CyberWire Daily - Update on the Iowa Democrats’ bad app. DDoS warning for state election sites. DDoS trends. New ransomware tracked. Tehran spoofing emails? Nintendo hacker pleads guilty.
Episode Date: February 5, 2020. Iowa's Democrats are still counting their caucus results, but on the other hand they weren't hacked. A poorly built and badly tested app is still being blamed, and that judgment seems likely to hold up. The FBI warns of a DDoS attempt against a state voter registration site. Trends in DDoS. Some new strains of ransomware are out in the wild. Spoofed emails may be an Iranian espionage effort. And the confessed Nintendo hacker cops a plea. Craig Williams from Cisco Talos with updates on Emotet. Guest is Kurtis Minder from GroupSense on the pros and cons of notifying breached companies. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_05.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Iowa's Democrats are still counting their caucus results.
The FBI warns of a DDoS attempt against a state voter registration site.
Trends in DDoS.
Some new strains of ransomware are out in the wild.
Spoofed emails may be an Iranian espionage effort.
And the confessed Nintendo hacker cops a plea.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, February 5th, 2020.
The Democratic Party continues to count the results of its Iowa caucus.
This afternoon, those results remain incomplete.
71% of the precincts' results have been counted.
The problems at the caucus are attributed not to hacking, the Washington Post reports,
but to a buggy, inadequately tested app produced by Shadow,
effectively a for-profit tech arm for its investor,
the progressive Washington not-for-profit consultancy Acronym.
The app that failed is said to have been developed in haste,
a haste driven in part by fears that having precinct leaders phone their results in, as had been done in past campaigns, would have been insecure.
It was finished and adopted without proper testing.
For example, it wasn't finished in time to qualify for inclusion in Apple's store.
And of course, many precinct leaders use iPhones.
Many of the party officials who were to use the app only sought to install it the morning of the caucus,
and the difficulties were, under such circumstances, unsurprising.
Compounding the difficulties with the app is the apparent failure to prepare and exercise backups against the eventuality of exactly what happened.
The state's party leaders say they've got a handle on the count,
which they're confident they can complete accurately,
only not as fast as they'd otherwise have been able to.
Sources at the Democratic National Committee say they warned Iowa not to try to run the caucus through the app.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, CISA,
has said it offered to test Shadow's app, but that the Iowa party turned down the offer.
Iowa Democrats rebuffed the warnings from the National Committee,
and according to the Washington Post, they say they didn't know about CISA's offer.
No fresh lessons have emerged since yesterday, but it's worth repeating four of them.
First, don't deploy election software until it's thoroughly tested,
and Shadow's app seems hardly to have been tested at all,
judging from the Wall Street Journal's account.
Second, resilience always demands some sort of effective, tested backup.
Third, a technical problem, even if it's an innocent mistake,
erodes trust and spawns unfounded rumors,
what the Washington Post calls a cesspool of toxic conspiracy theories.
And fourth, of course, if someone
is in a position to help, offers help, consider taking it. And before we leave Iowa, it's worth
repeating that the problems at the caucus were an unforced error, a case of poor execution,
and not a cyber attack, whatever they're saying out in that toxic cesspool the Post points to.
There is one incident of cyber interference in election systems, as opposed to campaign or caucus systems. Bleeping Computer reports that the FBI yesterday issued a private industry
notification that it's received reports that a state's voter registration and information site
was hit with an attempted distributed denial of service attack.
The Bureau didn't say which state's site was affected, but it characterized the attack this way, quote, the FBI received reporting indicating a state-level voter registration and voter
information website received anomalous domain name system server requests consistent with a
pseudo-random subdomain attack, end quote. That is, the system was flooded with a large number of DNS requests for non-existent subdomains.
Happily, rate limiting on the targeted DNS servers prevented the attack from succeeding,
and voter registration wasn't affected.
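The pseudo-random subdomain attack just described, as an added example that is not from the show, the FBI notification, or Bleeping Computer: a small Python detector run over constructed DNS query log lines, which flags a client whose queries under the zone are almost all NXDOMAIN, almost all distinct, and high-entropy in the leftmost label, followed by a per-client token-bucket rate limiter of the kind that stopped the attack. The log format, the hypothetical zone name vote.example, the client addresses, the thresholds and the bucket parameters are all assumptions made for the example.

```python
"""Detect a pseudo-random subdomain (PRSD / NXDOMAIN flood) attack in DNS query
logs and model the per-client rate limiting that blunts it.

Added example, not code from the show or from the FBI notification. The log
format '<seconds> <client> <qname> <rcode>', the zone, the thresholds and the
bucket sizes are assumptions chosen for illustration.
"""
import math
import random
from collections import defaultdict

ZONE = "vote.example"  # hypothetical registration site's zone


def make_sample_log():
    """Constructed sample log: one ordinary client and one PRSD source."""
    lines = []
    rng = random.Random(1)  # fixed seed so the sample is deterministic
    for i, label in enumerate(["www", "register", "api", "lookup", "www", "api"]):
        lines.append(f"{i * 10.0:.3f} 10.0.0.5 {label}.{ZONE} NOERROR")
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    # 200 queries, one every 10 ms, each for a random label that cannot exist
    for i in range(200):
        label = "".join(rng.choice(alphabet) for _ in range(10))
        lines.append(f"{i * 0.01:.3f} 203.0.113.7 {label}.{ZONE} NXDOMAIN")
    return lines


def parse_line(line):
    ts, client, qname, rcode = line.split()
    return float(ts), client, qname.lower().rstrip("."), rcode


def label_entropy(label):
    """Shannon entropy in bits per character; random labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_prsd(lines, zone=ZONE, min_queries=50, nx_ratio=0.9, min_entropy=2.5):
    """Return {client: stats} for clients whose queries under `zone` look like a
    PRSD flood: mostly NXDOMAIN, nearly all distinct names, high label entropy."""
    per_client = defaultdict(lambda: {"total": 0, "nx": 0, "names": set(), "ent": 0.0})
    for line in lines:
        _, client, qname, rcode = parse_line(line)
        if not qname.endswith("." + zone):
            continue
        st = per_client[client]
        st["total"] += 1
        st["names"].add(qname)
        if rcode == "NXDOMAIN":
            st["nx"] += 1
            st["ent"] += label_entropy(qname.split(".")[0])
    flagged = {}
    for client, st in per_client.items():
        if st["total"] < min_queries:
            continue  # too few queries to judge; avoids flagging a typo-prone user
        ratio = st["nx"] / st["total"]
        distinct = len(st["names"]) / st["total"]
        mean_ent = st["ent"] / max(st["nx"], 1)
        if ratio >= nx_ratio and distinct >= 0.9 and mean_ent >= min_entropy:
            flagged[client] = {"queries": st["total"], "nxdomain_ratio": round(ratio, 2),
                               "mean_label_entropy": round(mean_ent, 2)}
    return flagged


def apply_rate_limit(lines, capacity=20, refill_per_sec=10.0):
    """Token bucket per client: a query costs one token; an empty bucket means the
    query is dropped. Returns {client: (answered, dropped)}."""
    buckets = {}
    result = defaultdict(lambda: [0, 0])
    for line in sorted(lines, key=lambda l: float(l.split()[0])):
        ts, client, _, _ = parse_line(line)
        tokens, last = buckets.get(client, (capacity, ts))
        tokens = min(capacity, tokens + (ts - last) * refill_per_sec)
        if tokens >= 1:
            tokens -= 1
            result[client][0] += 1
        else:
            result[client][1] += 1
        buckets[client] = (tokens, ts)
    return {c: tuple(v) for c, v in result.items()}


if __name__ == "__main__":
    log = make_sample_log()
    print("flagged:", detect_prsd(log))
    print("rate limit:", apply_rate_limit(log))
```

The legitimate client's six queries all pass the bucket because it refills between them, while the flood source gets a short burst answered and everything after that dropped; on a real authoritative server the equivalent is response rate limiting, and the detector above is what you would run over the query log to decide which source prefixes to limit or refuse.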
What's the general state of play in distributed denial of service these days?
Researchers at Imperva yesterday published their Global DDoS Threat Landscape Report.
The categories of victims are among the interesting things in their description.
By number of attacks, the top two classes of target are gambling, with 31% of the attacks,
and gaming, number one victim at nearly 36%.
The most affected countries are in South or East Asia,
with India leading at just under 23%.
Looking just at application attacks, however,
the biggest target, hands down, was Ukraine.
DoppelPaymer is the latest ransomware gang to not just encrypt data,
but to steal data as well.
Data Breach Today points out that DoppelPaymer has
now joined Maze and Sodinokibi in the new normal for ransomware. A ransomware attack
should now be considered a data breach until proved otherwise.
Most people would like to know when something bad happened to them, right? We'd rather not
stick our heads in the sand, our fingers in our ears, or turn a blind eye to news that could affect our livelihood.
Common sense.
But, and you knew there was a but coming, for a variety of reasons, many companies aren't all that eager to hear from security researchers about their potential vulnerabilities.
Kurtis Minder is CEO and co-founder of GroupSense,
and he shares insights on the pros and cons
of sharing your findings with a company you discover has been breached.
So GroupSense is a cyber reconnaissance company.
We focus on digital risk protection services for enterprise customers and governments.
As part of our work on a daily basis, we are uncovering breaches, stolen data, stolen intellectual
property, things like this, mostly for our clients. But in the margins of what we do,
our analysts occasionally find data that affects others that are not clients. And in those cases,
we put together a program where we notify the affected parties, you know, free of charge as
part of, you know,
for goodwill and as part of our service, we just give that data away and we notify them when we
see it. So what would your recommendations be then for organizations who are out there listening to
this? How can they have a pipeline for when someone needs to get a hold of them with this
sort of information, which I guess we can agree is in their best interest, what sort of things should they have in place? Well, I'll comment and say that it may not be
in their best interest in some cases, if you think about the outcomes from this sort of notification,
but it's certainly in their, a lot of times in their constituents' best interest, right? So
their customer's best interest. I think the problem is, you know, due to some laws that
vary state by state on breach notification, things like this, there is no provision in most of these
laws or the ones that I've seen that effectively tell an organization that they have to have a
channel where they listen to inbound information like this. I understand that it's a difficult
problem to solve because there's a lot of noise. You know, there's a lot of people trying to sell things and a lot of scams, but there should be some official program
for external notification of breach awareness. So is it that these organizations are just sticking
their heads in the sand or their incentives aren't necessarily aligned? They're being pulled
in different directions by different groups.
Right.
And I mean, this is effectively why we have regulatory bodies that govern things like
this, because there are certain actions that are unnatural or not indicative to the growth
of a business that companies are just not going to take on their own without some sort
of guiding hand, if you will.
And so I think I speculate that in some of these cases that the companies are choosing to
ignore the problem, or perhaps they're acknowledging it and doing research on their own,
but not acknowledging it in a public way or acknowledging my initial outreach.
What sort of adjustments would you like to see? Can you imagine a solution like this that would
work out for all parties involved? I can imagine one, but imagination doesn't
do much for us, does it?
I think it goes along the lines of somewhere in the regulatory statutes,
they need to dictate a process for third-party notification.
If not that, then perhaps within the bug bounty programs,
there could be a process for this.
Obviously, this is something that is going to take some energy and resources on both the regulatory side or the bug bounty side, and certainly on the
enterprise side to consume it and verify it. But there needs to be something outlined. It should
be fairly standard. To date, I have not seen this in any of the enterprise customers I've
interfaced with. I have seen it with government customers
where they do have a process in place,
but it's ad hoc.
It's different for each organization.
Yeah, it seems to me like if an organization like yours,
your team at GroupSense,
if there was some way that you could establish yourselves,
register yourselves with the regulators
and say, we're a good company in good standing,
this is what we found. If there was some way to have
those findings both hit the regulators and the company affected at the same time,
at least then the company knows that, first of all, the messaging
is coming from a vetted source, but also the regulators
have been notified as well, and they can react as they see
appropriate. Yeah, that's one approach.
I agree that that certainly would be effective in protecting the constituents
if the regulatory bodies were notified simultaneously.
Yeah, I guess, but like you say, though, I mean, it's complicated and nothing's perfect.
Right, exactly.
Yeah, yeah.
We have to say the good side of the story, right,
which is the companies that have responded and we've engaged with, the outcomes have
generally been positive, or we've been able to actually supply them with useful data.
We work with their IR teams, and we come to a resolution.
Typically, we're working also with their law firms in some fashion or some capacity as
part of the process.
And for the benefit of companies that are listening to the podcast, yes, this is a scary thing. But the good news is, we're not charging for this. We'll see it all the
way from the notification through the process. Anything you need from us from a research
perspective is provided free of charge through the entire process. And we've actually helped a
number of well-known large companies through the process. And when they don't have the resources
internally, we've been able to help them source those for the breach response, etc. So,
you know, on the flip side, there are some good stories that come out of this as well.
That's Kurtis Minder from GroupSense.
Security firm Varonis this morning reported finding a new ransomware strain,
which it's calling Save the Queen, after the .savethequeen extension the attackers append to the affected files.
The ransomware propagates using the SYSVOL share on Active Directory domain controllers.
The only thing unusual about Save the Queen is what Varonis calls
its creative use of Active Directory to spread the dropper.
Beyond that, the ransomware's components seem largely commodity tools,
packaged into a straightforward bit of malware. Reuters says that emails spoofing the accounts
of journalists are being used to prospect targets with bogus approaches for interviews.
It appears to be an espionage campaign, and the circumstantial evidence of targets and topics
suggests an Iranian operation. Remember, this evidence is circumstantial,
but the spoofing of accounts belonging to journalists working in the West
but who have connections with Iran to approach high-profile targets
who themselves have Iranian background is suggestive.
Finally, one wonders what the cops and robbers are thinking, sometimes.
Well, at least the robbers. Ryan
Hernandez, who took a guilty plea Friday to charges related to hacking Nintendo servers to steal games
and other things, not only spent years doing so, but was brazen enough to brag about his exploits
on social networks like Twitter and Discord. Vice has the whole sad story. Nintendo got wise to him in 2016, and in 2017, the FBI
visited him at home to reason with him. Cliche alert. He lived with his parents.
After discussion, Mr. Hernandez indicated he understood the seriousness of the matter and
promised to return to the straight and narrow, but he was back up on Discord within hours,
mocking the FBI in, we must observe,
appallingly spelled posts. A few days later, he escalated, seeking to create a meme in which
SpongeBob SquarePants was an FBI special agent, and in case anyone failed to get it, he tagged
the image with, Hi, @NintendoAmerica. Other public boasting enabled the FBI, using nothing
more than their browser, apparently,
to get enough for a search warrant.
Mr. Hernandez faces up to three years in club fed,
and he's agreed to pay Nintendo just under $260,000.
The 21-year-old resident of Palmdale, California,
will have another opportunity to amend the path of his life,
and we hope he'll take it.
And I'm pleased to be joined once again by Craig Williams.
He's the director of Talos Outreach at Cisco.
Craig, always great to have you back.
You all recently published some information over on your blog.
This is Stolen Emails Reflect Emotet's Organic Growth.
So Emotet is still under your watchful eye here, yes? Absolutely. Emotet's been one of those
campaigns that we've been monitoring for like literally years. I don't know that it's the
longest. I'm sure we've been monitoring a couple of things longer, but it's definitely up there
in terms of things that we've just been sitting back and watching and keeping a really close eye on for both our customers and the
internet as a whole. And so what are you tracking here? What's the latest? Well, so what we saw in
this particular campaign was basically a compromise of some government and military customers.
And then, you know, as usual, Emotet will use those accounts to move laterally within
organizations.
And because these were government and military, it's moving inside of government and military.
And obviously, when you see that type of thing, it's very concerning because generally speaking,
if people see emails from sources that they consider internal, they're much more likely to trust them.
And that's why we needed to make sure the word got out that there are malicious actors using these relationships
for various purposes.
Can you give us some of the specifics about how Emotet functions?
Yeah, I mean, one of Emotet's favorites
is to basically find conversations that have existed over an email thread
and basically continue on that thread with a malicious attachment.
So, you know, if you've got a thread with your buddy and it's gone on and on and on
and all of a sudden your buddy replies back with,
oh, you know what, that's right, and then attaches receipt.pdf,
probably don't open that.
Right, right.
So Emotet works by getting access to your email account
for getting in there and being able to do those sorts of things.
Well, that or phish credentials.
And generally speaking, it responds with a Word document
that has macros embedded in it.
And the typical Emotet attachment is one that you open
where it will then entice you to open a macro
or otherwise interact with it for the compromise to take place.
Is this a case where, because it's so effective, does that explain the longevity of Emotet?
Yes. And we actually saw them take a break for the Orthodox Christmas holiday. And so obviously
that has certain political implications and it can lead you to conclude that actors are potentially operating out of certain areas.
And when those number of TTPs add up over time, year after year, it can help you really get a good idea of where these operators are acting out of.
You know, I think as of this morning, we're even tracking campaigns that are distributing themselves as new coronavirus information. So these actors aren't going to go away and they're going to continue to find very enticing reasons for people to open these
email attachments. And best practices to protect yourself here? Well, this falls back to just
don't open untrusted email attachments, right? And if you are on a thread and all of a sudden
an attachment appears, even if the thread appears to be legitimate,
and even if the reply doesn't seem that unusual,
you should probably just pick up the phone
and make sure that the person sending it intended to send it,
especially if it hasn't come up in the thread before.
Now, obviously, if someone says,
hey, on Thursday I'm going to send you that email,
then it's probably okay.
But alternatively, if you have a thread that's existed for a while
that's been basically abandoned,
and then all of a sudden someone replies to it with an attachment
and maybe a couple of really generic statements
that don't make a lot of sense in the context of the conversation,
that's when your guards shoot up.
Yeah.
All right.
Well, the blog is titled
Stolen Emails Reflect Emotet's Organic Growth.
Craig Williams, thanks for joining us.
Thank you.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.