CyberWire Daily - Phishing and watering hole alerts. Is DPRK stealing Bitcoin? NHS Lanarkshire ransomware identified as Bit Paymer. Onliner spambot has hundreds of millions of email addresses. St. Jude pacemaker patch.
Episode Date: August 30, 2017

In today's podcast, we hear warnings against taking the Hurricane Harvey phishbait. The IRS says that email telling you to download a questionnaire and return it to the FBI isn't from them. Why you really don't want that tutorial in tumbling Bitcoin. Sources accuse North Korea of stealing cryptocurrency. Trickbot is back, and it's swiping Bitcoin. The ransomware strain in Scottish hospitals was Bit Paymer. More than 700 million email addresses found in the Onliner spambot. UK retailer suffers breach. St. Jude pacemakers get a firmware patch. Robert M Lee from Dragos on cutting through the hype. Joseph Loomis, promoting the upcoming IR17 event. And some industry notes. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. Check out & subscribe to Recorded Future's free intel daily. We read it every day. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. JHUISI & partner COMPASS Cyber present Cyber Security Conference for Executives on September 19th in Baltimore. Register for the event. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
...as that email telling you to download a questionnaire and return it to the FBI isn't from them. Why you really don't want that tutorial in tumbling Bitcoin.
Sources accuse North Korea of stealing cryptocurrency. TrickBot is back and it's swiping Bitcoin. The ransomware strain in Scottish hospitals is ID'd. More than 700 million email addresses are found in the Onliner spambot. A UK retailer suffers a breach. Some industry notes, and St. Jude pacemakers get a firmware patch.

I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, August 30, 2017.
You may wish to donate or get involved in some other way with Hurricane Harvey relief to help the afflicted down in Houston. That's of course good, but unfortunately you should be wary of whom you connect with online. Scammers are using fraudulent Hurricane Harvey relief efforts as both con games and phishbait. The U.S. Federal Trade Commission warned this week of many active relief scams in progress and noted with regret that this happens whenever there's a natural disaster. Some of the scammers have even registered domains to assist their bunco. If you're in doubt about the legitimacy of a charity you're unfamiliar with, the Better Business Bureau's Wise Giving Alliance isn't a bad place to go for some quick common-sense vetting. Or do what's even easier and deal with a charity you're familiar with.
There is of course other phishbait being dangled in U.S. inboxes. Here's an always popular gambit: the IRS telling you the FBI wants to hear from you. The Internal Revenue Service warns that there are some fairly convincing but entirely bogus spoofed emails that represent themselves as coming from the IRS. They don't. If the faint whiff of Shadow Brokers-ese in the text doesn't tip you off (the diction in the phishing emails isn't bad for a non-native speaker of English, and in some respects resembles the my-eyes-glaze-over dullness of some regulatory communications), the fact that the email includes the FBI's seal as well as that of the IRS is a tip-off. And no, changes in U.S. Tax Law, with a capital T and a capital L, haven't transferred responsibility for the belonging of offshore companies from the IRS to the FBI. So don't bite. If you should receive such an email, the IRS would very much like you to forward it to them. Use the address phishing@irs.gov.
There are also some baited watering holes out there. Security researchers at the firm Comparitech have found a come-on boosted by high Google search rankings. If you wish to learn how to mix, tumble, or launder Bitcoin, and you probably shouldn't, an outfit called Dark Web Markets will give you a good, concise tutorial in that dubious art. Unfortunately, the tutorial will also take you to malicious sites that will divest you of your cryptocurrency. Comparitech says the tutorial is actually pretty interesting, but no, don't go there. Don't take the course, because that would involve taking the bait. But don't even try to visit the site out of curiosity. Doing so could, Comparitech warns, boost its Google ranking even higher, enabling the crooks behind the bad link to lure even more of the unwary.
Speaking of Bitcoin, sources in East Asia are calling attempted raids on South Korean Bitcoin exchanges a North Korean operation. Pyongyang has a history of turning to online crime to meet its financial needs. This may be the latest instance of such a campaign. Details are sparse, so observers are treating the reports with moderate skepticism. Still, given Pyongyang's track record and the unsettling tensions the DPRK's missile tests have aroused among anyone within range, all would do well to take the potential threat seriously. State cyber operations do tend to accompany security crises.

A clearly criminal threat to cryptocurrency owners is being described by researchers at security firm Forcepoint. They've found an evolved version of the familiar TrickBot banking trojan circulating in the wild. This TrickBot instance is going after cryptocurrency wallets.
The ransomware that hit NHS Lanarkshire in Scotland, disrupting healthcare operations, has been identified as Bit Paymer, a fairly recently discovered malware variant. Samples of Bit Paymer were posted to VirusTotal on July 11. This ransomware is regarded as well-coded malware devised by programmers of some ability, much better than the repurposed commodity stuff most online crooks use. NHS Lanarkshire reports that its operations have largely returned to normal.
Researchers have found that the Onliner spambot, known for distributing the Ursnif banking trojan, holds some 711 million email addresses and 80 million SMTP credentials. The well-known victim registry site Have I Been Pwned calls it the biggest batch of stolen credentials it can recall uploading. A lot of them are probably bogus, but even a fraction of 711 million is still a pretty big Twinkie. Where the addresses came from is unknown. There doesn't appear to have been any major breach or set of major breaches that could account for it.

The UK retailer of second-hand tech, CeX, disclosed to its customers that up to 2 million of them may have had their personal details accessed by unauthorized parties. The usual advice applies: change your passwords, be on the qui vive for spear phishing, and so on.
Taking a quick look at our CyberWire event calendar, Incident Response 17 is coming up in September, and we're proud to be a media partner. Joseph Loomis is CTO at CyberSponse, and he joins us to tell us more.

It's really a way that the community can come together as one to redefine how security no longer has to be such a manual process, but more of a machine and person working together in a very tight relationship so that they can ultimately fight against the adversaries in the same manner, with an equal opportunity to defend themselves.

And so give us an idea, what can people expect from the conference?

They can actually expect a lot of workshops, a lot of knowledge transfer, education, best practices. Networking is probably one of the most powerful things, where you have a mentee meeting up with a mentor that they can learn from and build that relationship, where you have the junior-level executives and analysts meeting other senior, more experienced people. So your minor leagues are meeting the major leagues, basically, and now they can build those bonds, relationships; they can actually work on recruitment, team building. And so it's kind of a combination of a workshop slash consortium slash movement.

Can you give us an idea of what some of the sessions will be like?

A lot of the sessions are going to be talking about capabilities that products currently have today, and what they can do to leverage them in regards to helping them on the human capital side. A lot of the agenda specifically is going to be speaking to best practices that we have right now to define out in the framework. So, for example, how do you select the right tools? How do you do proper vendor analysis and bake-offs? How do you simplify your practice and bring in the right consultant or framework? How do you actually use certain tools? Basically, imagine if you're a carpenter and you're learning how to use a hammer and a skill saw. We're teaching them not specifically around what tools to use, meaning by vendor title; how to use, not specific to the hammer brand, but how to use a hammer, period.

So who are you targeting here? Who's the ideal attendee for the conference?

Three different tracks. So we have the executive-level track for the community. We have the managerial track, which is the person typically in the trenches with the team, almost like a sergeant. And then you have your analysts, which are your soldiers. So if you look at it, C-levels as your generals, managers as your sergeants, and analysts as your soldiers. And it's the first open community approach that's completely free to attend as long as you operate in one of those three capacities: you're an executive at an organization, you're a manager in an organization of a team, or you're an actual team member. So this is not a sales-oriented event. It's an event that allows people to actually come and learn, not try to buy products.

That's Joseph Loomis from CyberSponse. The Incident Response 17 conference is coming up in September on the 11th and 12th in Pentagon City, Virginia. You can find out more at incidentresponse.com.
You may recall that last year, St. Jude Medical, manufacturer of pacemakers and other health care devices, was embroiled in a conflict with security firm MedSec and stock speculators Muddy Waters. MedSec and Muddy Waters disclosed St. Jude device vulnerabilities in the course of shorting St. Jude stock. St. Jude patched some issues in January. It has done so again. The U.S. Food and Drug Administration has approved a firmware patch for the company's pacemakers. The flaw it addresses is thought to affect some 465,000 patients.

In industry news, SolarWinds has made its first-ever acquisition, picking up Netherlands-based email security shop SpamExperts. The buyers, in this case, say they liked SpamExperts' intelligence engine a lot.

Bugcrowd is getting a new CEO. Ashish Gupta will replace founder Casey Ellis. Ellis isn't leaving. Instead, he'll become chairman and CTO.

LookingGlass Security Solutions has raised $26.3 million in mezzanine funding. Participants in this round included new investors Eastwood Capital and Triangle Peak Partners. The company also received additional investment from current backers Alsop Louie Partners, Neuberger Berman, and NewSpring Capital. LookingGlass intends to use the funds for expansion into five continents. Antarctica, as always, seems to be the odd continent out.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for a thousand dollars off.
In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated
Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney+.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Robert M. Lee. He's the CEO at Dragos. Robert, we were talking about, of course, ICS stuff, industrial control systems. And I think, in general, when I describe you, I describe you as being a voice of reason in that industry, where a lot of times when there's hype, I turn to you to kind of cut through that hype and tell me, do I need to be concerned or not? So tell me about that. When do I need to be concerned?

Thanks. I do try to push back on a lot of the hype out there because I know that folks get scared pretty quickly sometimes without reason. But there are some cases where we should be concerned. I think one of those cases that we've seen was the CrashOverride framework that my firm did analysis on, from the attack that was used in 2016 to take down a portion of Ukraine's power grid. Why I think it's concerning, and I don't think it's run-to-the-hills, build-a-bunker kind of concerning, but I think it's concerning in that asset owners around the world need to be paying attention. And the reason for that is the adversary didn't just build malware that was taking advantage of vulnerabilities. A lot of what we look at in IT sometimes is very vulnerability-centric. But this framework was really about taking advantage of knowledge of how we do electric operations. So the last time we talked about, like, stage one, stage two type kill chain, and what does it really look like to do a stage two ICS attack. And CrashOverride is a stage two attack. It's what it actually looks like to do disruption to industrial environments. Again, what's so concerning is there is no vulnerability to patch away. There's no fix to the system. The protocols are being used exactly as they should on the network. It is an aspect that an adversary took the time to learn how electric grid operations are run and codified that knowledge into a framework that allows it equally to be disruptive. And right now, the CrashOverride framework and that tradecraft is immediately transposable to every electric and distribution power site in Europe, most of Asia, most of the Middle East, and then with maybe less than a day of development scalable to North America. So the balance here is it's light. It's going to be a couple hours of outages. It's not good, but it's not build bunkers. Our grid is actually really, really well prepared in the sense that we've built it very well to be able to bring it back if anything goes wrong. But the downside is, there is now public tradecraft of how to do disruption. And there's obviously an adversary interested. And I think for that reason, grid operators need to be taking a little bit extra precaution, and people outside of our community and other industrial environments need to be thinking about how you could leverage the industrial environment against itself to achieve these type of attacks.

All right, Robert M. Lee, thanks for joining us.
Cyber threats are evolving every second. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.

And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.