CyberWire Daily - Sleeper malware. Hakai botnet spreads. SamSam is still with us. US DNI warns of election threats. Congressional panels interrogate Facebook and Twitter, but not Google.
Episode Date: September 5, 2018
In today's podcast, we hear that German security authorities warn about the possibility of sleeper sabotage malware. A botnet to rival Satori, this one called Hakai, continues to spread to new classes of router. SamSam ransomware remains dishearteningly successful. The US Director of National Intelligence warns against foreign influence in elections. Facebook's former security chief says the midterms could be the World Cup of information warfare. Silicon Valley comes to Capitol Hill, but without Google. Craig Williams from Talos at Cisco with an update on the Remcos RAT. Guest is Robert Holmes from Proofpoint on the DHS's Binding Operational Directive (BOD) 18-01 mandate to secure their email systems. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/September/CyberWire_2018_09_05.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
German security authorities warn about the possibility of sleeper sabotage malware.
A botnet to rival Satori, this one called Hakai,
continues to spread to new classes of router.
SamSam ransomware remains dishearteningly successful.
The U.S. Director of National Intelligence
warns against foreign influence in elections.
Facebook's former security chief says
the midterms could be the World Cup of information warfare.
And Silicon Valley comes to Capitol Hill, but without Google.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, September 5th, 2018.
The head of Germany's domestic security agency, the BfV,
noting extensive Russian and Chinese cyber espionage,
yesterday warned against the real possibility of sleeper malware,
destructive code installed into crucial systems well in advance of its intended use.
Hans-Georg Maassen clearly had industrial control systems in mind.
Germany has had some experience with cyber interference in manufacturing processes,
and Maassen thinks this threat hasn't abated.
The Hakai botnet has moved beyond its initial Huawei targets
and now infests D-Link and Realtek routers.
The botnet is growing, but the botmaster is doing less crowing,
the recent arrest of rival Satori's alleged botmaster
having evidently put the fear of the law into him.
He had formerly been marked by his willingness to boast,
not just to victims and fellow hoods, but to journalists as well.
SamSam ransomware spreads largely unabated
as victims continue to swallow its phish bait.
Preventive measures are fairly well known and available.
Regular secure backup, appropriate measures against phishing, and sound basic cyber hygiene.
But the attacks continue to succeed.
In October 2017, the U.S. Department of Homeland Security issued Binding Operational Directive 18-01,
which intends to enhance email and web security for organizations within the federal government.
There have been several deadlines and milestones along the way, and joining us to help explain where things stand is Robert Holmes, Vice President of Products at Proofpoint.
So there are various requirements of the BOD,
and probably the least well understood,
certainly at the point at which it was issued,
was DMARC, or Domain-based Message Authentication, Reporting and Conformance.
And that's really key to solving for email fraud.
The BOD was issued in October of last year, and agencies were afforded a year to enforce the strongest policy of DMARC.
With two months to go, we're about halfway there.
And what is the expectation? Are they going to make the deadline?
Difficult to say. I think there will be a flurry of activity, just as calling for the gate to board your flight. There's a last minute panic when everyone rushes.
What I would say is I suspect what we will see is some of the smaller agencies will fail to
meet the deadline. So some of the largest agencies have been making great progress on this,
but the smaller agencies are lagging. And I think those people won't probably make it.
And what is going on behind the scenes here?
Why is it taking folks so long to get with the program?
It starts with it's not that well understood.
DMARC is the most recent of technologies that the BOD requires people to deploy.
And that's really only kind of six years
old. That may sound like a long time, but this is pretty techie stuff. So I think, first of all,
it's not well understood. And if you were to care to understand it, there are some 300 pages of
technical specs. And then you actually have to understand that in the world of email, we're
not always working on complete information. So we're having to make best guesses in some cases
and fill in blind spots, which is both difficult and risky. Because what's at stake here is the
deliverability of email. Really what DMARC is, it's a form of whitelisting.
Whitelisting is great. It's very strong.
But unfortunately, if good email is not on that whitelist, it doesn't get in.
Now, what are the teeth behind this?
If folks fail to make the deadline, what happens?
Some wrists may be slapped.
That's a good question.
And I think actually there is a general sense that so long as you can demonstrate best endeavors, that maybe the DHS would afford agencies who were otherwise unable to meet the deadline a little bit of leniency.
There may be kind of a call in to see what's going on and why they missed it.
But understand that just like enterprises, agencies have budgeting cycles
and they have headcount constraints. And so this BOD 18-01 rather came out of nowhere. Senator
Wyden obviously had issued a letter indicating that he was hoping that it was going to happen,
but it happened very, very fast. And some agencies just may not have been prepared for that and may
not have been able to absorb the additional workload.
So I think there'll be some wrist slaps.
I can't imagine that there will be penalties or sanctions.
And then maybe the carrot might be replaced with a bit of a stick.
That's Robert Holmes from Proofpoint.
U.S. Director of National Intelligence Coats said yesterday that the prospect of foreign interference with U.S. elections remains real and troubling.
Facebook's recently departed security chief Alex Stamos was more direct.
The U.S. elections risk becoming, quote, the World Cup of information warfare, end quote.
Some of those concerns found their way into congressional hearings today.
The U.S. Senate's Select Committee on Intelligence this morning questioned Facebook COO Sheryl Sandberg and Twitter CEO Jack Dorsey about foreign influence, censorship, cooperation with repressive regimes, and other matters.
Their concerns included Russian influence operations, with special attention devoted to the possibility of voter suppression,
protection of personal privacy,
the relative preference an American company might be expected to have
for supporting American interests and the U.S. government
over the governments of other countries where the company might operate,
the suppression of hate speech and bullying,
and the potential for legislation imposing liability on tech
companies for the content that resides on their platforms.
Facebook's Sandberg was clear on her company's intentions and described a defensively principled
way of navigating content moderation without restricting expression, at least with respect
to the challenge of weeding out disinformation.
Facebook clearly intends to concentrate on culling inauthentic accounts from its service,
that is, accounts that falsely represent themselves as belonging to anyone
other than their actual owners and controllers.
They've purged a number of inauthentic accounts recently
and clearly find that easier than directly policing content.
Their approach to fake news, fanciful stories retailed as fact,
and political disinformation sounds as if it will harken back to traditional rumor control.
When known false stories appear, put true stories beside them.
Twitter's Dorsey gave similar answers, especially on inauthenticity,
but his company's plans were less clear.
He did note that bot detection remained a problem still only partially solved.
More than one senator was at pains to point out that neither Twitter nor Facebook do business
in China, both being blocked by that country's government. Facebook's Sandberg took the opportunity
to say that the company declined to do business under conditions that would violate its values.
A company that does do business in China and was conspicuously absent at the hearings is, of course, Google,
which declined to send a comparably senior executive to testify, and so was symbolically shamed with an empty chair.
Google apparently offered their chief legal officer,
but he was insufficiently senior to interest the committee,
so Mountain View went unrepresented.
Most of the senators, with both parties being represented among the critics,
noted Google's absence with displeasure.
Senator Rubio, Republican of Florida, was particularly scathing,
characterizing the company's decision not to send a senior leader as arrogance.
He also suggested it may have been cowardice,
given the recent demonstration by researchers from the Campaign for Accountability
that it's still easy for trolls to buy ads from Google.
The Campaign for Accountability, a liberal, which is to say center-left, good-government advocacy group,
sought to buy ads from Google AdWords,
and they did so in ways that obviously impersonated a Russian troll account,
down to borrowing images and content from St. Petersburg's notorious Internet Research Agency
and linking to sites that have been publicly and officially identified as Russian-controlled.
And for the low, low price of $35 and a 48-hour waiting period, the researchers got their ad approved.
They also got 20,000 impressions and some 200 click-throughs,
and they say Google never flagged them as a problem, which they say they clearly were.
Google didn't like it. They said that,
now that they know, they have taken the politically divisive ads down and that they're
working on making AdWords better. They also call the thing a stunt and point to the donations Oracle
has given to the Campaign for Accountability, with the suggestion that this is at least in part motivated by Oracle marketing.
In addition to keeping trolls from buying ads,
Google has also committed to clearing malicious apps from its Play Store.
It's met with indifferent success here as well, according to reports in Bleeping Computer.
The fight Google picked was a good one.
They determined to go after tech support scams.
The problem is the scammers have
gotten good enough at handling their ads that they pass for legitimate and get right through
Mountain View's filters. The moral here seems to be that content moderation is difficult and doesn't
really lend itself to technical solutions. And as far as human solutions are concerned, when it
comes to social engineering, of the crooked timber of humanity, no straight...
...isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com/careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com/cyber. That's vanta.com/cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when
executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached. Protect your executives and their families 24-7, 365
with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Craig Williams.
He's director of Talos Outreach at Cisco.
Craig, welcome back.
We wanted to touch today on Remcos.
Bring us up to date.
What do we need to know about this?
Well, Remcos is another
one of these, we call them gray area tools, where conceivably there is a legitimate purpose of it.
It's basically a RAT, sort of remote access Trojan. It allows people to do things like
install key loggers, compile new binaries that would evade antivirus detection. They even tend
to go one step further, and they even provide a dynamic DNS C2 system,
which would make it much more difficult to detect, and even a mailing tool that can effectively be
used as a mass mailer. So, you know, at a really high level, it's a botnet in a box. You know,
if you needed to conceivably remotely manage a machine that had to have a payload that was
avoided by antivirus to install a keylogger
over something, say, like a phishing email, and then use a dynamic DNS C2 to control it, conceivably it
could have a legitimate purpose.
Right. Go on.
But, you know, I was discussing this with some colleagues,
and Matthew Olney, who I believe you've met, pointed out the fact that typically that kind of usage
would come with a warrant. So, you know, it's this area
where people have designed what certainly appears like something that could be used for malware,
and they sell it kind of semi-openly with their real name in some cases, or a very, very poorly
hidden identity, like in this case. And it's one of those situations where we tend to find these,
and we look at them and we're
not saying that everyone's using this for malicious purposes. I think it's safe to say that a large
number of people are using these for malicious purposes. We know specifically in this one,
we've actually seen a reasonable increase in usage lately. The author built a new, you know,
GUI interface that was much more friendly to people, say, without experience.
And as a result, we saw the numbers climb as blocks.
So that's why we started looking into this.
And what sort of things are you discovering when you dig into it?
Well, it gets a little bit more gray.
So there's YouTube videos of supposedly the author of the piece of software, or at least someone using that name, trying to push people to use this and use the other tools they sell, like Octopus Protector, to basically encode the malware so that it can't be detected by AV or walking people through how to set up other parts of what conceivably could be a botnet.
And so when it comes down to it, you know, it seems like this kind of thing, while there might be a legitimate use for it, it's really being used maliciously
in a lot of cases. And when that happens, we just have to block those for our customers to protect
them. I see. Now, is this a case, I mean, you sort of remind me of, you know, back in the old
days years ago, when people started selling radar detectors, which, you know, the use for a radar detector is so that you can speed.
There were some states that tried to outlaw radar detectors and did.
You can't use a radar detector in Virginia, I believe.
Is this a similar type of thing where even though there might be legitimate uses for this, we could find law
enforcement saying, hey, you know, we're going to come after you if we find you using this?
As someone with a radar detector, I want to say no. But, you know, I got a new car,
got a radar detector, you know, long story. Yeah. But just for safety.
Right. Exactly. Informational uses only.
Right. You know, it's funny you say that because I was surfing along the internet today,
and I don't know if you remember from a couple weeks ago, but there was a similar piece of
software called Luminosity Link. Very similar, designed to be a remote administrative tool
for people who maybe weren't as computer savvy, and it would allow them to basically manage a
computer remotely. And it was widely advertised on malware forums, much like
Remcos. And the author had videos and things, much like Remcos. And recently, it turned out
that they were charged by the FBI. And I think today they pleaded out to some massively long
sentence. And so what caught my eye on this, though, was really interesting is this morning,
I was surfing Reddit, reading the news in the morning as one does. And I happened to flip over to legal advice. Cause you
know, it's one of those things I look at from time to time just to see what's going on. And
they have this weirdly worded FBI, ask Google for my information thread. So you look at it and at
first it doesn't really look like there's anything related. And then if you look at one of Reddit's
mirrors, you know, one of the ones that mirror the comments that have been deleted, it turns out this thread is filled with people who
actually bought Luminosity Link and paid for it with PayPal using their Google account. And so,
you know, we don't know that this is what happened, but reading through it, I think a reasonable
assumption is that a lot of these people were buying this type of gray area software. And as
a result that the FBI apparently
investigated their Google accounts, which I think is great. You know, I think this type of software
that's clearly designed to cater more towards the attacker than, say, the pen tester or security
researcher is something that should be investigated.
Yeah, that is interesting. And does it seem, in that particular case, is the FBI going after, you know, the kingpin at the top?
Well, I think they already got the kingpin. Yeah, so you've got to remember, this was one of those sealed
indictments. So basically all this happened a year ago, and so presumably if they were going to go
after people, they would have been arrested by now, much like the malware author. I'm assuming these
people were just grouped in because, who knows, maybe the FBI wanted to check to see if there
was any overlap between the purchasing IP and attacker IPs or something like that.
Right. Oh, interesting.
All right. Well, as always, it's an interesting story to follow.
Craig Williams, thanks for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.