CyberWire Daily - Twitter bots in Swedish politics. A different approach to influence operations. Hotel guest PII for sale. Medical device vulnerabilities. Charges in the case of the Satori botnet.

Episode Date: August 30, 2018

In today's podcast, we hear that Twitter bots have shown up in Sweden's political discourse. Not so much Chinese hacking for influence: Beijing seems to prefer funding sympathetic cultural and research centers. 130 million hotel guests have their PII offered for sale on the dark web. Medical device vulnerabilities are disclosed, and hospitals are urged to patch. Nexus Zeta faces charges in a US Federal Court, apparently in connection with the Satori botnet. Mike Benjamin from CenturyLink with an update on the Necurs botnet. Guest is Gilad Peleg from SecBI on the challenges of secure BYOD policies. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_30.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Twitter bots show up in Sweden's political discourse. Not so much Chinese hacking for influence. Beijing seems to prefer funding sympathetic cultural and research centers. 130 million hotel guests have their PII offered for sale on the dark web.
Starting point is 00:02:13 Medical device vulnerabilities are disclosed and hospitals are urged to patch. Nexus Zeta faces charges in a U.S. federal court, apparently in connection with the Satori botnet. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 30th, 2018. Automated Twitter accounts have turned up in Sweden, according to a study by that country's defense research establishment. The bots of unknown provenance appear to be interested in the election, where they seem likelier to favor the country's third largest party, the Sweden Democrats, whose nationalist and anti-immigrant line appears positioned to make a run at overtaking the opposition moderate party for second place behind the governing Social Democrats.
Starting point is 00:03:06 The Sweden Democrats have been working to expunge racist elements from their ranks without departing from their nationalist platform, and they may be seeing some success. The bots, wherever they come from, seem to like what's on offer. The U.S. FBI says that it doesn't have much evidence supporting recent reports and presidential tweets that Chinese intelligence compromised former Secretary of State Clinton's insecure private server. Observers say that doing so would represent a departure for Chinese espionage, which has specialized in intellectual property theft. Chinese information operations have tended to focus on sponsoring think tanks and cultural centers, a kind of malign version of Germany's benign Goethe-Institut, to take one example.
Starting point is 00:03:54 A few universities have cut ties with Chinese government-funded cultural centers over suspicion that they're being played in an influence operation, but a considerable number of them remain. Australian and U.S. universities have been of particular interest to the Chinese services. In this world of network-connected refrigerators, thermostats, and toasters, it can be an ongoing challenge for organizations
Starting point is 00:04:19 to keep up with the proliferation of IoT and BYOD devices they see on their networks. Gilad Peleg is CEO at SecBI, and he offers his perspective. We as security professionals are used to dealing with quite, let's say, a rigid environment, at least rigid compared to IoT. So, you know, there's PCs, there's Macs, there's servers. And, you know, here and there, or not here and there,
Starting point is 00:04:57 everybody has their own iPhone or Android. And kind of that's more or less it. Let's add some cloud infrastructure and cloud services to the mix. That's where we are on the customer side serving their users. And now comes this, I don't know, tidal wave of new devices with tremendous new capabilities, but also a whole lot of vulnerabilities that a lot of them just don't have an answer at this point. And we even don't understand all the vulnerabilities yet. BYOD, bring your own device, is a problem.
Starting point is 00:05:34 There's now a lot of discussions about zero trust or sanctioned services or not. The industry is working its way to solving or containing those challenges. But IoT is a whole new category and a whole new battlefield. I think the fact is that we can't trust the device. And if we can't trust the device, the next area or the next place to look for protection is the network. If I'm an organization or if I have to consult an organization, I will tell them, look, if you can buy, you know, IoT from a brand name, try to understand the vulnerabilities. But you know what? One thing is for sure.
Starting point is 00:06:32 You have to protect your network. You have to make sure that if something gets through, you will block it or you will detect that malicious activity on the network. That's a stronghold. That's presence. And when a hacker gains presence in your network, it doesn't matter if he's infected your machine or he's infected the smart TV or he's infected that AC controller.
Starting point is 00:07:00 He has presence. He is literally inside your network and now it's up to him to decide what he does. We like to say he owns your network. And the only thing you need to do right now very quickly or as quick as possible is to detect that. That's critical. If you analyze network traffic and you do that well, and today companies like us employ machine learning, artificial intelligence, to really be able to pick up the lowest signals to understand and detect very low and slow attacks, taking them into context and allowing the security team to detect and respond as quick as possible to any of those threats. That's Gilad Peleg from SecBI. A criminal is selling data belonging to 130 million guests who've stayed at hotels belonging to China's Huazhu Group. Several security companies report finding the offering in a dark web market.
Starting point is 00:08:15 The hacker wants eight Bitcoin, about $56,000, for the whole shebang. Manufacturers of two medical devices, Qualcomm Life's Capsule DataCaptor Terminal Server and Becton Dickinson's Alaris TIVA syringe pump, disclosed through ICS-CERT that their devices allow remote unauthenticated access. Patches and upgrades are available. Hospitals are urged to apply them. The issues were discovered and disclosed to the manufacturer by the security company CyberMDX. The DataCaptor terminal server is susceptible to an old exploit, the Misfortune Cookie, which was described by the security firm Check Point back in 2014 when it noticed it in home routers. It's since cropped up in other IoT devices.
Starting point is 00:09:07 This issue arises in the ROMPager software from AllegroSoft that's used in DataCaptor. The Misfortune Cookie allows an attacker to use an HTTP cookie to write to arbitrary addresses in device memory and to do so without authentication. The DataCaptor terminal server is a medical device gateway that connects monitors, respirators, anesthesia delivery systems, and infusion pumps to a hospital network. There are several disturbing possibilities in the Misfortune Cookie. Denial of service, unauthenticated login, privilege escalation, arbitrary code execution, eavesdropping, compromise of patient information, and so on. The most disturbing possibilities are that device functioning might be altered, thereby threatening patient safety. The Becton Dickinson Alaris syringe pump issue, also noted by CyberMDX,
Starting point is 00:09:59 also could enable an attacker to alter device performance. In this case, a hacker would abuse a proprietary protocol to gain unauthenticated access to the device, at which point they could start or stop the pump, alter the rate at which it delivered drugs, or even silence alarms going to nursing stations. Again, it's worth noting that the latest versions of these systems don't suffer these vulnerabilities, but it's an old story in IoT security. People often bucket along with older, vulnerable versions, and the devices themselves are easily overlooked and may be difficult to upgrade in any case.
Starting point is 00:10:36 A young man has been charged in connection with the creation of the Satori botnet, but observers wonder if he really had the technical chops to do the crime. Here's the case. Toronto resident Kevin Currin Schuchman has been hauled before the U.S. Federal District Court in Anchorage, Alaska, by teleconference, and charged with two counts of violating the Computer Fraud and Abuse Act by installing malware into non-cooperating systems between August and November of last year. The charging document doesn't name the malware it alleges he installed, but the Daily Beast thinks signs point to the Satori botnet.
Starting point is 00:11:13 Mr. Schuchman had been active in various online hacking communities under the nom-de-hack Nexus Zeta. Check Point researchers noticed Nexus Zeta's chat requests for help in setting up a botnet, and eventually the pseudonym was traced to him. Some doubt that he had the technical chops to pull off something like Satori. He's set to fly into Anchorage to face the court in person tomorrow. Calling all sellers. Salesforce is hiring account executives to join us on the cutting Thank you. and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:12:19 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:12:47 They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:13:33 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Mike Benjamin. He's the Senior Director of Threat Research at CenturyLink. Mike, welcome back.
Starting point is 00:14:09 We wanted to touch today on the Necurs botnet. What can you update us with here? Well, for those that are familiar with Necurs, it's not a new malware family, but it produces a substantive chunk of all of the spam that we see in the Internet. And while spam may not be a security issue for many listeners, it also sends a lot of mal-spam. So we've seen this particular malware send ransomware over the last couple of years at a pretty large volume. More recently, we've also seen the actor deploy modules within the malware family that can do crypto mining,
Starting point is 00:14:43 as is popular with a lot of threat actors these days. And so Necurs is particularly interesting because it's seen a lot of evolution over the spam botnets that have existed in the last, call it 15 years, to the point that it is very difficult to take down. And so Necurs, however, through the resiliency that they've built also makes it noticeable within a network monitoring perspective. And so we've seen the actor in recent months shutting down the malware for periods of time. In fact, it most recently just went offline on August 27th. And what's great about the time periods when they knock their command and control structure down is, of course, they can't send spam.
Starting point is 00:15:23 That's good for everybody. However, what we see is them calling back to the DGA domains that they've registered for the malware. And so monitoring in an environment for callbacks to those DGA domains can be a great way to find infected machines that folks may not be aware of. So explain to me the contrast there between the resiliency of Necurs, but also that it seems to be noisy when it's running. Yeah, so Necurs has a few different mechanisms in which it communicates with its sort of infrastructure. The first is an infected endpoint joins a peer-to-peer network. And so, while peer-to-peer protocols are more common these days, the behavior of a host joining a peer-to-peer network can be an anomaly within an environment.
Starting point is 00:16:08 And so that's the first thing it does. The second is it reaches out over TCP to a command and control server. Very much like a lot of malware does, it reaches out and maintains a persistent connection looking for the next command on what it should do. However, the last thing it does is when it can't reach its command and control, it also calls back to DGA, just like quite a few malware families we've seen over the years. But it's really the combination of all of that together that ends up being a little louder than you might see from a traditional piece of malware. And in many cases, we see an actor choose one, not all three of these mechanisms in order to do its callbacks. And so the fact that a host shows all three of those behaviors can be a great signature for actually finding hosts that are affected with the malware. So when we're talking about its resiliency then, is it a matter of the number of bots that are on the network that makes it hard to tamp down?
Starting point is 00:17:00 Well, in order to fully remove the malware from the internet is the resiliency that I'm describing. And so the fact that you'd have to remove all of its peer-to-peer network, all of its command and control, and pre-reserve all of its DGA domains for an extended time period in order to have the malware family start to shrink, that's a pretty big ask. And so while we do work to notify infected users of their infected machines, removing the sort of the brain and heart of that malware family is something the industry has not done to date. I see. All right. Well, thanks for explaining it for us. As always, Mike Benjamin, thanks for joining us. Cyber threats are evolving every second and staying ahead is more than just a challenge
Starting point is 00:17:49 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed.
Starting point is 00:19:14 Listen for us on your Alexa smart speaker, too. Thanks for listening. We'll see you back here tomorrow. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.