CyberWire Daily - Reddit Hacked. Ukrainians nabbed. Facebook boots "inauthentic" accounts for malign influence. Pegasus spyware found in Amnesty phone. Yale's old breach. Google and censorship.
Episode Date: August 1, 2018
In today's podcast we hear that a Swiss chemical agent forensic lab has seen Sandworm phishing attempts. Facebook kicks thirty-one "inauthentic" accounts from its platform: they seem to have been engaged in influence operations, possibly Russian. Attribution remains difficult. NSO Group's Pegasus spyware found in Amnesty International phone. SamSam ransomware exacts a high cost. Yale realizes it was breached about ten years ago. Google allegedly prepares a censor-engine for Chinese web searchers. Craig Williams from Cisco's Talos unit, describing his team and the work they do. Guest is Thomas Hofmann from Flashpoint on ransomware and online extortion. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_01.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Reddit has been hacked.
The U.S. DOJ collars three Ukrainians alleged to be card stealers.
Facebook kicks 31 inauthentic accounts from its platform.
They seem to have been engaged in influence operations, possibly Russian.
Attribution remains difficult.
NSO Group's Pegasus spyware has been found in Amnesty International phones.
SamSam ransomware exacts a high cost.
Yale realizes it was breached about 10 years ago.
And Google allegedly prepares a censor engine for Chinese web searchers.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 1st, 2018.
We've got a couple of breaking stories as we publish today.
First, Reddit has announced that between June 14 and 18 of this year,
an attacker compromised a few employee accounts
and gained access to backup data, source code, and logs.
Specifically, they downloaded an archived backup of all Reddit data from 2017 and before, including account credentials, email addresses, and public and private messages.
Also grabbed were email digests sent by Reddit in June 2018, as well as Reddit source code and other internal files.
Reddit is working with law enforcement and is reaching out to users who may have been affected.
The other breaking news story today comes from the U.S. Department of Justice,
who announced the arrest and indictment of three Ukrainian nationals
who are alleged to be members of the notorious cybercrime group FIN7.
The DOJ claims FIN7 are responsible for attacks on over 100 U.S. organizations,
stealing more than 15 million credit card records
from companies like Chipotle, Chili's, Arby's, Red Robin, and Jason's Deli.
The Seattle Cyber Task Force of the FBI
and the U.S. Attorney's Office for the Western District of Washington
led the investigation and coordinated with law enforcement agencies
in Poland, Germany, and Spain.
Facebook has ejected 32 questionable accounts from its platform
for engaging in what Facebook characterized as inauthentic behavior.
There's some evidence that the accounts are connected with the Internet Research Agency,
the St. Petersburg troll farm implicated in earlier influence operations.
There's a degree of ambiguity in the evidence,
but one interesting note is that one of the pages taken down
appeared briefly but clearly to be under the control of the Internet Research Agency.
This round of influence would seem to be aimed at inflaming the alt-left against the alt-right,
which makes perfect sense if the goal is disruption and chaos.
The inauthentic pages were up and operating between March 2017 and this past May,
during which period they accumulated some 290,000 followers.
A representative recent message aimed at getting people to confront and resist fascism,
with the effort organized under the slogan,
No Unite the Right to D.C.
The reference is to a planned fringe alt-right event under organization for Washington.
Facebook is reticent about connecting the campaign to Russia or any other nation-state,
and they do note correctly that while it looks like the old familiar St. Petersburg troll farm,
it could certainly be the work of copycats.
Facebook's CSO John Stamos put it this way in a lengthy post on the company's blog yesterday. Quote, "This is one of the fundamental limitations of attribution. Offensive organizations improve their techniques once they've been uncovered, and it is wishful thinking to believe that we will always be able to identify persistent actors with high confidence."
Facebook has notified followers and recipients of the inauthentic messaging that they've been hoodwinked.
The Atlantic Council is analyzing the incident and expects to issue a longer report soon.
Amnesty International says that at least one of its people had their phone infected with NSO Group's Pegasus spyware tool. Pegasus has been used by a number of governments to monitor dissent.
The University of Toronto's Citizen Lab has confirmed the infection.
The targets in this case appear to be Saudi dissidents.
NSO Group has long been in bad odour with privacy advocates,
NGOs and people who don't want their phones surveilled.
The Israeli company was involved in M&A talks last month,
but its prospective partners grew skittish and withdrew.
Sophos Labs reported that ransomware payments
to the controllers of SamSam Ransomware
have now amounted to $6 million.
SamSam has acquired the reputation
of being difficult to uproot and recover from.
It's the same ransomware responsible
for causing so much trouble in the city of Atlanta,
which is still slogging through its recovery from the infestation it sustained on March 22nd.
Of course, having a plan to respond to a ransomware attack and practicing that plan can make all the difference in the world.
We spoke with Thomas Hofmann, Vice President of Intelligence at Flashpoint, who shared his perspective on how companies could respond to ransomware and extortion.
I would really divide it into two different types of responses we've seen.
We've seen responses from organizations who have heavily invested in their defenses and cybersecurity,
and they have robust programs to educate their employees.
They have response plans that they've tested and have prepared. So when incidents do occur,
you see a much more methodical approach and response. While it still is an emergency
situation and every situation is unique, we see that the companies who have
heavily invested and prepared are better able to coordinate their responses. On the other extreme, I think, is where unfortunately many organizations who do not have the budgets or do not have the
resources dedicated to invest in their security and invest in their employee training.
When they encounter these situations, it's a little bit more chaotic, and developing response
plans on the fly can sometimes from the outside seem uncoordinated or ill-prepared.
And that's something that I don't think is unique to ransomware per se, but more for
cybersecurity incidents in general. Those are typically the two types of responses that we see
from organizations. Now, we see the common advice from both law enforcement and security folks is
don't pay the ransom, that we don't want to put money into this criminal economy.
From a practical point of view, is that the way it always plays out?
Are there occasions where the most practical thing to do is to roll the dice
and pay the ransom and see if you get your data back?
Yeah, this is really where our new response and readiness program comes in.
You're absolutely right.
The U.S. government, FBI in particular, what they say is they don't
recommend organizations pay ransoms. But they also acknowledge that there are situations where
there are systems that are so critical that any downtime is just not something that can be
tolerated. And when organizations are confronted with this type of situations,
the calculus really changes with how you respond and whether you want to attempt to
obtain the unlock keys through a ransom payment. We've seen organizations on both sides. We've
worked with some organizations as we've worked through a
response where ultimately they decided that paying is not the right way to go. And just going through
normal recovery efforts and rebuilding systems is their preferred path. And then other organizations,
the ransom demands, it's something that they have pursued in an attempt to acquire information or the unlock codes or to prevent information from being exposed.
So it really is organizationally dependent what systems are compromised or encrypted and really the individual company, how critical it is to recovering the systems in the most
expedient manner possible. So this is really what makes each one of these responses very unique,
because there are so many different factors that go into how you want to respond and the ultimate
decision to pay a ransom. And this is something that we here at Flashpoint have helped many customers
work through those really tough decisions. Now, do you ever run across people who have
found themselves victims of ransomware who thought they were prepared? Are there any common
mistakes that folks make where they think they're better off than they are?
Ironically, some of the organizations that do have robust programs and do have teams that are prepared,
sometimes during their responses, they attempt to engage some of these actors.
And if that's not something the organization has that experience or that expertise
in how you actually engage in some of these illicit communities and the proper ways,
the unwritten code of conduct, if you will,
that sometimes these organizations inadvertently reveal too much about the situation
and tip the hands of the true impact that the organization is experiencing to those threat actors.
And it can complicate a response if it's not well planned out.
That's Thomas Hofmann from Flashpoint.
The U.S. Department of Homeland Security this week announced a new program to share
information on cyber risks between government and the private sector.
U.S. Cyber Command is also interested in deepening its partnership with the private sector,
as its commander, General Nakasone, who also directs NSA, noted this week.
And everyone is up for cooperation.
Eugene Kaspersky has an op-ed in The Guardian in which he observes with some justice that,
with respect to cybercrime, we're all in this together.
Yale University has realized that it was subjected to a data breach in 2008 and 2009.
They don't know who did it, and they think it's now impossible to find the perps,
but the university is advising victims to protect their identity.
Documents leaked from Google indicate that the company is working on a version of its search engine
that will be tailored to meet the censorship requirements of the Chinese government
by blocking problematic searches and sources.
Among the sources likely to be blocked are the BBC and Wikipedia.
Much ironic commentary is circulating online about what it might mean to not be evil.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, ... dollars off Vanta when you go to Vanta.com slash cyber.
That's Vanta.com slash cyber for a thousand dollars off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to welcome to the show Craig Williams.
He's the director of Talos Outreach at Cisco.
Craig, welcome to the show.
Excited to have you on board here, as we always do when we welcome a new partner.
We want to learn more about you and the type of work that you and your Talos team are up to.
So what can you share with us?
Well, thanks for having me on.
You know, a lot of people are aware that Talos exists now, I think,
but I don't know that everybody is aware of exactly what we do, because Talos is probably one of the largest security research organizations in the world.
I think right now we're right around 300 researchers.
And at the end of the day, our overall mission is to protect our customers.
So in order to do that, obviously, we have a lot of specialized teams.
We have a lot of different projects going on.
But my team, the Talos outreach team, we look for things that the bad guys are doing that's new,
right? So we look for bad guys that have found a new way to bypass security devices or a clever
way to monetize some malicious act. And we try to figure out how that works. We make sure that,
you know, we have detection covered. Everything's out the door. We work with the detection teams in Talos. And then we look on, well, what can we tell our users
about this? How can we inform the public? And so we'll do things like this podcast. We'll do things
like conference talks, customer briefings. And so it's a lot of fun. And it's a really good way,
I think, to help educate people and let people realize what these new threats are.
And so what's the relationship between the Talos team and the broader Cisco in general?
It's a really good question.
So Talos as a whole basically pushes all the blocking content out to all the Cisco security devices.
So we work with teams like Umbrella and other security teams at Cisco,
and we help make sure that not only do we have coverage in place across all the products,
but we have a cohesive system to do that, right? And so literally right now at Talos, I can take a single tool and I can type in a malicious website. And within about two to five minutes, it's going to push that out to all the different Cisco security devices and protect our users.
Now, are you given a certain amount of independence?
Yeah. You know, I often joke that we're almost like a startup inside of Cisco because we really are given a lot of freedom and latitude to find new and innovative ways to research these threats and to figure out, you know, how they work and make sure that we have the best detection in place that's possible.
Now, what about you personally? What was your journey to the position that you're in today?
Oh, man. Well, it all started back in high school
when I was cheating at a video game.
No, but seriously, you know,
people think I'm joking when I tell that story.
I mean, I got into computer security
through trying to cheat at games like SimCity,
you know, games that I thought were fun,
but I sure didn't have enough time to play them fairly.
And I certainly wanted the nice fancy building.
But long story short, you know,
I ended up doing the traditional route through university.
I was actually a contractor for Cisco.
I was a contractor that started the IPS signature team for the old NetRanger IPS product.
Slowly but surely worked my way up in the ranks.
And now, almost 15 years later, I'm the director of one of the top research teams in the country.
Well, welcome. We're glad to have you join us.
Craig Williams, Director of Talos Outreach at Cisco. Thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out
our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease
through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.