CyberWire Daily - Turla's Gazer backdoor. OurMine vs. WikiLeaks; WikiLeaks vs. CIA. Reality Winner trial. House of Cards material leaks. Patching notes. Insecure APIs.
Episode Date: August 31, 2017

In today's podcast we hear that Turla's using some sophisticated code against diplomatic and defense industry targets. OurMine hackers use DNS poisoning against WikiLeaks, but WikiLeaks opens up Vault 7 anyway: this week it's "Angelfire." Accused US Intelligence Community leaker Reality Winner wants her initial statements to investigators suppressed at trial. House of Cards leaks stories and other material related to the TV show. A quick patching update. Insecure APIs take a toll on Instagram and the FCC. Emily Wilson from Terbium Labs with her thoughts on the closure of AlphaBay. Mike Kearney from Deloitte on predictive reputation protection. And what's up with Rick and Morty?

Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. Check out & subscribe to Recorded Future's free intel daily. We read it every day. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. JHUISI & partner COMPASS Cyber present Cyber Security Conference for Executives on September 19th in Baltimore. Register for the event.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Turla's using some sophisticated code against diplomatic and defense industry targets.
OurMine hackers use DNS poisoning against WikiLeaks,
but WikiLeaks opens up Vault 7 anyway.
This week, it's AngelFire.
Accused U.S. intelligence community leaker Reality Winner
wants her initial statements to investigators suppressed at trial.
House of Cards leaks stories and other material related to the TV show.
A quick patching update.
Insecure APIs take a toll on Instagram and the FCC.
And what's up with Rick and Morty?
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, August 31, 2017.
Turla, the Russian espionage group that's known to have been active for the better part of two decades,
has continued its cyber collection efforts this summer.
ESET researchers have more on the group's technique,
publishing an assessment of a second backdoor they've discovered in its toolkit.
They call it Gazer, and it's a second stage backdoor installed once the first stage,
called Skipper, is in and open.
Kaspersky Lab has also been tracking Turla.
They've referred to the attacks involving Gazer as White Bear, so don't let the differences in nomenclature confuse you.
Gazer's been around for a while, making its appearance, it seems, in 2016.
ESET thinks it's likely that Turla will develop a successor backdoor now that Gazer has been
detected and linked back to the espionage group. Turla doesn't use much repurposed commodity malware. Gazer, like most
of the other tools in Turla's kit, was designed with care and sophistication by a well-resourced
team. The backdoor's command and control mechanisms are interesting. As ESET says in their report,
Gazer can receive encrypted tasks from a C&C server,
which can be executed either by the infected machine or by another machine on the network.
It also uses an encrypted container to store its components. Its list of command and control
servers is embedded. They're all legitimate but compromised websites, most of them based on
WordPress, that serve as a first-layer proxy.
Turla has tended to concentrate on the Middle East, Eastern Europe, and what Russia calls the
near-abroad, former Soviet republics in Russia's backyard. Its latest operations have tended to
follow this pattern, although some South American targets appear to have been serviced as well.
Diplomatic missions, in its regions of interest,
have long received Turla's ministrations, but it's recently shown an increased interest in
the defense and aerospace sector.
WikiLeaks' site was attacked and defaced earlier this morning by
OurMine, the Saudi-based hackers whose public stance is that they're grey-hat pen testers,
freelancing into vulnerable sites for the general good.
This time, however, the defacement indicates it's personal,
an instance of long-festering bad blood between OurMine and Wikileaks.
OurMine has gone after Wikileaks at least twice before, and the text of the defacement page also alludes to a long-standing beef OurMine has had with Anonymous.
It appears that WikiLeaks' servers themselves
weren't compromised, which has led Silicon Republic and others to sniff that this wasn't
a real hack at all. Instead, they accomplished their work through DNS poisoning.
It's Thursday, and that's the day WikiLeaks has tended to choose for its now regular weekly
publication of the contents from Vault 7. RT, the news organization formerly known
as Russia Today, has reported that Vault 7 opened on schedule. This time, the documents purport,
as usual, to be descriptions of CIA hacking tools. Today's are said to describe AngelFire,
a framework for loading and executing implants onto Windows XP or Windows 7 machines.
This also continues a trend.
Many of the recent documents WikiLeaks has released are represented as affecting older machines,
running software which is beyond its end of life.
How WikiLeaks gets its material remains publicly unknown.
There have been some recent moves in the U.S. Congress to express its sense of what WikiLeaks is up to.
The text of the resolution is, "It is the sense of Congress that WikiLeaks and the senior leadership of WikiLeaks
resemble a non-state hostile intelligence service often abetted by state actors
and should be treated as such a service by the United States."
This, like sense of the Congress resolutions generally, is expressive, not prescriptive.
Congress is upset with WikiLeaks and wants people, especially people working in the intelligence community, to know it.
Protecting your organization's reputation online is, of course, important,
but it can be challenging to predict when an online misstep or squabble can turn into a full-blown PR disaster.
And of course, online, things can happen really fast. The folks at Deloitte recently announced
the acquisition of assets from a company called Blab, specifically their predictive social
intelligence platform. Mike Kearney is a partner in Deloitte's risk and financial advisory group.
While organizations do a very good job managing risk, they often look at brand
and reputation risk as more of an outcome. So something that is really dependent on their
existing risk management programs. And so we believe that it is a risk. And I think if you
look at what CEOs and other executives talk about as being their most significant risk,
they oftentimes focus on an event that could potentially impair their reputation. And so with this Blab acquisition,
we're excited about it because it allows us to begin to anticipate potential issues,
reputational events that may occur. And so this could be anything from a regulatory issue, a competitive threat, a financial reputational impact.
It could be innovation from our competitors.
It could be a reputational damaging event from our employees, third parties, government.
It really kind of goes across the spectrum.
So give us an idea, how does this predictive technology work?
The tool, like many other risk-sensing tools, ingests, I think, 50,000 different data sources,
100 million pieces of data a day. But what really interested us and what was different about the
tools that we were already using within our firm and other vendors that we had worked on,
the Blab team had developed an algorithm and had patented it, which allows them to predict low signal noise,
which could potentially be a reputational event.
And that could be something that is extremely positive, something as an organization you want to amplify.
It also could be a potential reputational event that would be
something that you'd like to mitigate. The algorithms get smarter because it's continuously
looking at how well it did to predict an event. And so now they're hovering around 80%
likelihood that when they predict something, and it's always within a 72-hour period of time,
that it's kind of always improving kind of the way that it looks at those
events. And so it's learning from itself so that it can improve predictability in the future.
That's Mike Kearney from Deloitte.
In one of the ongoing cases against alleged U.S. intelligence community leakers,
former NSA contractor Reality Winner has asked that the court suppress the initial
statements she made to investigators when they first came knocking. Those statements amounted
to a confession, which she takes back, arguing that it was a confusing time and she lacked proper
counsel. Reality Winner was apprehended after her alleged cover was inadvertently blown by her
communications with The Intercept, the magazine that received the material she's said to have improperly removed from a secure facility.
The Chinese and Cuban governments have little compunction about locking public discourse down fairly tightly,
and foreign companies doing business in China are puzzling over how to navigate Beijing's
latest round of internet controls. But in most other places, there's been a tension between dissuading people from extremism
and safeguarding rights of free speech and expression.
The discussion about how to do so has tended to concentrate on how best to manage censorship,
with those concerned about radicalization either opting for censorship cheerfully and enthusiastically
or embracing some modified, limited hangout form as the lesser of two pretty bad evils.
Consider, however, the role bots have come to play in information operations.
Brian Krebs has noticed when he tweets something about Russian President Putin,
he gets a lot of not-really-relevant Twitter traffic about U.S. President Trump.
Social media are infested with bots,
and information operations find them useful in magnifying opinion, pushing memes, and either
influencing or intimidating those who don't share their views. Here's an interesting suggestion
we've heard from former U.S. Homeland Security Secretary Chertoff. Research into quick
identification of bots could provide an opportunity to control
at least this aspect of information operations. And bots not being natural persons wouldn't seem
to enjoy the natural rights persons do. In patching news, a cross-site scripting
flaw in the WooCommerce WordPress plugin has been fixed. Siemens patches LOGO!, and patients
with St. Jude pacemakers are advised to
see their doctor for a firmware update. You can add House of Cards to the list of television
hacks alongside Game of Thrones. Some of the show's scripts and other production information
have been compromised, but this appears to be inadvertent exposure as opposed to focused
criminal attack. Insecure APIs trouble Instagram, with some high-profile accounts being compromised,
and the U.S. Federal Communications Commission,
where jokers probably dissatisfied with how net neutrality regulations are playing out,
have installed Rick and Morty GIFs.
We consulted our middle school desk about Rick and Morty.
We're informed that the cartoon is okay,
but that you have to have played Call of Duty to get the jokes.
Words for all of us to live by,
at least until school begins in Maryland next week.
Joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs.
Emily, we have not spoken about the AlphaBay situation. You were making sort of a running commentary while it was going down. You were one of the folks who did not think that the people running AlphaBay were sort of running off with
the money. And ultimately, you were proven right. So fill us in. What do we need to know about this
situation? Well, yeah, the first reaction from users, at least, is always that a market has
exit scammed, right? Because people are worried about their money. I didn't think it was an exit
scam. AlphaBay was a fairly sophisticated organization, despite what we
know now about, you know, one of the admins' OPSEC. And I figured if they were going to
close down and run off with money, they would do it a little bit less sloppily.
And so I didn't know, I don't think any of us knew for sure what had happened,
but I didn't think it was an exit scam. And now it turns out that not only
was it a coordinated international takedown, but the Dutch police had been running Hansa
for a month. And I don't think any of us saw that coming.
And Hansa is?
Hansa was one of the other
main dark web markets. Actually, the interesting thing for me on Hansa is that after AlphaBay first
went down, Hansa ended up locking new user registration,
claiming that it was putting too much of a strain on their systems that was causing technical difficulties.
So an interesting way to run a honeypot, and I'm sure we'll see the reasons for that shake out at some point, publicly or privately.
Is the popular working hypothesis now that the takeover of Hansa was done in preparation for the shutting down of AlphaBay,
that everyone would shift over there and it would be a honeypot?
Yeah, absolutely. I mean, Hansa and Dream, Dream is still up.
Those were the two markets that people began to flock to, really.
And those were two of the larger remaining markets.
Now Dream is still up.
And then you have a few others who are kind of floating in that top space, and a few others that are growing as people are starting to diversify.
And so what's the reaction of the people who use the dark web as part of their day-to-day lives?
I can give you a more narrow answer than people who are using the dark web as part of their day-to-day lives.
I can speak to the people who are operating on these markets.
There are plenty of people who use Tor hidden services for a variety of other reasons that
aren't impacted by the AlphaBay takedown.
As you can imagine, a bunch of, at least for the drug community, a bunch of people find
out that law enforcement has been operating a market they've been spending money on.
People were scared.
People were panicky.
And then after a few minutes, wanted to know when their orders would arrive.
So people are beginning to move
on to new markets. Vendors are setting up shop on new markets. The community is still reeling a
little bit, but I described this as a hiccup, right? And that's what it is. The dark web
markets continue to go on, but people are definitely keeping a wary eye out to the side.
And there's even some talk of whether or not any of the remaining markets are also being controlled by law enforcement. So does this sort of takedown
have the effect that I think that I suspect law enforcement would want it to have, which would be
to make people hesitant to use these markets at all? A little bit. And certainly by taking away
two of the largest sources, I mean, AlphaBay was so much larger than any of the markets we've ever seen before. Taking away that source certainly disrupted the
trade. We'll see now how other markets react to selling things like heroin or fentanyl,
which really got a lot of attention. I mean, certainly in the statement that Jeff Sessions
came out and made about it. But people are moving on and markets are recruiting and vendors are
moving. A lot of the
conversation, honestly, at least in that part of the community, is about how to avoid being exposed
if this happens in the future. And let's, you know, clean house and take a hard look at our
personal security measures. So not necessarily the reaction they were hoping for, I think.
Emily Wilson, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.