CyberWire Daily - Russian APTs target EU governments. FIN7 is back. Google and Facebook scammed.
Episode Date: March 21, 2019
Fancy Bear and Sandworm are launching cyberespionage campaigns against European governments before the EU parliamentary elections. The FIN7 cybercrime group is still active, and it's using new malware. A scammer stole more than $100 million from Google and Facebook. Facebook stored hundreds of millions of passwords in plaintext for years. And chatbots can learn to impersonate you based on your texts. Ben Yelin from UMD CHHS on rumors of NSA shutting down the Section 215 program. Guest is Jadee Hanson from Code 42 on insider threats. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_21.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Fancy Bear and Sandworm are launching cyber espionage campaigns
against European governments before the EU parliamentary elections.
The FIN7 cybercrime group is still active, and it's using new malware. A scammer stole more than $100 million from Google and Facebook. Facebook stored hundreds of millions of passwords in plaintext for years. And chatbots can learn to impersonate you based on your texts.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 21st, 2019.
Two Russian APT groups are targeting European NATO member states with ongoing cyber espionage
campaigns ahead of the EU parliamentary elections in May. Researchers at FireEye observed both large-scale
and highly targeted phishing operations launched by Sandworm and APT28 against European government
institutions with the goal of stealing credentials. Sandworm is the group believed to be responsible for the 2017 NotPetya
attacks. APT28, also known as Fancy Bear, was one of the threat actors that hacked the Democratic
National Committee in 2016. FireEye says their efforts seem to be coordinated, although the two
groups use different tools and techniques. Sandworm prefers publicly available hacking tools, while APT28 leans toward
custom-made malware and zero-day exploits. The campaigns are believed to have three primary
objectives. The first is stealing information and credentials for use in future attacks.
The second is gathering intelligence to give Russia a diplomatic advantage. The third is collecting data to assist in information operations.
FireEye didn't specify which organizations were targeted
or whether or not the attackers got their hands on sensitive data,
but it did say that attack campaigns of this size are generally successful.
It's not clear if these campaigns are directly focused on influencing Europe's upcoming elections,
or if they're part of a more general cyber espionage operation.
FireEye thinks it's safe to assume, however, that European voting systems and political parties
are very tempting targets for Russian intelligence.
CNBC notes that FireEye's findings are in line with an announcement from Microsoft last month,
in which Microsoft warned that APT28 was launching phishing attacks against European think tanks and non-profit organizations.
At a leaders' summit taking place in Brussels today and tomorrow, European Union leaders are expected to urge governments to do more to protect the upcoming elections
against coordinated information operations by foreign powers.
The FIN7 cybercrime group is still active,
despite the arrests of several of its members last year.
Flashpoint says the group is using two new strains of malware,
which researchers have dubbed SQLRat and DNSbot.
The criminals are also using a new attack panel called Astra,
which acts as a script management system that can push scripts to compromised computers.
When an employee leaves your company, what kind of information are they allowed to take with them?
Their contacts list? Samples of code they've written?
Researchers at data loss prevention company Code42 have discovered there's a surprising disconnect between what employers and employees think they're entitled to. Jadee Hanson is CISO and VP of the information technology team at Code42.
You know, when you think of
insider threat, there's two camps, the malicious and then the non-malicious. Certainly there's issues that happen that
result from both. In my opinion, we're seeing more and more happen on the malicious side than
we have before. And as our defenses and security grow stronger, I feel like we're going to see
more and more malicious behavior internal to companies.
We recently did a study about just taking data outside of companies.
And the response for those that feel entitled to the data that they create while they're at a company was astounding. We had over 72% of the CEOs that we interviewed admit that they were taking data
external to the company that they were working for.
And what do you mean by that? What sort of data were they taking?
So any of the data that you create while you're at a company is effectively property of that
company. We shouldn't be grabbing all the data that we have when we're working at a company and putting it on a USB drive and taking it to a competitor or to our next position.
And what we found through this survey was that a lot of the people that left companies were taking
their data with them, what they thought was their data, because they felt like this entitlement to the data that they created.
And this was at every level, from the entry-level analyst all the way to the CEO.
And do you think there's any failure on the part of the company here to really be clear about what
is off-limits? Yeah, that's an interesting question. I do and I don't. Certainly, I think there's a level that companies
have to communicate what's allowed and what's not allowed. That goes beyond even just a data
movement. It's all sorts of different security policies. But then there's also an element where
if employees knew you were watching what they took and what they put on USB drives,
they wouldn't do it. They wouldn't move the data as often as they do now.
I've led a number of different insider threat programs. And one of them that we led, we were
pretty quiet about what we were monitoring. And the results of that one were people would take all sorts of information.
And when we would follow up with legal notice or some sort of follow up to say we saw something,
what was going on, the reaction was almost surprise. Like, oh my gosh, I didn't know you
were watching and I'm sorry and let me delete it versus when you're really, really transparent
about what you're doing and what you're watching and you tell employees, you know, you can't move
IP, you can only move personal information. The volume of what employees take certainly goes down.
Employees that are acting maliciously still do take data.
So let's talk a little bit about breach fatigue. I mean, do you suppose that this is endless
news reporting of one breach after another? Is that a barrier to effective insider threat defense?
Yeah. And I think even broader, if you think about what's going on within the cybersecurity
industry, every single year we outpace the
previous year for a number of records compromised. And in the same sense, the amount of money that
we're spending on response to breaches is going down. So year over year, 17 to 18, we were down
10% in terms of the response dollars that were spent. You can read into that,
but my read is that we're spending less on their response, meaning we're falling victim of this
breach fatigue issue. And if you think through it, the giant breaches that hit in 2011 were what was talked about forever and were such
a big deal. And now you wake up to a headline of some sort of company being breached almost every
day. It's interesting to me, but I do think that consumer and businesses are getting more immune
to this news story. And when that happens, you get less investment and less focus on it.
And it's almost like certain companies are giving up on protecting it to the extent that they should
and doing the bare minimum, which is a very scary spot to be in from a cybersecurity perspective.
That's Jadee Hanson from Code42.
Facebook stored hundreds of millions of users'
passwords in plain text within a database that was searchable by 20,000 Facebook employees,
Brian Krebs reported this morning. The issue was discovered in January when a security team was reviewing some new code and noticed that the code was logging passwords in plain text.
The team launched a wider investigation to find other places where this was happening,
and the company is still in the process of determining the extent of the problem.
Krebs spoke with an anonymous senior Facebook employee who said between 200 and 600 million Facebook users may have been affected, dating back to 2012.
Facebook partially confirmed the report in a blog post earlier today,
saying that it plans to notify hundreds of millions of Facebook Lite users,
tens of millions of other Facebook users, and tens of thousands of Instagram users
that their passwords were being stored in a readable format within the company's internal data storage systems.
Facebook Lite is a version of Facebook designed for areas with low internet speed and expensive
bandwidth.
Facebook emphasized that, quote, passwords were never visible to anyone outside of Facebook,
end quote, and the investigation has, quote, found no evidence to date that anyone internally
abused or improperly accessed them, end quote.
The Irish Data Protection Commission,
which has jurisdiction over Facebook's European headquarters under GDPR,
said it was notified by Facebook and it's currently seeking further information.
A Lithuanian man pleaded guilty in a New York court yesterday
to scamming Facebook and Google out of $123 million over the course of three years.
The man registered a company in Latvia that shared a name with a legitimate computer hardware
manufacturer based in Asia. He then used a variety of fraudulent invoices and contracts
to trick Facebook and Google employees into wiring him millions of dollars at a time.
Facebook is said to have lost $100 million from the scams.
Google lost $23 million.
Finally, the Register notes that a machine learning engineer has created a bot that can
learn to impersonate someone based on text samples of their conversations.
The bot was based on research published last month by the artificial intelligence research
organization OpenAI.
OpenAI said it had developed a language model capable of advanced tasks,
such as generating coherent paragraphs of text, without task-specific training.
OpenAI withheld most of the software from the public, however,
fearing that it would be abused to create what The Register calls
the equivalent of deepfake videos for the written word.
Using the limited amount of research that was released, however,
the engineer was able to develop a bot that can impersonate you
by learning from your messages in Facebook Messenger.
This particular bot is fairly rudimentary,
but its developer warns that it wasn't difficult to make
and he expects to see more sophisticated versions of this technology
being used for malicious purposes very soon.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose,
and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security
questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Ben, always great to have you back. We saw an interesting article over on the Lawfare blog,
and this had to do with Section 215 and some whispers about some potential changes here.
What's going on? Yeah, so Section 215 of the USA Patriot Act is the provision
that we found out allows for the government to collect nearly all domestic phone records
as part of a national security surveillance program. If you'll recall, this is one of the
programs revealed in the 2013 Edward Snowden disclosures. Under those disclosures, we found
out that most of the major telecommunications companies were routinely handing over metadata,
so information on who made a phone call, who
received the phone call, and the duration of the call over to the NSA. And they were holding those
records for over five years. Obviously, that caused major controversy, particularly among
privacy advocates. So Congress amended the law in 2015. The way that law works under what's called
the USA Freedom Act is that
the telecommunications companies themselves now hold those call detail records, and the government
has to obtain a warrant from the Foreign Intelligence Surveillance Court to access those
records. Now, that program is up for reauthorization at the end of this calendar year,
and there have been whispers
from staffers on Capitol Hill on the relevant intelligence committees saying that it's possible
not only that the program will not be reauthorized, but that the National Security Agency and other
elements within the federal government are no longer using the call detail records program at all. Part of that stems from an announcement the
NSA made almost a year ago where they said that because a bunch of phone records were not
authorized to be obtained and were obtained by the National Security Agency, the NSA had to scrub up
to five years worth of CDR, call detail records, data. Now, they didn't make any announcement at the
time that they were suspending collection under that program. But this has fed whispers that
the program is dysfunctional. It's too much of a legal headache. It exposes our government to
legal liability and controversy. And it's frankly ineffective. The government's Privacy and Civil Liberties
Oversight Board under President Obama wrote in a detailed report in 2014 that this program hasn't
really done anything to stop terrorist attacks. And frankly, and this is something the Lawfare
blog article mentions, the technology has changed. And not only has the technology changed, but the terrorist organizations that we need to monitor to protect our national security themselves have changed.
Al Qaeda was a very top-down run organization. You could draw connections between low-level
individuals and whether they were connected to the high-level al-Qaeda apparatus through
these phone records, through figuring out who these people made phone calls to.
Much more difficult in the current era. ISIS in particular has much less of a top-down
structure. It's far more disorganized. It's composed of smaller factions, and terrorists have adopted the technology themselves.
They're using encrypted apps, messaging services, rather than just making phone calls. run its course in terms of its effectiveness. And because it has become so controversial and
has subjected our government to lawsuits and controversy, I think there's a good chance that
by the end of 2019, we may get the definitive end of the Call Detail Records program.
That's interesting. So I suppose folks on the civil liberties side would take this as a win, regardless of how it comes?
Absolutely. Now, of course, they would warn us that these are, so far, just the murmurs of congressional staff. I think one of them was quoted in an obscure article, and this kind of
became fodder for the national security surveillance community online. There was
excitement that this finally might be the death knell for
the Call Detail Records program. And there are obviously other programs conducted under the
authority of the NSA that are controversial, but this was one that really stuck out in the post
Snowden freakout we all had over government surveillance. So yeah, no matter how it ends,
I think it would definitely be considered a victory for civil liberties advocates.
All right. Ben Yelin, thanks for joining us.
Thank you.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.