CyberWire Daily - Twitter takes down verified accounts after major hack (most service now restored). Russian influence operations. Cozy Bear’s biomedical intelligence collection. Spearphishing in Hong Kong.
Episode Date: July 16, 2020. Twitter sustained a major incident in which celebrity accounts were hijacked yesterday. It seems to have been a social engineering caper, but its motivation, nominally financial, remains unclear. British authorities call out Russia for an influence campaign mounted during last year's elections. Cozy Bear is back, and sniffing for COVID-19 biomedical intelligence. Craig Williams from Cisco Talos on Dynamic Data Resolver, a plugin that makes reverse-engineering malware easier. Our guest is Ashlee Benge, formerly from ZeroFox, on emerging and persistent digital attack tactics facing the financial services industry. And Chinese intelligence services are spearphishing Hong Kong Catholics. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/137
Transcript
You're listening to the CyberWire Network, powered by N2K.
British authorities call out Russia for an influence campaign mounted during last year's elections. Cozy Bear is back
and sniffing for COVID-19 biomedical intelligence. Craig Williams from Cisco Talos on Dynamic Data
Resolver, a plugin that makes reverse engineering malware easier. Our guest is Ashlee Benge from
ZeroFox on emerging and persistent digital attack tactics facing the financial services industry.
And Chinese intelligence services are spear phishing Hong Kong Catholics.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, July 16th, 2020.
Twitter sustained a major hack late yesterday afternoon around 5:30 U.S. Eastern Daylight Time.
The incident embarrassed the company with takeovers of high-profile verified accounts.
The attack seems to have involved extensive and effective social engineering,
perhaps, according to Motherboard, a bribed insider.
The Wall Street Journal and others list Bill Gates, Kanye West, Joe Biden, Barack Obama, Elon Musk, Uber, and Apple among the owners of affected blue-checked accounts.
Reuters reports that Twitter took the extraordinary step of suspending many verified accounts until it could get a handle on the problem.
seemed disproportionate to its ostensible objective,
a hackneyed, grubby Bitcoin advance-fee scam in which an impersonator offers to return the mark's donation many times over.
The wallet set up to receive donations accumulated about $100,000,
but that sum probably doesn't represent the actual take,
given the common criminal practice of salting their wallets with their own funds,
the better to lend plausibility to the whole greasy imposture. It's certainly conceivable
that a fair amount of ingenuity could be deployed in the service of a stupid and futile caper.
See the whole history of lulz and showbiz and so forth. But some observers are speculating that
this could be misdirection. Maybe the goons are
after people's direct messages or account details. Or maybe it was a demonstration showing that
social media aren't the undisruptable channels of communication we might complacently take them to
be, especially given the increasingly imposing role they've come to play in political campaigns and even emergency communications.
The Telegraph grimly notes that one of the accounts taken offline
was a National Weather Service feed that gave emergency tornado warnings.
And, of course, there were storms in Tornado Alley during the outage.
The most important thing to remember is that the story is still developing
and that the early takes on it are unlikely to be definitive.
So suspend judgment.
I reached out to our own Rick Howard, the CyberWire's CSO and senior analyst, to get his take on the Twitter breach.
Here's what Rick had to say.
Well, it seems like when you listen to the pundits out there that this is a major meltdown of information security across the planet.
And, you know, first, no.
It's, you know, it's really not.
But if you look at it from an Intel analyst viewpoint, right, it's kind of a version of the business email compromise, but only using Twitter. You know, for business email compromise, you would, the bad guys would compromise
a senior executive's account
and use it to ask maybe one of their employees
to transfer money somewhere.
And it's very similar to what happened here, right?
But it's just with Twitter,
their accounts got compromised
and then they use those accounts
to ask their followers to send them money, right?
So, and these accounts happen to be very, very popular
Twitter personalities. So that was the first thing that popped into my mind. What did you think when
you saw it? I think similarly, I think there's a part of me that sort of sat back and said,
okay, here we, you know, let's get out some popcorn and see how far this is going to go.
I'm not too proud to say there was that.
And you hope that... I was secretly eating popcorn with you, my friend.
Yeah. But how bad is this going to get? But I think we're all sort of conditioned at the moment
to think that perhaps there is no bottom to that. The answer to that question is,
hold my beer because things can get very
bad. I know in the scheme of things, you know, this isn't that big of a deal for most people,
right? Right, right. The interesting thing to me, though, is we're still not sure how the bad
guys got access to the accounts. There's two current theories. One was that key Twitter
employees were hacked, got their credentials,
and then the bad guys used those credentials to move laterally inside the Twitter network
to get access to these high-valued accounts. That's interesting. The other one, which is even
more hair-raising, is that some key Twitter employees were bought off. And here's the
classic insider threat thing that we all,
you know, worry and talk about all the time. So, and we don't know what the answer is to that yet,
but those are the two current theories. Do you have any insights as to what it's like to be
a high-level security person when something like this goes down? Is this, have you ever been in
one of these sort of all hands on deck situations? Yeah, they're not pleasant, right?
Because you spend your whole life, you know, trying to prevent these kinds of things, right?
And for some reason, something that you didn't foresee happens.
And now you're doing two things.
You're racing as fast as you can to try to figure out what happened so that you understand so you can stop it the next time.
And then you're also talking to your bosses who, you know, are paying your salary to prevent these kinds of things. So
it is stress on a high level when these kinds of things happen. Who do we see being the ultimate
victims here? I'm not so much worried about the victims who were fleeced. You know, if you see on Twitter, one of these personalities ask for money
and if it sounds too good to be true,
it probably is, you know?
So I don't have a lot of sympathy for them.
One of the things that stuck out to me
for those victims is that, you know,
some of the Twitter messages,
there was a time limit.
You have 30 minutes to match my donation
and you'll get double back.
You know, the red flag should be flying everywhere.
There should be red star streamers popping everywhere
when you hear stuff like that.
Not only on Twitter,
but when you go into the car dealership or anywhere.
So at least take time to seek a secondary source.
The other big victim though here is, you know, Twitter, right?
So this is the event that we all talk about.
Does this kind of thing cause us to lose trust in Twitter
and stop using it more?
I doubt that's the case, but that is,
I think that's a more potential, more impactful victim.
Yeah, yeah.
All right, well, Rick Howard, thanks for joining us and
sharing your insights. Thank you, sir. Speaking of elections and the campaigns that surround them,
the UK's Foreign Secretary informed Parliament today that Russian operators targeted the 2019
elections, seeking to influence voters through illicitly obtained sensitive government documents relating to the
UK-US free trade agreement. The campaign staged the material through Reddit. It was a leak and
dump campaign with amplification through multiple channels. UK officials did not see a comprehensive
intensive influence effort, but they did observe what they take to be, nonetheless, a clear attempt by Russian actors to shape voting.
Cozy Bear, that is APT29, Fancy Bear's quieter and more refined cousin, is also back in the UK.
The National Cyber Security Centre warns in an alert that the SVR unit has been actively targeting British COVID-19 vaccine developers.
The goal appears to be theft of intellectual property and other information relevant to biomedical research
that's responding to the pandemic.
The espionage campaign is using, the NCSC's report says,
WellMess and WellMail malware.
GCHQ's NCSC isn't alone in reaching these conclusions.
Its formal report was joined, co-signed, and co-branded by Canada's Communications Security Establishment and by both the U.S. National Security Agency and the Cybersecurity and Infrastructure Security Agency.
British Foreign Secretary Dominic Raab condemned the Russian activity.
Quote, It is completely unacceptable that the Russian intelligence services are targeting those working to combat the coronavirus pandemic.
While others pursue their selfish interests with reckless behavior,
the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health.
The UK will continue to counter those conducting such cyber attacks
and work with our allies to hold perpetrators to account.
End quote.
No one really expects the Russian services
to mend their ways.
The three eyes who signed on to the report
conclude with the assessment that, quote,
APT29 is likely to continue to target organizations
involved in COVID-19 vaccine research and development
as they seek to answer additional intelligence questions relating to the pandemic.
End quote.
The financial services industry has a big target on its back because, of course, that's where the money is.
We checked in with Ashlee Benge from ZeroFox
on emerging and persistent digital attacks facing
the financial services industry. So this report actually falls in line with one of my more
interesting areas of research, and that is specifically within phishing and phishing kits.
And so what we have kind of observed over the past couple of years is that there is this
movement away from malware. If you
think about the threat landscape as a whole, there is a movement away from malware in that more and
more of the bad stuff, if you will, is actually phishing as opposed to traditional malware.
And there are a couple of reasons for this, but one of the dominant reasons is that there is a new category of tools called
phishing kits that make it very simple. And so even if you're an attacker that has really no
technical skill whatsoever, you're able to buy one of these phishing kits and it reduces really any
of the technical work that you have to do in order to set up a phishing page. So we've seen that,
because of these kits in part, because it's so accessible generally to launch phishing attacks versus malware attacks,
that there's been a tremendous increase
in the presence of phishing.
And a lot of the time,
phishing kits will target FinServ organizations and banks
because those targets are so lucrative.
But what are the recommendations?
What are the take-homes here in terms of people
protecting themselves? Sure. So I think one of the, and it's hard because user education really
is the most important thing to help prevent these types of attacks, but that's also the most
difficult thing to do. There is always an increase of awareness of these kinds of attacks, but
some of these lures are actually
quite good and it really only takes one mistake before you put yourself in a bad situation.
And so I would always urge people when they are reading these emails to verify senders,
to make sure that the link that they're being taken to is what they would expect.
If they're being contacted over text say or over a phone call and ask for personal information,
if there's anything about the situation that is new or would set off alarm bells because it's never happened before,
anything out of the ordinary is really probably a good indication that it may be a phishing attack
and not necessarily the bank or financial institute itself.
That's Ashlee Benge from ZeroFox.
And finally, a researcher who goes by the hacker name Arkbird
has exposed a Chinese government spearphishing operation
designed to conduct DLL sideloading attacks
against devices used by members of the Roman Catholic Church
in the diocese of Hong Kong.
The phishbait includes both Vatican communications, modified to carry malware,
and reports from Catholic news services in Asia,
also altered to deliver the security service's payloads.
The threat actor involved may be Mustang Panda.
ZDNet notes that the campaign is effectively a twofer,
targeting both Hong Kong and a religious minority Beijing has long regarded as unreliable and undesirable.
Over the last two decades, Chinese anti-Catholic repression hasn't reached the genocidal levels currently being suffered by the country's Muslim Uyghur minority,
but the cyber operation in Hong Kong may be an indication that it's hardening.
And joining me once again is Craig Williams. He's the head of Talos Outreach at Cisco. Craig,
always great to have you back. You have an announcement to make, a tool that you and
your team are making available.
What's going on here?
Well, the tool we've released is our IDA Pro plugin called Dynamic Data Resolver, or DDR.
You may remember it from 2019 when we released the Alpha.
Basically, it's the little blue hummingbird.
So, you know, this is one of the tools that we've been developing,
and I'm proud to say that, again,
more proof that Cisco is doubling down
on free and open source software
since the Sourcefire acquisition.
A lot of people were concerned about that.
Hopefully we put that myth to bed.
But we're releasing 1.0 now.
We've added some additional features,
we've added some cool capabilities.
And hopefully people enjoy it.
At a really high level, what this plugin is designed to do
is to allow one to reverse engineer obfuscated malware
more quickly and more efficiently.
If you think back to some of the samples we covered this year,
including ones like Astaroth, they were packed and obfuscated in reasonably complex manners,
to the point where we even escalated them within Talos to the people who specialize in that.
And we've designed tools like this to make that easier. So if you look through the list of
features, it offers some cool stuff. You can do a little bit better program flow tracing.
You can do a little bit better API logging.
You can search for all kinds of fun stuff.
And so it's a very complicated tool.
It's definitely not one for non-security analysts.
But if you're doing reverse engineering, I would encourage everyone to take a look at this
because hopefully it could save you some time and help us all take down more malware families.
For folks who aren't familiar with these tools, when it's not part of their day-to-day,
can you give us some insights as to how the folks who are doing reverse engineering,
having these tools in their toolbox, what sort of things does it provide for them?
Let me try and put on my CS100 hat.
I've got to think back a few years.
So if you think about the way a normal program flow would look, like a typical non-obfuscated program,
it would look like a very linear line.
And that would be a very simplistic program.
And you start adding complexity.
Let's say you're looking at maybe Hello World or something,
and they're calling libraries to do a print or something.
You could see it reach out to a complex library,
call a couple of functions from that,
and it's still going to look relatively linear.
You may have some functions, depending on how you look at it,
that pop up, but it's going to look like a straight line.
It'll have a very clear start and a very clear end. Obviously, when you get more complicated
programs that have a lot of conditionals and branches and things like that, complexity
climbs. When you look at a client-server architecture model, on paper
it doesn't look too bad. When you start to look at actual programs, it can get bad, right? You get
a lot of complexity out of them. And so what the bad guys will do is they'll go into that program
flow and they'll intentionally modify it so that it's, I don't want to say unreversible, but it
makes it much more challenging. You know, you really have to keep up with the current obfuscation methods and techniques. The things that you read in papers will help. You know what? A great way
to think of it is if you know a programming language and, you know, let's say you fall in
a coma for a year and you come out, right? In this modern society, you're going to have a completely
different set of programming languages. But the fact that you're familiar with the older ones will help you understand the new ones.
And that's really kind of what goes on with reversing.
If you're familiar with older obfuscation techniques, you're going to see variants of that.
You're going to see maybe things that are similar, even if it is a new technique.
And so it's really a cat and mouse game, much more so than others.
I know we use that terminology a lot in malware research,
but with reversing malware, it's incredibly true.
And so that's why tools like this are so helpful,
because they help you take that step
where maybe a couple of extra things have been done
and it's confusing, and remove that level of obfuscation
so that you can then recognize the layers underneath
and then just keep unwrapping the puzzle until you get to the core and can understand what it's doing.
Alright, well if this is something
that is up your alley, it seems that this is worth checking out. It's the Dynamic
Data Resolver, the DDR. That is on the Talos
website, part of Cisco. Craig Williams, thanks for joining us.
Thank you.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri,
Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.