CyberWire Daily - Ukraine accuses Russia of preparing a cyber campaign. China eyes Tibetan diaspora. A decryptor for Thanatos ransomware. Nudging away from privacy. Dark web undercover.
Episode Date: June 28, 2018. In today's podcast we hear that Ukraine has warned that Russia is preparing a coordinated attack against Ukrainian financial and energy infrastructure. China appears to be stepping up surveillance of the Tibetan diaspora. Cisco's Talos unit has a free decryptor for Thanatos ransomware. Facebook's self-audit of data usage proves both more difficult and more skeleton-rattling than hoped. Norwegian consumer watchdogs find that Facebook and Google nudge users away from privacy. An alt-coin sting against drug dealers. Mike Benjamin from CenturyLink on malspam, and how it differs from run-of-the-mill spam. Guest is Jaime Blasco from AlienVault on the security implications of using open source tools. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Ukraine warns that Russia is preparing a coordinated attack
against Ukrainian financial and energy infrastructure.
China appears to be stepping up surveillance of the Tibetan diaspora.
Norwegian consumer watchdogs find that Facebook and Google nudge users away from privacy, and an altcoin sting against drug dealers.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, June 28, 2018.
The head of Ukraine's National Cyber Police has warned
that Russian operators are staging malware in Ukrainian enterprises,
presumably for a coordinated campaign at some later date.
Ukrainian authorities have told Reuters and others that they've detected evidence
that battle space preparation is in progress against financial institutions and energy infrastructure.
The operation, as it's understood so far, has proceeded in the following familiar stages.
First, compromise of legitimate Ukrainian government email accounts.
Second, phishing campaigns mounted against infrastructure targets using those compromised accounts.
Third, installation of malicious payloads carried by the emails.
The malware is believed to have established back doors in banking and energy enterprises,
where it will presumably be held in reserve until the attackers decide to execute.
The threat, should it materialize, is unlikely to be confined to Ukraine.
NotPetya began with attacks on Ukrainian targets in June of last year and quickly spread worldwide.
A number of Western companies were hit hard. FedEx, affected to a considerable extent through
a recently acquired European subsidiary, recently pegged the costs of NotPetya at roughly $400
million. Today is Ukraine's Constitution Day, often mentioned as attractive to attackers wishing
to draw maximal attention to their political point.
Nothing, however, has been reported so far today.
August 24th, the country's Independence Day, is another date mentioned for potential attack
timing.
Russian authorities have issued routine denials of involvement in cyberattacks on Ukrainian
targets.
To be sure, the Ukrainian government is disposed for many reasons
to think the worst of Russia and her intentions,
but the Ukrainian government is by no means alone in this respect.
Much of the rest of the world regards Ukraine
as a kind of proving ground for Russian cyberattack tools.
The Russian record of hitting portions of the Ukrainian power grid to induce electrical outages is particularly worrisome,
especially given the interest Russian operators
have shown in other countries' power grids. So, as we said, Moscow says they didn't do nothing,
and Ukraine says, well, you're about to. If nothing pops today, put a circle on your calendar around August 24th.
But when you do so,
remember that public holidays
are nothing more than convenient indicators.
More to the point,
keep an eye out for phishing.
Open source software is a valuable resource
for software developers and security professionals,
and the recent purchase of GitHub by Microsoft raised a few eyebrows
and brought attention to the open source community.
Jaime Blasco is chief scientist at AlienVault,
and he offers his perspective on open source software for security.
I think it's a double-edged sword, right?
I mean, on one hand, you need to be careful with which tools you are using,
especially if they are
open source and whether or not those tools are properly secure, audited, and people are
putting enough resources into securing and auditing the source code.
When it comes to the most popular open source projects, that's usually not an issue.
And actually, it's an advantage, you know,
that the source code is publicly available
because you have all these developers,
all these security researchers looking at the code
and, you know, submitting bugs and improvements
whenever they find them.
Now, when it comes to using open source tools,
do you find, are there some misperceptions out there?
Do some people resist using them, maybe for the wrong reasons?
I think it used to be an issue. I don't see this being an issue anymore.
And I think, you know, like last week or a couple of weeks ago when Microsoft bought GitHub,
I think that was the confirmation that, you know, open source is the future.
And we are seeing these, you know, companies such as Microsoft 10, 15 years ago, it was unbelievable that they will contribute to open source communities.
They're actually one of the biggest contributors right now to some of the biggest open source projects out there.
So I think people are not as scared of these tools anymore.
They have become an instrumental part of any organization nowadays.
Can you describe to us, I mean, the security advantages?
You touched on it earlier about having so many eyes on the code.
Can you describe to us, so what's the advantage there?
So yeah, besides having many people being able to audit
and find vulnerabilities in those tools,
the other advantage is also how fast patches can be created and released
compared to some traditional enterprise vendors.
Sometimes you will have to wait weeks or months until your vendor will make patches available.
With open source tools, if there is a high critical vulnerability,
many times you have many people creating patches
for those vulnerabilities,
even before the official patch is available.
So you have an option to make that piece of software
more secure even before you can use
the official packaging system
or whatever method to patch your systems you are using.
I think cybersecurity is actually one of the biggest
examples in terms of using open source tools.
Many times enterprises, they have this dilemma
where it's buy versus build.
And I think open source is helping sometimes
in terms of filling those gaps where you don't have to spend millions of dollars anymore in one specific tool.
But you can go to the open source community and find something that can satisfy your needs.
And I think, you know, in cybersecurity, it has been one of the first industries to adopt open source tools in a broader context.
I remember 10 years ago, you will have projects such as Snort and OSSIM and Suricata,
OpenVAS, even Nessus before it became proprietary.
But there were many, many tools that people were actively using in an enterprise context.
So what are your recommendations for people who want to start using open source tools,
want to integrate them into how they approach security?
I will recommend, you know, go talk to your peers
and, you know, talk to other companies
that are in a similar situation
that maybe they have already, you know,
implemented some of these tools.
Nowadays there are forums, even GitHub,
or, you know, Slack channels where you can go and talk to other users and try to get a perspective of how difficult the implementation is going
to be and if there is any tricks and things you can use before you decide to implement
that or even replace some of the enterprise tools that you may have.
That's Jaime Blasco from AlienVault.
Cyber-espionage campaigns, apparently staged by and from China, have been targeting Tibetans resident in India.
The campaign seems connected with long-standing Chinese domestic surveillance of ethnic populations
whose loyalty and adherence to Beijing have been suspect.
Bravo, Talos: Cisco's research unit has released a free decryptor for Thanatos ransomware.
Thanatos gained itself a degree of notice by its acceptance of ransom payments in a range of
cryptocurrencies, and not just in the extortionist's favorite, Bitcoin. The crooks will take payment in Bitcoin Cash, Zcash, Ethereum, and a few others as well.
To add insult to injury, the Thanatos masters have shown themselves to be either incapable of,
or more probably just not interested in, actually decrypting their victims' files upon payment of ransom.
But Cisco's Talos Group has exploited what they call
weaknesses in the design of the file encryption methodology
to build their own decryptor,
which they say can recover a decryption key in 14 minutes or less.
The Norwegian Consumer Council,
sounding a bit like a Freakonomics type interested in getting the right kind of nudges out there,
complains that Facebook, and for that matter Google,
are nudging toward all the wrong places, privacy-wise.
The NCC says their services exhibit dark patterns,
default anti-privacy settings, confusing layouts,
the illusion of choice, and various design choices that offer positioning,
visual cues, and so forth
tending to push people into more self-revelation than is probably good for them.
As they put it in their study,
Facebook and Google have privacy-intrusive defaults,
where users who want the privacy-friendly option have to go through a significantly longer process.
They even obscure some of these settings so that the user cannot know
that the more privacy-intrusive option was pre-selected.
So the moral for users would appear to be the usual one.
Take the trouble to be an informed consumer, especially when you're consuming a free service offered by a company that realizes a significant fraction of its revenue from marketing.
Finally, a multi-agency law enforcement operation in the U.S.
has taken down a number of alleged dark web contraband dealers,
for the most part drug traffickers.
The action involved the Department of Justice, Homeland Security Investigations, the U.S. Secret Service, the U.S. Postal Inspection Service,
and the Drug Enforcement Administration.
Authorities are tight-lipped about details,
but apparently government agents posed as cryptocurrency money launderers to roll up the suspects.
Turning cryptocurrencies into more conventional and more easily negotiable government fiat money
is a bottleneck for dark web black marketeers.
Agents of Immigration and Customs Enforcement's Homeland Security Investigations
posed in the dark web as brokers willing and able to do just that,
and many drug dealers were ensnared.
If you're trying to launder money or convert altcoins to euros, dollars, shekels, or pazoozas,
well, think twice.
Those helpful bankers may not be what they appear to be.
It's a sad day when you can't trust the people you meet.
It's a way of life. You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families
24/7, 365 with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to welcome to the show Mike Benjamin.
He's the Senior Director of Threat Research at CenturyLink.
Mike, welcome to the show.
You know, I have certainly heard of malware and I've certainly heard of spam,
but you brought something to my attention called malspam.
Is this the best of both worlds? Is this the worst of both worlds? Fill us in. What are we
talking about here? Well, I'd say it's the best and the worst, depending on how you look at it.
So, you know, malspam is not a new topic or concept, but we have found as we've
been working on the topic lately, that when we say we're working on spam to the broader security
community, we actually get a lot of folks just assuming we're filtering pharmaceutical
ads or dating ads. And what we're really trying to look at is the malicious email people are
getting. And so we call, you know, describe it as malspam,
and we would describe it ultimately as email you're going to get
that aims to do something malicious.
Now, in some cases, dating spam is malspam
because ultimately they want to steal your credit card number at the end of it.
And in other cases, pump and dump scams are pumped through these things
with, again, trying to ultimately steal money from people.
But at its core, we're looking for the malware delivery.
And so malspam is one of the primary vehicles of infection these days.
We saw a couple of years ago the exploit kit being popular with criminal actors.
And there were enough browser exploits, enough Java bugs, enough Flash bugs,
that that was a great delivery mechanism for them. They could get you to click on a URL,
they could inject malice into advertising, and ultimately infect people through that method.
Fast forward a few years, a lot of browsers have cleaned up their problems, a lot of people have
patched, there's less volume of bugs coming out. And we put
ourselves back into the position where opening a file in an email is a really effective way to
infect someone. And so the old tried and true zip file, the file that is not what it claims to be,
it claims to be a text file. It's really an executable. Things like that are, of course,
popular. But we've also seen
the macro still be a popular way to infect people. So an office document with macros that drop some
sort of lightweight dropper into the operating system and then download the final payload. And so
that dropper is relatively light and small. It's not a full binary executable. And then whatever
it is that their final outcome
that they're looking to achieve is downloaded into the machine. Now, in terms of the distribution of
these things and tracking these botnets, what are you seeing? The criminal space around malspam
is reasonably sophisticated. If you think back to the spam problems that arose in the late 90s and then became really rampant in the early 2000s, they were forced to evolve.
And so the security world, the internet world for that matter, did a relatively good job hunting down and shutting down spammers in that era.
People were successfully prosecuted in courts.
Laws were passed.
And those are things that helped the world mature around how to deal with spam.
And so, as you might expect, the successful criminal actors that remain, they've evolved
since then.
And so you see sort of a marketplace around what they're doing.
The folks who are running the spam botnets are very rarely, at least at any size and
scale, the folks who are actually trying to infect you.
They are being hired by the people who are trying to infect you. And the folks who are after bank
account information or installing crypto miners, they're paying the botnet operators for successful
installs or volume of delivery or whatever the mechanism is. So it's very interesting to watch.
And as such, what you see from the botnets is a similar level of sophistication. They're not a single
command and control in a single place that's easy to remove and take down. They've evolved,
they've seen law enforcement take their botnets in the past. And so now, of course, they evolved
to the domain generation algorithm or DGA, where an algorithm tells it what the next
DNS host name to resolve is. That's one of the more simple items that they've implemented.
But there's a lot of redundancy, a lot of levels to the command and control. In many cases,
we see peer to peer being used in conjunction with it. And in almost all cases, the larger and
more successful malspam botnets are in a
position where they're using three or four of these types of techniques in order to stay up
and avoid being broken by whether it be law enforcement or the security community.
All right, Mike Benjamin, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan,
Thanks for listening. We'll see you back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.