CyberWire Daily - Reaper botnet update, Election hacking in Kenya, Czech Republic. M&A notes. APT28's phishing. Kaspersky's offer of code review. FBI shots in the crypto wars.
Episode Date: October 24, 2017. In today's podcast, we learn that Hurricane Reaper, the big IoT botnet, remains a digital tropical depression, but plenty of people are warning everyone to stock up on the cyber equivalents of flashlight batteries and bottled water. Czech parliament sites hacked in apparent election-related mischief. Kenya's contentious re-vote approaches. APT28 gets a Bronx cheer for lame CyCon phishing, but don't get cocky, kid. KnowBe4 and Cisco announce acquisitions. Kaspersky seeks to undo reputational damage inflicted by US Government ban. The FBI re-engages in the crypto wars. David DuFour from Webroot on phishing trends. Phil Neray from CyberX reviewing their Global ICS & IIoT Risk Report. If you had a nose job at London Bridge Plastic Surgery, someone's got your before and after pix.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hurricane Reaper, the big IoT botnet, remains a digital tropical depression,
but plenty of people are warning everyone to stock up on the cyber equivalents of flashlight batteries and bottled water.
Czech parliament sites are hacked in apparent election-related mischief.
Kenya's contentious re-vote approaches.
APT28 gets a Bronx cheer for lame CyCon phishing, but don't get cocky, kid.
KnowBe4 and Cisco announce acquisitions.
Kaspersky seeks to undo reputational damage inflicted by U.S. government bans.
The FBI re-engages in the crypto wars.
And if you had a nose job at London Bridge Plastic Surgery, somebody's got your before and after pics.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, October 24, 2017.
People are still waiting for the Reaper botnet, also called IoTroop,
to unleash its expected distributed denial-of-service hurricane,
but so far Hurricane Reaper remains the cyber equivalent of a just-forming tropical low-pressure system.
It bears watching. Security reporter Brian Krebs, for one, thinks this is the proverbial calm before
the storm. The Mirai botnet to which Reaper is being compared incorporated about half a million
IoT devices. Reaper is thought to have accumulated at least twice that many. Its bot herding differs from Mirai's.
Where Mirai relied on exploiting default or hard-coded passwords,
Reaper uses at least nine known vulnerabilities present in products of more than ten device manufacturers.
Brief denial-of-service attacks interrupted vote counting in Czech parliamentary elections
as the government had to take down two sites temporarily.
But effects seemed transitory and of little consequence.
It's unknown who was responsible.
The campaign has been a contentious one with a, stop us if you've heard this one,
wealthy populist emerging as the surprise winner.
Kenya is undergoing a troubled election this week,
actually a court-ordered do-over prompted by findings of widespread and serious electronic voting fraud when the presidential election was held earlier this summer.
Kenya's Supreme Court overturned incumbent President Uhuru Kenyatta's August 8th re-election in a decision handed down on September 1st.
With voting now just two days off,
it's not even clear if the opposition candidate will be standing for election this time around.
Observers fear the possibility of civil unrest, whatever the outcome turns out to be.
APT28, also known as Fancy Bear, also known as Russia's GRU, is getting razzed for its attempts to phish attendees at the upcoming
CyCon conference on cyber conflict to be held November 7th and 8th in Washington, D.C.
Oh, you silly APT28, show some respect, is Bleeping Computer's admonition to the Russian hackers
who phished for people likely to attend the upcoming CyCon conference.
Apparently, few have taken the bait.
We get the joke, but before we're willing to second APT28's nomination for a Pwnie Award,
we'll wait and see.
Kids swallow the darndest fish bait.
Anyway, we know for sure, we're pretty sure anyway, that we didn't take the bait, even though we'll be attending.
On the other hand, we think APT28 didn't bother sending us a baited document,
and we're glad of that because, you know, well, kids swallow the darndest fish bait.
Kaspersky's offer to subject its source code to independent public review
is about as much as the security firm can do to recoup reputational damage
sustained from a U.S. government ban.
Observers are skeptical that this will work.
A code audit wouldn't preclude compromise by or collaboration with intelligence services,
and those are the fundamental concerns that customers have.
We've had plenty of examples this year of vulnerabilities in industrial control systems
and the industrial Internet of Things. The folks at CyberX released a new report today
called the Global ICS and IIoT Risk Report. Phil Neray is VP of Industrial Cybersecurity at CyberX,
and he gives us an overview of the report. We know that experts have been telling us for years
that these industrial networks are vulnerable. And a lot of that is due to the fact that
they were designed many years ago, that the protocols and devices that they're using are insecure
by design. They were designed at a time when the focus was more on performance and reliability
than security. And so they don't have a lot of things that we take for granted in IT networks like strong authentication. And a lot of these
opinions are, you know, based on anecdotal evidence, lots of experience looking at these
networks and seeing how insecure they are. So we thought it was important to have more of a data
driven discussion about the risk, and to objectively evaluate that risk and then talk about what we could do about it,
short of a massive upgrade to all of these networks. And so this approach involved actually
going out and gathering a good bit of data? Yeah, we took network traffic data from real-world
industrial networks worldwide. Over the past 18 months, we analyzed data from 375 industrial control networks
across all sectors: energy, oil and gas, manufacturing, pharma, chemicals. And we used some algorithms that
we've developed that are in the general category of network traffic analysis, NTA, which are
specialized algorithms we've developed that, by inspecting the network traffic, can highlight vulnerabilities such as connections to the public internet, what types of operating systems are running on the devices, what types of PLCs are installed in the network.
And using that analysis, we came up with some data points that are pretty eye-opening,
I would say. Yeah, I'd agree. Well, why don't you take us through some of the key findings in the
report? Sometimes these networks are described as being hard on the outside and soft on the inside,
like M&M candies. And we found that they're definitely soft on the inside, but they're
actually not that hard on the outside either. And there's this myth
of the air gap that because these networks are separated from the internet or from corporate IT
networks and air gapped from them, we don't have to worry too much about patching or monitoring.
And what we found was that nearly a third of these networks are actually connected to the
public internet. So that was the first big one. The second big one is that these networks have a lot of
legacy Windows machines in them.
We found that three out of four of these sites have legacy
Windows machines like Windows XP or Windows 2000, which
means they're not getting security patches from
Microsoft anymore.
So even if you wanted to patch them,
which is a difficult process in OT environments, you can't.
And if you wanted to upgrade all of them,
that's a big task because they're running
all kinds of SCADA applications
that might be tied to a particular version of Windows.
So that would be a pretty massive upgrade.
But what that means is once an attacker gets in the network,
it's pretty easy
for them to deploy common malware to those devices, to those Windows boxes, including
sort of newer malware like WannaCry and NotPetya, but even the older stuff like Conficker
could be running on these machines just because they can't get those patches.
So obviously, you know, sobering information, lots of interesting
data sort of translated for us. So what does this mean in the real world? How bad is it?
Well, I think it's a wake up call. I think it's a wake up call for management teams. Now,
you know, the people who are running industrial security in these organizations, they know that
their networks are vulnerable.
I think the biggest challenge is raising awareness with management teams and boards of directors that this is an issue that really needs to be addressed from a top-down point of view,
kind of in the same way IT woke up to that fact 10 years ago or so. Anything you can do from a
top-down point of view to encourage people to
work together? Because look, if malware or targeted attack shuts down the plant and your
main production line that's generating the revenue for your company, everyone's going to suffer.
The growth of your company is going to suffer. People's careers are going to be slowed down.
There's going to be a decline in stock price. So really,
it's everyone's job to protect the OT network. And so getting these guys to talk to each other,
to understand each other, maybe assigning an OT person to go work in your corporate SOC to learn a bit about security, or taking IT security people from your CISO team and assigning them to
the operational side of the business to learn a bit about how these OT networks work.
Those are all good things to do to break down the barriers between IT and OT.
That's Phil Neray from CyberX.
The report is Global ICS and IIoT Risk Report.
There's a lot more to it than we had time to cover here,
so you can check out the complete report on the CyberX website.
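As an added illustration of the kind of passive network-traffic analysis Neray describes, and not CyberX's own algorithms or report data: a short Python pass over constructed flow records that flags OT hosts reaching the public internet and hosts whose passive OS fingerprint shows an unsupported Windows version. The OT subnet, the flows and the OS banners are all assumptions made for the example.

```python
"""Flag two of the report's headline risks from passive flow records:
OT hosts that talk to the public internet, and OT hosts fingerprinted as
running Windows versions that no longer receive patches.
Example written for this transcript; not CyberX code. All data is constructed."""
import ipaddress
from collections import defaultdict

# Constructed sample: (src_ip, dst_ip, dst_port, os_banner_for_src).
# The assumed OT subnet is 10.20.0.0/16. The banner is what a passive
# OS fingerprinter might attach to the source host (assumption, not tool output).
FLOWS = [
    ("10.20.1.10", "10.20.1.20", 502,   "Windows XP"),    # Modbus to a peer
    ("10.20.1.10", "10.20.1.30", 44818, "Windows XP"),    # EtherNet/IP to a PLC
    ("10.20.2.5",  "93.184.216.34", 443, "Windows 10"),   # HMI reaching the internet
    ("10.20.2.7",  "10.20.0.1", 53,    "Windows 2000"),   # DNS to an internal resolver
    ("10.20.3.9",  "8.8.8.8", 53,      "Windows 7"),      # public DNS from the OT segment
    ("10.20.3.9",  "1.1.1.1", 443,     "Windows 7"),      # another public destination
]

# Versions out of Microsoft support at the time of the report (XP, 2000, Server 2003).
UNSUPPORTED_WINDOWS = ("Windows XP", "Windows 2000", "Windows Server 2003")


def is_public(ip: str) -> bool:
    """True for a globally routable address; RFC 1918, loopback, link-local etc. are False."""
    return ipaddress.ip_address(ip).is_global


def analyze(flows, ot_net: str = "10.20.0.0/16") -> dict:
    """Return per-host findings for sources inside the OT subnet."""
    net = ipaddress.ip_network(ot_net)
    internet_talkers = defaultdict(set)   # src -> {(public dst, port)}
    legacy_hosts = {}                     # src -> banner
    ot_hosts = set()
    for src, dst, port, banner in flows:
        if ipaddress.ip_address(src) not in net:
            continue                       # only OT-segment sources are of interest
        ot_hosts.add(src)
        if is_public(dst):
            internet_talkers[src].add((dst, port))
        if banner.startswith(UNSUPPORTED_WINDOWS):
            legacy_hosts[src] = banner
    pct = round(100 * len(internet_talkers) / len(ot_hosts), 1) if ot_hosts else 0.0
    return {
        "ot_hosts": len(ot_hosts),
        "internet_connected": dict(internet_talkers),
        "legacy_windows": legacy_hosts,
        "pct_internet": pct,
    }


if __name__ == "__main__":
    for key, value in analyze(FLOWS).items():
        print(f"{key}: {value}")
```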
In other industry news, security training shop KnowBe4 has announced that it's buying Securable.io.
KnowBe4 expects the acquisition to provide the security awareness training shop with the ability to tailor training to an individual's observed behaviors.
Cisco has also made an acquisition, a big one, buying Broadsoft for $1.71 billion.
Broadsoft's products are widely used in the telecommunications industry, and the pickup
is expected to bolster Cisco's collaboration offerings and further diversify the company
from its core switching and routing products.
The deal surprised many analysts, who now speculate that Cisco may make a major push
to buy a rival.
The US FBI re-engages in the crypto wars, still on the anti-encryption side.
Director Wray says he gets that there's a balance to be struck, but he calls unbreakable
encryption a huge, huge problem.
The Bureau has been unable
to break into some 7,000 devices it tried to access over the past year in the course of
investigations. Finally, a plastic surgery practice in the UK has been breached, and of course the
question everyone wants answered, that is, everyone who reads celebrity gossip sheet E! Online, is this: was the royal family involved? Was there information among those compromised in the hack of London Bridge
Plastic Surgery? The aesthetic surgeons to the stars describe themselves as horrified and say
that of course the attack was the work of a sophisticated group well known for hitting
medical practices in the U.S. Police are investigating.
Apparently, photos are involved.
Photos usually are.
And joining me once again is David DuFour. He's the Senior Director of Engineering and Cybersecurity at Webroot. Dave, welcome back. Over there at Webroot, you publish a report. It's
called your Quarterly Threat Trends. And you guys are seeing some interesting stuff when it comes
to phishing. Yes. Thank you for having me back, David. And phishing, I think to probably no one's surprise, continues to be a really huge attack vector for everyone in the cybersecurity industry. And we were taught that social engineering was the number one way that the bad guys were going to try to get into a computer system by phoning you or acting like they were maintenance people or trying to some way get your username and password from you.
Again, that was 1988, not to date myself.
Here we are in 2017 with phishing.
And that is still, ironically, social engineering is the number one way of getting access to someone's information, their accounts and things of that nature.
So 29 years hasn't changed.
Yeah. What are some of the stats that you all have been seeing?
You know, throw some numbers, hard numbers at you.
We're seeing about 46,000 new phishing sites created every day, 46,000. And so what's happening here is folks are able to automate the infiltration
of unpatched web servers, things of that nature. And then they're propagating across those web
servers with prepackaged, typically phishing tools that you can buy at places like AlphaBay,
you know, out of business. But, you know, websites like that, you buy these prepackaged phishing sites that you can just
automate the deployment of those if you've been able to hack servers. So we're seeing massive,
massive numbers. And these packages typically are geared towards attacking or phishing information
from financial institutions or technology companies. So there are two main categories
we're seeing where these packages
or where folks are trying to phish information from people to gain access to those environments.
So they're trying to get access to people's banking information?
Yes. So banking information would be banking, financial, your stocks, things like that.
That's the number one thing that we see in terms of, you know, people trying to steal money. Then on the other side of the fence, people are trying to get access to, like, your email accounts or even
hack into technology companies simply because it's fun to hack into technology companies and look
cool doing it. So that's why we really see those two verticals as being the primary
vehicles of attack. And so observing these things,
what kind of efforts are there to help to shut them down? There are lists out there that are
provided. A lot of that is crowdsourced where someone sees a phishing site, they may have
gotten it in an email, and they're going to add that to a list. The problem with lists that we experience, and this is, you know, my view and what I'm seeing, most of the phishing sites we see are only up for four to eight hours.
So those 46,000 sites created every day on average are only up and running four to eight hours.
So a list is not necessarily going to provide you accurate
information about phishing sites that are up. What you've really got to do is look for solutions that
can identify sites in real time as you're trying to hit that site. From a pure security play,
what you want to do is analyze a URL as you navigate to it to ensure that it is not a phishing site, that it
is in fact a legitimate site. And obviously you're going to need some type of software or something
running on your machine to do that. Short of that, David, what you can do to protect yourself from
phishing is don't click on those links that someone might send you in a social app or something.
You know, verify it.
Hover over it to make sure it looks legit.
And really, honestly, the best thing you can do is if someone sends you an email or sends you a link they want you to navigate to, type it in your browser.
That's how you can be sure you're going to the site you expect to arrive at.
All right.
Good advice as always.
David DuFour, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.