CyberWire Daily - StoneDrill succeeds Shamoon. Trojanized Android Facebook Lite. Progressive groups threatened with doxing, blackmail. WikiLeaks' Vault 7. Hacking back? Wiretapping?

Episode Date: March 7, 2017

In today's podcast we hear about how StoneDrill may be succeeding Shamoon—it's more evasive and at least as destructive. Malwarebytes advises sticking to Google Play to avoid a new Trojan. Russian hackers—apparently mobsters who've copped some of Cozy Bear's MO—are blackmailing US progressive political groups. The University of Maryland Center for Health and Homeland Security's Ben Yelin explains Amazon Alexa's role in a murder case. Neill Feather from SiteLock describes a WordPress vulnerability. Congress considers a bill to allow companies to hack back. WikiLeaks' Vault Seven seems mostly unsurprising. Washington wiretapping allegations prompt recriminations. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. StoneDrill succeeds Shamoon. It's more evasive and at least as destructive. Russian hackers are blackmailing U.S. progressive political groups. Congress considers a bill to allow companies to hack back.
Starting point is 00:02:09 WikiLeaks' Vault 7 seems mostly unsurprising. And Washington wiretapping allegations prompt recriminations. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, March 7, 2017. Kaspersky Lab reports finding a new version of Shamoon, which it's calling StoneDrill. Like its progenitor, StoneDrill is destructive, deploying a wiper across infected machines to destroy data. Kaspersky discovered StoneDrill in the course of investigating the three waves of Shamoon 2.0 attacks that began in November 2016. StoneDrill is more evasive than Shamoon;
Starting point is 00:02:52 it avoids execution in sandboxes, and includes mostly Persian resource language sections. Shamoon 2.0 featured Yemen's version of Arabic. Kaspersky notes that both language cues could easily be false flags. Another difference between StoneDrill and Shamoon is StoneDrill's reliance on memory injection of the wiper into the victim's preferred browser. The new malware forgoes Shamoon's use of drivers during deployment. It's begun to turn up in Europe in what Kaspersky calls a large corporation with a wide area of activity in the petrochemical sector, but with no apparent interest in or connection to Saudi Arabia. This finding suggests that the StoneDrill operators are expanding their target set beyond its original Saudi range.
Starting point is 00:03:39 Shamoon itself has gone by a number of names. Shamoon has been used to designate the campaign that was first identified by the IT security company Seculert in August of 2016, when it hit Saudi Aramco machines in a destructive attack. The name Shamoon has also, somewhat more loosely, been used to designate the malware itself. Palo Alto, Cylance, and a few others have called the wiper malware Disttrack. For background, recall that the original Shamoon campaign of 2012 was claimed by a group calling itself the Cutting Sword of Justice, widely believed to be acting on Iran's behalf in that country's contest
Starting point is 00:04:16 for regional superiority with Saudi Arabia. The threat group associated with Shamoon, and probably with StoneDrill, has been called Charming Kitten, Newscaster, and NewsBeef by some security researchers. Malwarebytes warns that a trojanized version of Facebook Lite for Android targets Chinese users with Spy.FakePlay. The users are downloading it from third-party app stores because of China's restricted access to Google Play. Malwarebytes advises that you stick to Google's Play Store to avoid this particular nasty. If, that is, you've got access to Google Play.
Starting point is 00:04:53 If not, well, then buyer beware. In the U.S., center-left and progressive advocacy groups are subjected to online blackmail. Russian hackers threaten to release embarrassing emails and shared documents. The FBI is investigating. The blackmail demands so far appear to range from $30,000 to $150,000. It's not clear what, if any, documents have been doxed. The blackmailers are said to be using some techniques reminiscent of Cozy Bear, that's Fancy Bear's quieter, more patient sibling,
Starting point is 00:05:26 generally held to be Russia's FSB, but in this case the hackers are thought to be criminals and not intelligence services. It's worth repeating Bloomberg's observation that in Russian operations this distinction can be a difficult one to draw, but Russian intelligence services' tools have shown up in criminal gangs' hands, and vice versa. WordPress sites were recently hit with a slew of defacements and remote code execution attempts, abusing a vulnerability in the WordPress REST API. For more on this vulnerability, we spoke with Neill Feather, president of website security company SiteLock.
Starting point is 00:06:03 So this one was a vulnerability that was in WordPress itself. What it essentially allowed an attacker to do is, if a site was making use of the REST API, it was allowing attackers to insert their own content or overwrite content that's on the website already with essentially whatever they chose to put on the site. It was allowing unauthenticated, so you didn't have to have logged into your WordPress in order to make changes.
Starting point is 00:06:30 Normally that's the way it was. So it was allowing unauthenticated access to WordPress changes, to WordPress administration, basically. And the way it was done was, you know, what happened was there was an input field that was not being properly handled in the code. And so because those types of requests weren't being filtered properly and cleaned properly, they were able to perform unintended actions within the WordPress environment. And so has this been patched? Yes. So it was patched. For a lot of folks, it was able to be patched before it was publicly known.
Starting point is 00:07:05 Folks like us in the security community and folks on the WordPress side were, you know, patching this before the public disclosure of the information. So for a lot of WordPress users, you know, they never had any kind of negative impact from this. But, you know, certainly WordPress is such a large and widely deployed platform that it did impact, you know, millions of websites. WordPress is so popular, so that tends to give some folks the perception that it's an insecure platform or that it's not secure, and that's not true, right? So it is, it's as secure as any other kind of open source CMS that's out there. I think what the difference is, it's so popular that cyber criminals tend to target it. I mean, you know, the cyber crime business is no different from any other business. They're going to fish where the fish are, so to speak.
Starting point is 00:07:50 Right. So WordPress happens to be a popular platform. And so, you know, it gets targeted a lot more. And the incidents tend to be a lot bigger because there's so many folks using the platform. And so, you know, we recommend that folks who are using open source CMSs, especially once you start using plugins and themes and a lot of more great functionality, that you use, you know, a product like a web application firewall or something that's going to help you kind of virtually patch these issues. You know, if you're not going to be the type of website owner who's constantly going to stay on top of updates and stay on top of vulnerabilities and things like that, this gives you a little bit of cover for those types of vulnerabilities that get
Starting point is 00:08:28 disclosed, you know, before you have a chance to patch it yourself. That's Neill Feather from SiteLock. In M&A news, CA buys Veracode for $614 million. Edwards acquires Evolved Cyber Solutions, Inabox buys Logic Communications, and Okta acquires Stormpath. The Veracode buy is the largest of these by some margin and has attracted the most interest among analysts, some of whom see it as a bellwether. In the U.S., Congress considers legislation that would permit hacking victims to access their attackers' non-cooperating systems to determine attribution. The proposed bill seems less about reprisal than it does an incentive to do some aggressive private sleuthing.
Starting point is 00:09:14 Observers are divided as to whether this is a good idea. WikiLeaks has released some of its long-promised Vault 7 documents, which, contrary to expectations, have little to do with former Secretary of State Clinton, and instead mostly express RT and TASS-like shock that the Central Intelligence Agency collects foreign intelligence and that the agency has seen its share of controversy. And finally, you may have noticed a lot of yelling and tweeting since Saturday over the Obama-Trump wiretapping dust-up, as partisans of the current residents of Kalorama and Pennsylvania Avenue woof at each other on talk shows and on the internet.
Starting point is 00:09:52 Present and former leaders of the intelligence community seem particularly riled and ill at ease with some of the current administration's tweets. We await the settling of dust. In the meantime, you are invited to read your favorite papers, and unfavorite papers, too, for their take on that matter. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. Thank you. Do you know the status of your compliance controls right now?
Starting point is 00:10:48 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:11:28 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
Starting point is 00:12:01 But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Cyber threats are evolving every second and staying ahead is more than just a challenge.
Starting point is 00:12:28 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Joining me once again is Ben Yellen.
Starting point is 00:13:05 He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, an interesting story came by. This is from Vice News, and it's about a court case where Amazon's Alexa is involved in a murder case. People trying to get information from Alexa. Bring us up to date here. What's going on? We've lived to see the day where Alexa herself can be the subject of a lawsuit. So what happened was there was an incident in Arkansas back in November 2015. There's this man named James Bates who was a former Walmart employee.
Starting point is 00:13:38 He had friends over at his house. Next morning, Bates himself called 911, reported that one of the guests was dead in the hot tub outside. Bates was accused of the crime himself, was accused of homicide. And one of the ways the government was trying to obtain evidence was trying to subpoena information from Amazon gleaned through their Alexa device. So as you know, the device is activated when somebody says, hey, Alexa. What I didn't know until I read this article is that it actually picks up some of the conversation that happens before the trigger, before the hey, Alexa, and after that trigger. And law enforcement in this case thinks that there might be some evidence of this crime, either in the conversation that occurred after the trigger or
Starting point is 00:14:25 immediately before and immediately after. Amazon is seeking to quash the subpoena. They, just like Apple in previous cases, and just like all the technology companies, want to protect the privacy of their users. So they are fighting the subpoena hard. They are saying that the allegation that this information would be somehow useful to the investigation isn't supported by compelling evidence. And they're also arguing that potentially there's a First Amendment violation. When people are using their Alexa devices frequently, you know, they're asking them to shop for them. It's an Amazon device. So if I say, I want to read a Noam Chomsky book, or I want to read Das Kapital by Karl Marx, this is something that implicates freedom of speech and freedom of association. And to infringe on those rights,
Starting point is 00:15:17 you'd have to have a compelling interest. And what Amazon is saying is law enforcement doesn't have a compelling interest because they can't prove to any reasonable extent that any information they'd gain from this device would actually be useful in the investigation. of something, they convince a judge that maybe there's something to this, and they go through, they search my home. How would searching Amazon's records be any different from that? Well, a couple of things. One are those freedom of association implications. There is private information in the home, but what Amazon has said in its motion to quash the subpoena is that there's a particular relationship between a user and this Alexa device. And part of that is personal information that's gleaned simply from some of the conversations. The other thing is the particularity requirement. So most times when you have a warrant to search
Starting point is 00:16:18 a house, it's because you have probable cause that there's some evidence there that a crime has been committed. Here, there's no real confirmable evidence. The reason this seems like a fishing expedition, at least to me, is that they just want all the audio they can obtain to see if there's something there that might implicate this criminal defendant. And that's too generalized. We have this particularity requirement under the Fourth Amendment that you have to have probable cause that a piece of evidence is really going to be useful in solving a crime. Interesting stuff. We'll have to keep an eye on it as it develops. Ben Yelin, thanks for joining us. And now a message from Black Cloak.
Starting point is 00:17:00 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire.
Starting point is 00:17:45 We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you. impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
