CyberWire Daily - Nation-state tensions in cyberspace over North Korean threats and presumably Russian cyberespionage. Locky returns. More pharma spam. Seleznev gets 27 years for carding.

Episode Date: April 24, 2017

In today's podcast we hear that cyberattack worries mount with international tensions over North Korea. France's first-round presidential elections conclude with two outsiders headed for the finals. WikiLeaks' and ShadowBrokers' leaks find their way into the criminal wild. US shows renewed interest in prosecuting WikiLeaks' Assange. Locky ransomware is back from the dead. SMSVova spyware kicked out of the PlayStore. More Canadian pharma spam. Emily Wilson from Terbium Labs describes the unintended consequences of "spectacle" attacks. Seleznev gets 27 years for carding. And notes on some less-than-fully-successful criminals.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Cyber attack worries mount with international tensions over North Korea. France's first round presidential elections conclude with two outsiders headed for the finals. WikiLeaks and Shadow Brokers leaks find their way into the criminal wild. The U.S. shows renewed interest in prosecuting WikiLeaks' Assange. Locky ransomware is back from the
Starting point is 00:02:16 dead. More Canadian pharma spam. Seleznev gets 27 years for carding. And notes on some less than fully successful criminals. I'm Dave Bittner with your CyberWire summary for Monday, April 24, 2017. Concerns about cyberattack, as usual, follow in the train of rising international tension. This can be seen currently as U.S. worry about North Korean hacking prompts conversations about U.S. vulnerability to cyberattacks directed by Pyongyang. Kaspersky has been reminding the world that the Lazarus Group, implicated most famously in the partially successful funds transfer fraud committed against the Bangladesh Bank in February 2016, is connected to the North Korean regime by strong circumstantial evidence.
Starting point is 00:03:07 The U.S. has also accused Pyongyang of the November 2014 Sony Pictures hack. While the Kim regime's recent talk has been decidedly kinetic, with much lurid propaganda involving promised missile strikes and widespread nuclear devastation, delivered for the most part in the characteristic model airplane aesthetic of Juche culture, that country's missiles are regionally dangerous but not yet capable of the promised havoc. Cyber attack is thought much more likely. A study HP conducted in 2014 remains a good guide to North Korean capabilities. The report estimated the size of North Korea's offensive cyberforce
Starting point is 00:03:45 as some 6,000 personnel, some of whom operate under clandestine illegal cover in foreign countries, China among them. Infrastructure targets, including well-defended financial networks and arguably more vulnerable power grids, are thought to be at risk. Small and unrelated power outages last week in New York, Los Angeles, and San Francisco are being talked about as cautionary examples. The disruptions all appear to have had accidental non-cyber causes, but they have underscored potential vulnerabilities in the grid. China's government is none too happy about North Korean behavior either, but their reaction is a complex one. An embargo on North Korean coal
Starting point is 00:04:25 exports, but also unhappiness over South Korean efforts to build up defenses against missile attack. China is specifically concerned, according to analysts at security company FireEye, about South Korea's deployment of missile defenses in the form of the Terminal High Altitude Air Defense, or THAAD, system. The PLA has targeted its cyber-espionage assets accordingly. The first round of France's presidential election concluded yesterday. The runoff will be between Emmanuel Macron and Marine Le Pen, both outsiders, both regarded as populists. No word yet on whether the feared foreign influence operations appeared in this election, but the finals will be watched closely.
Starting point is 00:05:18 WikiLeaks' release of alleged CIA cyberespionage tools in Vault 7 continues to prompt concerns over the risk all enterprises face when such tools hit the wild. Similar concerns surround the presumably independent release by the Shadow Brokers of what the group claims are NSA tools. One of those, the DoublePulsar backdoor, affects large numbers of unpatched Windows machines worldwide, 36,000 according to estimates by security firm Below0Day. Countercept has released a tool that promises to determine whether a system has the DoublePulsar implant, and of course, users are advised to patch their systems. U.S. investigations of the apparent leaks proceed, but without much public comment about progress. The U.S. Justice Department has taken a renewed interest in indicting and prosecuting WikiLeaks' Julian Assange, still resident in Ecuador's London embassy. How he might be charged is still unclear.
Starting point is 00:06:06 Assange's attorneys position their client as a journalist and argue that his prosecution would be tantamount to an attack on press freedom. A former official who worked on the matter during the previous U.S. administration told Foreign Policy that, quote, the problem with the investigation was finding a case that you could bring against Julian Assange that wouldn't also apply to reporters from every major U.S. media outlet. Mr. Assange, it's worth noting, has taken refuge in the Ecuadorian embassy to avoid extradition to Sweden on charges unrelated to WikiLeaks.
Starting point is 00:06:40 Locky ransomware, recently given up for dead, is back. The revenant malware is being distributed by the newly active Necurs botnet. Experts agree that regular secure backup of files is the best thing you can do to protect yourself from the effects of a ransomware attack. You'll be inconvenienced, but you won't lose irreplaceable data. Google has booted SMSVova spyware from the Play Store. SMSVova cloaked itself inside a bogus system update app that promised users that it would keep their Android devices up to date. Researchers at security company Zscaler say that between 1 and 5 million users
Starting point is 00:07:16 downloaded the app over the past three years. SMS Vova was particularly interested in harvesting location data. Researchers at security company Encapsula reported finding a large and evasive spam campaign hawking counterfeit pharmaceuticals, the usual discount Viagra come on. More than 80,000 unique IP addresses are serving the spam. It's a large criminal campaign, the latest iteration of the Canadian pharmacy scam, long pursued by organized gangs, most of which appear to be headquartered in Russia and Ukraine. A U.S. court at the end of last week handed down the stiffest sentence on record, 27 years,
Starting point is 00:08:04 to Roman Valerievich Seleznev, Russian Carter and son of Valery Seleznev, an influential member of Russia's Duma. Seleznev was arrested while on holiday in the Maldives in 2014, extradited via Guam to Seattle, and convicted in August 2016. In mitigation, he unsuccessfully pleaded a difficult Vladivostok life, the details of which do indeed sound sad, his mother's death to alcohol poisoning, a bombing, an unpleasant divorce. Still, he had been something of a princeling. The Russian government, for example, took sufficient notice of his arrest to mount an ultimately unsuccessful campaign denouncing it as kidnapping, and the U.S. court apparently was more moved by the damage Seleznev's carding worked.
Starting point is 00:08:44 Many of his targets were small businesses, at least some of which were driven into bankruptcy by Seleznev's crimes. Two more stories of crime and punishment are worth mentioning, neither one a case of criminal genius at work. In one, a guy stealing smartphones at the Coachella Festival apparently forgot about Find My iPhone. He had about a hundred stolen devices in his backpack when he was collared. And in New York, it's come to light that the FBI, earlier this month, arrested an IT engineer on Wall Street for hacking into his employer's servers. The feds think he was stealing proprietary source code. The gentleman,
Starting point is 00:09:21 under official suspicion, said he was worried about his job and so was looking into people's emails to see if he was about to be fired. Fired he was, the very act taken to avert his fate, working to bring that fate about. It's like Dumb and Dumber, only written by Sophocles. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents,
Starting point is 00:09:58 winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:10:37 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations,
Starting point is 00:11:23 Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Starting point is 00:11:47 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Starting point is 00:12:32 And joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, you know, we had this story not too long ago about the emergency alert sirens in Dallas being set off. And it turns out this was not so much a cyber connectivity issue or anything like that. It was these sirens are triggered by an RF signal, a radio signal, and someone took advantage of the fact that these systems respond to those RF signals in the clear. There's really no protection against them. But you wanted to make the point, it brings up a good point that some people are out there to do things sort of for the spectacle of it, and that can have some unintended consequences. Absolutely. You know,
Starting point is 00:13:14 in this case, originally in the news, right, we saw, you know, people referencing a hack, as you described, right? So the immediate assumption there is something is wrong with, you know, someone has a laptop somewhere that they shouldn't, or there's something wrong with the software. Right. But it's interesting in this Dallas case that, you know, I think it's fair to suppose that whoever did it may have been just doing it for the laughs, or to sort of prove a point that they could do it. But there were some consequences. The 911 systems were overloaded for a period of time. And so people who had other types of emergencies may not have been able to get the services they get. And I suspect that that may have been an
Starting point is 00:13:55 unintended consequence of the person who did this. Sure. And I think you also saw a range of reactions from people in Dallas, right? I'm sure no one was happy it was happening, but you saw some combination of people being confused or making jokes to people being genuinely concerned, right? People being afraid, is this a terrorist attack? Is there something going on? Am I safe? And so I think, you know, these spectacles can definitely have unintended consequences. The same thing, you know, when we see certain types of data showing up, right, or certain types of exploits being traded around. You know, it's the step beyond vandalism. Sometimes people really want to make a splash,
Starting point is 00:14:33 and you think about something like the medical records being dumped after the Olympics from the World Anti-Doping Agency, right? Big spectacle, big conversation, but now you have personal information out there about all of these athletes that they can't change. It's not like a credit card. You can't reissue it. The spectacle is going to cause a lifelong problem
Starting point is 00:14:54 for some of these people. So the motivation of the people releasing those records may have been as simple as, oh yeah, watch this, without really thinking through or considering the long-term consequences for all the people who are innocent bystanders of a drive-by attack. Absolutely. And I think we're all wondering now,
Starting point is 00:15:14 are we going to see copycats of this Dallas-style siren fiasco? Are we going to see people poking at other things? What else can I do with radio frequencies? And maybe, hopefully, I suppose this will have kind of far-reaching impacts on conversations about things we never thought we'd need to encrypt. Right. Right. Yeah. I mean, these siren systems have been out there for 50 years or more, and this hasn't been a problem. And now everybody knows about it and knows how to do it. Does that mean they have, you know, steps will have to be taken
Starting point is 00:15:49 to lock them down, right? And what else, right? Besides the sirens, what else could be a problem? And how do we begin to, you know, think about this and allocate these resources? You know, what is this going to mean for other cities, smaller cities? You know, as you mentioned, right, when the 911 system shuts down, then you're not just talking about an annoying noise. You're talking about potentially life-and-death situations because someone wanted to have fun. Right. All right. Emily Wilson, thanks for joining us. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
Starting point is 00:16:32 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. Thank you. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you. platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to
Starting point is 00:17:58 your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
