CyberWire Daily - RATs and the long game. New ransomware, Learning from other espionage services. Advance-fee scams continue to infest Twitter. Fancy Bear says it can’t be sued.
Episode Date: November 15, 2018
In today's podcast, we hear that tRAT indicates a criminal shift to a longer game. Chinese industrial espionage copies Russian services' tricks. Dharma ransomware evolves. Bitcoin's price may be tanking, but Bitcoin-based advance-fee scams are still all over Twitter, with bogus big brands' blue checks all over them. Nigeria plans to go after cyber gangs. Fancy Bear says it can't be sued, even if it did anything. And why a password manager is better than an infernal machine. Jonathan Katz from UMD describes a side-channel attack on mobile device encryption. Guest is Mike McKee from ObserveIT on nation-state attacks. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_15.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
tRAT indicates a criminal shift to a longer game.
Chinese industrial espionage copies Russian services' tricks.
Dharma ransomware evolves.
Bitcoin's price may be tanking, but Bitcoin-based advance-fee scams are still all over Twitter, with bogus big brands' blue checks all over them.
Nigeria plans to go after cyber gangs.
Fancy Bear says it can't be sued, even if it did anything.
And why a password manager is better than an infernal machine.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 15th, 2018.
Researchers at the security firm Proofpoint have described a new modular remote access Trojan, tRAT.
This RAT arrives via social engineering: phishing emails with malicious Microsoft Word documents attached.
tRAT is distributed by the criminal group familiar from its involvement with the notorious Dridex campaigns in 2014, the Locky crime spree in 2016 and '17, and many other attacks as well.
That group Proofpoint tracks as TA505. It's criminal, of course, and its motive is financial. No reasons of state here.
Proofpoint describes the group's activities as structured in an informative way, one that can help defenders recognize similar campaigns.
First is the actor itself, most interesting because recognizing the human motivations of the attacker can inform defense.
Then there's the vector, the delivery mechanism.
In the case of TA505, that mechanism has been a spam-serving botnet, sometimes owned by TA505 and sometimes leased.
The third element is the hoster, usually a macro-enabled document that pulls its malicious payload from a host server.
The payload itself is the fourth element. It's the malware that enables the attackers to work their will on the victim machines.
And finally, there's command and control, the link between the malware and the attackers.
TA505 and other capable actors use a range of command and control servers, which renders them resilient in the face of sinkholing, takedowns, and other enforcement actions.
TA505 has tended to be a ransomware specialist, but its turn toward remote access Trojans suggests that it's now playing a longer game.
As Proofpoint puts it, this represents, quote, "a broader shift towards loaders, stealers, and other malware designed to reside on devices and provide long-term returns on investment to threat actors," end quote.
There's another new ransomware threat out there, a refreshed and evolved version of the Dharma strain.
Researchers at Heimdal Security have been tracking new strains of the familiar ransomware.
The latest version successfully evades detection by most antivirus software.
Nation-state threat actors are also currently active.
A cyber espionage campaign against engineering and maritime targets in the UK has been traced by cybersecurity company Recorded Future to a Chinese threat actor known variously as TEMP.Periscope and Leviathan.
We'll say Leviathan for now, and note that it seems to be engaged in the now very familiar Chinese practice of industrial espionage.
Leviathan's case is interesting because of the way it points out the extent to which different nation-states' intelligence services sometimes share and more often simply copy the methods of their competitors in espionage.
Leviathan makes interesting use of techniques apparently repurposed from the Russian threat actors Dragonfly and APT28, that is, Fancy Bear, the GRU with its restored R.
If you relied solely on style, you might conclude this activity originated in Moscow as opposed to Shanghai.
The threat of nation-state attacks on private companies leads to a certain amount of understandable anxiety among security professionals.
We checked in with ObserveIT CEO Mike McKee for his take on how serious a threat nation-state actors really are and how much of an uptick they're really seeing.
I think the short answer is increasingly often. Fortunately, it's nowhere near the majority.
More and more, there's risk there in terms of competitive trade secrets and intellectual property leaving.
And this is more larger companies. It's something we're hearing more and more of as being on the radar of security folks at large companies.
So how do you dial in what would be a reasonable, practical, proportional response?
Yeah, it's almost a little bit by vertical.
You know, manufacturing and pharmaceuticals,
yeah, I would say a third of the time we're hearing that as a threat.
That's probably up from around 10% of the time before as something that's on their radar that they're looking out for.
I guess what I'm getting at is I hear a lot of people say
that attribution isn't necessarily so important.
Does it matter if the attacks coming in are from a nation state or from just your run-of-the-mill criminals who are trying to get something to either steal or sell?
I would say yes, because I think more often when it's at the nation-state level, it's a direct competitor.
I'm headed down to D.C. tomorrow to see a bunch of folks that we work with that, you know, get a lot of this information firsthand. But the particular individual we partnered with was at one of the larger pharmaceutical companies.
You know, they would regularly see employees planted in the organization whose job it was to get intellectual property back to China.
I do think that the difference between just selling it on the web and the different areas of the dark web and to actual countries or nation-states is it gets into the hands of better, well-funded competitors faster.
And are there any specific indicators that point to a nation-state actor specifically?
We literally, so we work with this partner down in D.C. And most of the folks there came out of the CIA.
I mean, they have literal websites that people go back to. They have organization names who they'll communicate back to.
They know from their investigative work what sites are set up and what information repositories are set up, where they're trying to get it to.
They have the addresses and the URLs, and that's what they look for. And that's what we look for with them as we build that information into the alerting capability of our product.
Do you suppose that this notion of being attacked by nation-states has in some way become kind of a get-out-of-jail-free card for people who've been breached? I mean, it's one thing to say that some crooks got in, but it's another thing to say, well, a nation-state got us, and what could we have done with an attack that sophisticated?
I don't think so.
Yeah?
Meaning people are always trying to know the why or where it came from, and that whole mean time to detect, mean time to remediate is always on people's mind.
It's no better if it's a data breach from some kid in a basement in the US than it is a nation-state.
If customer information has gotten out or intellectual property has gotten out, whether, like I said, it's to an individual trying to sell on the dark web or a competitor across the street or a competitor in China, I don't think there's any less concern on that.
I don't think people are like, oh, well, you can get the guy next door, you get the guy in the basement, but I understand you can't get China or Russia, because their job is to make sure that as little information goes out as possible.
One of our new board members, Dave DeWalt, I was actually just looking at the quote, but he was saying that 29 countries have declared cyber commands, including, you know, basically said they're going to use offensive cybersecurity methods to get information.
These are more nation-states as opposed to companies in those countries, but often there's a pretty blurry line between those two things.
So 29 have actually declared they're doing it. 60 other countries say they've got the ability to do it.
And that's just a completely different level than it was five years ago.
So it's almost, I mean, exaggerating a little bit, but Army, Navy, Air Force, Marines, as we know, sort of Army, Navy, Air Force, Marines, cybersecurity.
And it's an arm that nation states have to get information, which is becoming increasingly accepted.
That's Mike McKee from ObserveIT.
The implausible but depressingly effective Bitcoin-based advance-fee scam, as in send us Bitcoin and we'll send you 10 more Bitcoin in return, has assumed new forms, with major brands' Twitter accounts being hijacked or spoofed to convince the unwary.
Target and Google are among those major brands whose blue-checked names are being fraudulently used to bilk people out of their cash, and a lot of observers are impatiently grumbling that it seems Twitter ought to do something.
Bitcoin itself, we note, has seen its price crash below $6,000 on trading markets this week, as speculators apparently fear a coming fork in the blockchain.
Nigeria's new cyber command, staffed by technically proficient military officers, is expected to help with counterterrorism.
The government also hopes the young organization will take a toll on the country's organized cybercriminals.
That will be a challenge. The gangs are a deeply rooted subculture.
It's no accident that the classic advance-fee scam is the email from the widow of a fictional Nigerian prince.
That scam is so iconic it's even known as a 419 scam, after section 419 of the Nigerian criminal code that makes such stuff illegal.
Good luck to the young cyber command.
Fancy Bear says the DNC can't sue them, according to ABC News and other outlets.
Fancy Bear and Cozy Bear got their pals over in the Ministry of Justice to say that.
Even if they did hack the Democratic National Committee, the DNC can't sue them.
And they're not saying they did; it's more that they're speaking hypothetically on behalf of a friend.
That's the claim the Russian Ministry of Justice made in a 10-page statement of immunity it delivered to the U.S. State Department.
If such alleged hacking happened at all, which, understand, they're not saying it did, but if it did, they say that such alleged hypothetical hacking would have been a military action, and as such shielded by the Foreign Sovereign Immunities Act of 1976, a U.S. law that affords foreign governments a degree of immunity for some actions they take inside the U.S., if, that is, they took any such alleged action at all.
Finally, in a story that's far less funny than bald retelling suggests, a Swedish man has received six and a half years in prison for mailing a letter bomb to what he thought was the address of a Bitcoin exchange that wouldn't change his password.
Jermu Michael Salonen of Gullspång, Sweden, was a customer of London-based CryptoPay, a site that enables altcoin enthusiasts to indulge their passion for trading this now rapidly depreciating currency.
Mr. Salonen sent the device, which was real and potentially lethal, to what he thought was CryptoPay's address, but that in fact was the address of an accounting firm CryptoPay had once used.
The London Met's bomb squad rendered the device safe, but it could have been lethal, and it sat in the mailroom unopened for five months.
There are a few lessons to be drawn from this incident.
First, don't gamble with more than you can afford to lose.
Second, don't expect your accountants to open mail you send them promptly.
And third, for heaven's sake, Mr. Salonen, invest in a password manager.
Heck, even writing your password on a sticky note tacked to the underside of your keyboard would be suboptimal, but better than sending someone a letter bomb.
And joining me once again is Jonathan Katz.
He's a professor of computer science at the University of Maryland.
He's also director of the Maryland Cybersecurity Center.
Jonathan, it's great to have you back.
We had a story come by from Science Daily, and this was about some researchers at Georgia Tech who had discovered some side-channel vulnerabilities with some encryption in smartphones.
Fill us in. What's going on here?
This was an attack that the researchers found on a version of OpenSSL that was being used on these smartphones. And like you said, it was a side-channel attack, which means that they were kind of using information that was being leaked from the device itself, physical information that was being leaked, in order to figure something out about the encryption key being used on the device.
So is this like RF energy leaking from the device?
Right, that would be an example. And what's interesting about side-channel attacks in general is that typically, when we think about security of an encryption scheme, and when we analyze security of an encryption scheme, we think only in terms of the plaintext messages going in and the encrypted messages going out.
And then we argue that the attacker won't be able to figure out anything about the message from the encryption that it sees.
But we typically don't think about all this other information that might be coming out of the device, like you just mentioned.
But it turns out that those can be a pretty powerful attack vector that can allow an attacker to figure out more about the encryption than they should be able to.
So help me understand, is this the information within the device itself is traveling around in an unencrypted state, and they were able to sort of suss out what the keys would be in this case? Is that what was going on?
That's the basic idea. It's a little more complicated than that, but basically by looking at emanations from the device, they were able to figure out, in particular, when some operation was being done and when it wasn't being done.
And that information could then be correlated with the bits of the key.
And gradually, by repeating this enough times, they were able to figure out the entire key from the device.
I see. So I suppose part of this is they had to be in fairly close proximity to the device in this case.
They did. In their experiments, they actually had a measuring device that was not touching the phone, but it was right up next to it. But they claimed that in principle, an attacker might be able to do it from further away, or might be able to have a recording device nearby the phone with the owner of the phone not suspecting anything.
And what's your take on ways to prevent this sort of thing?
Well, researchers have been looking actually for a while at these attacks and then also how to prevent them. What's, you know, maybe especially interesting here is that the OpenSSL libraries were designed in part to prevent these kinds of attacks, but nevertheless, the researchers were able to carry out the attack anyway. So I guess it just shows we'll have to go back to the drawing board and figure out how to make either the physical device not leak this information anymore, or to make sure that the algorithm that they're using for the encryption is kind of leaking things that are independent of the key.
But it's definitely something that's quite difficult to do.
Yeah. All right. Jonathan Katz, thanks for joining us.
Thank you.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.