CyberWire Daily - Reaper looks like a criminal booter on the Chinese black market. BadRabbit shows some moves. Catch-All malicious Chrome extension. Android currency miners in Google Play. Indictments in Russia probe.
Episode Date: October 30, 2017
In today's podcast, we hear that the Reaper botnet is still quiet, and looking like a booter-for-hire. BadRabbit shows some odd stealth, and some interesting strategic selectivity. A malicious Chrome extension steals everything you put on a website. Currency miners on phones seem to be the kind of crime that doesn't pay, but that's not stopping crooks from stuffing them into Google Play. First indictments in the US probe of Russian election influence operations are out. Emily Wilson from Terbium Labs on third party breaches, what she describes as “Not your breach, still your problem.” And a class action suit is filed over the Equifax breach. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. We read Recorded Future’s free intel daily, you might find it valuable, too. If you’d like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8’s white paper. Interested in the latest research in cyber security? Cylance is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect the execution of advanced persistent threats and malware. Learn more at cylance.com. Podcast sponsor 1-Recorded Future: http://goo.gl/wphZ1z Podcast sponsor 2- E8 Security: https://goo.gl/yBBx55 Friday sponsor- Cylance: https://goo.gl/fHR65L Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
And a class action suit is filed over the Equifax breach.
I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, October 30, 2017.
The Reaper IoT botnet remains puzzlingly quiescent. It may also be smaller than initially believed. Security company Check Point's tally of a million, widely reported last week, was based on extrapolation from an observed size of 30,000. It's not a bogus number, but it is an extrapolation. Other security firms have come up with lower infection totals. NetLab 360 initially put the total somewhere between 10,000 and 20,000 devices, now up to nearly 30,000. Radware and Ixia have arrived at numbers similar to NetLab 360's, but the botnet could expand swiftly. NetLab 360 reports observing a queue of about 2 million devices vulnerable to exploitation by a Reaper control server.
While most researchers see signs of amateur missteps by Reaper's developers, the botnet's development platform lends itself to attacks other than the expected DDoS. But as things stand, Reaper looks like a booter or stresser service intended for China's domestic DDoS-for-hire black market. That's Arbor Networks' assessment, anyway. They've told Krebs on Security that, quote, Reaper appears to be a product of the Chinese criminal underground. Some of the general Reaper code is based on the Mirai IoT malware, but it is not an outright Mirai clone, end quote.
Researchers at Morphus Labs are describing a new malicious Chrome extension that they're calling Catch-All. Catch-All does what its name suggests. It intercepts and captures all of a user's interactions with sites reached through the browser. Morphus researcher Renato Marinho has details up on the SANS Institute's Internet Storm Center InfoSec forum. He's been tracking malicious Chrome extensions for some time. This campaign, which has been observed in Portuguese-language emails, phishes its way into victims' machines posing as an email with links to photos sent via WhatsApp. If you follow a link, you'll download a dropper, which will present a bogus Adobe Reader install screen, and at that point, Bob's your uncle, or rather, their uncle, since Catch-All will indiscriminately pull in all the data you enter into any website you visit.
Security researchers are reporting an odd discovery about Bad Rabbit. FireEye and Cylance say the ransomware skips encryption if it detects Dr. Web antivirus software. Dr. Web published the same findings. Cylance thinks it's a stealth measure having to do with the way Dr. Web protects the master boot record, and that Bad Rabbit also keeps an eye out for McAfee products that operate similarly to Dr. Web's. FireEye thinks it looks fishy, and that Bad Rabbit may not be the typical criminal ransomware this spawn of NotPetya would have us think.

FireEye's Nick Carr offered some perspective on what they think is up with Bad Rabbit. On the 24th, the company began to detect and block attempts to infect clients with a drive-by download posing as a bogus Flash update. Carr said, quote, the infection attempts were referred from multiple sites simultaneously, indicating a widespread strategic web compromise campaign, end quote. FireEye has been seeing this sort of malicious JavaScript framework in the wild since February of this year, including its usage on several of the sites from today's attacks. According to Carr, quote, this framework acts as a profiler that gathers information from those viewing the compromised pages, including host and IP address info, browser info, referring site, and cookie, end quote.

FireEye sees Bad Rabbit's approach as involving strategic web compromises that enable attackers to select targets carefully and cease operations swiftly. Carr explained further, quote, when we say strategic web compromises, this means an attacker hosts malicious code on an unknowing victim's website that is then used to infect the true targets. The websites are carefully selected for compromise so that they will have the most direct reach to the ultimate targets with minimal collateral damage. In the case of Bad Rabbit, many strategic compromises were Eastern European travel and media websites used to then profile visitors and deliver the payload, end quote. India's computer emergency response team has issued a medium security alert for Bad Rabbit, which seems about right.
It's not clear that mobile devices have the computational oomph to mine useful amounts of cryptocurrency, but that hasn't stopped the hoods from trying. Trend Micro reports a resurgence of Android miner malware in the Google Play Store. They detect the malware as AndroidOS_JSMiner and AndroidOS_CPUMiner. They'll run down your battery and degrade performance.
In industry news, cybersecurity startup Cryptonite has emerged from stealth, that's Cryptonite with a C. With investment from Gula Tech Adventures and early stage support from the U.S. Department of Homeland Security's Science and Technology Directorate, Cryptonite specializes in helping networks protect themselves by containing infections and blocking lateral movement.

U.S. Special Counsel Robert Mueller this morning announced charges against two individuals emerging from the Russian influence probe. Paul Manafort, briefly President Trump's campaign manager during the run-up to the Republican convention, and Manafort's associate Richard W. Gates were indicted by a federal grand jury Friday on 12 counts: conspiracy against the United States, conspiracy to launder money, unregistered agent of a foreign principal, false and misleading FARA statements, false statements, and seven counts of failure to file reports of foreign bank and financial accounts. More indictments are widely expected, and the U.S. Senate and House are moving forward with investigations of activities surrounding political opposition research consultants Fusion GPS.
And in civil litigation, as night follows day, so does the plaintiff's bar follow the data breach. A class action lawsuit has been filed against Equifax on behalf of those who suffered identity theft as a result of the credit bureau's loss of their personal information. What took you so long, counselor?
And I'm pleased to be joined once again by Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, welcome back. You brought to my attention a recent Ponemon study on third-party breaches and an interesting narrative there. It was sort of not your breach, but it's still your problem. Take us through what we need to know here.

Absolutely. The not your breach, still your problem is definitely a topic that keeps coming up again and again. We're seeing, obviously, industry-wide, more people looking at and feeling the impacts of data breaches. And typically, people are concerned about breaches. You know, hey, is this my data? And more specifically, is this my problem? Is this my system? But companies don't always have the benefits, call it a benefit, right, of it being something that they can control or they can contain. And Ponemon's looking at data around how people are assessing and evaluating not only third-party risk, but what they're calling nth-party risk. The third parties you trust with your data, then who are they sharing that data with? And how can you get control over that?

Is it a matter of disclosure that basically anyone you do business with who has access to your data, you require them to tell you who they're going to share the data with and how?

That's one approach to it. And Ponemon has a nice breakdown. I would encourage, I know plenty of the listeners are going to be familiar with the Ponemon reports. This one's from September this year, a third-party risk ecosystem. I would recommend reading it. You know, they talk about different ways companies are approaching this and some of it is in contractual language. But then also, you know, a lot of this relies on a third party disclosing to you that they've had a problem, which means the third party needs to know that they've had a problem. And that's an entirely separate issue.

Right. We've got the, I mean, the statistics are sobering there. It can take, I don't know what the current number is, but we've certainly heard up to a year before you even know that someone has been inside your system.

Right. And that ends up showing up in this report. Only 35% of respondents were confident that a third party would notify them if they'd had a data breach. And that drops down to 11% for an nth party, right, someone outside of a third party. And so when you look at that, if only 35% of the respondents were confident that a third party would share that with them, you know, how does that number drop even further when, you know, again, that's notifying them when they know there's a problem.

Are we heading towards this time when perhaps the safest approach is just to assume that the data has been breached?

I wish I could be as optimistic as saying that we are heading toward that time. I think companies need to now assume that they have been breached or that one of their partners has been breached. As we've been seeing, even with a company like Yahoo, you know, we recently heard that the number of accounts exposed there was even higher than we originally thought. And that dates back to what, 2014? So, you know, I think we're going to see over the next coming years, we're going to, you know, continue to hear about breaches that people are discovering two or three years later. I think you absolutely have to assume that there has already been or soon will be a problem.

All right. Emily Wilson, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.