CyberWire Daily - PureLocker ransomware. APT33 update. Hong Kong and information war, in the courts and on PornHub. Facebook content takedowns. Alleged criminals prepare to face the court.

Episode Date: November 14, 2019

PureLocker is a new ransomware strain available in the black market. APT33 is showing a surge of activity. Lawfare and information operations in and around Hong Kong. Facebook takes down content for violating its Community Standards. And two alleged cyber criminals are facing charges: one is allegedly the former proprietor of Cardplanet, the other was selling a remote administrative tool the RCMP says was really a different kind of RAT. Justin Harvey from Accenture on the increasing use of biometrics in security. Guest is Jennifer Ayers from Crowdstrike with the insights from their Overwatch threat hunting report. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/November/CyberWire_2019_11_14.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. PureLocker is a new ransomware strain available in the black market. APT33 is showing a surge of activity. Lawfare and information operations in and around Hong Kong. Facebook takes down content for violating its community standards. And two
Starting point is 00:02:12 alleged cyber criminals are facing charges. One is allegedly the former proprietor of Cardplanet. The other was selling a remote administrative tool the RCMP says was really a different kind of RAT. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 14, 2019. Researchers at security company Intezer and IBM's X-Force warn of a new ransomware strain, PureLocker, which attacks enterprise production servers. PureLocker, the researchers believe, is associated with the criminal groups Cobalt Gang and FIN6, who are thought to have obtained it on the black market from a malware-as-a-service provider.
Starting point is 00:03:02 PureLocker is stealthy. If it detects itself running in a debugger environment, for example, it exits. It also deletes its payload after its work is done. It has cross-platform capabilities. The ransomware is written in PureBasic, which makes it relatively easy to use against Windows, Linux, and macOS machines. PureLocker is also selective. It avoids encrypting executables, concentrating on data files. Once it's infected a machine, it leaves its ransom note on the desktop, written in the now-traditional non-native speaker's English. Researchers at the security firm Trend Micro describe renewed activity by APT33, the suspected Iranian threat group active against oil, gas, and defense targets. The targeting is said to be narrow. The group uses commercial VPNs for reconnaissance and
Starting point is 00:03:53 staging. Most of APT33's interests lie in the oil industry supply chain, but it's also focused on other targets of interest, including a European politician's private website used to spear-phish oil industry companies and a potable water facility used by the United States Army. Much of the activity Trend Micro describes appears to be reconnaissance and staging, but Trend Micro warns even those indicate a major risk given APT33's record of using destructive malware. Unrest in Hong Kong continues, as do lawfare and information operations waged from Beijing. The Internet Society has protested a ruling by the Hong Kong High Court that effectively criminalizes using the Internet for communications not in the government's interest.
Starting point is 00:04:44 The proscribed communications are ones that nominally promote violence, but the ruling seems more expansive than that. It's also likely, the Internet Society believes, to exert a chilling effect on online communications, with attendant pressure on platforms to err on Beijing's side when they perform content moderation. The Internet Society has filed a petition with the High Court to overturn the ruling. And in the face of widespread takedowns of coordinated inauthenticity,
Starting point is 00:05:16 Quartz reports that Beijing's line on Hong Kong is being circulated through an unlikely channel, Pornhub, which is exactly what its name suggests. Much of this activity seems the work of centrally inspired but independently operating patriotic actors. One imagines that Pornhub visitors who expected to find saucy videos were disappointed to find themselves offered edification on the bad faith of Hong Kong protesters, or cockroaches as the Beijing line calls them. It's as if one were to walk into what one had taken for a gentleman's club
Starting point is 00:05:50 and instead found that one had actually wandered into a Legion Hall. Some of the videos have highlighted violence to represent the protesters as right-wing thugs. One incident in particular, tragic, repellent, and utterly discreditable, showed a man disagreeing with the protesters being murdered by incineration. CrowdStrike recently published their 2019 mid-year review from their Falcon Overwatch team titled Observations from the Front Lines of Threat Hunting. Jennifer Ayers is vice president of Overwatch and security response at CrowdStrike. One of the reasons why this type of information is important is because what we're talking about is what we call tactical intelligence.
Starting point is 00:06:34 So at the end of the day, you know, when you kind of look at global threat intelligence, regardless of whether it's coming from CrowdStrike, you know, or another provider, that often looks at much more of the strategic, you know, threat landscape view. You know, what is the plan from China? What is the, you know, theory on, you know, Russia? What is the geopolitical status of the Ukraine? That level of intelligence, you know, is very, very broad and very high level. What we report on at the tactical level is the execution of that. So what we're talking about, you know, are real live intrusions that we have seen across the Falcon telemetry that we have the privilege of being able to work with.
Starting point is 00:07:13 And this is a dynamic landscape, right? This is constantly changing. So one thing that we might identify in the first half of the year might not exactly be the same in the second half of the year. You know, adversaries are real, they're constantly working, and they definitely have their agendas. So the first half of this year, you know, a major observation was actually the uptick in e-crime. One of the key points around highlighting that is, you know, e-crime is a much, much bigger, much more diverse group than what your typical nation state adversaries are. To look at the statistics and see that in the first half of 2019, a 61% increase in terms of e-crime attack compared to our full 2018 is pretty significant. Now, that's not to say that this doesn't mean that nation states have
Starting point is 00:08:01 stopped and e-crime has taken over. What this is simply showing you is from a volume perspective, we are seeing a lot more e-crime activity on the rise. This is where you get into areas like we've talked about as CrowdStrike, big game hunting, for example, where these criminal organizations band together and begin to leverage what we would call living off the land or previously known nation state techniques to focus on larger assets than the typical spray and pray, right? I'm going to send a spam email to a thousand people. Maybe your parents pick it up and get encrypted by ransomware, right? You're going that broad. You're going to get maybe 10 out of a hundred for lack of a better term. The big game hunting purely focuses on enterprise, and they are purely
Starting point is 00:08:46 focusing on what the key assets of those enterprise are. So watching that continue to rise is more of an awareness concern for people in the industry as a whole. This is not necessarily targeting that is driven by what the traditional nation states do, whether it's geopolitical or intellectual property. This is targeting based off of how much money you're going to be able to pay in that ransom. So what we're seeing, you know, across the board is the more mature your security program is, the less of a target that you'll be. So there are some fundamentals that we continue to see not happening in practice. You know, fundamentals that we've all been talking about for years and years, and don't get me wrong, I've been on the commercial side. I understand how hard it is
Starting point is 00:09:29 to implement things. I understand how hard it is to get business buy-in to do updates. I understand how very, very difficult it is to get the business to agree to let one system go down so you can properly patch it. But it is those fundamentals that continue to allow these adversaries, whether they're e-crime or whether they're nation state, to do their job. Two-factor authentication is something that we're starting to see much more of, especially in our online presence. It is necessity. If you have a VPN, it should have two-factor. If you have the capability two-factor enabling on any administrative account, domain administrator, always a benefit, multi-factor type of methodologies.
Starting point is 00:10:05 Those types of things help disrupt this actor type of activity. They can still dump creds today, and they can still get in by using a simple username and password from whatever they've cracked from the creds that they've dumped. Other simple things, passing passwords in plain text. Very active in a number of enterprises today. As the security practice for the last 20 years, we've been talking about this for more than 15. It's those type of little practices that are continuing to allow these adversaries to be as successful. There's no need for them to change their tactics and techniques because things still work. And it's up to us in the security industry to make sure that we're making it much more difficult. They'll never go away.
Starting point is 00:10:45 It is our job to make it much more difficult. As a security person or a CISO or a security analyst within an enterprise company, it's your job to make it so you're not as much of a target. And the way you do that is by making it so that you're not interesting to them because it's too hard to do their job. Adversaries are humans just like we are, right? All of us humans by nature will take the least path of resistance. The more resistance you put in place, the less likely they're going to play in your space and they're going to go find somebody else who doesn't have those types of security practices in place. That's Jennifer Ayers from CrowdStrike. The report is Observations from the Front Lines of Threat Hunting, a 2019 mid-year review from the CrowdStrike
Starting point is 00:11:25 Falcon Overwatch team. Facebook's Community Standards Enforcement Report says the social network took down tens of millions of pages whose contents violated its community standards. Those standards proscribe content that falls into categories that cover adult erotic material, with certain artistic and scientific or educational exceptions, bullying and harassment, child exploitation, fake accounts, hate speech, contraband, notably drugs and weapons, spam, terrorist propaganda, violent and graphic content, and finally, suicide and self-injury. The categories for Instagram are presently a subset of these, and they exclude terrorist propaganda, suicide and self-injury,
Starting point is 00:12:11 child exploitation, and contraband. Facebook also offered examples of how it draws the line on impermissible content, recognizing that such lines can be difficult to draw. In the second and third quarters of this year, Facebook removed 54 million pieces of violent and graphic content, 18.5 million items determined to involve child abuse or exploitation, 11.4 million posts that broke Facebook's hate speech rules, and 5.7 million uploads that violated policies against bullying and harassment.
Starting point is 00:12:45 As we've mentioned, Facebook has also brought its Instagram unit under the same monitoring and reporting system, taking down 3.2 million images that violated its community standards. And finally, two long-running criminal investigations seem to be arriving at their endgame. One Mr. Alexei Burkov, age 29, of Tyumen and St. Petersburg, Russia, arrived at Dulles International Airport outside of Washington Monday, courtesy of extradition from Israel, where Mr. Burkov had been ensconced. He's now in U.S. federal custody, held on suspicion of operating a large and lucrative carding shop. His charges include wire fraud and access device fraud, as well as conspiracy to commit those offenses and identity theft and money laundering. The charges together carry a maximum of 80 years in prison, and prosecutors would also like to see Mr. Burkov forfeit his $21 million in allegedly ill-gotten gains.
Starting point is 00:13:46 Cardplanet was one of those black markets that mimicked legitimate business practices. It advertised itself as the only service that would refund the price of invalid card data. It's also said to have offered a fee-based service, Checker, that would allow downstream criminals to verify whether the cards they were considering buying were still valid. Meanwhile, in Canada, the Royal Canadian Mounted Police have charged Toronto resident John Armada Revesz with operating an international malware distribution scheme doing business as Orcus Technologies. Mr. Revesz says that Orcus is a legitimate remote access tool. The Mounties say, nope, it's a RAT. Okay, but the remote access Trojan kind.
Starting point is 00:14:35 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security,
Starting point is 00:15:17 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak.
Starting point is 00:16:20 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture.
Starting point is 00:17:02 Justin, it's always great to have you back. We've been seeing a lot of stories come by about biometrics and how it is taking a larger and larger part of cybersecurity operations. What sort of insights can you share with us? I think we can all agree that logging into websites is not fun, either through multi-factor or through the SMS textbacks or through remembering all of these passwords. And it does seem that biometrics is one of the cornerstones to authentication and to identity, but I don't think it's the panacea that people make it out to be. I am a big advocate of having multi-factor passwords in at least two of the three types
Starting point is 00:17:47 of authentication mechanisms. And those three are, one, what you know, so it's your password. Two, what you are, which is, of course, your DNA, your eyes, your fingerprints. And three, what you have. So whether that be a device, your phone, a fob, or something else in your physical possession, that makes it a lot more secure when you implement two or all three of those against an authentication target. What really worries me about this, Dave, is our reliance on biometrics, particularly here in North America. Biometrics, your fingerprint, your eye, your face is all data that is then sent and stored in various places. If you and I were living in Europe under the GDPR,
Starting point is 00:18:35 our own biometric digital information is considered to be part of us. It is our identity, and in fact, we own it. So if Google or Microsoft or Facebook have our biometric information, we have the right under EU law to force those companies to destroy it and not use it anymore. But here in North America and in other countries where we lack national data privacy regulations, it makes it a little bit fuzzy. And I'm not sure today, particularly outside of EU, if there is a generalized social construct or social understanding on who owns our biometric data. And I suppose, I mean, the other concern I've heard about biometrics is that they're hard to change. My fingerprints are my fingerprints,
Starting point is 00:19:25 and it's not like I can change my fingerprints the way I can change a password. Exactly. Our fingerprints are all digitized when we get our driver's licenses, and they're digitized when we pair them with our phones, same with our faces. And those zeros and ones can be copied, they can be reconstructed, and they can be altered. And in fact, they can be breached and they can be lost. Or even worst case scenario, they can be leaked and they can become public. It's only a matter of time before some organization that collects these biometrics goes through an incident or a breach, and a lot of our biometric data is out there in the public. So that really enforces why it is so important to have at least two, if not
Starting point is 00:20:14 three, of these identity cornerstones to be considered for authentication. Don't put all your eggs in one basket. Don't put all your fingerprints in one basket either. That's right. That's right. All right. Well, Justin Harvey, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:20:42 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. Thank you. run smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:21:45 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:22:39 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
