CyberWire Daily - Spearphishing from “Luhansk.” Pro-Assange hacktivism. Another undercover private eye? Pirated Game of Thrones episodes carry malware.
Episode Date: April 17, 2019
Spearphishing campaign against Ukraine traced to the so-called “Luhansk People’s Republic.” Anonymice threaten to rain chaos on Yorkshire if Julian Assange isn’t freed--actually, more chaos, since the initial chaos was perhaps too easily overlooked. An implausible venture capitalist is asking people if they’re being paid to bad-mouth a security firm. Pirated Game of Thrones episodes carry malware. David Dufour from Webroot with survey results on AI and ML. Guest is Derek Vadala from Moody’s Investor Service on Moody’s framework for assessing cyber risk. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_17.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A spear phishing campaign against Ukraine has been traced to the so-called Luhansk People's Republic.
Anonymous threatened to rain chaos on Yorkshire if Julian Assange isn't freed.
Actually, more chaos, since the initial chaos was perhaps too easily overlooked.
An implausible venture capitalist is asking people if they're being paid to badmouth a security firm.
And pirated Game of Thrones episodes carry malware.
From the CyberWire studios at Datatribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 17th, 2019.
Military officers in Ukraine are being spear-phished by a group seeking to install the Ratvermin backdoor.
Ratvermin is a second-stage payload delivered by a PowerShell script.
FireEye, which identified the campaign, links it to the Luhansk People's Republic.
This is a region in eastern Ukraine controlled by Russia
and represented by the occupiers as being a breakaway state
that's won its independence from Ukraine.
Kiev regards Luhansk as nothing more than an administrative fig leaf for Russian occupation.
Kiev probably has it right.
The Washington Post sees the Luhansk operation as a troubling harbinger of small state and non-state actors
deploying increasingly sophisticated cyber weapons.
In this, they're following FireEye's lead.
The company's John Hultquist told the Post that, quote, we're focused on the big players and for good reason,
but we should bear in mind that if this small sub-state can put together a hacking capability,
then anyone can, end quote. Maybe, but with hacking, as has so often been the case with
kinetic terrorism, while there are genuine instances of attackers operating quite independently of other support,
there are many more instances of attackers working deniably on behalf of a state.
That's especially true with the more troublesome and damaging attacks.
FireEye did say it found no evidence that the Luhansk group was being assisted by Russia,
but here
that old chestnut that absence of evidence isn't the same thing as evidence of absence
should be kept in mind. And to ask if the Luhansk People's Republic is receiving assistance
from Russia is a little like wondering whether Google receives assistance from Alphabet,
in both cases they're wholly owned subsidiaries. So, alternatively, this aspect of the campaign might be more realistically viewed
as a Russian attempt to achieve plausible deniability,
and not as a small group breakout into the big time.
Here's an example of what looks like small group activity,
contrasted with the sophistication of the Ratvermin installation campaign.
Supporters who wish to stand by Julian Assange are doing so by taking two Yorkshire councils' websites down.
Presumably, the attacks on Barnsley and Bedale would prompt a groundswell of hacktivist pressure in favor of Mr. Assange's release.
Barnsley Council said it had indeed sustained a distributed denial of service attack and that it had succeeded in restoring its website.
The council also alerted the National Cyber Security Center of the incident.
The Bedale matters were a little different.
The Bedale Town Council said it was unaware that anything had happened to its site.
So go figure.
Anywho, needless to say, someone has claimed responsibility for the
incidents. Tweets from the Philippine Cyber Eagles and Anonymous España both claimed credit,
and CyberGhost404, thought to be the founder of both groups, if indeed these are groups in any
meaningful sense, offered a menacing message, quote, free Assange or chaos is coming for you,
end quote. So there. Why Yorkshire was chosen as the beachhead for this particular hacktivist
invasion is unclear. In the case of Bedale, apparently nothing happened at all, unless,
of course, that particular corner of North Yorkshire is ordinarily so chaotic that any
new chaos that came for you, for them,
was just lost in the sauce. But it looks like another hacktivist fizzle. And of course,
Mr. Assange remains in custody. But to return to the spear-phishing campaign in Ukraine,
FireEye's Hultquist makes a good point later in his interview with the Post. He noted that Russia's
hybrid war in Ukraine has been a kind of proving ground for attack tactics and techniques.
The Post quotes Hultquist as saying,
It's created this consistent battle rhythm of activity that we'd never seen before.
Russian cyber operators have a record of perfecting their methods against Ukraine and then using them elsewhere, and that does seem beyond serious question.
But as a sign of increased capability on the part of unrecognized microstates and others with axes to grind, we'll wait and see.
If Sealand or the Republic of Awesome turn out the lights in North Yorkshire
or change every high schooler's grades in Union County, New Jersey,
that would be a different matter.
Moody's Investors Service recently
published research titled, Credit Implications of Cyberattacks Will Hinge on Long-Term Business
Disruptions and Reputational Impacts. The report outlines which business sectors they believe have
high-risk exposure to cyberattacks. Derek Vadala is Managing Director of Global Cyber Risk for Moody's Investors Service.
So we view cyber risk as event risk. And so we recognize that there are now these global
cyber events which have real dollar value impact. If you look back to 2017 and NotPetya,
there's a view that that was about $10 billion of exposure across a number of different companies
with about $2.5 billion really focused
on just four companies. When you start to think about these kinds of very large financial impacts
across individual companies, you can start to think about how that affects overall liquidity
and other financial strength of those individual companies, and how that could eventually have an
impact on credit. And so that's the way we're thinking about it: these financial exposures due to cyber events can have a channel to credit
at some point if they rise to a certain level. And have we reached the point where there's
enough history with these sorts of things that we can make accurate predictions?
I think we're still in the early days of being able to use historical event data to make
predictions, but that's obviously
something that a number of different industries, including the insurance industry, are very focused
on. But the data set that exists for this is not quite as long and rich as data sets, for example,
on normal types of cat risk or other risks associated with, for example, weather events.
We do think that this data set is building over time, and it will get better over time,
but there's still work to be done.
For example, a lot of the data sets really focus in on breaches of privacy information,
because that's where a lot of the regulations exist,
and the disclosure requirements around cyber events tend to focus today on breach of personal
information. And that means that the data sets often are missing things like disruption events,
or maybe there are disruption events that occur, but they're not attributed to cyber events. And
so in order for the data sets to improve, the disclosure has to improve, and it has to start to cover events
beyond privacy breach events. Now, the research covers some specific sectors that you all see
as having a high risk to cyber attacks. Who are we focusing on here? Yeah, so when we did our
analysis, what we came back with is that there are four sectors with about $12 trillion in rated debt that we
thought were at a high risk. And these included the banks, securities firms, and market infrastructures,
you know, financial institutions, and also included hospitals. And some of the reason for that,
for example, on the financial services side, is the fact that these organizations are so reliant on technology and supply chain,
their transaction volumes are very, very high. And so the ability to do things like revert to
manual processes in those industries is very, very limited. Hospitals, for example, have a lot of
personal data, but more importantly, they're starting to become even more interconnected
in terms of patient care, which obviously opens up a number of potential vulnerabilities that
could affect patient care and impact patient health. I think one of the things that's important
to point out here is we're really looking at the inherent risk across the 35 sectors that we
evaluated, and we're not taking into account today individual
defenses that an individual company might have. And that's important for us because what we're
trying to do right now is really set a baseline across the playing field and come up with a
relative ranking of inherent risk across sectors. That's Derek Vadala from Moody's Investors
Service. The research is titled Credit Implications of Cyberattacks Will Hinge on Long-Term Business Disruptions and Reputational Impacts.
The Wipro hack may have targeted dozens of the company's clients.
The company initially put a brave face on reports of the breach,
pooh-poohing the first reports from Krebs on Security during its recent earnings calls,
but it now acknowledges that, yes, the attack did take place.
It's bringing in an unnamed forensic company to help with its investigation.
Several media reports have said that the incursion appears to be the work of a nation-state and that the targets were Wipro clients.
The IT outsourcing and consulting firm was itself more avenue of approach than
target. This may represent a trend as intelligence services begin to take a growing interest in
managed service providers. The AP is reporting on another suspicious questioner, one Lucas Lambert,
who said he was a venture capitalist and wished to talk with the think tank about a cyber conference Mr. Lambert said his firm was organizing.
His questioner, Chatham House Russia specialist Keir Giles, was struck by the way the conversation all turned quickly to whether anyone was being paid to badmouth Kaspersky Lab.
A couple of other things struck him too. For one, Mr. Lambert claimed to be based in Hong Kong,
but seemed to be as unfamiliar with that city as, say, a Manhattanite might be unfamiliar with Secaucus. For another thing, he kept asking Giles to speak up and repeat himself, to the point where
Giles thought he might ask whether he ought to speak into Mr. Lambert's pen or necktie or briefcase
or wherever else the microphone was secreted.
And for yet another, he thought Mr. Lambert's suit looked too cheap to be one a VC might wear.
Kaspersky Lab didn't respond to the AP's questions about whether they had anything to do with the inquiry.
The AP is reminded of a similar approach to the University of Toronto's Citizen Lab by one Michel Lambert back in February.
In that case, the microphone looked as if it were in Monsieur Lambert's pen.
Monsieur Lambert was interested in finding out why people were slandering controversial
lawful intercept firm NSO.
NSO said then they've never heard of Monsieur Lambert.
So are Lambert and Lambert the same mug, or maybe related? The general take
is that they're the kind of P.I. who appeared as a second or third banana in a Bogart movie,
usually played by Elisha Cook Jr., and rarely successful at getting the girl or cracking the
case. We hope there really are two of them. They'd be like Thompson and Thompson, Dupont
and Dupont in the
original. We always like those two detectives in the Tintin comics. And finally, Game of Thrones
fans, when you watch, watch properly, and pay for your premium channel. It's giving you value,
right? Pirated copies of the new episodes are out and about, Zscaler warns, and many of them contain a subtitle file that contains malicious code,
specifically a remote execution exploit.
And if you download one of those, spoiler alert, winter is coming.
For sure.
And joining me once again is David Dufour. He's the Vice President of Engineering and Cybersecurity at Webroot. David, it's great to have you back. You all recently released some survey results that tracked artificial intelligence and machine learning. What did you find out here?
ML and AI, it's very close to me. We've been spending 10 years plus doing machine learning at Webroot. So we have very
strong opinions. And this survey, it's interesting to me where we talked to a lot of our customers
or people in the industry, and 76% of the people we surveyed said that it didn't matter if their
protection included AI or machine learning. But then 70% said they wanted to see advertising
that said you used AI or machine learning.
Oh, wow.
Yeah, I'm not exactly sure where the connection there is.
And what I think is, you know, I go out to the MSP shows and things like that, and I
talk to folks.
I think the feeling is if you're doing AI and ML, then you're perceived as being technically
advanced and really forward thinking, but it doesn't necessarily have to be in the product they buy from you. Huh. That's fascinating because, I mean,
certainly we've seen, like you say, at the trade shows, it's all over everything.
What an interesting gap there. Well, it is. And you're exactly right when you say
it is all over everything. And I think a lot of times people lose sight of the value that artificial
intelligence and machine learning can bring. And they're more interested in seeing that it's that
it's available. And I think what we need to do as an industry, not as the producer, but as a consumer,
understand what value that the ML or AI is going to bring to you, not just is it in there? Because
a lot of folks, they see the hype, and they just
run with it. Where if you really understand the specifics, where it's helping, where it's not
helping, that's how you can really make a judgment if it's something valuable to the product you're
buying. And what about the sophistication of the tools themselves? Are you finding that
folks are comfortable using these tools? Well, from our perspective, a consumer of our solution shouldn't even know if it's AI or ML.
So you could be using it and have no idea that you're using any type of machine learning environment because it should automatically protect.
It should automatically remediate. It should automatically do everything for you as much as possible.
Now, there are tools that you have to be interactive with,
and those tools have varying levels of complexity and knowledge that you have to have. So it really
depends on the tool and what you're using it for. Yeah, it sounds like, you know, your marketing
folks would probably like you to install a little red blinking light that lights up every time the
machine learning or artificial intelligence is being used, right? Yes. And I hope none of them listen to this
because then I'll be having my engineers put a little blinking red light and wondering why
they're doing it. You're absolutely right. Yeah. What about the other side of it? Are we seeing
that the bad guys are making use of this stuff as well? You know, there's a huge belief that the bad guys are.
We're not seeing as much of it that correlates with the belief that they are. Machine learning
is very sophisticated. There are non-machine learning methodologies that you can use to
attack machine learning models that take less sophistication and less complex techniques. And
there's, as we said, the whole
tried and true items as well of types of cybersecurity attacks that are more simple.
So if you don't have machine learning on the machine protecting you, you know, those
methods are good as well. Where am I going with all this? If you're a cyber criminal, you're going
to use the stuff, you know, already path of least resistance. Now, there could be some cyber
criminals out there, you know, large ego, they want to really, you know, use some advanced
techniques. But those are very, very few. Most people are just opportunistic. So again, we're
not seeing a lot of it, but it is in existence. And I'm sure over time, it'll start growing.
Yeah, that's interesting. I mean, you could have the most secure,
or the most sophisticated security system in your home and somebody can still throw a brick through the window.
This is exactly what I tell people.
That the cyber criminal who wants to steal your TV isn't going to hack your network infrastructure.
They're just going to kick in your front door and take your TV.
Yeah. Yeah. All right.
Well, it's interesting stuff.
It is the WebRoot AI ML survey, and you can find that on the WebRoot website.
David Dufour, thanks for joining us.
Great being here, David.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.