CyberWire Daily - MalwareTech arrested over Kronos banking Trojan. "Bateleur" in the wild. Long DDoS hits Chinese telco. Russian influence operations no longer novel? FBI investigates HBO hack.

Episode Date: August 4, 2017

In today's podcast, we hear that security researcher MalwareTech has been arrested as the alleged author of the Kronos banking Trojan. Carbanak hoods release "Bateleur" into the wild, phishing in... chain restaurant waters. A long DDoS attack in China seems aimed at extortion. German elections prepare for Russian influence operations, but the novelty may have worn off Moscow's line. US states and DHS work toward cooperative cybersecurity. Emily Wilson from Terbium Labs on dark web gun sales. William Saito on Japan’s cyber security preparations for the upcoming Olympics. The FBI is investigating the HBO hack.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Security researcher MalwareTech is arrested as the alleged author of the Kronos banking trojan. Carbanak hoods release Bateleur into the wild, phishing in chain restaurant waters. A long DDoS attack in China seems aimed at extortion.
Starting point is 00:02:11 German elections prepare for Russian influence operations, but the novelty may have worn off Moscow's line. U.S. states and DHS work toward cooperative cybersecurity, and the FBI is investigating the HBO hack. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Friday, August 4th, 2017. It's said that what happens in Vegas stays in Vegas. Sometimes what goes on elsewhere stays in Vegas too. And sometimes it's you that does the staying.
Starting point is 00:02:56 You'll recall that WannaCry was impeded back in May when its kill switch was inadvertently tripped by a security researcher who registered a domain name mentioned in WannaCry's code. That researcher, Marcus Hutchins, or MalwareTech as he likes to be known, enjoyed a minor hero's triumph and has taken a few victory laps since. The most recent lap was a small celebrity reception at DEFCON last week in Las Vegas. Unfortunately, on Wednesday, things went south in a hurry for Mr. Hutchins, age 23. The FBI picked him up and arrested him on a computer fraud and abuse charge. The Bureau was acting on an indictment a Wisconsin federal grand jury filed on July 11th of this year. The indictment alleges that sometime between July 2014 and July 2015, Hutchins and a conspirator, whose name has been redacted from the court documents made available publicly, advertised, sold, and received payment for the Kronos banking trojan. Kronos first came
Starting point is 00:03:44 to light when it was offered for sale in Russian-language crimeware markets in July 2014. The asking price was some $7,000. Hutchins, who lives with his parents in Devon, England, is said to have been the author and maintainer of the malware. His name-redacted co-conspirator is alleged to have been the one who offered it for sale. Their preferred market was the recently shuttered AlphaBay.
Starting point is 00:04:14 The conspirators face six charges, one of computer fraud, one of wiretapping or aiding wiretapping, one of accessing a computer without permission, and finally three charges of creating and distributing wiretapping technology. Hutchins is expected to enter his plea in a Nevada courtroom today. The charges could add up to 40 years in club fed, although a sentence of between 5 to 10 years is thought likelier, should the innocent-until-proven-guilty Mr. Hutchins eventually be convicted. Few would be prepared to argue that Kronos or other banking Trojans are good things, but the case is not necessarily a slam dunk, according to legal commentary in the Washington Post by George Washington University law professor Orin Kerr.
Starting point is 00:04:52 The case may be an important one, since the indictment alleges violation of an infrequently used anti-wiretapping law. That law, 18 United States Code Section 2512, makes it a crime to make, sell, or advertise, quote, any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purposes of the surreptitious interception of wire, oral, or electronic communications, end quote. The government's theory holds that devising and selling the malware count as purveying such a wiretapping device,
Starting point is 00:05:27 and doing so with guilty knowledge that it will be used in a prohibited way. There's other news of crimeware today. The hoods behind the familiar Carbanak financial advanced persistent threat are circulating another crimeware tool. Bateleur is being used against targets in the hospitality industry. Bateleur, which is distributed as the payload of a phishing email, is said to take screenshots and steal credentials. Chain restaurants in the U.S. appear most affected. Kaspersky Lab reports that the biggest DDoS attack so far this year, in terms of duration, was experienced by Chinese telecom operators. The attack lasted
Starting point is 00:06:06 277 hours, or more than 11 days. The attacker's motive appears to have been extortion. German federal elections are scheduled for next month, and, of course, Russian intelligence services are expected to attempt to influence or otherwise undermine them. Observers think such attempts unlikely to succeed. For one thing, the element of surprise is gone, with influence operations already factored into public opinion. In the U.S., the Department of Homeland Security reports that 33 states and 36 local governments
Starting point is 00:06:38 sought cybersecurity assistance for 2016 elections. Longstanding, well-known roadblocks, secrecy and security clearances, continue to impede such assistance. In other U.S. news, investigations into Russian influence operations targeting the 2016 elections proceed as special prosecutor Mueller has moved to establish a grand jury, the administration is working to contain leaks, and Congress is making continued noises about misuse of intelligence collected against foreign targets, but which contained information about U.S. citizens. And finally, the HBO hack is now under FBI investigation. Despite corporate assurance to the contrary, many still fear email doxing.
Starting point is 00:07:23 The hackers have notoriously compromised unreleased Game of Thrones scripts. Security firms including Panda and ESET have warned people against downloading torrents containing stolen episodes, since torrents are notoriously polluted with malware. Some people complain that's a lot of security company FUD, and maybe they're right, but we know one thing. We'll just wait to watch the episodes over old-fashioned TV.
Starting point is 00:10:51 Joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, you wanted to share a story that came by recently about some gentlemen who were selling some guns online ended up being busted for that. Yeah, I think this really caught my attention. You know, I see headlines from time to time, typically in Europe of someone who's been caught with guns that they believed were purchased in the dark web or sometimes a vendor who's going to sell them. But what caught my attention recently was the story about a couple of vendors from the
Starting point is 00:11:22 old market, Black Market Reloaded. This has been down for ages. This is not new. It's been a few years now. And these couple of vendors, charges are just being brought now against them for having sold guns on the dark web. And it's a reminder that this does happen. It doesn't happen often. It is fairly rare, certainly relative to other kinds of information, whether other kinds of goods and services, whether credit cards or drugs or what have you. But interesting to see the long tail of that, see it come around. It strikes me that certainly here in the United States, guns are not hard to get, to buy or sell.
Starting point is 00:11:55 That's fairly easy to do. So what would drive someone to the dark web to set up a market there? Yeah, I think that's interesting. I think a couple of things that come to mind, not everyone is buying and selling in the U.S. So you may have a situation where it's really easy to get your hand on guns here, but, you know, makes more sense to sell them elsewhere. Or you may have people for whatever reason who would prefer to transact
Starting point is 00:12:23 in something like this on the dark web, whether they aren't sure how to tap into kind of a personal or local network, if they can't purchase guns for some reason somewhere else and see this as a good way to go about it, if they think this is going to be safer. I think there are some similar arguments for people who, you know, why would you choose to purchase drugs on the dark web? Guns are a little bit different, right? Most of these drugs are illegal. But I can certainly understand the appeal in theory of going through some sort of anonymous online service where it shows up at your door as opposed to needing to talk to that guy down the street. And yet, even being on the dark web, they attracted the attention of law enforcement. They do. They do. I saw something recently. I think it came out of the UK.
Starting point is 00:13:14 Signs of terrorism include activity on the dark web. So be careful using Tor. All right. Emily Wilson, thanks for joining us. My guest today is William Saito. He's the Special Advisor to the Cabinet Office for the Government of Japan in charge of science and technology and information technology policy. The Summer Olympics are coming to Japan in 2020,
Starting point is 00:14:29 and Mr. Saito has taken an active role in ensuring that Japan's cybersecurity posture is strong for the Games and beyond. In the last six months, I think the reality of the Olympics is really hitting us. And obviously there are a lot of things where our Cybersecurity Bureau has revamped the new laws so that we coordinate various related agencies so that not only is the IT aspect, but the OT aspects are covered synchronously. But the other thing that we're doing that we put into plan last year that's executed as of this spring is HR development in the area of cyber. So we've allocated several millions of dollars, 25 million or better, about getting an exchange rate to train cybersecurity professionals in this area, not just for the Olympics, but as a country in general.
Starting point is 00:15:23 Yeah, I saw in an article that you were quoted, you were talking about how when it comes to Japan, that it's not really a technical issue, that there are some human factors here. Yeah, and I think that's actually true for a lot of countries. For a country like Japan, we have a lot of great programmers. We have people that, you know, quote-unquote hack things and take things apart and are curious there. The issue that I see in many countries, but especially highly in countries like Japan, is the ability of the technical folks to communicate to the upper leadership and management type, and then vice versa. The unfortunate part in countries like Japan is lots of technical issues like cyber,
Starting point is 00:16:03 they try to pawn off and pretend that they don't know about because their studies may not have included anything in IT or science related. So I'm finding that it's important to really cross-pollinate between the sciences, aka the STEM people, and the humanities, aka the management leadership people, so that they can talk to each other. So they've established the Industrial Cybersecurity Center of Excellence. Tell us about that. Right.
Starting point is 00:16:30 So obviously we and most countries are lacking several thousands, if not tens of thousands of cybersecurity professionals. And since they don't form overnight, we had to pick and choose. And the area that we're focusing on with emphasis on the Olympics is the critical infrastructure that is either related or dependent on cybersecurity. Every country defines critical infrastructure differently, but you can assume, you know, the electrical industry, the finance industry and so on. The professionals there are required to not only maintain the integrity of the system, to be able to respond correctly, and to put a defensive posture in place that management can agree on. Are you in communications with any of the folks from Rio, Brazil,
Starting point is 00:17:13 or are there any lessons that have been learned from that Olympics? Yeah, so the Olympics has been a great opportunity. We've had our folks in the SOC at Rio. I was in discussions and know lots of people, and we have lots of technical exchange between people in London as well. So the IOC, but the Olympic community, no one wants to see a bad Olympics, but there are lessons learned, and there's no point reinventing the wheel. I think there are a lot of interesting outcomes, not only from Rio,
Starting point is 00:17:43 but all the way back to London, that we learned from and we're building upon and are obviously intended to share that to whoever follows on the Olympics. But yeah, it's actually a close group of CISOs and cybersecurity professionals that really work with each other prior to one's own game. So Japan's cybersecurity professionals have been working for more than four years with London and Rio. And is there a sense that you'll be ready? My concern is, speaking for Japan, not our ability to pull off the Olympics. I think, honestly, Japan will have a perfectly fine Olympics. It'll go smoothly. There won't be any really outstanding problems and stuff.
Starting point is 00:18:28 My real issue here is we're not doing cybersecurity for the sake of the Olympics. The Olympics is just one of the crossroads. And what I want to take and use this opportunity is, how do we become a more cyber-resilient country, and in doing so, that we can better utilize ICT and greater efficiency, greater productivity, especially in a country like ours, which is quickly aging and quickly shrinking. And so one of the things that you see in Japan, and McKinley around the Cabinet Office, are new posters. We have the Olympic posters, but the new posters say beyond 2020. And it's exactly that. What happens to us as a country after 2020? And I think IT and cyber will play a critical role in that. And it's not just preparing
Starting point is 00:19:19 for the Olympics, but what benefits do we reap post-Olympics? Japan is dealing with an aging population, as you mentioned, and a shrinking population, so there are going to be fewer people around to take care of that aging population, and so you'll have to rely on technology and the security that goes with that. Yeah, ironically, terms like artificial intelligence, robotics, machine learning, those aren't buzzwords here. Those are terms that we really need to apply and we really need to use. These aren't things that are going to be in our next generation cell phones. These are going to be taking care of our parents and grandparents.
Starting point is 00:19:54 Japan is, in some sense, going to be the most reliant on some of these cutting-edge technologies, not from a feature nice to have, but as a society must have. And in order to do so, it has to be safe and secure. So how do you not only create these safe and secure products and services, but vice versa, how do you create an environment that's safe and secure so that people can develop these new technologies and not have it go crazy or get sued because there's a breach or something? I mean, one of the things that we're trying to work on,
Starting point is 00:20:27 don't know if it will pass, but the next session of our parliament, we will be creating tax incentives for investments in cybersecurity. And hopefully that will alleviate some of the issues and costs that are associated with the hesitation for companies and people to implement this. Our thanks to William Saito. He's the special advisor to the Cabinet Office for the Government of Japan. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
Starting point is 00:21:08 I'm Dave Bittner. Thanks for listening.