CyberWire Daily - Satori variants. Hacking in Anatolia. Lazarus Group improves its tradecraft. Tinder vulnerabilities. UK's new office to combat disinformation. Pirated PDFs hold malware.
Episode Date: January 24, 2018
In today's podcast, we hear that new Satori variants are out. Turkish hacktivists use Twitter for social engineering. Parties unknown are conducting an espionage campaign against Turkish defense contractors. North Korea's Lazarus Group improves its cryptocurrency theft tradecraft. Dating app vulnerabilities are a cyber-stalker's dream date. Britain will combat disinformation with a national office of rumor control. Justin Harvey from Accenture addresses the cyber skills shortage. Guest is Jon Condra from Flashpoint, reviewing their Business Risk Intelligence Decision Report. Plus, say phooey to pirated copies of Fire and Fury.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Don't forget to subscribe to our daily email news brief,
where you'll find dozens of links to all the day's cybersecurity news.
You can subscribe at thecyberwire.com.
New Satori variants are out. Turkish hacktivists use Twitter for social engineering. Parties unknown are conducting an espionage campaign against Turkish defense contractors. North Korea's Lazarus Group improves its cryptocurrency theft tradecraft, dating app vulnerabilities are a cyber-stalker's dream date, Britain will combat disinformation with a national office of rumor control, and say phooey to
pirated copies of Fire and Fury.
I'm Dave Bittner with your CyberWire summary for Wednesday, January 24, 2018.
New Satori variants are said to be out with fresh botnets.
Researchers at NewSky Security have been poking around in the dark web
and believe they've determined the same malefactor
who recently pushed the Satori variant, Mirai Okiru,
is the same actor responsible for two newly discovered Mirai variants,
Masuta and Pure Masuta.
The hacker's nom de net is Nexus Zeta, and when investigators first became aware of his
or her activities, they were inclined to regard him or her as a novice.
Too many OPSEC missteps in the code, for one thing.
But Nexus Zeta seems to have upped their game.
Pure Masuta, in particular, is thought to be interesting.
It exploits a Simple Object Access Protocol, or SOAP, feature
that exists as an injection bug first noticed on D-Link systems.
SOAP is used by administrators to manage network devices.
Researchers at security firm McAfee describe an assault on certain high-profile Twitter accounts
that's been claimed by Turkish pro-government hacktivist group Ayyıldız Tim.
The attacker compromised accounts belonging to influential persons at the World Economic Forum,
the UN and Fox News to send the compromised accounts' contacts direct messages
that either suggested support for Pakistani and Turkish causes
or phished for account credentials.
Using compromised email accounts to send messages
whose recipients are likely to accept and act upon
is a familiar social engineering ploy.
It's seen, for example, in business email compromise scams.
This particular campaign uses Twitter direct messages in a similar way.
Security firm RiskIQ reports another phishing campaign, but in this case Turkish enterprises
are the victims. An unidentified espionage operator has been prospecting Turkish defense
contractors with malicious email attachments that carry the Remcos remote access trojan, the Remcos RAT.
Remcos performs a typical array of spyware functions,
keylogging, screenshot capture, audio and video recording,
as well as common RAT functionality that permits it to manage files and programs.
One unusual capability is its ability to set up SOCKS5 proxies,
which lets the attack's controllers turn their victims into network proxies,
thereby hiding their real command and control server.
Pyongyang is staying busy.
Trend Micro reports that the Lazarus Group has evolved
toward the use of PowerShell scripts in its ongoing cryptocurrency theft campaign.
There's been no obvious let-up in North Korean attempts against cryptocurrencies.
South Korean targets of altcoin heists may be getting a bit harder.
The South Korean government is considering regulations that would limit cryptocurrency trading
to the more stable, better regulated environment of the banking system.
And Metrolinx, an Ontario transit company,
disclosed that it was hit by a North Korean cyber attack.
The organization says the attack was routed through Russia
and that neither customer privacy nor safety were compromised.
But beyond that, they cite security
and declined to provide further information.
An obvious bit of speculation would be
that the incident involved WannaCry
and media accounts of Metrolinx's disclosure have tended to mention the US CIA's recent
attribution of that particular strand of malware to the Democratic People's Republic of Korea,
but Metrolinx is unwilling to go even that far in its public comments.
Flashpoint recently released their 2017 end-of-year update to their
business risk intelligence decision report. It provides an overview of
evolving geopolitical issues, evaluates the cyber criminal ecosystem, and measures
cyber and physical threats. Jon Condra is the director of Asia-Pacific research
at Flashpoint and he joins us to review the report. One of the things that we do
differently in this report as well is we have a section we call
Flashpoints. It's somewhat cutesy given the name of the company, but these aren't intended to be
predictions per se. These are intended to be things to look out for in the global geopolitical
threatscape or landscape in particular that may cause a shift in whatever direction in the
cyber threat environment for our
client base as well as just more broadly. And so we have things in here like, say, the North Korea
conundrum. Obviously, if a kinetic conflict breaks out on the Korean Peninsula, that is probably
going to change the risk posture for many of our clients as well as just as everyday users on the
Internet. Is there anything in the report that was particularly surprising or unexpected? One thing that, since I cover
Asia Pacific, I was kind of surprised about throughout the year
was the pivot ostensibly by North Korean threat actors to target financial institutions and even
in the case of WannaCry, leverage ransomware. Both of those behaviors are not generally
associated with nation state actors, at least up to this point.
If you think about it, it makes a lot of sense.
Nation states generally don't have those types of funding requirements.
The money you're going to make from ransomware is not nearly what a government would require to, say, buy things like tanks and planes.
But in North Korea's case, they're somewhat of a unique one since they're so isolated.
They're being hammered by sanctions right now.
They're trying to find alternative ways to fund their regime. So turning towards tactics that we would generally associate
with cyber criminal groups, it's a really interesting turn in North Korea's behavior.
And that's something that obviously now North Korea is more of a threat to entities that
traditionally would not consider them a threat. So that was one surprise for us. One of the other
ones that I personally found interesting was kind of the rapidity with which
the deep and dark web marketplace environment, kind of in more traditional cybercrime,
fell away or kind of collapsed in 2017. And this is a variety of factors that go into this,
but fundamentally four top tier marketplaces went down in 2017. We're thinking of things like
Alphabay, which is kind
of the spiritual successor to the Silk Road, was taken down by law enforcement the latter half of
the year. And then Hansa Market went down not long after, and it turned out that those two cases were
related and were both a result of law enforcement action, as well as two other marketplaces,
Evolution and Agora, both went down for different reasons, security concerns, plus potentially an exit scam. And so that really caused a lot of chaos in a very fast moving,
paranoid community who was very much concerned about personal safety, very much concerned about
anonymity online. And what we've been seeing is a transition away from traditional services for
communication or transactions moving towards alternative ones
that are emerging. Things like Discord, which is a popular chat and video app or chat and voice app
primarily used in the gaming community, as well as decentralized marketplaces that can't easily
be taken down. When you look at the threats that are on the horizon here, the things that have
shown up in this report, what sorts of recommendations do you have for people in terms of focusing their efforts and their resources?
Yeah, in general, as intelligence professionals, you know, one of the things that intelligence
professionals do is, in general, try to avoid making such broad recommendations because they're
generally not applicable. It's generally not our expertise, nor is it our place to do so. But I would say
one way that you could use this report is, you know, say you're in the healthcare industry,
go look at the chart on page five or whatever it is in the report and say, okay, the two entities
that are known to target healthcare in any regular fashion would be China and cybercrime. And
then you can start to think about how do you
mitigate both of those threats, which are very fundamentally very different threats in terms of,
you know, the scale with which they target, the frequency with which they do so, the tools that
they use. You can start asking your internal team, as well as whatever threat intelligence
providers and vendors you use, more targeted questions about that, rather than just thinking,
you know, I have to defend against
everything. I have to defend against the panoply of threats. But in reality, you know, jihadi
hackers don't really go after healthcare entities. So why bother in that sense? You know, it's not to
say that it can't happen. It's not to say that it doesn't happen sometimes. But it is to say that
you can use this type of information to help tailor your own strategies internally.
That's Jon Condra from Flashpoint. You can review the complete report on their website.
Amid dark warnings of the United Kingdom's vulnerability to massive infrastructure hacking,
Her Majesty's government is also seeking to address the problem of hostile nations'
influence operations. The government intends to form a new organization whose mission will be to combat disinformation. Britain's new National Security Communications Unit will
operate from the Cabinet Office.
Researchers at Checkmarx have taken a look at the widely used dating app Tinder, and
they don't particularly like what they see. The app doesn't encrypt photos, for one thing,
and it also leaves swipes
and matches open to inspection. This would be good news for stalkers, but bad news for ordinary
lonely hearts looking for whatever it is they're looking for. Checkmarx warns that it's able to
simulate exactly what the user sees on his or her screen. You know everything. Everything includes
what Tinder users are doing, what their intimate preferences might be, stuff like that.
Stuff that attracts voyeurs, stalkers, and blackmailers.
Here's another reason to get your stuff from actual legitimate stores as opposed to from torrents of pirates and so forth.
Fire and Fury, the sketchily sourced but by most accounts lurid and hugely entertaining tell-all by a journalist
who somehow received access to the Trump White House,
is circulating in a pirated PDF form that contains, of course, malware.
The PDF contains a Windows executable that quietly installs a backdoor in the reader's device.
The bad version is being circulated mostly through social media
channels. There was a downloadable edition in a Google Drive, WikiLeaks tweeted a link out,
but that drive has been taken down because of a violation of Google's terms of service.
HackRead cautiously says, experts believe that it is difficult to assess whether the pirated
edition is safe or unsafe. We think we'll go with unsafe.
The sort of silvery lining is that the malware, discovered by the way by a researcher at Kaspersky
Lab, which adds a certain flavor to the story, seems readily detectable by most antivirus products.
But don't download it. Buy it from Amazon or Apple instead if you're interested. I mean, come on,
spend a buck, won't kill you.
Badness does creep into the walled garden of big stores from time to time,
but less often than it disports itself in the digital equivalent of the car trunk
of some guy selling knockoff NBA jerseys on a side street.
Besides, the pirated version is said to be about 230 pages long.
The original runs 328 pages and is therefore 98 pages better.
You get what you pay for, my friend.
How do you know those 98 pages
weren't where all the good stuff was?
Harvey. He's the Global Incident Response Leader at Accenture. Justin, it is no secret that we have a cyber skills shortage, and you wanted to go through some of the ways that perhaps people
can address that. Yeah, I think that, like you said, we have a very large cyber skills shortage
ahead of us, and we as an industry need to do a lot better at bringing diversity into the workforce.
So number one, I think first and foremost, there needs to be a cultural shift and a mindset shift around women and technology.
And working at Accenture, we have a very big commitment to diversity, and we participate in a lot of forums on drawing more women into the workforce and, specifically and, from my perspective, very selfishly, into cybersecurity.
And I think that one way to do that is to promote, of course, the science and technology and the mathematics and engineering and all that in the younger generation. So number one is bringing in diversity, and number two would also be getting into earlier processes in schools. So perhaps it's not just high school anymore,
perhaps it's middle school, and then perhaps even in elementary, teaching the basics and
the fundamentals around computer programming. You know, one of the things I've heard many times
with people I've spoken to is that, you know, even when we get women into the field, we have a hard time keeping them,
that retaining them is a real problem. Yeah, I think I do acknowledge that the retention
around that may be problematic in some organizations. I think that speaking as a male,
meaning I could be part of the problem, I would also see that part of the cultural shift needs to be in being more accepting of diversity and being more accepting of people who want to excel in their field.
I do think that technology and cybersecurity, there are some less than favorable behaviors and voices that are made.
And I think that it's up to us as professionals to, A, not stand for it,
and B, educate others in this field to prevent that from happening.
So those of us who are advocating for the increased diversity,
we need to stand up and have our voices heard.
Exactly.
All right, Justin Harvey, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard,
Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.