CyberWire Daily - Tracking down hackers-for-hire. SNAKE ransomware bites Honda. Anti-DDoS for criminal markets. And a menu for cyber contraband.
Episode Date: June 9, 2020
Commercialized hacking-for-hire is traced to an Indian firm, but it's probably not an isolated problem. Ransomware shuts down Honda production lines in three continents. Criminals develop and distribute an anti-DDoS tool to help keep the dark web souks responsive and available. Ben Yelin revisits Twitter's flagging or removing the U.S. President's tweets. Our guest is Jeremy Oddo from The Third Floor to discuss cybersecurity in Hollywood during COVID-19. And researchers compile a menu of cyber contraband. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/111
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Commercialized hacking-for-hire is traced to an Indian firm, but it's probably not an isolated problem.
Ransomware shuts down Honda production lines in three continents.
Criminals develop and distribute an anti-DDoS tool
to help keep the dark web markets responsive and available.
Ben Yelin revisits Twitter's flagging or removing the president's tweets.
Our guest is Jeremy Oddo from The Third Floor.
He discusses securing your favorite Hollywood movies during COVID-19.
And researchers compile a menu of
cyber contraband. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire
summary for Tuesday, June 9th, 2020. The University of Toronto's Citizen Lab this
morning released a report on a hacker-for-hire operation, Dark Basin, which targeted advocacy groups and journalists, elected and senior government officials, hedge funds and multiple industries.
Dark Basin is said to have been especially interested in U.S. not-for-profits, notably climate change and net neutrality advocates.
Among the specific groups targeted are the Rockefeller Family Fund,
the Climate Investigation Center, Greenpeace,
the Center for International Environmental Law,
Oil Change International, Public Citizen,
the Conservation Law Foundation,
the Union of Concerned Scientists,
MNR Strategic Services, and 350.org.
There were others in what Citizen Lab calls the same cluster,
but the report declined to name them.
Citizen Lab says, quote, "We found that Dark Basin likely conducted commercial espionage on behalf of their clients
against opponents involved in high-profile public events, criminal cases,
financial transactions, news stories, and advocacy."
They initially thought Dark Basin might have been a state-sponsored group,
but concluded instead that they were hired guns,
working for one side of a contested legal proceeding, advocacy issue, or business deal.
Citizen Lab says it's been sharing information with NortonLifeLock,
whose researchers have been tracking the same outfit under the name Mercenary.Amanda.
Much of the activity Citizen Lab reports is connected to the climate change campaign marked with the hashtag
#ExxonKnew, and it was keyed to events surrounding both that advocacy campaign and a New York
investigation of ExxonMobil.
Email compromise and social engineering with spoofed email and social media accounts
were Dark Basin's principal methods.
While the targeting of climate change advocacy groups was keyed to events involving ExxonMobil,
Citizen Lab is careful to say that it has no evidence that would enable it to identify
who hired Dark Basin. Nor is there
much to finger the clients who may have hired Dark Basin to pay attention to campaigners for
net neutrality, or to short sellers of particular stocks, or to energy or financial services
companies, or simply to high net worth individuals, particularly Eastern European oligarchs.
Citizen Lab says Dark Basin is run by a Delhi-based IT and security firm, BellTroX.
BellTroX's director and owner is Sumit Gupta.
According to Citizen Lab, he's the same Sumit Gupta whom the U.S. Attorney for the Northern District of California charged in 2015
with crimes related to a conspiracy to access the email accounts,
Skype accounts, and computers of people opposing his co-conspirators in civil lawsuits.
Mr. Gupta is still at large in India and apparently still running BellTroX. The company's
website was up and accessible earlier this morning, but as of 1 p.m. Eastern time,
the BellTroX site had been replaced
with an account suspended page
that included advice to contact your hosting provider.
We'll pass.
It seems clear enough what's going on.
Those looking for BellTroX after this morning
clearly have to search elsewhither.
The New York Times says U.S. federal prosecutors
are investigating the latest
Dark Basin capers. Citizen Lab draws this lesson from their research: large-scale commercialized
hacking is a serious and growing criminal sector. The folks in Hollywood who work hard every day
producing the movies and TV shows we all love go to great lengths to protect those assets from leaking prematurely.
Spoilers can ruin the anticipation for that big movie premiere and derail expensive marketing
efforts. So what happens when the writers, producers, editors, and special effects artists
suddenly need to shift to working from home due to COVID-19? Jeremy Oddo is director of technology at LA pre-visualization firm The Third Floor.
We work primarily in feature film.
We do commercials as well and video game cinematics.
But most of our work really revolves around theatrical movies.
And what we provide is we provide a service called Visualization that allows the director and content creators to express what's in their brains out into a medium that everybody else can digest and understand.
But organizations like yours do go through extraordinary efforts to make sure that you're not leaking any spoilers about the movies that are coming out.
I guess my question is, what's happened as you've shifted to working from home, as so many folks have during this COVID-19 situation?
You know, you no longer have everything protected within your actual facility there. What has that shift been like? Yeah, no, that's a terrific question. So we go
through a lot of security audits throughout the year to make sure that we're maintaining
a proper level of security so that our content is secure. And then COVID-19 happens and it completely changes the landscape.
Our plan from the get-go was always keeping the data safe in our four walls,
not exposing that out to the edges.
We need to make sure that we could get people into our studio remotely,
work on it as if they were working there.
That way, all of the applications that are stitched together,
the way that we've done it, all of our process can function the way that it normally does.
The first thing that we needed to do was establish a data center presence and get a 10-gig link.
The reason why we went to the data center is we checked to see how quickly we can get a 10 gig link dropped to our office,
and it was upwards of three months,
which obviously that wasn't going to do in this situation.
Right.
I said, okay, well,
how do we trim time off of here?
The way to do that is to go to a data center where they
have easy access to drop in these connections.
Using AppGate, it's called software-defined perimeter,
where you actually create this little perimeter around
everybody and only provision out the resources that they need.
In our instance, we're predominantly a Windows shop,
so we use remote desktop for some purposes and then we
use a tool called Teradici, which is just really a very high-performance, high-fidelity version of
remote desktop, you can think of it that way. So it allowed us to really create just a pinhole for
them to get in and do what they needed to do and not expose all the other resources that typically we would want to protect very closely.
That's Jeremy Oddo from The Third Floor.
Production at Honda plants in Europe, North America, and Japan
has been affected by what the company calls a computer disruption,
NBC News and others report.
Local news reports from the U.S., the U.K., and Canada indicate that Honda facilities in those countries are among those affected.
The problems began on Sunday, and Honda is still working to resolve them.
A company statement said in part,
On Sunday, June 7, Honda experienced a disruption in its computer network that has
caused a loss of connectivity, thus impacting our business operations. We have canceled some
production today and are currently assessing the situation. The company is remaining relatively
tight-lipped, but Bleeping Computer says that outside observers think they see signs that the
incident was a ransomware attack with a variant of Snake,
which also goes by EKANS. It's apparently a targeted attack. A sample of the malware in
VirusTotal seeks to resolve the domain mds.honda.com. If it can't, it terminates without encrypting
anything. Here's the latest in a series of fitful attempts at cooperation among criminals, as described this morning by researchers at Digital Shadows.
It's a DDoS protection tool, Endgame, no connection to the similarly named security company acquired last October by Elastic N.V.
Denial of service attacks have been a drag on criminal operations for some time, whether they're mounted by underworld competitors or law enforcement agencies.
Endgame is a product of collaboration among players in the criminal markets Dread,
White House Market, Big Blue Market, and Empire Market.
Despite some cartelization, as Trend Micro observes, the underworld remains a low-trust community.
In any case, as we'll hear a little later, DDoS attacks are also criminal commodities.
They're inexpensive, and since, as Digital Shadows points out,
speed and availability are important to dark web markets,
it's easy for distributed denial of service to become a problem for the criminal trade.
The reactions to Endgame from its clientele have been mostly positive.
How the tool will fare remains to be seen, but the fact that it's appeared at all suggests that even a low-trust
community can cooperate if self-interest pushes hard enough. And finally, if you're buying
commodity cyber-contraband à la carte, not that you would, of course, but if you were, or maybe if you were asking for a friend, Privacy Affairs has compiled a representative menu from the dark web. The
offerings range from an appetizing morsel of a thousand Spotify plays, which can be had for a
buck, to an appetizer of 10 to 15,000 DDoS requests per second against an unprotected website for over 24 hours, just $60, to a main
course of premium malware at $6,000. Consider on the side a Rutgers University student ID,
$70, or perhaps some stolen PayPal account details, $198.56, but some think it worth the price.
For dessert, consider a cloned Visa card with PIN, $25.
Care to wash it down with a hacked Gmail account?
That'll be $155.73.
Bon appétit.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and
Homeland Security. Also my co-host over on the Caveat podcast.
Ben, always great to have you back.
Good to be with you, Dave.
We got a bit of follow-up from a listener about something we spoke about recently.
They wrote in and they said,
Friday's Cyber Wire episode talked to the executive order issued regarding social media companies.
In this discussion, Ben mentioned one of the president's tweets
was flagged for possibly being interpreted for a call for violence.
Walking the concept further, if there were multiple flagged or blocked tweets,
which could have a normal user restricted or banned,
considering the public figure the president is,
and Twitter being a regularly used method for messaging the public,
could Twitter temporarily suspend the president's account for violating the EULA or similar grounds? And what actions might the
administration need to take to prevent or reverse any type of actions taken by Twitter, such as
restrictions of the account, if they, Twitter, consider tweets harmful, abusive, or a call to
violence? So it's a great question. Normally, any other user who was not a head
of state or a head of government, if Twitter determined that there was a call to violence,
if the tweet was harmful or abusive, it would be taken down. And if the pattern continued,
that user would be suspended. I know a lot of individuals who have been suspended. I don't know them personally,
but I know a lot of individuals. The circles you run in, you're running with some bad boys there.
Exactly. You know, somebody like the actor James Woods was suspended on Twitter for a period of
six months or something for incendiary tweets. So most people are not immune. Twitter has made a distinction for heads
of state and heads of government because of the newsworthiness of all of their statements.
Basically, they're saying whether that user, if they are in a position of power,
tweets something harmful or abusive or violent, Twitter, as a general policy, will not take that
tweet down because it is in the
public interest. The public has a right to know what their leaders are saying and what their
leaders are thinking. So it really is an exception to the EULA. And I honestly think once you attain
a certain position of power in the government, it does give you more free rein to post what you want, whether it would
otherwise violate the terms of service. And certainly, I think our president has taken
advantage of that exception. Now, suppose Twitter changes their mind. I mean, we've seen some
movement from them lately where they've been putting some tags on the president's Twitter
posts, and they also hid one. They made it so you could still see it, but they hid it as a default.
Does the administration itself have any right to action against Twitter as a private company?
No, they do not.
I mean, as far as the law is concerned, Twitter is a private organization.
They're not restricting the president's speech.
They can really do whatever they want. They can come up with their own terms of service,
their own rules on censorship. And as we talked about last week, per Section 230 of the
Communications Decency Act, at least as the law is right now, they can't be held liable
for any of those decisions. It seems to me that despite what Twitter is doing as it relates to
the president's posts, it really has no intention of doing what it does for, you know, the other
99.99% of its users, which is to take down posts entirely and suspend users. Just because I think
when the president says it, it's newsworthy. It's in the public interest.
So they're willing to put warnings on tweets, but they're not willing to censor them entirely.
And I think they've held that viewpoint pretty strongly.
You know, 40 years ago, Richard Nixon said in an interview that if the president does it, it's not illegal.
I think there's some of that logic at play here.
The president is held to a different standard than any other user. You know, you use that word censor, and I think that's a hot
topic here. Many people will accuse Twitter of censorship, but strictly from a legal point of
view, again, since we're talking about a private company, that's not how the law works, right? It is certainly not how the law works. You know, the theory is if the
president were angry enough at Twitter, in our capitalist system, he could start his own
microblogging technology and can make his own rules about censorship. Honestly, would you be
really surprised if that happens? You know, there could be Trump-ter or something. Right. You know, and
Twitter just happens to be the major micro blogging platform there. It's where the people are.
And that's where he can get the most eyeballs. But in terms of what Twitter is allowed to do,
they are allowed to manage the content on their website. They are allowed to make these editorial
decisions as long as they're not
violating any other federal law. So, you know, for example, they can't violate the Civil Rights Act
by saying we're only going to accept tweets from white users or something like that. But if they're
not doing that, then they are a private organization and they have the right to police the content and
the way they see fit. All right. Well, thanks to our listener for
sending in the thoughtful question. And Ben Yelin, thanks for joining us. Thank you, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here
tomorrow.
Thank you.