CyberWire Daily - Olympic Destroyer took its time, compromised the IT supply chain. NotPetya attribution. Coin scams. Coin miners. Botnets old and new.

Episode Date: February 15, 2018

In today's podcast we hear that Olympic Destroyer may have started with a supply-chain compromise back in December. The British Foreign Office blames Russia for NotPetya pseudoransomware, and the Russian Foreign Ministry says they didn't do anything. Trend Micro researchers find a new Monero cryptomining campaign underway. Coinherder phishes in alt-coin wallets. The Satori botnet has expanded its target list. A new IoT botnet, DoubleDoor, gets into routers with a one-two punch. Ben Yelin from UMD CHHS, on New Jersey taking on the FCC and net neutrality. Guest is Scott Register from Ixia on security issues with the coming 5G cellular rollout. And the LoopX ICO vanishes into thin air.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Olympic Destroyer may have started with a supply chain compromise back in December. The British Foreign Office blames Russia for NotPetya pseudo-ransomware, and the Russian Foreign Ministry says they didn't do anything.
Starting point is 00:02:08 Trend Micro researchers find a new Monero crypto-mining campaign underway. Coinherder phishes in altcoin wallets. The Satori botnet has expanded its target list. A new IoT botnet, DoubleDoor, gets into routers with a one-two punch. And the LoopX ICO vanishes into thin air. I'm Dave Bittner with your CyberWire summary for Thursday, February 15, 2018.
Starting point is 00:02:38 The hacking of the Winter Olympics appears to have been under preparation at least since December. Investigations suggest that the Games' cloud provider, Atos, may have been compromised two months before the Olympics opened. Atos has brought in McAfee to help with its investigation. There appears to have been a reconnaissance phase late last year in which Atos credentials were illicitly obtained and used to prepare for this month's attacks. This is consistent with Cisco's Talos unit's findings.
Starting point is 00:03:06 Malware used in the Olympic Destroyer campaign has turned up in VirusTotal, uploaded by unnamed users in France and Romania. Atos is headquartered in France and has significant offices in Romania. The company has confirmed, with McAfee's help, that some of its credentials were hard-coded into the Olympic Destroyer malware. The campaign is now generally regarded as an IT supply chain attack. It's worth noting that the disruption does not seem to have extended to the management of the Games themselves. Events have gone off as planned, and scoring and timing systems show no signs of tampering.
Starting point is 00:03:42 There is no unambiguous evidence that would support attribution, but speculation continues to point toward Russia on grounds of motive and opportunity. The British Foreign Office has directly attributed last year's NotPetya pseudo-ransomware campaign to Russia. Officials have also warned the Russian government that the UK will not tolerate another disruptive attack. Russian representatives dismissed the attribution as Russophobia.
Starting point is 00:04:08 The UK has been deliberate in its attribution. Ukraine was, unsurprisingly, first out of the gate to blame Moscow, and US official opinion has tracked Ukraine's since last summer at least. The 5G mobile network is being prepped, tested, and rolled out, and it promises speed and convenience. But what about security? We checked in with Scott Register, Vice President of Product Management for Cloud and Security Products at Ixia, a Keysight business, to learn more. The ultimate goal of 5G is to basically converge all of the networks that you think about today, mobile, wireline, wireless, Wi-Fi, and what we think of as 4G or LTE, all of those different ways that you access
Starting point is 00:04:56 the network today in different environments and for different purposes, 5G should ultimately sort of subsume all of those so that there is one very high speed access mechanism that's available sort of anytime, anywhere. That's the goal. You have all these different things that are available on top of a shared infrastructure. One of the nice things about 5G is that, at least to get started, the providers can reuse a lot of the basic 4G infrastructure that they've built out now, and especially the service providers who have started to invest, especially in FV and SDN to help them scale and automate. Those can move more quickly. like especially in FV and SDN to help them scale and automate, those can move more quickly.
Starting point is 00:05:51 But I think even late 18, early 19, you'll start to see kind of initial things at least build as 5G. Although I think it's going to, in reality, it will take multiple years, much like the transition from, if you think about the transition from 3G to, you know, 4G slash LTE, there are lots of kind of marketing claims around that. Oh, we've got the first network. Well, it wasn't really full, you know, LTE, even though it claimed, you know, 4G. So you'll see a couple of years involved in the rollout, but I think we'll start to see things at least marketed that way even late 18. And so from a security point of view, I would imagine as we've gone through the various versions of wireless data technology, security has become more and more front and center.
Starting point is 00:06:42 Are there any specific technologies in 5G that improve the security posture of it? Yes and no. There are some technologies being applied, but because of the scale, right? If you think about replacing all these different networks, you know, the network in the coffee shop, the network in your house, the network in your office,
Starting point is 00:07:01 network in the hospital, if you replace all of those with kind of one big network, management becomes difficult just because of the sheer scale. So automation becomes very, very important. And so you'll have an automation layer that sits on top of your virtual devices, you know, NFV devices, because those you can provision and tear down very rapidly, as well as SDN, you know, for flexible kind of plumbing between those. comes online, I want to provide end-to-end encryption and provision that through my network from that device. Maybe it's just to the egress of the network, or maybe it's all the way back to the auto manufacturer's site or into their service cloud. Maybe certain types of devices, I want to do device authentication. I want to do some very strong authentication to make sure that this particular, I don't know, pacemaker is exactly the one that I think it is.
Starting point is 00:08:12 And so it's not so much a new technology. It's just more kind of widespread and standardized adoption of a lot of the technologies that we have today, but in a standardized way and spread across the network. Now, the kind of counter to that is getting that security right becomes really, really important because of the two things we've talked about. One is the sheer scale, the number of devices that are on the network. And two is that shared infrastructure concept. If you think about the biggest IoT denial service attack that we know
Starting point is 00:08:51 of recently, like the Dyn attack that used DNS coming from vulnerable webcams, like IoT devices, right? That was a massive attack and it took down, you know, major DNS services on the East Coast, lots of companies offline. It was a big deal and it kind of leveraged this year's scale of IoT devices. Now think about that device count, which was maybe in the just tens of thousands and then multiply it out enormously. So maybe it's in the millions or it's in the hundreds of millions. Think about the scale of what that kind of attack could look like, coupled with the fact that the network is not isolated, meaning, yeah, the internet is big and it's important to us, but
Starting point is 00:09:36 you can maybe still talk to people inside your building, even if the internet is down. You can still make phone calls from your phone even if DNS is down for major parts of the country. But if whatever security, a denial of service attack, maybe a denial of service attack, but not exactly looking the way that we think of one today, if that is able to impact not just the slice of the network that you're on, but the actual infrastructure that's providing services for all of these different slices, then that's a really bad thing, right? Because someone launches a denial of service based on some car network over here, and suddenly people's healthcare devices go offline, or they can't unlock their doors, or they can't get into their buildings, or they can't read email or whatever.
Starting point is 00:10:26 That becomes a really big deal. So how we apply that security and how we make sure that it protects the infrastructure that underpins all of these different provision networks, as well as provide security for the end devices, provide things like end-to-end encryption. Yeah, that becomes even more important than it is today. That's Scott Register from Ixia. We have an extended version of our interview on our Patreon page. Our Patreon supporters get first access to it, and then in a few days, it'll be available for everyone.
Starting point is 00:11:01 That's at patreon.com slash the cyber wire. Researchers at security firm Trend Micro report that their sensors have detected vulnerability That's at patreon.com slash the cyberwire. criminals, probably because it's relatively easy to pull off, even if the payout seems, if reports are to be believed, relatively small. The big money seems to be in straightforward scams. In one such campaign, Coin Herder is now under investigation by the Ukrainian police with an assist from Cisco. Coin Herder is a complex phishing operation that uses Google AdWords to poison search results in ways that induce victims to give up access to their wallets, which the criminals then proceed to loot.
Starting point is 00:11:50 Losses from Coinherder are said to run to some $50 million. Botnets continue to be used for various criminal purposes. The Satori botnet is evolving, according to security firm NetLab360, and now affects routers made by South Korea's Dasan Networks. This development is regarded as serious by observers, if only because it's unlikely that the routers will ever be patched. The SecuriTeam Vulnerability Disclosure Service, part of the firm Beyond Security, told Ars Technica they tried without success to contact Dasan in October. Dasan has so far
Starting point is 00:12:25 not commented, but about 40,000 routers could be susceptible to Satori. Satori, you'll recall, is a variant of Mirai. And researchers at New Sky Security say that their honeypots have detected the formation of a new IoT botnet. This one is being called Double Door because it chains two exploits to bypass a firewall and compromise a router. The first backdoor, which is CVE-2015-7755, affects the firewall, Juniper Network's net screen. The second, CVE-2016-10401, enables privilege escalation to obtain a superuser account on Zyzel PK501Z devices. Both vulnerabilities are of course known and have been addressed by the vendors, but a large number of susceptible devices remain unpatched.
Starting point is 00:13:16 And finally, we all like transparency, right? There's been another initial coin offering scam reported, and people have thought for a while that the startup involved lacked transparency. LoopX, which may have been a cryptocurrency exchange, had promised a proprietary algorithm yielding great profits continually every month. What that algorithm, which they called the Loop algorithm, actually did was unclear. So LoopX lacked transparency. But over the weekend, it achieved a different kind of transparency by vanishing into thin air, and everybody now sees right through it.
Starting point is 00:13:52 Investors in the ICO are left sadder but wiser, to the tune of some $4.5 million. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:14:33 Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:15:26 That's vanta.com slash cyber for $1,000 off. In the thick of the winter season, you may be in need of some joie de vivre. Well, look no further, honey, because Sunwing's Best Value Vacays has your budget-friendly escapes all the way to five-star luxury. Yes, you heard correctly. Budget and luxury all in one place. So instead of ice scraping and teeth chattering, choose coconut sipping and pool splashing. Oh, and book by February 16th with your local travel advisor or at... And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:16:22 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Ben Yellen. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We had a story come by via The Hill, and this is about the New Jersey governor signing some net neutrality orders.
Starting point is 00:17:07 Now, of course, we've seen the FCC back off of net neutrality. So are the states taking matters into their own hands? So they're trying. There's a limit to what the states can do. So, of course, President Obama instituted regulations establishing net neutrality. The FCC overturned those regulations a couple of months ago, and that sort of left the void for proponents of net neutrality to kind of filter down to the states. New Jersey just elected a new governor, Phil Murphy, who signed an
Starting point is 00:17:38 executive order prohibiting all ISPs that do business within the state from blocking, throttling, or favoring web content. Now, this could potentially be legally problematic. Within the regulations laid out by the FCC are what are called preemption elements. And what preemption means is that there's something in the regulation that says states cannot regulate net neutrality beyond the scope of what's been regulated by the federal government and congress and federal agencies have the right to do that under our constitutional system if they write in that federal law preempts and federal law preempts where we sometimes see exceptions to that is when the state acts not as a regulator but as a purchaser so new jersey Jersey, in the course of its business,
Starting point is 00:18:26 has to purchase services from internet service providers. So for instance, they have to have internet access at the statehouse, and they have to have internet access at the DMV. So somebody is sending a check to Comcast or to AT&T. And what this executive order does is it says you are not eligible for these contracts if you throttle internet services, if you block web content. And not just to us, to anybody in the state. So it's not to anybody in the state. It's just as it applies to companies doing business with the government. And that's really the only power the state of New Jersey has here.
Starting point is 00:19:06 If they were to pass some sort of law banning net neutrality, the FCC would step in and say the preemption applies. This is a national issue. Congress has the right, and through the federal agencies, to regulate interstate commerce. This certainly falls under interstate commerce. They've chosen to preempt state action on this. But where the states do have a little leeway is in their own purchasing practices. And I think that's what the governor of New Jersey is trying to leverage here.
Starting point is 00:19:37 Now, a separate issue is that a bunch of states, state attorneys general, I always get that term incorrectly, are suing the FCC on the basis of overturning net neutrality. And that's a whole separate question. But until that's resolved, states can try to enact regulations. I think they're going to be subject to pretty strict preemption lawsuits from the FCC and the federal government. So they have to sort of use creative maneuvers to get around that preemption and using their power as a consumer in the market, as a purchaser, I think is a really strong way to do that. Interesting stuff. Ben Yellen, thanks for joining us. Thank you.
Starting point is 00:20:22 Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
Starting point is 00:20:53 can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
Starting point is 00:21:32 of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Thanks for listening. We'll see you back here tomorrow. Thank you. and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:22:28 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
