CyberWire Daily - Patriotic hacktivism. HNS botnet spreads P2P. Electron vulnerabilities found, mitigated, Criminals target ICOs. Ransomware-as-a-service. Cryptowars. Fancy Bear doxes luge.
Episode Date: January 25, 2018

In today's podcast, we hear about how patriotic hacktivists are talking turkey to high-profile Twitter accounts. The Hide 'N' Seek IoT botnet spreads swiftly through specially crafted peer-to-peer ...communications. Vulnerabilities found in the Electron developers framework. ICOs are heavily targeted by criminals. Bell Canada was breached, and the Mounties are on the case. Ontario transit operator Metrolinx is asked how it knows North Korea hacked it. British Prime Minister May takes a swing at secure messaging and tech companies generally. Fancy Bear doesn't like Olympic luge. David DuFour from WebRoot with his outlook on ransomware for the coming year. Guest is Malcolm Harkins from Cylance with thoughts on the Aadhaar data breach. And what's the significance of a values statement?
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Remember, one of the ways you can help support our show
is by leaving us a review on iTunes.
We appreciate you taking the time.
Thanks.
Patriotic hacktivists talk turkey to high-profile Twitter accounts.
The hide-and-seek IoT botnet spreads swiftly through specially crafted peer-to-peer communications.
Vulnerabilities are found in the Electron Developers Framework.
ICOs are heavily targeted by criminals.
Bell Canada was breached and the Mounties are on the case.
Ontario transit operator Metrolinx has asked how it knows North Korea hacked it.
British Prime Minister May takes a swing at secure messaging and tech companies generally.
Fancy Bear doesn't like Olympic luge.
And what's the significance of a values statement?
I'm Dave Bittner with your CyberWire summary for Thursday, January 25, 2018.
McAfee has continued to track the hacktivist Twitter compromise campaign of Ayyildiz Tim.
Their intentions have increasingly turned to the Twitter accounts of high-profile journalists.
They continue to be interested in both tweets and direct messages.
The content of their communications over the hijacked accounts
generally aligns with the government of Turkey's positions.
Thus, they would be a fair specimen of the patriotic hacktivist variety.
A representative message of Ayyildiz Tim would be,
We will show you the power of the Turk and we love Pakistan.
The campaign has some social engineering dimensions to it,
since direct messages have been used to induce people to follow malicious links,
but the general operation is typically hacktivist,
ideological cries and defacements transposed to social media.
Security company Bitdefender is describing a new Internet of Things botnet, Hide and Seek, or simply HNS.
HNS is marked by its rapid spread, growing from 2,700 to more than 24,000 devices over the last two days.
Its infection mechanism is the same as Reaper's, but researchers discern no other connection between the two botnets.
HNS's rapid spread is enabled by a decentralized peer-to-peer mechanism that will complicate any takedowns.
Other botnets have used P2P communications, but they've relied upon an existing BitTorrent protocol.
HNS uses a custom system.
Once installed, HNS's capabilities include code execution, data exfiltration, and interference with device operation.
Effectively, every infected device serves as a command and control server,
a file server, and a jumping-off point for further infection.
Bitdefender thinks HNS has the hallmarks of an attack prepared by an unusually sophisticated threat actor.
Widely used applications, including Skype and Slack,
that were built using the popular developer platform Electron,
are being patched after the Electron framework has been discovered vulnerable to remote code execution.
While Electron is used to develop apps for macOS and Linux, this vulnerability affects only Windows applications.
Initial coin offerings, ICOs, a trendy approach to funding that's attracted increased interest from legitimate businesses seeking to raise capital, are also attracting a lot of interest from criminals.
Security firm Group-IB says that hacking attempts against ICOs increased roughly tenfold during 2017.
Group-IB also contributed research to a report issued this week by Ernst & Young.
The study found that, of the approximately $3.7 billion raised in ICOs so far, about $400 million of it has simply been stolen.
The typical theft involves phishing victims with bait that will induce them to send cryptocurrency to a wallet controlled by the criminals.
Once it's there, it's gone, and a lot is going, about 10% of total investment.
Indeed, cryptocurrency seems to attract criminals to its techno-libertarian garden the way carrion draws flies.
Security researchers with RiskIQ took a look at 20 of the most popular legitimate app stores.
You'll recognize most of them.
They include the Apple App Store, Google Play, SameAPK, and APKPLZ.
And what RiskIQ found was disconcerting.
Even in monitored and curated stores, of the over 1,800 apps the researchers inspected,
661 of them were blacklisted Bitcoin apps.
Google Play hosted the most, some 272 malicious Bitcoin apps.
Cryptocurrency is not only stolen directly,
but it's also a popular means of getting ransomware victims to pay the extortion.
The SANS Institute has been looking at this section of the criminal-to-criminal market.
They've found one ransomware-as-a-service offering that's ridiculously user-friendly and run on a royalty model.
All you, the aspiring criminal, need do is specify the Bitcoin address
to which you want the ransom delivered,
and then select the amount of ransom you wish to demand,
between a hundredth Bitcoin and one Bitcoin,
and in a matter of seconds you get a malicious PE file
you can turn loose on your victims.
What do the proprietors of the service get?
10% of whatever ransom their customers collect.
It appears to be either a proof-of-concept service or perhaps one that's still under development.
One hopes, of course, that the criminal participants in this market
will spend a lot of time and energy busily attempting to defraud one another,
but the criminal-to-criminal market continues to display growing sophistication.
Bell Canada disclosed a data breach affecting about 100,000 customers.
The data lost were customer names and email addresses.
Bell Canada says no credit card numbers or other sensitive information was taken.
Nonetheless, the matter has been referred to the Royal Canadian Mounted Police,
who are investigating.
Earlier this week, another Canadian organization,
Ontario transit operator Metrolinx,
disclosed that it was hacked by North Korean hackers.
The disclosure was light on details,
beyond saying that customer privacy and safety were not compromised.
The transit provider cited security reasons for saying little beyond that.
But sparse as details were, they were very specific in their attribution.
Whatever was done, it was the North Koreans who done it.
This hasn't played particularly well with the security sector.
Observers would like to see evidence that fingered Pyongyang.
The recent discovery of records for sale online from India's Aadhaar database has caught the attention of security researchers.
One of those researchers is Malcolm Harkins, chief security and trust officer at Cylance.
He joins us with his take on the breach. Well, you know, there's still a lot under investigation and reports are saying
that police are investigating other agencies within India. But as far as what's been reported,
there was access given to reporters who were apparently able to buy personal information
for Indian citizens that apparently came from that national ID system for hundreds
of rupees, so small dollar amounts, and therefore potentially exposing it. The full nature of what
exactly occurred still will probably have another several weeks or potentially even months to fully
ascertain. But at this point, it's clear to say that information that is contained in that database,
people's names, address, perhaps phone numbers, emails, was able to be purchased and so therefore exposed.
And is there any idea what the scale is of this?
How many people's information is available throughout that nation?
As I understand it, that system has been in use now for almost eight years.
It started in 2009 as a voluntary system, again, meant to prevent fraud and improve the identification of Indian citizens for a variety of purposes.
And last reported that I've seen is greater than 1 billion, 1.2 billion citizens of India,
give or take a little bit, have their personal data and biometric data in the system.
With the part that this database plays in their society
for security, how do you see this playing out? What do you suppose the folks there are in for?
You know, it will be interesting to see how it fully evolves and whether or not
biometric data ends up having been potentially compromised versus just other sets of information. I think if it is anything like
we've seen with the Equifax breach or other breaches that we've seen in the U.S. and in Europe,
you can expect potential identity theft. You can expect fraud type items. You could expect that that information could be used not necessarily for harming the individual.
So let's just say Malcolm's identity was compromised.
It could be used in a way that could potentially harm me, but it could also be used to represent Malcolm. And so if I assume somebody else's identity,
I could use that for a variety of purposes.
One would be the obvious, you know,
getting a credit card fraud, that type of stuff.
You could use it for healthcare purposes.
I'll pretend to be Malcolm and go get his medicine,
go use his doctor's appointments, that type of stuff.
You could also use it and say, who is Malcolm associated with?
And if I have Malcolm's identity, can I pretend to be Malcolm to go after a different target?
And so use the potential compromise of my identity to go after somebody else that I might be associated with or close to that's a more
higher valued target because Malcolm might be associated with a senior executive in a company.
Malcolm might be associated with somebody in a particular research field. It all depends upon
what the motivation is and the ways in which you could leverage the identities that you've compromised
for whatever means or mechanisms that you might have as an attacker.
That's Malcolm Harkins from Cylance.
At Davos, British Prime Minister May doubles down on her crypto-skeptic position in the crypto wars.
She wants technology companies to, as she puts it,
live up to their social responsibilities.
Human trafficking, child abuse, terror and extremism, she said,
are being enabled by social media and messaging platforms
that give malefactors a safe place to roost.
She said, quote,
Companies simply cannot stand by while their platforms are used
to facilitate child abuse,
modern slavery, or spreading of terrorist or extremist content.
Prime Minister May named secure messaging app Telegram as a principal offender.
She'd like to see more cooperation out of them.
Olympic-related hacking didn't end with the first doxing wave earlier this month.
Fancy Bear has released documents stolen from the International Luge Federation.
The hackers claim the documents reveal doping violations.
Fancy Bear, generally identified with Russia's GRU military intelligence organization,
has been upset over the International Olympic Committee's sanctioning of the Russian team.
Finally, The Intercept notes with displeasure that the U.S. National Security Agency has changed the Mission and Values statement on its public website.
NSA told the publication that they'd simply updated the website and not made any real
changes to their values, but The Intercept isn't buying it.
We've taken a look at both the new and old versions, and we have to admit that the
changes look mostly verbal to us. The values of honesty and transparency that were in the old
versions still seem to be there, albeit in a different form. So we're going with website
update and not nefarious retreat from high ethical standards. But value statements raise
interesting questions. What's the value of a value statement?
On the one hand, public statements of some sort of code can seem to have good effect.
One sees this sometimes in military organizations, for example.
But on the other hand, they can also be so much marketing argle-bargle.
One of the most famously high-minded corporate value statements of the last few decades belonged to Enron.
Talk amongst yourselves.
And I'm pleased to be joined once again by David DuFour.
He's the Senior Director of Engineering and Cybersecurity at Webroot.
David, welcome back.
Here we are a couple weeks into 2018.
What's on your radar for this year?
Well, you know, cybersecurity, of course.
You know, a lot of a lot of things are going to probably carry over from last year. And,
you know, we'll see some things we've maybe been talking about for a while actually start to happen
this year. And top of mind for me, David, is ransomware. If, you know, people have heard you
and I talk in the past thing, everyone knows that's one of my
favorite business models for cyber criminals. And I see that growing just simply because the
business model is a good one. I see lots of new strains coming out. 2010, we saw the first variant
or the first instance of that. By the end of this year, we're well over 500 different strains,
not just polymorphed versions, but actual strains of ransomware. So I continue to see that to grow
because it's a great way for cyber criminals to make money. Do you think there are any areas where
people aren't paying the attention that they should to particular things? Yes. And we just
started the year. And so I'm going to look into my crystal ball back into December where I was going to really talk about how we're going to start seeing some actual physical plants and facilities be affected by cyber criminals. December last year, there was, in fact, a plant closure. Don't want to give out names or exact
locations, but if you Google cyber attack plant closure, you'll actually see where some cyber
criminals are beginning to really affect and find very effective ways to take advantage of
infrastructure and shut infrastructure down, physical infrastructure. So to me, I think we're going to start seeing a lot of that occurring both this year and into the future.
And so for the day-to-day, for those of us who are just trying to protect ourselves, keep our computers safe,
any new advice? Is it just keep at it from last year, or do we have to change our tactics?
Well, and so the advice a lot of times is the same as again, as if anyone's ever heard me talk with you, David, back up your data.
That's the number one way to protect yourself.
But I guess I would submit to people, assume things are going to get hacked when you get those.
You know, maybe over the holidays you got some new electronic device that tracks your your walking or, you know, just assume something is going to get hacked and don't enter information into it that you wouldn't be comfortable sharing
with the public. That's really the advice I would say. Just be vigilant and aware.
All right. David DuFour, thanks for joining us.
Thank you for having me, David.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Thanks for listening.
We'll see you back here tomorrow.