CyberWire Daily - Tracking the impresario behind Collection#1. OceanLotus and a new downloader. CookieMiner malware afflicts Macs. Huawei’ prospects. Influence ops. Extortion by bluff.
Episode Date: February 4, 2019
In today's podcast, we hear that Collection#1 looks like the work of an aggregator who goes by the name of "C0rpz." OceanLotus is working with a new downloader. CookieMiner malware is poking around in Macs. Huawei continues to receive harsh security scrutiny internationally even as it seeks to position itself as a 5G leader. Russian influencers begin to attend to Venezuela. And if someone says they've got video of you looking at things you shouldn't, they probably don't. Rick Howard from Palo Alto Networks on Australia's controversial encryption legislation. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/February/CyberWire_2019_02_04.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Collection #1 looks like the work of an aggregator who goes by the name of C0rpz.
OceanLotus is working on a new downloader.
CookieMiner malware is poking around in Macs.
Huawei continues to receive harsh security scrutiny internationally,
even as it seeks to position itself as a 5G leader.
Russian influencers begin to attend to Venezuela.
And if someone says they've got a video of you looking at things you shouldn't,
they probably don't.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 4th, 2019.
Security firm Recorded Future has been looking into Collection #1, as well as Collections No. 2 through 5,
and its researchers believe they have a line on the individual responsible for Collection #1.
It appears to be a cybercriminal known by the nom de hack C0rpz.
There are other names out there who've hawked Collection #1 for sale in various dark web markets.
The one who calls himself Clorox is a poseur, not the person who pulled the material together.
The one who goes by Sanix is a reseller who bought the data dump and is now offering it to others.
ZDNet points out that Mr. C0rpz, like Clorox and Sanix, is probably at most an aggregator,
not a hacker who accomplished the breaches in the first place.
The collections have by all appearances been pulled from past data exposures, and there's
little new there.
These data dumps are useful reminders of the importance of good digital hygiene, and they
should inspire people not to reuse passwords, and to change passwords that may have been
exposed.
But they're not grounds for panic.
Those who continue to reuse passwords that they established several years ago
can expect to receive the attentions of criminals conducting credential stuffing attacks.
Suggestions last week that there would be a demand-side push against users of Webstresser
after supply-side action against the booter service seem to be borne out.
Krebs on Security reports that Europol is preparing to bring legal action
against 250 users of the shuttered DDoS-for-hire service.
U.S. authorities have also noted that hiring a service like Webstresser
would typically also constitute a violation of U.S. law.
Palo Alto Networks' Unit 42 reports that the Vietnamese threat group OceanLotus, that's APT32,
has deployed a new downloader, KerrDown. It's typically distributed either through a malicious
macro in a Microsoft Office document or by a RAR archive with some DLL side-loading.
Security firm Malwarebytes is tracking a new strain of malware. They call it
CookieMiner. It steals browser cookies associated with various online wallet services and
cryptocurrency websites. It can also pick up, as BleepingComputer reports, passwords, texts,
and credit card credentials, particularly any stored locally in either Safari or Chrome browsers.
Palo Alto's Unit 42 has also been tracking CookieMiner.
The researchers there list some of the cryptocurrency exchanges the malware is interested in:
Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet,
and any website that uses the word blockchain in its domain name.
CookieMiner affects Macs, like the possibly related DarthMiner and LamePyre malware strains
identified last December.
CookieMiner uses the EmPyre backdoor to establish persistence and command and control channels.
Huawei receives harsher scrutiny as a potential security risk in both Canada and the UK.
In the UK, as the Times of London reports,
the discussion is mixed with recriminations over the government's alleged failure to take warnings from various defense experts of Huawei-enabled espionage seriously
when it received them six years ago.
The Telegraph is also reporting that the soon-to-be-released annual report
from the UK's Huawei Cybersecurity Evaluation Centre,
that's a working group within GCHQ's National Cyber Security Centre,
will be highly critical of the telecom equipment manufacturer's ability or willingness to address the security concerns the centre raised last year.
Huawei has committed to spending about $2 billion to allay the concerns that earlier report raised, but, says The Telegraph, sources in a position to know say that the reality of their effort has fallen far short of the promises.
network remains a matter of public debate, and the company's CFO remains in or around Vancouver,
awaiting the outcome of proceedings that would extradite her to face criminal charges in the U.S.
It's an open question whether the company's early advantage in 5G technology will enable it to ride out the international backlash over security. On the one hand, Huawei's devices have a reputation
for low cost and solid performance,
and the company is an influential player on standard setting bodies that will have a lot
to say about the shape 5G technology will assume. On the other hand, if the Five Eyes' suspicion of
the company continues, as it seems likely to do, that participation and influence may not translate into commercial viability,
let alone market dominance. If the Russian media mouthpiece RT is any indication,
Moscow's information campaign concerning Venezuela would seem to have begun. The outlet warns that
U.S. military intervention may be imminent and would be easy for the U.S. to undertake.
Interference in Venezuelan internal affairs would grossly violate international law, says Mr. Putin,
because countries shouldn't fool around in other countries' internal affairs.
Yet somehow one doubts this means President Maduro's bodyguard of green men is likely to
be repatriated to spend their VAPR coins in the Arbat anytime soon.
We do hope that Venezuela's suffering is soon alleviated, but be wary of how the conflict
is treated in social media over the coming weeks.
Finally, there's a new wave of extortion attempts that's been running since the middle
of last month.
The victims receive an email saying that the emailer, you don't know me,
as the extortionists invariably introduce themselves, has caught the recipient using
an adult content site, and they have webcam video of such use, and that they'll release
that webcam video to friends, family, colleagues, employer, and so on, if they're not promptly
compensated in Bitcoin. This is a case in which a little bit of knowledge can be dangerous.
The extortionists say they've got the victim's passwords from a data breach.
Well, there have been a lot of those, haven't there?
After all, there's collection number one, collection number two, and so on.
Who's to say they don't have those passwords?
And who knows what they now have access to?
Or so thinks the nervous victim.
But remember, the guilty flee where no man pursueth.
It's a pure scam.
They've probably got nothing.
If you get one of those emails, delete it,
and get on with life.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access
reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's
defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Rick Howard.
He's the chief security officer at Palo Alto Networks,
and he also heads up Unit 42, which is their threat intelligence team.
Rick, great to have you back.
We recently had some news coming out of Australia, some new legislation there.
Can you bring us up to date? What's going on?
Yeah, Australia's House of Representatives passed the Telecommunications Assistance and Access Bill for 2018. It's also known as the
Anti-Encryption Bill. They did it at the beginning of December. And if the upper house votes in
support early in 2019, which it is expected to do, law enforcement with the proper warrant could
force companies like Google, Facebook, WhatsApp, Signal, and other tech giants to help them access encrypted communications.
And if they don't, these companies could face massive financial penalties.
So where do you stand on this?
Are you for this or against this?
Well, let me just say that I am sympathetic to the law enforcement problem, not just in Australia but all around the world.
You know, Newsweek reported last year that half of all internet traffic is encrypted,
and that stat will likely go up over time. And with end-to-end encryption apps like WhatsApp
and Signal, criminals and other ne'er-do-wells can block their communication traffic from prying
eyes with ease. The Australians, and indeed all the Western law enforcement agencies,
claim they need this capability for national security, that it is an essential tool to fight serious offenses such as crime, terrorist attacks, drug trafficking, smuggling, and sexual exploitation of children.
I don't disagree.
Nobody wants to hamstring our law enforcement organizations by allowing the Internet to go dark on them.
Yeah, but obviously this bumps up against privacy concerns.
Exactly. I get that question everywhere I go. So here's a couple of things that come to mind. Do we want our
governments to have this kind of power when the average citizen has no mechanism to check for
potential abuse of it other than a note from our leader saying, trust us, we're here to help,
right? Do we want that? Or do we want our governments to mandate that we give them that
power when even the tech giants don't know for sure how anything they might do to accommodate law enforcement
might weaken the privacy of even the average citizen? All right, but where's the happy medium
here? I mean, how do we choose? Do we prioritize privacy over security? Not at all. Listen,
in the U.S., in the preamble to the Constitution, it says to establish justice and secure the blessings of liberty.
And most constitutional scholars say that although the Constitution does not say that privacy is a right explicitly, that last bit about blessings of liberty is about our right to privacy.
But the Fourth Amendment does say that the people should be secured against unreasonable searches and seizures.
The point is this.
In the U.S., privacy does not trump security.
The two ideas are in tension with each other, either by design or by luck.
U.S. founding fathers gave neither idea dominion over the other.
They're supposed to be in balance.
Yeah, but it strikes me that people sort of take sides with this, and they have very
almost tribal positions when it comes to which side of this they choose to be on.
Yeah, it's worth noting that we've been here before, right? So back in the early 1990s,
the U.S. was having this debate for the first time. Diffie and Hellman published their famous
key exchange paper back in 1975.
And the RSA boys, Rivest, Shamir, and Adleman, published their famous encryption paper in 1978.
This was a giant milestone, by the way.
Before Diffie and Hellman and the RSA team, encryption was purely a government function.
But by 1986, the RSA company had started selling encryption software to the commercial space. And by 1991, Phil Zimmermann had released his PGP, Pretty Good Privacy, software to the world for free.
The NSA panicked because they thought they were losing a rich source of intelligence and convinced the Clinton administration to mandate the inclusion of something called the Clipper chip into all computers.
Right.
Yeah, I remember that.
Yeah, you remember this debate.
Yeah, yeah.
Now, the Clipper chip was going to provide encryption services to the masses, but the
catch was that it would also keep the encryption keys for all citizens in escrow in case the
government needed to break the encryption for law enforcement and intelligence purposes.
Now, this scheme failed for lots of reasons.
And if you want to learn about the details, check out Steven Levy's book called Crypto. He chronicles the entire process.
The Cybersecurity Canon Project inducted his book into the Hall of Fame two years ago.
Steven Levy is one of my favorite authors.
I know. He's just fantastic. He actually came out to the ceremony and gave a great speech.
He's fantastic. But here we are again in 2018 with Western governments
seeking a way to break encryption
inside of commercial products.
The Aussie approach is this anti-encryption bill, and it seeks to play security as more important than privacy.
It isn't, but it seeks to pull the conversation to that side.
The question for the privacy advocates is this: what would you want in return for giving the government this kind of power?
What kind of rules would you want in place to make sure the government cannot abuse this power or did not unknowingly weaken the privacy of the general citizen?
Now, I got a couple of thoughts here, Dave.
Rick, you always have thoughts.
It seems to me, too, that in this debate we never hear from the other side about what we would want.
It's always, on each side, no or yes.
It has to be one complete thing.
And how about a little compromise here?
So if I was going to offer a compromise, there would be two things I'd want to consider.
First, I'd want complete transparency of the process.
Regular publication of how many times the law was used, for what kind of crimes, and how many times having access actually resulted in a conviction of a criminal or the prevention of a terrorist attack.
I'm not looking for classified information here.
I'm just looking for stats and metrics that show that the program is working.
This all should be public knowledge.
And the second thing is, I want this built into the law: a regular reassessment
of the program. Let's say we build a law with a regular reassessment by lawmakers, call it every
10 years, where they look at the stats with the purpose to determine that neither security nor
privacy is more powerful than the other, that the system as designed does not break the average
citizen's privacy, nor does it keep law enforcement in the dark. I think with these two ideas, we can get out from in between this, you know, debate on both sides
where nobody is budging an inch.
Well, I admire your optimism on it. I can't say that I feel as hopeful as you do that we can find that happy place in between. It seems like folks are pretty well dug in, but certainly thought-provoking.
And as always, Rick Howard, thanks for joining us.
Thank you, sir.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo
is easy. Learn more at ai.domo.com. That's ai.domo.com.