CyberWire Daily - Tracking Stone Panda to the Tianjin Bureau. Ad-fraud and Tokelau. RansomWarrior decrypted. US Congress to grill Facebook, Google, and Twitter. Celebrity scams.

Episode Date: September 4, 2018

In today's podcast, we hear that Intrusion Truth seems to have Stone Panda dead to rights. Chinese intelligence increases targeting of expatriate Uyghurs. Zscaler warns that an ad-fraud campaign is making use of the Tokelau top-level domain. Check Point has a decryptor for RansomWarrior. The US House and Senate will hear from Facebook, Twitter, and Google this week about influence operations, content moderation, and alleged monopolistic practices. And no, Pope Francis isn't giving away Bitcoin, nor did former President Obama encrypt your files. Emily Wilson from Terbium Labs with a look back at the effects of last year's AlphaBay takedown. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/September/CyberWire_2018_09_04.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Intrusion Truth seems to have Stone Panda dead to rights. Chinese intelligence increases targeting of expatriate Uyghurs. Zscaler warns that an ad fraud campaign is making use of the Tokelau top-level domain. Check Point has a decryptor for RansomWarrior. The U.S. House and Senate will hear from Facebook, Twitter, and Google this week
Starting point is 00:02:17 about influence operations, content moderation, and alleged monopolistic practices. And no, believe it or not, Pope Francis isn't giving away Bitcoin, nor did former President Obama encrypt your files. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 4th, 2018. CrowdStrike has confirmed certain claims by Intrusion Truth that APT10, also known as Stone Panda, is connected to the Tianjin Bureau of China's Ministry of State Security, and has also confirmed the identities of two people whom Intrusion Truth has been tracking. CrowdStrike specifically confirmed that one of the two was the owner of a blog account
Starting point is 00:03:06 whose handle was FisherXP, and that he was associated with a 2010 phishing campaign by Stone Panda. The two had followed one another on Twitter, and the second individual was also connected with a GitHub account holding versions of Stone Panda's remote-access Trojans, Quasar and Trochilus. of Stone Panda's remote-access Trojans, Quasar and Trochilus. Intrusion Truth, described in the trade press as shadowy, effectively represents itself as a hacktivist group dedicated to exposing Chinese intelligence, or, in their self-description, quote, we hunt APTs,
Starting point is 00:03:39 which is about all they have to say about themselves. Intrusion Truth, whoever they may be, blog on a WordPress site. Their posts are literate, which isn't always the case in this space, and they pursue Chinese intelligence officers with dogged intensity, down to tracking their working hours and their Uber rides. What's Chinese intelligence up to these days? Apart from the customary interest in industrial espionage, there's a good bit of current and nasty attention being paid to the Uyghur diaspora,
Starting point is 00:04:10 with threats made against relatives still in China of Muslim Uyghurs living abroad. Zscaler researchers are tracking a spam campaign that directs users to the.tk sites, the national top-level domain for Tokalow, in the service of, for the most part, an ad fraud campaign. Zscaler estimates the ad fraud brings in more than $20,000 a month, and other associated scams pull in additional revenue. Tokalow, which allows anyone to register a domain, has a population shy of 1,500, but the world's largest presence on the internet. Small nations once made money by printing stamps for the collector's market. Now they sell domains, or even give them away as loss leaders.
Starting point is 00:04:57 Checkpoint researchers have found and made available a decryptor for ransom warrior ransomware, Bravo Checkpoint. They say it wasn't particularly ransom warrior ransomware, Bravo Checkpoint. They say it wasn't particularly well done ransomware, and that breaking it was not too tough, but Bravo nonetheless. On Wednesday, the U.S. Congress will hold hearings on the tech industry. They're interested in political influence, privacy, and monopolistic practices. The Senate Intelligence Committee will interrogate Facebook, Twitter, and Google. The House Commerce Committee will confine itself to Twitter. Big Tech, as represented by these three companies,
Starting point is 00:05:33 are feeling a lot of pressure from authorities on both sides of the Atlantic. The British Home Secretary in particular is on a warpath to force the platforms into more extensive content moderation. And finally, two implausible scams are circulating. One, a celebrity advance fee come on tells the gullible that Pope Francis wants to give away a small fortune in Bitcoin. As usual, and you'll remember this from all of the crypto dough Elon Musk was widely believed to be spreading around via Twitter, all you need to do is pay a comparatively modest advance fee. Sounds good, right?
Starting point is 00:06:12 The come on is like this. I have prepared something for you all to cheer you up a bit, says a cheerful pontiff as he introduces the Pope Francis official BTC giveaway. Seems legit. I mean, he is always smiling and seems to want people to be cheerful. The other caper is an unusual takeoff on the ransomware-scareware hybrid. Usually, you'll see a reproduction of, say, the FBI seal, with a warning that you've been caught in secret malfeasance, and that you can clear the books, avoid embarrassment,
Starting point is 00:06:44 and recover your files if you deposit some amount as directed. In this recent case, it's not the seal or logo of some well-known law enforcement agency, but rather the crude ransomware displays the face of former President Obama. He looks pensive in a sport coat and an open collared shirt, an index finger poised thoughtfully on his pursed lips. The message doesn't sound quite like Mr. Obama, however. It goes like this. Hello, your computer is encrypted by me.
Starting point is 00:07:15 Yeah, that means your EXE file isn't open, because I encrypted it. So you can decrypt it, but you have to tip it. This is a big thing. You can email this email, and they helpfully provide the email here, gets more information. So you can recover your files if you tip the former POTUS. At least that's how we read it. The file properties on this little number, as reported by Malware Hunter Team, indicates that the malware is called Barack Obama's Everlasting Blue Blackmail Virus Ransomware, which is a mouthful and a lot more gasconade than one normally finds in the name of malicious code.
Starting point is 00:07:51 Maybe it's an indication of lack of confidence. We hear that bragging often is. Some observers note that it's unusual for ransomware to encrypt file systems, and that may well risk making the infected device unrecoverable and thus remove any incentive the victim might have had to pay. They read this as either a misstep or incompetence on the hood's part. If we had to bet, we'd say incompetence. Criminal geniuses are a whole lot rarer than criminal boneheads. It should be, but isn't, needless to say, that neither the current Pope nor the former President are involved in any of this. The love of money, we've heard, is the root of evil,
Starting point is 00:08:31 and in this case, it seems the love of altcoin is the root of a great deal of really dumb evil. So buyer beware, and don't bite. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:09:19 Let's create the agent-first future together. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:09:48 They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home,
Starting point is 00:10:46 your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Emily Wilson. She's the director of analysis at Terbium Labs. Emily, welcome back. You know, it's been about a year now since the AlphaBay takedown. Let's take a look back. How effective was that?
Starting point is 00:11:19 How have things changed on the dark web since they went away? It has, in fact, been a very long year since AlphaBay went down. So the takedowns, just for listeners who aren't as intimately involved in the schedule there as some of us who look at this every day, AlphaBay was the sort of Amazon of the dark web, right? You've heard about this. It went dark on July 4th, 2017, which was a very disruptive holiday for me, I'll tell you that much. And, you know, people were a little confused about what was happening.
Starting point is 00:11:52 They weren't sure if AlphaBay had exit scammed, had sort of run off with all of the money held in escrow, if there were technical difficulties. And then a few weeks later on July 20th, the attorney general came out and said that Alpha Bay had been taken down, had been seized as part of an international law enforcement effort. And that, in fact, the kind of secondary market, the the heir to Alpha Base throne that everyone had flocked to had been under control of Dutch police for more than a month. So there was chaos. There was chaos and instability. And over the course of the last year, as listeners will have heard, there have been a series of upheavals, right? Bitcoin ricocheted from, you know, $1,200, I think the beginning of last year to, you know, hitting $20,000, which is obviously a big deal on the dark web. People are holding a lot of Bitcoin and a lot of people were finding ways to use their Bitcoin. So that's disruptive. There were takedowns
Starting point is 00:12:45 and infighting. There was a big fraud ring that was issued. There was an indictment that came out from the Department of Justice earlier this year. The Reddit communities, which is where a lot of information was being traded, were shut down. And so what happened? What does it look like? It looks both completely different and exactly the same. And this is what I mean by that. The dark web is an incredibly adaptive community. And to be clear here, I'm talking about the criminal communities on the dark web, which is just a portion of what happens there.
Starting point is 00:13:16 These communities are adaptive. They are designed that way. And so some communities were more disrupted than others. The drug communities were disrupted and they had to find new homes. The fraud communities were largely doing fine. They have operations that really run in parallel to these large markets. But other markets are continuing to thrive. We've had markets go down.
Starting point is 00:13:38 We've had markets come back up. The takedowns were effective in that it took down the largest market the dark web has ever seen and potentially dismantled a big criminal network. But they were only as effective as taking down a mob boss in a major city. You haven't finished organized crime. You've just dealt a pretty significant blow. Was this just a speed bump or has there been meaningful long-term friction applied to the system in a way that would decrease the amount of commerce going on? I think it's fair to say more of the latter. There is no denying that this was a milestone for the dark web in the same way that the takedown of Silk Road was, right? This was a very well-run operation and an operation run at a scale, again, that we haven't seen and we haven't seen anyone else rise to that occasion. This was a
Starting point is 00:14:32 very large market conducting a huge volume of transactions all around the world. And taking that down, and honestly, the willingness of the Dutch police to very effectively, I hear customer service actually improved, very effectively run a dark web market for a month has now made everyone even more paranoid than they were already. Now, every time there's a glitch, now every time something goes wrong or a market goes down for a little while, all of which happens regularly on the dark web anyway, people are having to ask themselves, is this law enforcement? Is it worth it? What am I doing? How do I keep this up and running? And so some people have been scared off.
Starting point is 00:15:10 Some people are operating more cautiously and some people are figuring out where to go next and how to keep doing this because there will always be people who are going to find a way to do this and they're just trying to adapt faster than law enforcement can. Emily Wilson, thanks for joining us. Cyber threats are evolving every second and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:15:51 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:16:36 The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Starting point is 00:17:02 Thanks for listening. We'll see you back here tomorrow. solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
