CyberWire Daily - Turla’s new backdoor. Verizon’s 2019 Data Breach Investigations Report. Bad actors seek to influence the EU. US CYBERCOM preps for 2020. Baltimore’s ransomware. Monolingual content moderation.
Episode Date: May 8, 2019
Turla is back, and with a clever backdoor called “LightNeuron.” Verizon’s Data Breach Investigations Report shows that the C-suite remains a big target of social engineers, that crooks are following companies into the cloud, that ransomware remains popular, and that people seem warier of phishing. Bad actors peddle influence in the EU. Binance gets looted, Baltimore gets hacked. Meny Har from Siemplify explains SOCs, SIEMs and SOARs. Ben Yelin from UMD CHHS considers emojis in the courtroom.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Turla is back, and with a clever backdoor called LightNeuron.
Verizon's data breach investigations report shows that the C-suite remains a big target of social engineers,
that crooks are following companies into the cloud,
that ransomware remains popular,
and that people seem warier of phishing.
Bad actors peddle influence in the EU,
Binance gets looted, Baltimore gets hacked.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 8, 2019.
Microsoft Exchange has received a good bit of hacking attention recently, and ESET has a partial explanation.
Turla, also known as Snake or Uroburos, a Trojan long used by Russian intelligence services, is back,
and using what ZDNet calls one hell of a clever backdoor.
The backdoor is called LightNeuron,
and it functions as a mail transfer service, which is thought to be a first.
It's been active since 2014,
and it's hit targets in Brazil,
Eastern Europe, and the Middle East.
It's an espionage tool,
not a conventionally criminal one,
and the organizations it's known to have affected
include diplomatic organizations.
Kaspersky discussed the tool briefly in early 2018,
but LightNeuron's unusual mode of operation and powerful functionality have only recently been understood.
LightNeuron is directly integrated into the Microsoft Exchange workflow,
and it's said to gain complete control over whatever passes through an infected mail server.
ESET says it can intercept or redirect email,
and it can alter the content of both inbound and outbound messages.
It can even create and send new emails.
There's really no software patch for this.
LightNeuron lives off the land, abusing sound, legitimate systems.
Its control mechanism is also unusual.
Once installed, LightNeuron's masters don't connect with it directly.
Instead, they send commands steganographically, hidden in emails that pass through the infected servers, where LightNeuron reads and executes them.
Verizon's always-interesting Data Breach Investigations Report is out.
This 2019 edition offers some interesting takeaways. The C-suite is far more likely now
than in years past to be socially engineered over social media,
and an uncomfortably large number of such attempts are proving successful.
Criminals are following companies into the cloud and are devoting a lot of effort to stealing cloud service credentials,
and the hoods are also looking hard for any configuration mistakes.
Ransomware is still going strong, now accounting for almost a quarter of malware incidents.
Paycard web application compromises are fast catching up with compromises of physical payment terminals.
There's some good news here.
Part of the change is accounted for by chip-and-PIN systems' wider adoption,
and the success those systems are having in slowing down card-present fraud.
And there's more good news.
Targeting of human resources departments seems to be on the decline,
and general users are showing a lot less readiness to click links in phishing emails.
They're most gullible, for some reason, while using mobile devices.
The phish now seem to be more mobile than otherwise.
And cryptojacking? Still around, but a lot less prevalent.
We'll have an interview with one of the authors of Verizon's Data Breach Investigations Report on this coming Friday's CyberWire podcast.
There's no shortage of abbreviations and acronyms in the security space,
and it's no wonder some of us find ourselves wandering around in the wilderness chanting,
SIEMs and SOCs and SOARs, oh my.
Well, don't surrender, Dorothy,
because we've got Meny Har from Siemplify on the line to help make sense of some of the lingo.
I think we're in this spot where I think we're slowly recognizing,
maybe in a few years now, that our focal point
has now become the ability to actually respond to all these alerts.
So if you think about the last 15 years, 10 years, 5 years,
we spent a lot of effort on a lot of different tools.
We have a lot of different data sets that we now emplace.
Vulnerability management, threat intelligence,
there's a huge list of those.
There's a huge list of tools that you're using,
from cloud to endpoint to network,
there's a list of them that goes on and on.
And we built all of these,
but we haven't thought through about what are the analysts
actually looking at all this data
supposed to do with it.
And I think this is where the SOCs are these days, trying to figure out,
and I think you've seen all the different security appraisal centers pretty much across the country
looking at how can they now bring it all together, be better, make sure they look at everything.
Well, let's run through some terms together, because the things that are tossed around when it comes to SOCs
are SIEMs and SOARs. Can you describe to us what those are and what the difference is?
Definitely. SIEM, Security Information Event Management, is actually a tool set built to be
able to centralize all the log sources or all the information that the organization has. For example,
15 years ago, you could have an antivirus, like a Symantec or an orthodontic antivirus. You could
have a firewall, like a checkpoint firewall. There will be two interfaces. So at that point, you also only have two log
sources, two alert sources that you can look at. Now there's 50 different tools. And the log
sources, the level of information you have is just tremendous. There's no way to now leave all
these different log sources and information in separate tools. There's now a need to centralize
all these logs to a central repository.
And that's what the SIEM is here to do,
which is, by the way, a very big undertaking.
A lot of different logs, a lot of different formats. How do they come together?
And I think up until maybe a few years ago,
they were also being used as an interface on the SOC.
Once we have all these logs together,
and I'm an operating analyst sitting in the operations center
of the organization, since all the logs are there and since I can define correlations to actually help me highlight the alerts I want to look at,
that becomes the interface the analysts are working with.
And it worked for a time until the attackers, until the level of attacks, level of tools became a bit too much.
And now they came in need for a tool set that is really focused on the operations side, right, the SOAR itself,
which is basically security orchestration, automation, and response, right? That's kind of the acronym here. So once we have come to this point where
there needs to be a focus on more of the operational side, how do we take all this
information, all the different tools that we have, how do we operationalize it to a way where now we
can actually respond and be effective in our SOC? That's where the SOAR comes in, right? It comes
to help you understand what is important, help you automate the things that you might not want to look at
because there might be noise or false positive,
which is a big problem these days.
It also helps you create a process around how you should respond
or best practices around how you should respond to different alerts
and actually help manage the operational side of security
and not just the log collection or correlation of those.
And is there a life cycle that most organizations go through?
Do they start with one
and grow into another or do they dial it in depending on what their individual needs are?
So as people, as organizations look to adopt a SOAR today, especially major organizations,
large enterprises, they are in the place where they typically already have a SIEM in place because,
A, they needed something before SOAR. There was still SOC. So it's typically in place.
Another option is, a lot of the times, organizations put in a SIEM for compliance purposes.
They must maintain logs of X time or seven years for a specific audit they're reviewing.
So a SIEM, a lot of the time, is mandatory for the business just to be able to maintain compliance.
The second option we're seeing today, if I'm an organization building a SOC right now,
then I might be looking at both at the same time, right?
If I want to build a SOC end-to-end, I might take my SIEM, I might add a SOAR, and have the whole thing together
as I initially look at building a SOC.
But there's also a lot to be done. And once all of the information is collected, what should the analyst do with it?
What decision should he make? What should he base his decision on?
And that's where a SOAR can help you, A, bring all this together in a very easy-to-use way.
That's Meny Har from Siemplify.
SafeGuard Cyber says the bad actors never left the European elections' fields of influence.
They've been tracking bots, trolls, and hybrids,
all of which have been active against the electorates of Germany, Italy, France, Spain, Poland, and the United Kingdom.
A lot of the bots make pests of themselves by following the social media accounts of prominent European Union figures.
A full 13% of Julian King's followers, for example, are bogus bad actors.
Sir Julian is the European Commissioner for the Security Union.
In the U.S., outlines of Cyber Command's preparations
to help secure the 2020 elections grow clearer.
The Command seems likely to take a more active approach,
hunting for cyber operators and influence campaigns in foreign networks,
the Washington Post reports.
Bot herders and trollmasters can at the very least expect some stern talking-tos by direct message.
Another large cryptocurrency exchange has been looted.
Binance, the world's leading altcoin trading system by volume,
lost some $41 million to hackers, Reuters reports.
Binance, founded in China but now operating out of Japan and Taiwan,
has suspended trading until it gets a handle on security.
Closer to home, Baltimore's city government was hit yesterday by ransomware.
It's not been a good couple of weeks around Charm City.
The new mayor, and he's new because the old mayor resigned over some creative marketing of a children's book she'd written,
the new mayor, His Honor Jack Young, took wearily to Twitter to let all of us here in the land of pleasant living
know that emergency services were unaffected and that the city would work to recover as quickly as possible.
The precise strain of ransomware involved seems to be so far unknown, or at least undisclosed.
In fairness to Baltimore, we must note that the city was hit in early 2018,
about the same time Atlanta got clobbered,
and Baltimore actually came out pretty well.
It didn't take a financial bath, it switched quickly to manual backups,
and it restored systems to essentially full capacity within 17 hours.
We'll see how recovery proceeds this time.
Maybe there's even a children's book in it.
Hacker Holly? Ransomware Randy? Maybe not.
Hey, we got a joke for y'all. You say that someone who speaks several languages is polylingual,
and you call someone who speaks two languages bilingual, right?
Well, what do you call someone who speaks one language?
You call them American.
That kills us every time we hear it, and hey, we're Americans around here, so happy self-deprecation runs through our veins.
Anywho, why are we sharing this particular Witz, this bon mot, with you today?
We're prompted to do so by an article in Foreign Policy, which points out that for all the
woofing about multiculturalism around Silicon Valley, Greater Mountain View tends to be about as American
as, say, Bug Tussle, Oklahoma or Rabbit Hash, Kentucky, and this, they argue with some reason,
might well induce people to cool their optimistic jets about how easy it will be to realize
the ardor for content moderation forming along the San Francisco-Washington axis.
We're fortunate at the CyberWire to have a linguistics desk that hips us to the nuances
to be found in various foreign tongues.
Like, for example, they've schooled us at great length about bad words and other lingos.
Did you know, for example, that one swears quite differently in French
depending upon whether one is doué or chiquitoumi?
We keep telling the desk that we're a family show and don't need to know this kind of thing.
But they keep letting us know that, for example, in some Slavic languages,
the names of certain diseases have the perlocutionary force of a good old American F-bomb.
But not in Russian. A Muscovite F-bomb's just like a New Yorker's.
Except, strictly speaking, as the desk pedantically tells us,
in Moscow it's really more of a Ye-bomb.
Go figure.
Anyway, kids, study STEM, but don't blow off the languages either.
And don't forget, for all you algorithms listening out there,
content moderation ain't beanbag.
Interpret that one, you decision procedure, you.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at
the University of Maryland Center for Health and Homeland Security. Ben, it's great to have you back.
Interesting article came by from The Verge, and this is about folks using emojis in their communications and using a crown emoji, high heels, and a dollar sign.
And that accompanied the message, teamwork makes the dream work.
Prosecutors claimed that the message implied a working relationship between a
potential prostitute and this individual. The individual's defense was that he was simply
trying to strike up a romantic relationship. But the fact that these emojis were used in the
prosecution, I think, is both extraordinary and also becoming more common. You know, in terms of
the reliability of emoji use,
when we're talking about a criminal case, it seems rather unreliable to me. I don't know about
you, but in my casual conversations, I will frequently use the wrong emoji or I'll use an
emoji that might indicate something to me, but indicate, you know, something else to a third
party observer or even the person I'm speaking to.
They use an example in this article, one of the smiley faces that's used in the iOS emoji catalog
looks a little bit different and less smiley when it makes its way into an Android user's device.
And that could mean different things to the person who sent the emoji than to
the person receiving them. When you think about the real-world analog to this, you can probably
glean some evidence from people's facial expressions or emotional reactions, certainly an
excited utterance, which, you know, somebody's instant reaction to an event that they see, is admissible in court.
But emojis are vague enough and subject to such conflicting interpretations that I don't see how they could consistently be used as reliable evidence.
I can't help wondering if we're going to end up with experts in emoji interpretation as hired by the prosecution or the defense.
Yeah, I mean, maybe I have a future profession here as someone quite familiar with using emojis.
But, you know, I'm trying to think of the most extreme examples possible,
not to make something too R-rated for this podcast, but if I was legitimately interested
in cooking eggplant, and I sent that emoji and I had no idea that it was used in very different connotations.
Right.
And that ended up being used in evidence for my criminal prosecution.
I mean, that would be fundamentally unfair to me.
And also, it would be impossible to deduce my intention of sending that particular image. It would be up to a jury to decide whether,
you know, a jury is the finder of fact to decide whether I meant that as the literal vegetable or as the symbol that it's become in the emoji world. So because of that unreliability and because,
you know, emojis being different things to different people, I just don't see how it can be a reliable source of evidence.
The other thing is that people make mistakes in which emojis they use all the time. Some emojis
that might implicate somebody in criminal activity might be next to something that's completely
innocent and innocuous, and somebody could have pressed it by accident. You'd hate to see
somebody being sent to prison
because they pressed the wrong button on their mobile device.
I just don't see how emojis could ever be reliable evidence.
You started to see emoticons show up in cases starting in the early 2000s.
Those to me, this may be a distinction without a difference, but it takes somewhat of a
purposeful action to draft an emoticon. You know, although most of the ones I use,
I copy and paste from the internet, like that, that shrugging emoticon, but making us, you know,
a smiley face is a conscious action on the part of the person sending it, whereas selecting an emoji that may be subject
to different interpretations isn't something that necessarily is conscious or purposeful.
So I think there really is possibly a distinction between the two.
How interesting for the judges and juries who have to contend with this stuff. And when your
co-workers send around that text that asks,
what's everybody in the mood for for lunch?
No matter how much you want to have eggplant, don't send it out.
Don't put the eggplant.
Don't use the eggplant emoji.
Right.
All right.
Ben Yelin, thanks for joining us.
Have a good one.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire
podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're
co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire
team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Volecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard,
Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.