CyberWire Daily - Lebal's layered approach to infection. Cryptominers are becoming a big problem. Tracking influence ops. Dutch intelligence spotted Cozy Bear early. Exploiting password recovery.

Episode Date: January 26, 2018

In today's podcast, we hear how Lebal malware steps its way through layered defenses. Cryptocurrency mining campaigns go after Monero with XMRig, WannaMine, and other toolkits. It's not a victimless crime, either: CPUs can be rendered effectively unusable. Influence operations are tracked in Twitter and Facebook. Dutch intelligence services penetrated Cozy Bear and shared warnings with allied services. Russia demanded, and got, source code access as a condition of doing business. Dale Drew from CenturyLink shares his outlook on 2018. Stacey Higginbotham, host of the Internet of Things Podcast, chats about IoT security. A creep exploits password recovery utilities.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Transcription by CastingWords. ...and got source code access as a condition of doing business. Stacey Higginbotham from the Internet of Things podcast shares her views on IoT security and a creepy exploit of password recovery utilities. I'm Dave Bittner with your CyberWire summary for Friday, January 26, 2018. Layered defenses in depth that involve a complementary mix of automated tools, user awareness, and
Starting point is 00:02:50 human analysts and watchstanders, have for some time been the default best practice in enterprise security. But of course, as is always the case in conflict, defenders are up against adversaries who observe, orient, decide, and act, tuning their attack to the defender's vulnerabilities. Researchers at Comodo Threat Research Labs are reporting an interesting campaign that constitutes a kind of layered attack designed to get around layered defenses. Comodo calls it a complicated chain to bypass technical security means and deceive human intelligence.
Starting point is 00:03:24 The malware involved is called Lebal, and as so often happens, infection begins with a phishing email. The phish bait presents itself as a message from FedEx, telling the victim that a package couldn't be delivered because it exceeded a non-existent free-delivery limit. If you want your package, the email explains, you must go pick it up from a nearby outlet. To do so, you must click a link to download a label you'll need to present in order
Starting point is 00:03:50 to get your parcel. The link, of course, is malicious, and it's disguised as a Google Drive link. The hackers have presented plenty of reassuring markers in the address bar, like "secure" and "HTTPS" and "drive.google.com". And the label itself appears to be an Adobe Acrobat document, but the malware payload it carries scans the infected machine and steals all manner of information: cookies and credentials, email, instant messenger clients, and, in a big payoff, it looks for cryptocurrency wallets it can rifle. The researchers say the campaign is targeting some 30 email servers. It's connected to an IP address and domain in São Paulo, Brazil. Cryptocurrency mining shows no signs of slacking off.
Starting point is 00:04:37 Right now, the criminal world seems to have shifted its attention from Bitcoin to Monero. The XMRig campaign, being followed by Palo Alto and others, has now infected more than 15 million users with unwanted mining software. XMRig misuses URL shortener Bitly to hide red flags from users it seeks to induce to click malicious ads. Other mining campaigns are in full swing. Security company Dr.Web reports that Windows systems running some versions of the Cleverence Mobile SMARTS server, a legitimate Russian product that automates various industrial and logistical processes,
Starting point is 00:05:15 are being infected with malicious DLL files that mine Monero. Trend Micro is following a similar campaign against Apache Struts and DotNetNuke servers, and Palo Alto Networks is tracking a mass effort to infect individual users through file-sharing sites, retail rather than wholesale infestations. Panda Security describes WannaMine, which is fileless malware used in what are being characterized as smash-and-grab attacks. As its name suggests, WannaMine makes use of the same exploits as WannaCry, but instead of encrypting files,
Starting point is 00:05:53 it worms its way into systems to install a miner. Perhaps you're tempted to ask, well, what's the big deal? Sure, I'd rather not be running some random guy's program on my device, but after all, I'm not always using that CPU power, and they're not stealing anything from me anyway. No harm, no foul, right? Well, no, generous live-and-let-live soul. These miners and others like them aren't a relatively harmless nuisance. They burn power, of course, and they also hog more CPU resources than you might imagine. CrowdStrike warns that mining is so computationally intensive that it routinely
Starting point is 00:06:25 renders affected CPUs unusable. Turning to news of information operations, the British Parliament is dissatisfied with what many MPs take to be Twitter's evasiveness over how its platform may have been used to influence the UK's Brexit vote. Facebook reports its introspective conclusion that Russian agents were found behind 129 promoted events during the election cycle. Dutch intelligence services are reported to have penetrated Cozy Bear before the FSB threat actor hit the U.S. Democratic National Committee. They shared warnings with their American colleagues. Symantec, SAP, and McAfee are reported to have submitted source code for inspection by Russian security organs. Such inspection was apparently a precondition for doing business in Russia.
Starting point is 00:07:16 This has disturbed observers because of the possibility that such inspection might reveal exploitable vulnerabilities. Finally, in news of crime and punishment, one Mr. Jonathan Powell of Phoenix, Arizona, has received a prison sentence after his conviction in a case involving his intrusion into university students' email and social media accounts. He gained access to a utility IT staffs use to help students when the students forget their passwords. And why?
Starting point is 00:07:46 He was looking for explicit pictures female students might have cached in their accounts. Creepy, yeah, and well-deserving of a sabbatical in the big house. It's also bizarre. With all the free adult content on the internet, it seems the stalking had to be part of the thrill Mr. Powell was after, because it seems unlikely this represented a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:08:43 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:09:08 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform... Thank you. Protect your executives and their families 24-7, 365 with Black Cloak.
Starting point is 00:10:25 Learn more at blackcloak.io. And joining me once again is Dale Drew. He's the Chief Security Strategist at CenturyLink. Dale, welcome back. Happy New Year. Happy New Year. Thank you very much for having me. Good to have you back. What are we in for this year, Dale? What are your thoughts?
Starting point is 00:10:46 What do we need to batten down the hatches and be ready for? Well, you know, I think 2018 is going to be a very interesting year from a cybersecurity perspective. I would call 2017 sort of the tipping point with regards to security. You know, we saw a migration from bad guys mostly focusing on obtaining reputation, you know, getting a name for themselves, to the community finding a way to make revenue from attacks. Not just the professionals, but pretty much anybody. We saw a lot more people focusing on the revenue side of collecting from victims than we've ever seen before. I think that another thing is we saw with regards to the level of sophistication in attacks that were previously reserved for nation states, we're seeing a much more commodity of sophistication being available to the bad guys.
Starting point is 00:11:40 So, you know, things like the Mirai botnet, that botnet has been modified so many times to be able to take advantage of that sort of ecosystem and that infrastructure, but then be able to tailor it to specific sort of attacks and specific sort of campaigns for the more commodity attacker. And then we're also seeing victims who just – well, I want to say this politely. Victims are paying to reduce the nuisance factor. They're not necessarily interested in solving the overall solution for the ecosystem. They just want the problem to go away. So when they get hit with a ransomware attack, they're not interested in participating in the global excursion of how to stop ransomware. They just want the ransomware off their system
Starting point is 00:12:25 so they can get back to business. So we saw a pretty large explosion in people paying for DDoS extortion, people paying for ransomware extortion, and then typically coming to us after the second or third time that the bad guy goes back to the till to get more money. How much of that do you think
Starting point is 00:12:44 is looking to minimize reputational damage? Oh, I think it's almost exclusively dedicated to protecting that company's brand and making sure that they can get back to the business of doing business. When desktops are encrypted and your end users, your employees, cannot conduct business, that's going to get noticed very, very quickly by your customers and by your investors and by the outside public. And so they want that to be reduced or eliminated as quickly as possible to get back to the business of doing business. So this idealized notion, you know, the good guys always say don't pay the bad guys. When it comes down to it, from a practical point of view, sometimes people still choose to pay the bad guys.
Starting point is 00:13:29 Absolutely. And we're seeing a very sharp increase in that, which means that there's much more motivation for the bad guys to increase ransomware. If you remember in 2017, we saw one of the first spam-based ransomware attacks where instead of targeting specific companies and specific industries, we saw bad guys essentially, you know, flash mob ransomware out to as many victims as they possibly could, expecting only a small percentage of people to pay, but getting a pretty large payout in the end. And they were surprised, just as we were, that it was a fairly large number of people who ended up paying for those ransomware attacks. And we now expect to see a lot more ransomware, spam-based, botnet-driven sort of attacks to occur in 2018. Do you suppose this is a year we're going to gain any ground?
Starting point is 00:14:16 Well, I do think that we're sharing more information across the community better and faster than we ever have, that we've seen a step function of evolution from the bad guys from 2016 to 2017, and not a step evolution in response from the good guys. And so, you know, the good guys are scrambling to be able to, you know, collaborate together to find that step function to get ahead of this. Whereas we were a step either ahead or a step behind the bad guy, we're now several steps behind the bad guy, and we have to catch up. All right. Dale Drew, thanks for joining us. All right. Thank you for having me. And don't forget to check out our special edition covering what you might expect in 2018 from cybersecurity. It's on our website. You can also find it in your
Starting point is 00:15:04 podcast feed. My guest today is Stacey Higginbotham. She's a journalist and producer and host of the Internet of Things podcast, a weekly exploration of all things IoT. She's got a weekly IoT newsletter as well, which you can sign up for on her website, iotpodcast.com. Why don't you start with the origin story there? What brought you to start the podcast? I was forced to many, many years ago at GigaOM. One of our colleagues was like, hey, you know what? You should start a podcast. I was like, oh no. But I did it and we decided to do the Internet of Things. This was probably back in, oh goodness, 2013. So a long time ago. And I started doing it
Starting point is 00:15:54 and he was like, you are terrible all by yourself. You need a co-host. And so my colleague at the time was Kevin Tofel. And he was like, I'll do it. That's how it started. It's not very glamorous. And then when GigaOM went under, Kevin and I were having so much fun. Plus, we were kind of traumatized by the loss of our livelihoods. So we were like, you know what? Let's keep the podcast going. So we started it up again. And even when I was working at Fortune, I was still doing the podcast on the side because
Starting point is 00:16:18 it was super fun. And then I decided to really focus in on the Internet of Things. And Fortune was kind of like, eh, we're not that into it. So I was like, let's do the podcast full time. And so far, it's worked. Yeah. Well, one of the things I like about your show is that there's something for everyone. You have stuff for consumers and you have stuff for enterprise folks.
Starting point is 00:16:39 And you even dig into how IoT works in your own life with your family. It's true. I am a really technical person, although I'm not like a computer scientist. And I love learning how things work. So I think that that's kind of the spirit Kevin and I both approached the show with. And we really believed and have since the very beginning that you have to try this stuff because marketers are going to market. And Lord knows that in the real world, tech products often behave badly. And from a security point of view, what sorts of things are on your radar? What are some of
Starting point is 00:17:15 the things you think we need to pay attention to? I am still searching for a good security model for the Internet of Things. I feel like, so I've been in this space for two decades, this space being just technology. I've covered chips and cloud and data and all kinds of other stuff. So I feel like we had, we came up with some decent models with the cloud, but we don't have something for IoT, for edge-based devices that are low in resources, so very tiny sensors. We don't have, and we don't have a way to scale out security programs to the masses. And the Internet of Things is bringing in a lot of companies that have never worried about cybersecurity or IT security before into this world. And we have to make it easier for them. So we have to have set standards and we
Starting point is 00:18:07 don't. I really actually am one of the people who believe that the government should set some standards here because absent those, you don't know what goal you're working for. So someone, UL will say something's secure, or another lab will say something's secure. But really, as a consumer, or even as an enterprise software device buyer, you don't actually know what matters there. And right now, the burden is all on the consumers, and it's not cool. What sort of policy framework would you like to see?
Starting point is 00:18:44 Oh, that is the killer question, because I still don't think we have a security model. And that's where I'd like to start. So I don't know how we actually go about doing this. Is there like a security API that you can just put on a device? There's so many companies offering like an agent. There's a really interesting startup I just talked to called Vidu. And they're trying to build, oh man, they're trying to just attack the problem from everywhere at once. So it's difficult, but they're trying to build a list of, they're trying to tier devices, and then they're trying to build a list of vulnerabilities, known vulnerabilities and best practices for each class of device. And they're pulling in your device firmware and then data on what it's supposed to do to categorize it and then
Starting point is 00:19:25 send you that information. The end goal is to have an agent running on your device from them in a non-production, like in a test QA environment. And that agent's just going to keep reporting back as things change in, you know, threat detection, vulnerabilities, the software of the device. And so something like that seems really interesting, but it also seems really hard coming from a startup, right? Yeah. So that and blockchain. So there's some really interesting blockchain models, but I'm still not convinced that that's
Starting point is 00:19:59 but it's closer because it's decentralized and authenticated. Does that make sense? I'm not trying to just throw buzzwords out there. Yeah, no, no, no, I understand. So looking ahead towards this coming year, what are the things that excite you? What are you looking forward to? I'm looking forward to hopefully things becoming more automated, more context coming into my smart home stuff. I'm looking forward to better data privacy practices brought about in part by
Starting point is 00:20:28 companies trying to comply with GDPR. I'm looking forward to seeing the next crazy level of devices that people are coming up with. Like computer vision has come so far. So I'm like, oh, what are we going to be able to do with that? So in addition to consumer facing things, you focus on the industrial side of things. What's got your attention on that side? I think the biggest thing is applying that security model I talked about earlier, figuring out something for that side, because those guys, they don't have an IT staff that does security and their cybersecurity efforts are geared in a slightly different direction. So I actually think both sides could learn from each other.
Starting point is 00:21:12 On the industrial side, I think they could learn more about agility and over the air updates and things like that. On the IT side, I actually think there's a lot of really good best practices that the industrial side already does. So they actually do a lot of training with their employees aimed at cybersecurity. So, you know, talking about the information they post online, telling, talking to them and training them on that, which I think is really valuable and probably should happen everywhere. So that's one. And then the other thing I would say for the industrial side and the enterprise side is we need to figure out a way to put security in on the manufacturing side of devices.
Starting point is 00:22:07 And we need to get some accountability among people in the supply chain to actually say, hey, wait, I just saw that you did this, and that is not a great implementation. You know, we need to get more communication along the supply chain and push back between manufacturers building up to a connected product there. That is Stacey Higginbotham. She's a journalist and producer and host of the Internet of Things podcast. You can find her show on iTunes and also at IOTpodcast.com. Check it out.
Starting point is 00:22:40 And we'll have an extended version of this interview on our Patreon page. That's at patreon.com slash the cyber wire. Our supporters get first act. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing Bye. and keep your company safe and compliant. Access to it, and then in a few days, everyone can check it out. We hope you will.
Starting point is 00:23:40 And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
Starting point is 00:24:46 That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
