CyberWire Daily - Olympic Destroyer updates. Cyber forecasts from the US Intelligence Community. Patch notes. Cryptojacking and coin mining. Ad blockers (also an incentive to coin mining).

Episode Date: February 14, 2018

In today's podcast, we hear that Olympic Destroyer exploits EternalRomance and morphs as it moves from machine to machine. Other Olympic hacks are out there, too. The US Intelligence Community tells Congress to expect a more assertive Iran, Russia, and North Korea in cyberspace. They also forecast more election influence operations. General Nakasone has been nominated to succeed Admiral Rogers at NSA and US Cyber Command. Yossi Oren from BGU on two-factor authentication for the disabled. Guest is John Kuhn from IBM X-Force Iris on the uptick in spam around the Valentine’s Day holiday. Coin mining continues to make a nuisance of itself.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Olympic Destroyer exploits EternalRomance and morphs as it moves from machine to machine. The U.S. intelligence community tells Congress to expect a more assertive Iran,
Starting point is 00:02:06 Russia, and North Korea in cyberspace. They also forecast more election influence operations. General Nakasone has been nominated to succeed Admiral Rogers at NSA and U.S. Cyber Command, and coin mining continues to make a nuisance of itself. I'm Dave Bittner with your CyberWire summary for Wednesday, February 14th, 2018. The Olympic Destroyer malware that hit the Winter Games being held in South Korea
Starting point is 00:02:37 appears to be a complex piece of work. It's a wiper, and it spreads via Eternal Romance, which is one of the alleged Equation Group exploits the Shadow Brokers leaked. More interestingly, it also contains a self-patching functionality that enables it to change its characteristics as it moves from machine to machine. Cisco's Talos research unit has been examining Olympic Destroyer, and they discern some similarities in its code to that used in NotPetya and BadRabbit. Speculation about attribution has turned largely toward Russia, but apart from circumstantial code similarities, such speculation remains based mostly on motive and opportunity. There are other hacks surrounding the Olympic Games, and Booz Allen's CyberForesight research Unit this morning published a useful guide to the range of threats surrounding the Games.
Starting point is 00:03:30 They fall into familiar categories. Nation-states interested in information operations and espionage. Hacktivists pushing whatever agenda they feel can be usefully advanced. And common criminals looking to turn a dishonest buck by phishing and other scams. The U.S. intelligence community's annual threat assessment sees Iran, Russia, and North Korea as growing more assertive in cyberspace. They expect Russian influence operations, propaganda, and disinformation during this year's midterm elections.
Starting point is 00:04:01 They say the goal is, as it was during the 2016 elections, to sow discord and mistrust. Spammers continue to up their game, taking advantage of botnets to send massive volumes of deceptive emails. They keep an eye on the calendar, too, and with the run-up to Valentine's Day, researchers at IBM's X-Force Iris team have tracked a sizable uptick in targeted spam. John Kuhn is a senior threat researcher at IBM X-Force Iris. More specifically, it's around dating spam. You know, someone impersonating somebody else, saying that they liked their profile on such and such social media. I think Badoo and I think maybe Facebook was in there.
Starting point is 00:04:43 And pretending that, you know, they romantically like this person or they want to talk more to this person, that's getting the spam. It's just a large, large uptick in that amount of spam, centered around Valentine's Day, where people might be a little more vulnerable to responding to those types of messages. So can you give us an idea of the scale of this? So what's the size of the campaign? So we witnessed over 230 million spam emails coming from 950,000 different IP addresses that are infected with the Necker's botnet. And the Necker's botnet, what's behind that? This is controlling zombie bots? Exactly.
Starting point is 00:05:21 Yeah, it's a peer-to-peer botnet that is rather large. It's over 6 million infected nodes last count. So what's your recommendation for people to protect themselves against this? I mean, obviously there's education, but if I'm running an organization and, you know, Bob down in the mailroom has fallen on hard times in the romance department and thinks to himself, well, what could possibly go wrong? I might as well click on this and give it a shot. Well, beyond education, how can I protect my organization? Utilizing spam filters, obviously.
Starting point is 00:05:51 We've been using spam filters since spam was created, but keeping those updated, keeping the definitions updated, keeping the intelligence inside of them updated, absolutely key. The little more tricky part about this is most spam, as you know, they use a lot of mixed English and they use a bit of misspelled words and those things are easily identifiable. This particular campaign, it was very straightforward, plain English. So a lot of the spam filters might be tripped up. So monitoring those spam filters, seeing what's coming through, seeing what's coming
Starting point is 00:06:21 through in your own inbox, again, educating your staff to report things as spam, you know, absolutely key. You know, education is first and foremost, but there is technologies obviously that can help, you know, thwart this stuff from even getting to the end point or the victim in the first place. And in terms of an overall trend, is this something that we're seeing more and more of, these sort of targeted spam campaigns based on events throughout the year, taxes, Valentine's Day, things like that? Yeah, because they're most effective around seasonal things. Obviously, Valentine's Day, they're going to go with a romance thing. Maybe around Christmas, they go with sales or deals or something around the Christmas holiday. It garners them more return on their spam campaign that they're sending out.
Starting point is 00:07:08 I mean, the Necker's botnet historically used to send malware, right? It used to distribute malware, banking Trojans, ransomware, remote access Trojans. They're kind of dabbling in this spam game with the pump and dump stock schemes that they're using. I mean, the most important thing about this is this is a very, very large botnet. And it's important to track that and understand what their campaigns are to try to get ahead of them, you know, as a security researcher or security organization, or just protecting your organization against, you know, things that are coming from tend to do things in a large, high volume. So it's sort of easy to detect, but they don't care necessarily, because they have such a high volume so it's sort of easy to detect but they don't care necessarily because
Starting point is 00:07:45 they have such a high volume they figure if they just send it out everywhere they're going to get a bit of return and even a slight return on their investment you know it is a win for them the other thing is you know they save a lot of money right they're not utilizing their own resources they're not buying servers to send this out they They're compromising endpoints. They're utilizing stolen bandwidth, stolen processors, processor usage. And I think that's very key when they start talking about just the sheer volume of the Necker's botnet and what they're capable of. That's John Kuhn from IBM's X-Force Iris research team. search team. On patch Tuesday, Microsoft fixed 50 bugs, 14 rated critical, affecting widely used products including Outlook, Adobe patched 39 flaws in Acrobat and Reader. U.S. Army Lieutenant General Paul Nakasone, long the frontrunner, has been nominated to succeed Admiral Rogers
Starting point is 00:08:42 as Director NSA and Commander, U.S. Cyber Command. He'll be dual-hatted, at least initially, when he takes over this summer. A fourth star will come with the job. Cryptocurrency miners continue to trouble users of the Internet. Kaspersky Lab warns of a zero-day in the Telegram messaging app that's been exploited by crooks to install miners on victim machines. The malware collects Zcash and Monero. Telegram has fixed the problem, which was specific to the Windows version of their app, so if you're a user, it's time to
Starting point is 00:09:16 update your software. The malware, which Kaspersky researchers connect to Russian-organized crime gangs, operates by concealing executable JavaScript using Unicode right-to-left override characters, RLO. Thus, the malicious file looks like an innocent PNG image. Criminal coin miners last week infested a lot of government sites, mostly in the United Kingdom, but also in Australia, the United States, and Canada. CoinHive is the typical payload crooks are installing in the targets. CoinHive, it seems, was developed by people who thought it would be innocent, fun, and, mark this, voluntary. Unfortunately, as CoinHive's creators have explained to Motherboard,
Starting point is 00:09:59 their code got away from them and found its way into the hands of criminals. For some reason, they didn't think this would happen and regret it. Among the casualties of CoinHive abuse, TechCrunch complains, is SETI, the search for alien life that looks for anomalous and possibly intelligent artificial signals in the cosmos. SETI had done a lot of its work by using unused CPU resources in thousands of machines. Thus, unused resources are now increasingly in use by third parties busily mining cryptocurrency. Google is about to deploy an ad blocker to Chrome.
Starting point is 00:10:36 Mountain View is expected to roll out the new feature tomorrow. Observers say it won't be an alternative to software like Adblock Plus or uBlock Origin. Instead, it represents Google's attempt to stop the more annoying sorts of ads from hitting your screen. That is, it's designed to block ads that don't conform to guidelines issued by the Coalition for Better Ads, essentially applying the patterns realized in the community-sourced Easy Rules. The sorts of ads expected to be filtered will include pop-ups, pre-stitial ads, autoplay ads with audio, and big, sticky ads. There are some differences in the filtering depending on whether Chrome is running on a desktop or mobile device,
Starting point is 00:11:17 but the principles remain the same. To Google's credit, observers say the company is subjecting the contents of its own ad networks to the same filtering. So, if you make a living selling ads, we do, so we're not completely unsympathetic, although we don't use ad servers, at least not yet, what are you supposed to do? Graham Cooley reports that Salon Magazine now offers a choice. You can block ads, but only if you let them install a coin miner on your machine. We've taken a look at Salon, and yep, it appears that's what they're up to.
Starting point is 00:11:51 They even explain it in their FAQ to the question, What happens when I choose to suppress ads on Salon? Salon replies with a discourse on how the old mutually beneficial relationship, what Thorstein Veblen would have called the exploitation of man by man, in which you the reader get information and they the publisher get ad revenue, well, the times have changed. So if you want to read Salon, but don't want to see ads for, in our case, security software, then you'll have to let Salon install a crypto miner on your machine.
Starting point is 00:12:22 Some people are complaining that the mining starts as soon as you click the Tell Me More button inviting you to install CoinHive. Well, at least they warn you that your computer's fan will turn on while Salon mines coin. Mining is disruptive, but not very lucrative. The recent CoinHive infestations seem to have brought the crooks about $24. Maybe Salon should just consider a tip jar.
Starting point is 00:15:32 And joining me once again is Dr. Yossi Oren. He's a senior lecturer at the Department of Software and Information Systems Engineering at Ben Gurion University. He's also a member of BGU's Cybersecurity Research Center. Dr. Yossi, welcome back. You know, we often talk about how important it is to use two-factor authentication, but that can be a challenge for people who may not have well-developed motor skills or even poor vision. You all have been doing some research in this area.
Starting point is 00:16:08 We've been doing this research together with a researcher named Benjamin Versteindiger. The basic idea is that we want to be able to use two-factor authentication. Many of us use it to log into our banks and so on. And basically how it works is you enter your username and your password to a website, and then the website sends you a series of numbers, and it could be sent to you by text message, or if you're more security conscious, you have this little dongle, which is like a key ring holder, and these numbers appear on the screen, and then you go ahead and you copy these numbers from this little screen to your phone, and then you can log in. But the problem with this is that many people are simply unable to use this.
Starting point is 00:16:53 Because if we look at the sequence of operations you need to do, it's not very simple for many people. For example, you have to have very good vision to be able to see these small numbers. Some of us have poor vision. You also have to be able to memorize. It sounds to us very simple to memorize a sequence of, let's say, six numbers and copy it. But for some people, this is a very difficult task. And there are people who don't have the ability to touch a touchscreen or manipulate a very sensitive keyboard. So we were looking at a way to make two-factor authentication more accessible to these people who will be able to use their computer with
Starting point is 00:17:32 more security and with more dignity, so they won't have to ask anybody to help them. So we took advantage of a very interesting phenomenon called piezo-gyro coupling, which it's something which we initially thought of as a security problem. And it is when you place a very particular type of speaker called the piezoelectric transducer next to your phone's gyroscope, which is one of the sensors on your phone, you can actually transmit data from this transducer to the phone. And it's actually very easy to read this from websites and from apps. You don't need any permissions. You don't need to do any modifications. And we actually built a
Starting point is 00:18:12 device which transmits these small sequences, let's say these six-digit sequences, from this little transducer to the phone. And then on the phone you have a website or an application which reads it. And what this means is that for two-factor authentication, all you need to be able to do is to put your hands together. So we'll be holding your phone in one hand and our device, which is about the size of a coin, for example, when we finish shrinking it. You just put them together, you touch them together for three or four seconds. And during this time period, this transducer is going to send this
Starting point is 00:18:50 two-factor authentication sequence to the phone through the gyroscope. And we've tested this on various phones and on various web pages and applications. You get a pretty good data rate and error rate using this system. And what's nice about this gyroscope system is that it already works on the hardware that you already have on your phones or on your
Starting point is 00:19:10 tablets or on some of your laptops. I see. So you can start using it tomorrow. So the code that's being sent to you is being converted by the piezo speaker and then the phone is set up to receive that signal. To the person transmitting it, they're not doing anything different than they would normally. Yes. So instead of looking at this sequence of numbers with their eyes and memorizing it with their brain and typing them with their fingers, they're just going to put two hands together and the same sequence is going to be transmitted. We actually implemented it using the standard, this RFC, which is called the Internet Standards, there's a very standard way of generating these sequences, these two-factor authentication sequences.
Starting point is 00:19:51 And we exactly use this exact same standard. The only difference is instead of transmitting it using our eyes and memory in our fingers, we're transmitting it using this gyroscope and piezoelectric transducer. All right. That's interesting. Interesting research as always. Dr. Yossi Oren, thanks for joining us.
Starting point is 00:20:38 And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:21:29 Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
