CyberWire Daily - US indicts Iranian hackers. Guccifer 2.0 is a GRU Bear. Atlanta hit with ransomware. Equifax breach cost consumers plenty. Facebook's troubles persist, as do Cambridge Analytica's.

Episode Date: March 23, 2018

In today's podcast, we hear that the US has indicted Iranian hackers. Guccifer 2.0 has been fingered as a GRU team. Inquiries into their activities are folded into Special Counsel Mueller's investigation. Atlanta, Georgia, hit with ransomware. A study estimates the direct cost of the Equifax breach to consumers. App stores show a decline in malware infestations. Facebook leaders speak, finally, but do little to ease the company's pain. An FTC inquiry could be costly. The Cambridge Analytica affair will have implications for regulations, marketing, and consumer trust. Ben Yelin from UMD CHHS on the Equifax probe being put on ice by the US Consumer Protection agencies. Guest is Kevin Haley from Symantec, on their annual Internet Security Threat Report.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Iranian hackers are indicted. Guccifer 2.0 is fingered as a GRU team. Inquiries into their activities are folded into Special Counsel Mueller's investigation. Atlanta, Georgia's been hit with ransomware.
Starting point is 00:02:09 A study estimates the direct cost of the Equifax breach to consumers. App stores show a decline in malware infestations. Facebook leaders speak, finally, but do little to ease the company's pain. An FTC inquiry could be costly. The Cambridge Analytica affair will have implications for regulations, marketing, and consumer trust. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 23, 2018.
Starting point is 00:02:41 This morning, the U.S. Justice Department announced that it had indicted nine Iranians for a multi-year cyber espionage campaign they conducted while working for the Mabna Institute, an innocent-sounding organization that works on behalf of the Islamic Revolutionary Guard Corps. The Mabna Institute is also named as a defendant. Charges include conspiracy to commit computer intrusions, wire fraud, unauthorized access of a computer, and aggravated identity theft. The campaign was a multi-year operation. It began in universities, where the defendants are alleged to have phished about 100,000 professors in some 300 universities worldwide. 8,000 of them took the bait.
Starting point is 00:03:24 The attackers are said to have extensively prospected university databases for technical information. They then extended their campaign to corporations and government offices using low and slow password spray attacks, an approach that's easily overlooked by defenders. The Islamic Revolutionary Guard Corps, essentially the Iranian government, has both used and sold the data and intellectual property they've stolen. The indictments and the accompanying Treasury Department sanctions will, the U.S. hopes, serve to impose consequences on the attackers.
Starting point is 00:03:59 It's unlikely any of the individuals indicted will face American justice, but of course they will find travel to countries that have extradition treaties in place with the U.S. uncomfortable to the point of impossibility. U.S. organizations were not the only ones affected. Victims were found in some 21 countries worldwide. Turning to that other nation-state cyber no-goodnik, you recall Guccifer 2.0,
Starting point is 00:04:28 the notional hacktivist who doxed the Democratic National Committee with some enforced transparency of less-than-creditable internal emails? He's back in the news, and he's no hacktivist at all. He's GRU. This has long been widely believed and now appears to be confirmed. The threat actor originally posed as a Romanian hacktivist, but that didn't hold up under either journalistic or linguistic scrutiny. It was difficult to track Guccifer 2.0 because of his use of EliteVPN, an anonymizing service headquartered in Russia but with an exit through a server in France.
Starting point is 00:05:00 On at least one occasion, however, Guccifer 2.0 forgot to activate the VPN client before logging in, and his IP address led to Moscow and the GRU. The Daily Beast reports that Special Counsel Mueller has brought the FBI agents who worked on Guccifer 2.0 into his investigation. Some political advisors to the Trump campaign had swallowed Guccifer 2.0's claims to be a disinterested hacktivist and had some Twitter encounters with him. We say him for convenience.
Starting point is 00:05:30 It could also have been her, of course, but them is most likely. At one point, the Guccifer 2.0 persona was handed over to an operator with better tradecraft and English proficiency than the original. Perhaps he should be known as Guccifer 2.0.1. But as we hear so often, cybersecurity is a team sport, and that's true whether you're playing offense or defense. It's also worth noting that Guccifer 2.0 shouldn't be confused with the original Guccifer, Marcel Lazar Lehel, an actual Romanian hacker who's now serving time in the U.S. for his 2012-2014 one-man cybercrime wave. The GRU's homage to Marcel was misdirection.
Starting point is 00:06:12 And even though we're neither the Illuminati Guccifer 2.0 claimed to be hunting, nor the wealthy elite that are the Shadow Brokers' preferred quarry, we await a similar discovery about the Brokers, who've been quiet now for some time. Their style seems maybe more FSB than GRU, but we suspect these roads still lead back to Moscow. The Hekawi lingo shouldn't fool anyone, not even you, wealthy elite. The city of Atlanta, Georgia, confirmed yesterday that a ransomware attack has disabled a number of citizen-facing services. It's unknown so far exactly what's been affected or how recovery is expected to proceed. Krebs on Security reports that a study by Wakefield Research
Starting point is 00:06:55 has put a retail price tag on the Equifax breach. American consumers spent some $1.4 billion on credit freezes after the credit bureau disclosed that it had lost a vast trove of personal information. Security firm Risk IQ has some good news about app stores. They note that the occurrence of malicious apps has declined by 37%, largely because of a decrease in Android malware inventory. The European Union's General Data Protection Regulation will be fully implemented just two months from now, on May 25.
Starting point is 00:07:32 Security firms see a need and seek to fill it. Data privacy officer-as-a-service offerings have proliferated. GDPR has certainly spooked the market, and many firms will no doubt conclude that they should obtain the services of a data privacy officer the way they obtain the services of an attorney. Don't try to develop the expertise in-house, but rather go outside for it. Heavy U.S. tariffs imposed on Chinese tech imports are seen as a form of reprisal for cyber attack, specifically for cyber attacks that steal intellectual property. Britain's European allies prepare to expel Russian diplomats in solidarity with the UK over the attempted assassination of Sergey Skripal. Latvia, Lithuania, and Estonia are moving first,
Starting point is 00:08:19 with Poland, Germany, and France expected to follow suit soon thereafter. Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg are receiving little love for their public handling of the Cambridge Analytica data affair. As Wired magazine puts it, Mr. Zuckerberg waited either five days or two years to make a public statement about the matter, depending on how you look at it. Both would seem to be too late. Ms. Sandberg has finally leaned in with some public comments of her own, saying that the social media giant would, quote, be open to regulation, end quote, but this stop-me-before-I-sell-your-data-again plea is also receiving tepid reviews. A number of observers have commented that Facebook's business model is surrounded by a bodyguard of shifting EULAs,
Starting point is 00:09:06 and that's not a good thing. It may well be that the EULAs, as we've known them, go the way of the hold harmless clauses, the ones that say you do this thing we're offering you at your own risk, which pretty much don't hold up in court for anyone except ski resorts. Facebook is under investigation by the U.S. Federal Trade Commission, a famously willful and rapacious regulatory body. The FTC wants to determine whether Facebook violated an earlier consent decree that required Facebook to obtain users' permission before it shared their data.
Starting point is 00:09:40 If Facebook is found to be in violation of that consent decree, it could face fines of $40,000 per violation. You do the math. $40,000 is petty change for Facebook, but that figure we stress is per violation. Quantity has a quality all its own. In the UK, suspended Cambridge Analytica CEO Alexander Nix is back in parliamentary hot water. He's being recalled to testify before a panel investigating fake news. Westminster has decided it's dissatisfied with some of the things Mr. Nix has told it before,
Starting point is 00:10:14 and it would like some clarification. A great deal of the odium surrounding the firm's activities derives from the nastiness of its own self-image. We've noted before Mr. Nix's uncanny visual resemblance to characters in the Kingsman movies, but it seems unlikely that Kingsman would have done so much wallowing in fantasies of blackmail and entrapment. There are reports that Cambridge Analytica was engaged in political consultation of this kind in both Nigeria and St. Kitts and Nevis. Fairly or not, the episode is likely to have profound effects on online marketing.
Starting point is 00:10:55 The market is already punishing Facebook as advertisers withdraw from the social media platform. Apple's Tim Cook has for a number of years said, with a sideways glance at Silicon Valley neighbors Google and Facebook, that if you're not paying for the product, you are the product. People haven't in general minded that bargain because they like the value the free service offers. That may be about to change. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:11:55 Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:12:36 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for a thousand dollars off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:13:26 Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Ben Yellen. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We saw a report come by via Reuters that the U.S. consumer protection officials have put the Equifax probe on ice. What's going on here? Why would the consumer protection officials dial this back? So back in September, we found out that Equifax had been breached, that hackers stole the personal data of approximately 143 million Americans, which, just to put that in context, that's about one half of the people that live in this country.
Starting point is 00:14:25 So it's a plethora of information. And it's obviously deeply personal information when we give information to these credit reporting bureaus. It's everything from social security numbers, bank accounts, credit card accounts. I mean, it's some of our most personal and protected data. So obviously, this was a massive breach. And the leadership at the time of the Consumer Financial Protection Bureau, which was created as part of the Dodd-Frank Act in 2010, was seemingly very concerned about it and started an investigation to see what went wrong to sort of do some testing on some of the systems to make sure that it doesn't happen again. The head of the Consumer Financial Protection Bureau, a guy by the name of Richard Cordray,
Starting point is 00:15:10 who was appointed by President Obama, he resigned at the beginning of November. He's actually running for governor of Ohio. And there was a bit of a legal dispute about who his replacement would be. The law is rather unclear on the subject. The president appointed the head of the Office of Management and Budget, Mick Mulvaney, to be the temporary chair of the Consumer Financial Protection Bureau. Courts affirmed that he was the legal head of that program, so he has resumed authority over these past few months. And according to these sources, quote in the Reuters article, he sort of let this Equifax investigation wither on the vine. Now, we don't exactly know what the motivations of that are. There are certainly legitimate
Starting point is 00:15:54 questions about whether the Consumer Financial Protection Bureau, as opposed to other federal agencies like the FTC, should be the ones conducting this investigation. But I think if we look broadly at the politics involved in here, Republicans have long been skeptical about the Consumer Financial Protection Bureau. They think it's too harsh on the industry players and think that it could have a negative effect on our system of commerce. So they've sort of long been against this program's existence. And now that one of their own has taken it over, I think he's taking a step back, sort of curtailing
Starting point is 00:16:33 the more aggressive activities of his predecessor. And, you know, as far as the public is concerned, that's a major problem. We need to make sure that we're using all of our institutional power to make sure this type of hack never happens again, because half of all Americans have had their personal data breached. So I think it's a worrisome development. Yeah, it's a real head-scratcher. A breach this size, it just doesn't seem to me like there'd be a significant political constituency who would be for giving Equifax a break on this one. Yeah, I mean, I don't think there really is. This is sort of all happening under the radar.
Starting point is 00:17:12 Well, we're focusing on, you know, the president's latest tweets or some of the other high profile legislative fights. And it's not just this Equifax investigation that's withered on the vine. I think Director Mulvaney has put basically a moratorium on all activities inherent in the Consumer Financial Protection Bureau. He wants to better understand what's happening at the Bureau, what its powers are, you know, so that he can fully understand the job. But it's certainly lost some of the teeth that it had under its previous director, Richard Cordray. And I think, you know, a lot of agencies, their level of involvement, their level of how much they care about certain political problems changes when the political party of the administration changes. And I think that's what happened here. We've just seen an
Starting point is 00:18:00 administration that's hostile to these types of regulations on business. They now control the agency. And I think, you know, the rest of us are going to be facing the consequences of their inaction here. Ben Yellen, as always, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:18:38 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. My guest today is Kevin Haley. He's a director at Symantec Security Response, and he joins us to discuss their latest research report, ISTR23, Insights into the Cybersecurity Threat Landscape. It's the latest version of Symantec's annual look at cybersecurity threats. Probably the thing that really jumps out this year is what we're calling an explosion in cryptojacking, an 8,500% increase.
Starting point is 00:19:35 And that really just started in the fall and the winter. Cryptocurrency prices started to go up. Bad guys saw an opportunity. And so they began to, instead of buying their own rigs and paying for their own electricity, decided to use yours and mine in order to mine for coins. So that's – clearly there's been a lot of incidences that have made the news so far this year. It's something we expect to see continue for the rest of the year. As long as cryptocurrency prices remain high, people will look to borrow somebody else's resources to mine them. Now, another thing that you all highlighted in the report was a spike in software supply chain attacks. Can you describe that for us?
Starting point is 00:20:22 Sure. Probably the simplest way to think about it is the bad guys will insert their malware into the software update from one of your software vendors. Best practice is you need to keep your software up to date. So you download the latest release, you install it on your system, it works fine, but you've also installed the bad guy's malware as well. We talked about this back in like 2014, a group called the Dragonfly was doing it. They've been in the news recently. They're still out there trying to break into energy industry companies, understand how the factories work, how all the systems work so they can take over if they want. And it seemed like kind of a one-off. And every now and then you hear about this happening again. In fact, there was Petya this year, also CCleaner, where bad guys inserted themselves into software updates to get into organizations. And people
Starting point is 00:21:18 tend to think of it as a one-off. We really wanted to make the point this year that this is not just that one you read in the paper. This is ongoing. We saw at least one of these types of attacks every month in 2017, a 200% increase from the year before. Organizations have to take this seriously. This is not an aberration. This is not a one-off, and they need to start having that conversation with their software vendors. What are you doing to protect me?
Starting point is 00:21:49 Now, you also saw some shifts when it comes to ransomware. Yes. I mean, first off, you could say, well, ransomware had a huge year. Well, if you look at Petya and WannaCry, and, of course, in the Petya case, it wasn't really ransomware. It was looking to destroy computers but to hide that fact behind pretending to be ransomware. If you take those two threats out, what you see is that the market has kind of leveled off. Ransomware has stopped that huge growth. And we think that there's a couple reasons for that. Maybe the simplest explanation is market correction. In 2016, we saw a lot of new gangs get into ransomware. They saw an opportunity to make money, kind of like cryptojacking is now.
Starting point is 00:22:33 They wrote their ransomware and they got into the business and they knew they could make a lot of money. They all priced their product very high. The ransom demands that went up on average were $1,000. And what happened is there are too many products in market and they were overpriced. So these ransomware guys are out there and they're asking way too much money and people couldn't, even if they wanted to, they couldn't pay that much money to get their files or photos back. So these cyber criminals weren't making as much money as they thought, and they've kind of left the marketplace. And you also saw some changes when it comes to, or I guess some persistence when it comes to targeted attacks. Yeah, we did something interesting this year.
Starting point is 00:23:16 I mean, we've done research into targeted attacks, what they're doing, how they do it for numerous groups. But we decided to take a bit of an analytical approach this year and kind of create some stats. And the reason we could do that is there are so many targeted attack groups at this point. We're tracking 140 different groups. It seems to grow on average of about 29 new groups every year. So there's a lot of them out there. Probably one of the most interesting findings from looking at it that way is that 71% of these groups are still using spear phishing as a way to get into an organization. You have watering hole attacks, you have the supply chain attacks,
Starting point is 00:24:00 you have zero day vulnerabilities. They're still using spear phishing. It's cheap. It's efficient. It just works. In fact, not that many groups use zero days. We think that they're expensive. They have a short shelf life. And why are you bothering with that when you can go do one of these spear phishing attacks and it works just as well? And you're also seeing a continued surge when it
Starting point is 00:24:25 comes to mobile malware. Right. Mobile malware is something that I think is sneaking up on us. You know, there were a number of vendors who rushed out and said, well, hey, this year is the year of mobile malware. And it never exploded. So we never got it right. This thing never blew up. But what it did was steadily climb every single year. We saw a 54% increase in the number of mobile malware variants. That's new pieces of malware for mobile. It's still not at the same numbers as PCs, but it has consistently grown year after year, and it's time we take it
Starting point is 00:25:06 seriously. We can't wait for that explosion to start addressing this problem. It's already here. It's crept up on us. Now, when you look at the report overall and the results that you've gotten from it, what sorts of advice do you have for folks who are looking to develop their strategies as we look over the next year or so to defend themselves? Well, one of the first things that jumps out at me is when you look at cryptojacking is it attacks every type of device. We saw an 80% increase in attacks against Mac last year, that platform that doesn't get viruses. Well, it does, not as many as Windows, but it's a huge increase because it's susceptible to cryptojacking just like other systems. We saw 600 in attacks against IoT devices. Now, those weren't all crypto mining, but they're very vulnerable devices. There's a lot of them. You can build a huge botnet, and you may not get
Starting point is 00:26:05 a big payoff in mining on any single one, but if you have a million of them, you can do some damage. So the message I take away is, yeah, all these devices need to be protected. You need to step it up in all these areas. It's unfortunate things never seem to get easier, but that's the world we live in. That's Kevin Haley from Symantec. The complete report, ISTR 23, Insights into the Cybersecurity Threat Landscape, can be found on the Symantec website.
Starting point is 00:26:36 It's in their blog section. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:27:08 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Starting point is 00:28:06 Thank you. uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
