hit by the Russians. And then you
actually look back through and you say, no, this was actually something different.
And so how do we get that noise out of the system? And I'm really passionate about this
noise issue because everybody assumes that companies around the world have analysts sitting
at a table that are looking at these shared indicators that are saying, OK, this is good,
this is bad. But the reality is only the largest of the large companies
have teams of analysts that can do that work and can manage through those false positives.
Everybody else is kind of left at the mercy of trying to trust that data. And when they can't
trust that data, it actually causes more harm than good. Do you think there's an issue with
chasing shiny objects, you know, as opposed to basic blocking and tackling? Absolutely. Yeah, I think it's very easy. Again,
just like there are a lot of products out there that are focused on really hard problems that do
a great job. I'm not disparaging these products because they do a great job of addressing very
sophisticated threats. This creates the shiny object problem where it's you need to do these five things.
You need to do these 10 things. You need to do these these 15 or 20 security controls.
But the problem with kind of boiling down cybersecurity risk into the top five, top 10, top 20 is every company is different.
And if you just say these top 20 things are the most important to focus on and you're
going to manage 80 percent of your risk the adversaries are just going to move to something
else and the companies will have spent all their time money and energy kind of solving risk when
the adversary just moves around them this isn't about just putting a technology control in place
this is about managing risk to a company. And that's not necessarily a core IT function.
Us IT folks are good at solving problems with technology, but we also create other problems
and we miss things. I'm curious, I'm going to switch gears a little bit. I'm curious about
your experience in the White House. Yeah, so it was quite an interesting experience. I got there in probably September of 07, and I was there through March of 09.
And so it's a little over eight years ago that I started.
And I got to go through an amazing but traumatic experience called presidential transition, which a lot of folks are going through right now.
And there are so many things that happen behind the scenes that people don't realize.
And this is the largest peaceful transfer of power in the world, and it's a pretty phenomenal event to watch.
But from a technology perspective, if you think about every IT system that's at the White House, whether it is the system that's storing the president's diary to email to file stores and everything is subject to records requirements under the Federal Records Act or Presidential Records Act.
And for those things that are subject to the Presidential Records Act, which are all the political appointees information, that has to be off the network by the time the inauguration happens.
And you all were doing, you know, you were blazing a trail there when you were there.
Yes. Yeah. I think what's really fascinating to me about presidential transitions and the last
couple, you know, when we think about eight year time gaps, if you think about the technology
advancements that happen in eight years. So when President Bush took over from President Clinton,
there was Lotus Notes in place and there was limited mobile capability.
And then you fast forward eight years and everybody's on BlackBerrys and you're talking web apps and all of the advancement that happened in just eight years.
And to manage to see that change that happens in those eight year increments is incredible. And the stuff that the folks for the Obama administration are dealing with now with, you know, social media engagement and all of the other online applications
and data stores that have to be archived and backed up because it's a part of our
American history story. It's just incredible to see that speed of change in technology that happens.
That's Vince Crisler from Dark Cubed.
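The enrichment Crisler describes above (reverse DNS on the published indicator IPs, grouping the resulting names by top-level domain, domain and subdomain, and cross-referencing the IPs against a Tor exit node list to find that roughly a quarter were exits) is easy to reproduce in a few dozen lines, and the same data makes his "time matters" point concrete: an indicator tied to rented or shared infrastructure is only evidence for the window in which it was observed. The script below is an added illustration, not Dark Cubed's tooling. The indicator IPs, their sighting times, the PTR answers and the Tor exit windows are all constructed sample data (documentation address ranges, example.* hostnames) so it runs offline; `live_resolver` shows where a real `socket.gethostbyaddr` lookup would go, and the Tor list format (IP plus first-seen/last-seen) is an assumption rather than the exact layout of any published list.

```python
"""Indicator enrichment sketch: reverse DNS, hostname hierarchy, Tor exit overlap, and
time-bounded triage of log hits. Added illustration; all data below is constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import socket

# Constructed sample: indicator IPs in RFC 5737 documentation ranges, each with the
# time the indicator was reported as malicious.
IOC_SIGHTINGS = {
    "192.0.2.10": "2016-06-01T10:00:00Z",
    "192.0.2.11": "2016-06-01T10:05:00Z",
    "198.51.100.20": "2016-07-15T08:00:00Z",
    "198.51.100.21": "2016-07-15T08:30:00Z",
    "203.0.113.30": "2016-08-20T12:00:00Z",
    "203.0.113.31": "2016-08-20T12:10:00Z",
    "203.0.113.32": "2016-09-01T09:00:00Z",
    "203.0.113.33": "2016-09-01T09:15:00Z",
}

# Constructed PTR answers standing in for live reverse DNS (two IPs have no PTR).
FAKE_PTR = {
    "192.0.2.10": "tor-exit-01.relay.example.net",
    "192.0.2.11": "vps-4421.cloud.example.com",
    "198.51.100.20": "mail.campus.example.edu",
    "198.51.100.21": "tor-exit-07.relay.example.net",
    "203.0.113.30": "vps-9910.cloud.example.com",
    "203.0.113.31": "host31.isp.example.com",
}

# Constructed Tor exit list: IP -> (first seen, last seen). The real-world lesson is
# that an exit's window rarely lines up with when the indicator was collected.
FAKE_TOR_EXITS = {
    "192.0.2.10": ("2016-05-01T00:00:00Z", "2016-06-30T00:00:00Z"),
    "198.51.100.21": ("2016-07-01T00:00:00Z", "2016-08-01T00:00:00Z"),
    "203.0.113.33": ("2016-10-01T00:00:00Z", "2016-12-01T00:00:00Z"),  # exit, but not at sighting time
}

VALIDITY = timedelta(hours=48)  # assumed window in which an IP indicator is still meaningful


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def live_resolver(ip):
    """Real reverse lookup; unused by default so the script stays offline."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def reverse_dns(ip, resolver=FAKE_PTR.get):
    """PTR name for ip, or None. Pass resolver=live_resolver for real lookups."""
    return resolver(ip)


def split_hostname(name):
    """Naive (tld, registrable domain, subdomain) split. It does not consult the
    public suffix list, so names like host.example.co.uk would be mis-split."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return (labels[-1], name, "")
    return (labels[-1], ".".join(labels[-2:]), ".".join(labels[:-2]))


def hosting_summary(iocs, resolver=FAKE_PTR.get):
    """Indicators per registrable domain; IPs without a PTR land in 'no-ptr'."""
    counts = Counter()
    for ip in iocs:
        name = reverse_dns(ip, resolver)
        counts[split_hostname(name)[1] if name else "no-ptr"] += 1
    return counts


def tor_overlap(sightings, exits=FAKE_TOR_EXITS):
    """(fraction ever listed as a Tor exit, fraction that was an exit at sighting time)."""
    ever = at_time = 0
    for ip, seen in sightings.items():
        if ip in exits:
            ever += 1
            first, last = (parse_ts(t) for t in exits[ip])
            if first <= parse_ts(seen) <= last:
                at_time += 1
    return (ever / len(sightings), at_time / len(sightings))


def triage_hit(ip, event_time, sightings=IOC_SIGHTINGS, exits=FAKE_TOR_EXITS):
    """Classify a log hit on an indicator IP instead of treating every hit as a breach:
    shared Tor exits are weak evidence on their own, and hits far outside the
    sighting window are the 'noise' the interview warns about."""
    if ip not in sightings:
        return "unknown"
    if ip in exits:
        return "shared-tor-exit"
    delta = abs(parse_ts(event_time) - parse_ts(sightings[ip]))
    return "in-window" if delta <= VALIDITY else "stale"


if __name__ == "__main__":
    print("hosting:", dict(hosting_summary(IOC_SIGHTINGS)))
    ever, at_time = tor_overlap(IOC_SIGHTINGS)
    print(f"tor exits ever: {ever:.0%}, at sighting time: {at_time:.0%}")
    print("hit on 203.0.113.31 in December:", triage_hit("203.0.113.31", "2016-12-01T00:00:00Z"))
```

With the constructed data, three of eight indicators were Tor exits at some point but only two were exits when the sighting was recorded, and a December hit on an indicator sighted in August comes back as stale rather than as an alert. The point of keeping the sighting time next to the IP is exactly the one made in the interview: without it, a shared-infrastructure indicator cannot be distinguished from a live one.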
And that's the Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.